SAP GRC Interview Questions

What is the rule set in GRC?

A rule set is a collection of segregation-of-duties (SoD) rules: each risk is a conflict between two or more functions, and each function is a set of actions (transaction codes) and the permissions they need. GRC Access Control ships with a default rule set called the Global Rule Set.

What is the landscape of GRC?

A GRC landscape is typically a two-system landscape (Development and Production); in GRC there is no separate Quality system.

Explain about SPM?

SPM (Superuser Privilege Management, the Firefighter functionality) is used to maintain and monitor superuser access in an SAP system. It lets designated users perform emergency activities and critical transactions under a firefighter ID within a completely auditable environment: the logs of the SPM (firefighter) IDs allow auditors to easily trace the critical transactions that were performed by business users.

What is use of su56?

Displays the authorization profiles and authorizations currently loaded in the user buffer (by default the logged-on user's; another user ID can be selected). It can also be used to reset the user buffer so that newly assigned roles and authorizations are picked up without logging off and on again.

What is the use of RSECADMIN?


RSECADMIN is the transaction for maintaining analysis authorizations in SAP BW (BI). It is used to create and maintain the analysis authorizations that restrict reporting users to particular InfoObject values, and to assign those analysis authorizations to users, either directly or through roles (authorization object S_RS_AUTH).

What is offline risk analysis?

Offline-mode risk analysis is performed with the Risk Analysis and Remediation (RAR) module of the SAP GRC Access Control suite (RAR was formerly called Compliance Calibrator, hence "CC"). It identifies SoD violations in an ERP system remotely: user, role, profile and authorization data are exported from the target system to flat files with the data extractor utility and then imported into the RAR (CC) instance, where the normal risk analysis is run against them.

It can also be used to analyze an ERP system that sits in a different landscape and is therefore not connected to the GRC system.
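To make the rule-set and offline-analysis answers above concrete, here is an added Python example; it is not part of the original page and not SAP's code. It models a miniature rule set (risks made of conflicting functions, functions made of actions) and runs a user-level and a role-level SoD analysis over two constructed flat-file exports of the kind the data extractor produces. The risk IDs, function IDs, role names and user IDs are hypothetical.

```python
"""Miniature offline SoD risk analysis over flat-file exports.

Added example; not code from the page or from SAP GRC. The rule set
and the two CSV 'exports' below are constructed sample data.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed exports of the kind the data extractor writes to flat files.
USER_ROLES_CSV = """user,role
JSMITH,Z_AP_INVOICE_ENTRY
JSMITH,Z_AP_PAYMENT_RUN
MJONES,Z_AP_INVOICE_ENTRY
MJONES,Z_DISPLAY_ONLY
AKUMAR,Z_USER_ADMIN
"""

ROLE_ACTIONS_CSV = """role,action
Z_AP_INVOICE_ENTRY,FB60
Z_AP_INVOICE_ENTRY,MIRO
Z_AP_PAYMENT_RUN,F110
Z_DISPLAY_ONLY,FB03
Z_USER_ADMIN,SU01
Z_USER_ADMIN,PFCG
"""

# A tiny rule set laid out like the Global Rule Set: a function is a set of
# actions (transaction codes); a risk is a conflict between functions.
# Function and risk IDs are hypothetical.
FUNCTIONS = {
    "AP01": {"FB60", "MIRO"},  # enter vendor invoices
    "AP02": {"F110"},          # run the payment program
    "BS01": {"SU01"},          # maintain user master records
    "BS02": {"PFCG"},          # maintain roles and authorizations
}
RISKS = {
    "P001": ("AP01", "AP02"),  # create an invoice and pay it
    "B001": ("BS01", "BS02"),  # create a user and grant it access
}


def load_pairs(text, key, value):
    """Read a two-column CSV export into {key: set(values)}."""
    out = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        out[row[key]].add(row[value])
    return dict(out)


def functions_held(actions, functions=FUNCTIONS):
    """A function is held as soon as any one of its actions can be executed."""
    return {f for f, acts in functions.items() if acts & actions}


def violations(actions, risks=RISKS, functions=FUNCTIONS):
    """Sorted risk IDs whose conflicting functions are all held via `actions`."""
    held = functions_held(actions, functions)
    return sorted(r for r, funcs in risks.items() if set(funcs) <= held)


def analyze_users(user_roles, role_actions):
    """User-level analysis: actions are aggregated over all of a user's roles,
    so a risk can arise from a combination of individually clean roles."""
    result = {}
    for user, roles in user_roles.items():
        actions = set().union(*(role_actions.get(r, set()) for r in roles))
        result[user] = violations(actions)
    return result


def analyze_roles(role_actions):
    """Role-level analysis: a risk contained entirely within a single role."""
    return {role: violations(acts) for role, acts in role_actions.items()}


def run():
    """Import the exports and return (user-level, role-level) results."""
    user_roles = load_pairs(USER_ROLES_CSV, "user", "role")
    role_actions = load_pairs(ROLE_ACTIONS_CSV, "role", "action")
    return analyze_users(user_roles, role_actions), analyze_roles(role_actions)


if __name__ == "__main__":
    users, roles = run()
    for user, risks in sorted(users.items()):
        print(f"{user}: {risks or 'no SoD violation'}")
    for role, risks in sorted(roles.items()):
        if risks:
            print(f"role {role} contains risk {risks} on its own")
```

JSMITH violates P001 only through the combination of two roles that are each clean on their own, which is why the user-level analysis is the one that matters for SoD; Z_USER_ADMIN carries B001 by itself and would be flagged at role level before any user is assigned to it.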

How can find out whether CUA (Central User Administration) is configured on your sap system?

Execute SU01 and display a user. If a Systems tab is shown, the client is the central system of a CUA; if no Systems tab is displayed in the SU01 screen, CUA is not configured. Transaction SCUA (CUA maintenance) also shows the distribution model if one exists.

How do we test security systems? What is the use of SU56?

Through transaction SU56 we check the user's buffer, i.e. the authorizations that were actually loaded for the user at logon.

How we Schedule and administering Background jobs?

Background jobs are scheduled with transaction SM36 and monitored and administered with transaction SM37.

What are the Critical Tcodes and Authorization Objects in R/3?

Broadly, all transaction codes that can affect roles, user master records or system parameters are critical. SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical transactions.

Below are critical objects







How we Check if the PFCG_TIME_DEPENDENCY is running for user master reconciliations?

Execute SM37 and search for the job (program PFCG_TIME_DEPENDENCY); the job overview shows whether it is scheduled, when it last ran and with what status.

What is ruleset? and how to update risk id in rule set?

Also, during indirect assignment of roles to users through HR organizational objects (transactions PO13 and PO10), a user comparison must be run so that the roles are reflected in the user's SU01 record.

What is the difference between PFCG,PFCG_TIME_DEPENDENCY&PFUD?

PFCG is used to create, maintain and modify roles and to generate their authorization profiles.

PFUD performs the user master comparison interactively, including a mass comparison for all users.

PFCG_TIME_DEPENDENCY is the report behind that comparison, run as a background job: if you schedule it (for example daily) it performs the mass user comparison automatically and also removes the profiles of expired role assignments from the user master records.

What does user compare do?

If you use the role to generate authorization profiles, note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY as a periodic background job.
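As an added illustration of the user-comparison answers above (PFUD, PFCG_TIME_DEPENDENCY and the indirect PO13/PO10 assignments), here is a Python model that is not code from the page or from SAP. It keeps a constructed table of time-dependent role assignments (laid out like AGR_USERS) and a user-master profile list, and computes what a comparison run on a given date would add and remove. The role, profile and user names are hypothetical.

```python
"""Model of the user master comparison done by PFUD / PFCG_TIME_DEPENDENCY.

Added example; not code from the page or from SAP. All data below is
constructed, and the role, profile and user names are hypothetical.
"""
from collections import defaultdict
from datetime import date

# Generated profile for each role (hypothetical T-... names as PFCG would assign).
ROLE_PROFILES = {
    "Z_AP_INVOICE_ENTRY": "T-AP000001",
    "Z_AP_PAYMENT_RUN": "T-AP000002",
    "Z_FF_FIREFIGHTER": "T-FF000001",
}

# Role assignments as they would sit in AGR_USERS: (user, role, valid from, valid to).
ASSIGNMENTS = [
    ("JSMITH", "Z_AP_INVOICE_ENTRY", date(2024, 1, 1), date(9999, 12, 31)),
    ("JSMITH", "Z_FF_FIREFIGHTER", date(2024, 3, 1), date(2024, 3, 2)),     # two-day emergency access
    ("MJONES", "Z_AP_PAYMENT_RUN", date(2024, 3, 10), date(9999, 12, 31)),  # future-dated assignment
]

# Profiles currently in the user master records, before any comparison runs.
USER_MASTER = {
    "JSMITH": {"T-AP000001", "T-FF000001"},
    "MJONES": set(),
}


def valid_assignments(assignments, on):
    """(user, role) pairs whose validity period covers the date `on`."""
    return {(u, r) for u, r, start, end in assignments if start <= on <= end}


def expected_profiles(assignments, role_profiles, on):
    """Profiles each user should hold on `on`, derived purely from the assignments."""
    out = defaultdict(set)
    for user, role in valid_assignments(assignments, on):
        out[user].add(role_profiles[role])
    return out


def compare(user_master, assignments, role_profiles, on):
    """What a comparison run on `on` would change: {user: (to_add, to_remove)}."""
    expected = expected_profiles(assignments, role_profiles, on)
    diff = {}
    for user in set(user_master) | set(expected):
        have = user_master.get(user, set())
        want = expected.get(user, set())
        diff[user] = (sorted(want - have), sorted(have - want))
    return diff


def reconcile(user_master, assignments, role_profiles, on):
    """Apply the comparison and return the reconciled user master records."""
    changes = compare(user_master, assignments, role_profiles, on)
    return {
        user: (user_master.get(user, set()) | set(add)) - set(remove)
        for user, (add, remove) in changes.items()
    }


def comparison_on(iso_day):
    """Convenience: the comparison result for the constructed data on an ISO date."""
    return compare(USER_MASTER, ASSIGNMENTS, ROLE_PROFILES, date.fromisoformat(iso_day))


def reconciled_on(iso_day):
    """Convenience: the reconciled user master for the constructed data on an ISO date."""
    return reconcile(USER_MASTER, ASSIGNMENTS, ROLE_PROFILES, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for run_day in ("2024-03-05", "2024-03-10"):
        print(f"comparison on {run_day}:")
        for user, (add, remove) in sorted(comparison_on(run_day).items()):
            print(f"  {user}: add {add or '-'}, remove {remove or '-'}")
```

On 5 March the firefighter profile T-FF000001 is still in JSMITH's user master although the assignment expired on 2 March; it remains usable until a comparison removes it, which is why PFCG_TIME_DEPENDENCY is scheduled daily rather than run on demand. MJONES's future-dated assignment is ignored until its start date, and the profile appears only after the comparison that runs on or after 10 March.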

Does s_tabu_dis org level values in a master role gets reflected in the child role?

Non-org-level values are reflected in the child roles only if, after updating the values in the master role, you push them down with "Adjust derived roles" (generate derived roles) from the master role. Organizational-level values are not inherited: they are maintained separately in each derived role and are left untouched by the adjustment. S_TABU_DIS (fields DICBERCLS and ACTVT) has no organizational-level field by default, so its values are pushed down like any other value; if DICBERCLS has been turned into an org level with report PFCG_ORGFIELD_CREATE, it behaves like the other org levels and must be maintained in each derived role.

What is the T-code to get into RAR from R/3?


How do I change the name of the master/parent role while keeping the names of the derived/child roles and the profiles associated with the child roles?

First copy the master role with PFCG to a role with the new name and generate it. Then open each derived role and delete its menu; once the menu is removed, PFCG lets you enter a new inheritance, where you put the name of the new master role. This keeps the derived role names and their profile names unchanged. Once the roles are done you can transport them; the transport of a derived role automatically includes its parent role.

What is the difference between C (Check) and U (Unmaintained)?


When authorizations are defined with the Profile Generator (PG), table USOBX_C defines which authorization checks take place within a transaction and which of them are maintained in the PG. USOBX_C is the check table for table USOBT_C, which holds the default field values; both are maintained with transaction SU24.

In USOBX_C there are four check indicators:

CM (Check/Maintain)

- An authority check is carried out against this object.
- The PG creates an authorization for this object, and the field values are displayed for changing.
- Default values for this authorization can be maintained (in USOBT_C).

C (Check)

- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

N (No check)

- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

U (Unmaintained)

- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

So the practical difference between C and U is that C records a deliberate decision that the check happens but the PG should not propose an authorization for it, whereas U simply means nobody has maintained the indicator yet. At runtime both result in the authority check being performed.