SAP GRC Interview Questions and Answers

Q1. What is the rule set in GRC?

Ans. The collection of rules is nothing but ruleset. There is a default rule set in GRC called Global Rule Set.

Q2. What is the landscape of GRC?

Ans. GRC Landscape is 2 system landscape,

  • SAP GRC DEV
  • SAP GRC PRD
  • in GRC there is no Quality system.

Interested in mastering SAP GRC Training? Enroll now for FREE demo on SAP GRC Training.

Q3. Explain about SPM?

Ans. SPM can be used to maintain and monitor the superuser access in an SAP system. This enables the super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors in easily tracing the critical transactions that have been performed by the Business users

Q4. What is the use of su56?

Ans. Displays the current user's Authorization Profiles available it the ID. It can also be used to reset their User buffer to pick up new roles and authorizations.

Q5. What is the use of RSECADMIN?

Ans.

  •  IN SAP BI Reporting Users – Analysis Authorization using transaction RSECADMIN, to maintain authorizations for reporting users.
  • RSECADMIN – To maintain analysis authorization and role assignment to the user.

Q6. What is offline risk analysis?

Ans. Offline Mode Risk Analysis process is performed with the help of the Risk Identification and Remediation module in SAP GRC Access Control Suite. Offline mode Analysis helps in identifying SOD Violations in an ERP System remotely. The data from the system is exported to flat files and then it can be imported into the CC instance with the help of data extractor utility.

It can also be used to remotely analyze an ERP system that may be present in a different ERP Landscape.

Q7. How can find out whether CUA (Central User Administration) is configured on your sap system?

Ans. Execute su01 You can find out a tab called system tab...  If the system tab is not displayed there in the su01 screen there is no CUA that is configured.

Q8. How do we test security systems? What is the use of SU56?

Ans. Through Tcode SU56, We will check the user's buffer

Q9. How we Schedule and administering Background jobs?

Ans. Scheduling and administrating of background jobs can be done by using codes sm36 and sm37.

SAP GRC Certification Questions and Answers

Q10. What are the Critical Tcodes and Authorization Objects in R/3?

Ans. Just to say all the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03, Sm37 are some of the critical t-codes. Below are critical objects S_TABU_DIS S_USER_AGR S_USER_AUT S_USER_PRO S_USER_GRP

Q11. How we Check if the PFCG_TIME_DEPENDENCY is running for user master reconciliations?

Ans. Execute SM37 and search for PFCG_TIME_DEPENDENCY

Q12. What is the ruleset? and how to update risk id in ruleset?

Ans. Also during the indirect assignment of roles to the user using t codes Po13 and po10, we must do user comparison, so that the roles get reflected in the SU01 record of the user.

Q13. What is the difference between PFCG, PFCG_TIME_DEPENDENCY&PFUD?

Ans. PFCG is used to create maintain and modify the roles. PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user comparison but the difference is if you set the background job daily basis it will do mass user comparison automatically

Q14. What does the user compare do?

Ans. If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on.

Q15. Does s_tabu_dis org level values in a master role gets reflected in the child role?

Ans. If we do the adjusted derived role in the master role while updating the values in the master role then values will be reflected in the child roles.

Q16. What is the T-code to get into RAR from R/3?

Ans. /virsar/ZVRAT

Q17. How do I change the name of the master/parent role keeping the name of derived/child role the same?

Ans. I would like to keep the name of the derived /child role the same and the profile associated with the child roles. First copy the master role using PFCG to a role with the new name you wish to have. Then you must generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put new inheritance. You can put the name of the new master role you created. This will help you keep the same derived role name and the same profile name. Once the new roles are done you can transport it. Transport automatically includes Parent roles.

Q18. What is the difference between C (Check) and U (Unmentioned)?

Ans. Background:

When defining authorizations using Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. aeck Table for Table USOBT_C.

In USOBX_C there are 4 Check Indicators.

CM (Check/Maintain)

-An authority check is carried out against this object.

-The PG creates an authorization for this object and field values are displayed for changing.

-Default values for this authorization can be maintained.

C (Check)

-An authority check is carried out against this object.

-The PG does not create an authorization for this object, so field values are not displayed.

-No default values can be maintained for this authorization.

N (No check)

-The authority check against this object is disabled.

-The PG does not create an authorization for this object, so field values are not displayed.

-No default values can be maintained for this authorization.

U (Unmaintained)

-No check indicator is set.

-An authority check is always carried out against this object.

-The PG does not create an authorization for this object, so field values are not displayed.

-No default values can be maintained for this authorization.