+44 7459 302492
info@uplatz.com
SAP GRC (Governance Risk and Compliance)
SAP GRC or Governance, Risk, and Compliance help the company in managing the regulations and compliance for data security and authentication standards for the enterprise. It allows organizations in managing and improving the risks incurred, for the smooth functioning of the audit management and also integrating the GRC activities with the existing process. SAP GRC consists of three main areas i.e. Analyze, Manage and Monitor.
Why use SAP GRC: Implementation of SAP GRC helps enterprises in controlling and improving risks involved in an organization, especially related to the audit and compliance the redundancies through a unified approach.
Different modules in SAP GRC:
The SAP GRC consists of the following modules:
1. Access Control
2. Process Control and Fraud Management
3. Risk Management
4. Audit Management
5. Fraud Management
6. Global Trade Services
7. Capability Model
In this SAP GRC course from Uplatz, learners will be able to understand an overview of SAP GRC, Access Risk Analysis, Emergency Access Management, Role Management, Access Request Management and the Reporting Framework.
At the end of this course, learners will be awarded a Certification of Completion on SAP GRC by Uplatz.
SAP GRC (Governance Risk and Compliance)
SAPGRC 10 Course Curriculum
1)Introduction
Introduction to SAP Access Control 10.0
Access Control 10.0 Overview
Key Features and Benefits
Managing Compliance with Access Control 10.0
Segregation of Duties Risk Management Process
Information Architecture, Security, and Authorizations
1)Access Risk Analysis:-
Analyze and Manage Risk
Shared Master Data
Configuration and Rule Set Maintenance
Risk Analysis Framework
System-Specific Mitigation
Mass Mitigation
2)Emergency Access Management:-
Emergency Access Management
Emergency Access Management Overview
Centralized Firefighting
Plan for Emergency Access
Monitor Emergency Access
3)Role Management:-
Design and Manage Roles
Configure Role Methodology
Plan for Technical Role Definition
Plan for Business Role Definition
4)Access Request Management:-
Provision and Manage Users
Plan for User Access
Request Approval
Review Access Risk (SoD Review)
o Design SOD Ruleset
o Critical Permissions
o Risks and Functions
o Troubleshooting with Tables and Transactions
Monitor User Access
Monitor Role Access
5) Reporting Framework:-
Reporting
Reporting Framework
Change Existing Reports
---------------------------------------------------------------------------------------------
SAP GRC (Governance Risk and Compliance) Interview Questions
---------------------------------------------------------------------------------------------
#1. What is the rule set in GRC?
Ans. The collection of rules is nothing but rule set. There is a default rule set in GRC called Global Rule Set.
#2. What is the landscape of GRC?
Ans. GRC Landscape is 2 system landscape,
• SAP GRC DEV
• SAP GRC PRD
• in GRC there is no Quality system.
#3. Explain about SPM?
Ans. SPM can be used to maintain and monitor the superuser access in an SAP system. This enables the super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors in easily tracing the critical transactions that have been performed by the Business users
#4. What is the use of su56?
Ans. Displays the current users Authorization Profiles available it the ID. It can also be used to reset their User buffer to pick up new roles and authorizations.
#5. What is the use of RSECADMIN?
Ans.
• IN SAP BI Reporting Users – Analysis Authorization using transaction RSECADMIN, to maintain authorizations for reporting users.
• RSECADMIN – To maintain analysis authorization and role assignment to the user.
#6. What is offline risk analysis?
Ans. Offline Mode Risk Analysis process is performed with the help of the Risk Identification and Remediation module in SAP GRC Access Control Suite. Offline mode Analysis helps in identifying SOD Violations in an ERP System remotely. The data from the system is exported to flat files and then it can be imported into the CC instance with the help of data extractor utility.
It can also be used to remotely analyze an ERP system that may be present in a different ERP Landscape.
#7. How can find out whether CUA (Central User Administration) is configured on your sap system?
Ans. Execute su01 You can find out a tab called system tab... If the system tab is not displayed there in the su01 screen there is no CUA that is configured.
#8. How do we test security systems? What is the use of SU56?
Ans. Through Tcode SU56, We will check the user's buffer
#9. How we Schedule and administering Background jobs?
Ans. Scheduling and administrating of background jobs can be done by using codes sm36 and sm37
#10. What are the Critical Tcodes and Authorization Objects in R/3?
Ans. Just to say all the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03, Sm37 are some of the critical t-codes. Below are critical objects S_TABU_DIS S_USER_AGR S_USER_AUT S_USER_PRO S_USER_GRP
#11. How we Check if the PFCG_TIME_DEPENDENCY is running for user master reconciliations?
Ans. Execute SM37 and search for PFCG_TIME_DEPENDENCY
#12. What is the ruleset? and how to update risk id in ruleset?
Ans. Also during the indirect assignment of roles to the user using t codes Po13 and po10, we must do user comparison, so that the roles get reflected in the SU01 record of the user.
#13. What is the difference between PFCG, PFCG_TIME_DEPENDENCY&PFUD?
Ans. PFCG is used to create maintain and modify the roles. PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user comparison but the difference is if you set the background job daily basis it will do mass user comparison automatically
#14. What does the user compare do?
Ans. If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on.
#15. Does s_tabu_dis org level values in a master role gets reflected in the child role?
Ans. If we do the adjusted derived role in the master role while updating the values in the master role thn values will be reflected in the child roles.
#16. What is the T-code to get into RAR from R/3?
Ans. /virsar/ZVRAT
#17. How do I change the name of the master/parent role keeping the name of derived/child role the same?
Ans. I would like to keep the name of the derived /child role the same and the profile associated with the child roles. First copy the master role using PFCG to a role with the new name you wish to have. Then you must generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put new inheritance. You can put the name of the new master role you created. This will help you keep the same derived role name and the same profile name. Once the new roles are done you can transport it. Transport automatically includes Parent roles.
#18. What is the difference between C (Check) and U (Unmentioned)?
Ans. Background:
When defining authorizations using Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. aeck Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.
CM (Check/Maintain)
-An authority check is carried out against this object.
-The PG creates an authorization for this object and field values are displayed for changing.
-Default values for this authorization can be maintained.
C (Check)
-An authority check is carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
N (No check)
-The authority check against this object is disabled.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
U (Unmaintained)
-No check indicator is set.
-An authority check is always carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
---------------------------------------------------------------------------------------------
