
SAP GRC Interview Questions and Answers

Updated Jul 26, 2024

1. What are the components of GRC?

SAP GRC is a suite; the components an Access Control interview usually means are:

  • Access Control: manages user access and segregation of duties (SoD). In GRC Access Control 5.3 it is made up of Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP), Enterprise Role Management (ERM) and Superuser Privilege Management (SPM).
  • Risk Management: identifies, assesses and mitigates enterprise risks.
  • Process Control: documents and monitors internal controls against regulatory requirements.
  • Audit Management (later releases): plans and manages internal and external audits.

2. What upgrades happened in GRC 5.3 compared with GRC 5.2?

Access Control 5.3 consolidated the four formerly separate Virsa products into one suite with a common installation and connectors, and renamed them:

  • Compliance Calibrator became Risk Analysis and Remediation (RAR).
  • Access Enforcer became Compliant User Provisioning (CUP).
  • Role Expert became Enterprise Role Management (ERM).
  • Firefighter became Superuser Privilege Management (SPM).

Beyond the renaming: tighter integration between the components (for example CUP calling RAR risk analysis inside a request), reporting improvements, support for newer NetWeaver and ERP releases through updated Real Time Agents (RTAs), and the bug fixes of the intervening support packages. Check the release notes for the exact list.

3. Is it possible to have a request type by which we can change the validity period of a user? If possible, then what are the actions?

Yes. CUP request types are assembled from actions, and a Change Account request built from the Change User action exposes the user's valid-from and valid-to dates, so the approved change is written to SU01 through the connector. The steps are:

  • Create (or copy) the request type in CUP configuration and add the Change User action to it.
  • In the request form configuration, make the validity-date fields visible and editable for that request type.
  • Attach the request type to a workflow type with an initiator and approval stages, so the new validity is approved before it is provisioned.

4. What's the latest Support Pack for GRC 5.3? How does it differ from the previous one?

Look it up on the SAP Support Portal rather than quoting a number from memory; Access Control 5.3 is an old release and its support package line is closed, so the number no longer changes. Each support package ships with a release note listing the corrected SAP Notes; the differences are bug fixes, performance improvements and compatibility of the connectors and Real Time Agents (RTAs) with newer backend releases. In an interview, name the SP level you actually worked with and one concrete fix or behaviour change from it.

5. What are the issues faced by you in ERM & CUP after going live?

Typical post-go-live issues (the interviewer wants ones you actually handled):

  • Connector problems: JCo connection pools exhausted under load, or the RFC user lacking the SU01/PFCG authorizations CUP provisions with, so requests are approved but never provisioned.
  • Stale master data: roles changed in PFCG not visible in CUP, or analysed with old content, because the Role/Profile and User synchronization jobs were not scheduled after go-live.
  • Workflow problems: requests stuck because no initiator matched, a stage had no approver (role without an approver, manager not maintained in the user data source), or escalation was not configured.
  • Performance: batch risk analysis and in-request risk checks taking too long on large user populations or unrestricted rule sets.
  • ERM: role generation to the backend failing on connector or naming-convention errors, and methodology steps that role owners find too heavy.
  • Adoption: requesters and approvers not understanding the forms, leading to rejected or wrongly approved requests.

6. Can we change Single roles, objects & Profile descriptions through mass maintenance of roles? If yes, how?

Partly. In the backend, transaction PFCGMASSVAL changes authorization field values (including organizational levels) across a selected set of roles, and PFUD and SUPC handle mass user comparison and mass profile generation. Role and profile descriptions are text attributes of the individual role and profile (tables AGR_TEXTS and USR11) and are not covered by PFCGMASSVAL; for those you need a custom report or an eCATT/LSMW recording over PFCG. In ERM, role attributes (owner, business process, description) can be changed for many roles at once through its mass maintenance function, but not the authorization data itself.

7. What are the prerequisites for creating a workflow for user provisioning?

Prerequisites in CUP before a provisioning workflow can run:

  • Connectors to every target system, with an RFC user that holds the SU01/PFCG authorizations CUP needs to create users and assign roles.
  • Roles imported into CUP (from the backend synchronization or a file), each with an approver and business-process attributes; a role without an approver cannot be requested.
  • A user data source (backend, UME or LDAP) so the requester and the user's manager can be looked up.
  • The request type with its actions, and a number range for request IDs.
  • The workflow itself: an initiator that decides which requests enter the path, the path's stages with approvers (role owner, manager, security team or a custom approver determinator), escalation and notification settings, and SMTP for e-mail.
  • Risk analysis settings, if requests are to be checked against the RAR rule set before approval.

8. How will you control the GRC system if you have multiple rulesets activated?

RAR allows several rule sets (for example the SAP-delivered GLOBAL rule set next to a customer-specific one), but only one is the default; that is the one CUP uses for in-request risk analysis and the one reports use unless another is selected explicitly. To keep control:

  • Mark exactly one rule set as default and document which analysis uses which rule set.
  • Keep risk IDs unique across rule sets; a mitigating control is attached to a risk ID, so duplicate IDs make mitigations ambiguous.
  • After any change, regenerate the rules and rerun batch risk analysis so reports and mitigations reflect the new state.
  • Maintain rule sets in development, move them by export/import, and review them periodically with the business owners.

9. Can we view the changes of a role, that happened in PFCG, through GRC?

Not directly. The Role/Profile synchronization job only refreshes the current content of roles in GRC, so GRC shows what a role contains now, not who changed it or when. The who/when/what of a PFCG change stays in the backend's role change documents (PFCG, Utilities, Change documents). If roles are created and maintained through ERM and generated into the backend from there, ERM keeps its own change history for those roles, and any direct PFCG edit shows up as a difference between ERM's version and the backend copy.

10. How will you mitigate a user against an authorization object which is decided as sensitive by Business?

First make the object a risk, then mitigate the users who legitimately need it:

  • In RAR's Rule Architect, define a function containing the sensitive authorization object with its field values (a critical permission), put it into a critical-permission risk, and generate the rules.
  • Create a mitigating control: ID, business process, description of the compensating check (for example a monthly review of that user's postings), the monitor who performs it, the approver, and the risk IDs it covers.
  • Assign the control to the user (or to the role) with a validity period and have the control owner approve the assignment.
  • The user still appears in reports, but as mitigated rather than as a violation; when the validity expires the violation returns, which is the point of the expiry.

11. Give an example of SOD with object level control & also decide the Risk implication from the Technical standpoint.

  • Example: creating purchase orders (ME21N, object M_BEST_BSA with ACTVT = 01) versus releasing purchase orders (ME29N, object M_EINK_FRG with a release code). An action-level rule compares only transaction codes; a permission-level rule additionally requires the authorization values.
  • Risk implication: a user with both ME21N and ME29N is flagged at action level, but if the ME29N role only carries display values and no release code, that is a false positive that permission-level analysis filters out. Conversely, a user with ME21N plus a wide M_EINK_FRG (FRGCO = *) can create and release the same PO, which is the fraud and error exposure the business cares about, so the risk must be defined at permission level for both functions, and the permission values must match what the roles actually contain (and what SU24 says the transactions check).
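The action-level versus permission-level distinction above, as an added example (not from the original page and not SAP GRC code): a small Python rule evaluator over constructed role and user data. It also shows how a mitigating control with a validity date (questions 10 and 18) changes the result. The risk, function and control IDs, the role names and the specific authorization values are assumptions for illustration; M_BEST_BSA and M_EINK_FRG are real purchasing authorization objects, but the value choices are this example's.

```python
"""Toy SoD risk analysis: action-level vs. permission-level rules plus
time-boxed mitigating controls. Added example; not SAP GRC code.
All role, user and control data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Function:
    name: str
    actions: frozenset      # transaction codes that start the business task
    permissions: frozenset  # (auth object, field, value) the task needs


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: tuple        # conflict = user can perform all of these
    description: str


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str
    user: str
    valid_to: date          # in RAR pre-filled from the default (365 days)


# Constructed rule set. Object and field names are real SAP purchasing
# objects; the IDs and the required values are this example's choice.
CREATE_PO = Function("PR01 Create purchase order", frozenset({"ME21N"}),
                     frozenset({("M_BEST_BSA", "ACTVT", "01")}))
RELEASE_PO = Function("PR02 Release purchase order", frozenset({"ME29N"}),
                      frozenset({("M_EINK_FRG", "FRGCO", "01")}))
RISKS = [Risk("P001", (CREATE_PO, RELEASE_PO),
              "User can create and release the same purchase order")]

# Constructed role content: tcodes and authorization values each role grants.
ROLES = {
    "Z_PO_CREATE":  {"actions": {"ME21N"},
                     "perms": {("M_BEST_BSA", "ACTVT", "01")}},
    "Z_PO_RELEASE": {"actions": {"ME29N"},
                     "perms": {("M_EINK_FRG", "FRGCO", "*")}},
    # Display role: has ME29N to look at release status, but no release code.
    "Z_PO_DISPLAY": {"actions": {"ME23N", "ME29N"},
                     "perms": {("M_BEST_BSA", "ACTVT", "03")}},
}
ASSIGNMENTS = {
    "ALICE": ["Z_PO_CREATE", "Z_PO_RELEASE"],   # real conflict
    "BOB":   ["Z_PO_CREATE", "Z_PO_DISPLAY"],   # action-level false positive
    "CAROL": ["Z_PO_CREATE", "Z_PO_RELEASE"],   # conflict, but mitigated
}
CONTROLS = [MitigatingControl("MC-P001-01", "P001", "CAROL", date(2025, 7, 25))]


def user_access(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of everything the user's roles grant (what the sync jobs load)."""
    actions, perms = set(), set()
    for role in assignments.get(user, []):
        actions |= roles[role]["actions"]
        perms |= roles[role]["perms"]
    return actions, perms


def permission_granted(required, perms):
    """A required value is granted by an exact value or a '*' wildcard."""
    obj, field, value = required
    return any(o == obj and f == field and v in (value, "*")
               for o, f, v in perms)


def has_function(fn, actions, perms, level):
    if not fn.actions & actions:          # no tcode: cannot perform the task
        return False
    if level == "action":                 # action level stops at tcodes
        return True
    return all(permission_granted(p, perms) for p in fn.permissions)


def analyze(user, level="permission", today=date(2024, 7, 26),
            assignments=ASSIGNMENTS, roles=ROLES,
            risks=RISKS, controls=CONTROLS):
    """Return {risk_id: status} for every risk the user triggers."""
    actions, perms = user_access(user, assignments, roles)
    findings = {}
    for risk in risks:
        if not all(has_function(f, actions, perms, level) for f in risk.functions):
            continue
        status = "violation"
        for c in controls:   # an unexpired control assigned to this user/risk
            if c.user == user and c.risk_id == risk.risk_id and c.valid_to >= today:
                status = f"mitigated by {c.control_id} until {c.valid_to}"
                break
        findings[risk.risk_id] = status
    return findings


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "action:", analyze(user, "action"),
              "permission:", analyze(user))
    print("CAROL after expiry:", analyze("CAROL", today=date(2025, 8, 1)))
```

BOB is the false positive the answer describes: flagged at action level because he holds ME29N, clean at permission level because nothing in his roles grants a release code. CAROL shows why expiry dates matter: the same access is reported as mitigated until the control's valid-to date and as a violation the day after.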

12. Is it possible to assign two roles with different validity period to a user in one shot through GRC? If yes, how?

Yes. In a CUP request (New Account or Change Account) every role line has its own valid-from and valid-to dates, so the requester adds both roles to the same request with different dates. After approval CUP provisions both assignments with their own validity in one pass; the approvers see and can adjust each role's dates separately.

13. What's the use of a Detour path? How does a Fork path differ from the Detour path?

  • Detour path: a CUP workflow leaves its normal path when a condition is met at a stage, for example when the risk analysis finds SoD violations the request is routed to a risk-approver path, or when a mitigating control is assigned it goes to the control owner. If the condition is not met the request continues on its original path.
  • Fork path: the path splits into parallel sub-paths that are processed at the same time (for example role approvers and the security team), and the request only continues, or is provisioned, once all of them have completed.

14. How can you enable a self-password reset facility in GRC?

Through CUP's Password Self Service: enable it in CUP configuration, define the security questions, and have users register their answers once on the CUP end-user page. A user who forgets a backend password then answers the questions on the end-user page and CUP sets a new password in SU01 through the connector, which means the connector's RFC user needs the change-password authorization in every target system. Decide whether the generated password is mailed or displayed, and make sure the user data source (backend, UME or LDAP) carries the e-mail addresses.

15. Can we have customized actions for creating request types in CUP?

Yes, within what CUP delivers. Request types are built from the delivered actions (Create User, Change User, Delete User, Lock User, Unlock User, Assign Roles, Remove Roles and so on); a custom request type combines the actions it needs, is linked to a workflow type, and has its own form layout deciding which fields are visible and mandatory. Customizing therefore means selecting and combining actions and form fields, not writing new provisioning actions.

16. Which SOX rules were inherited in SAP GRC?

SAP GRC does not contain the SOX text itself; it supports the controls that sections 302 and 404 require for financial reporting: segregation of duties (the SoD rule set and risk analysis in RAR, with the delivered GLOBAL rule set encoding the standard conflicts auditors test against), documented and approved access changes with an audit trail (CUP), controlled and logged emergency access (SPM), periodic user access and SoD reviews, and mitigating controls with named owners and expiry dates.

17. How many types of background job are you familiar with? Why are the Role/Profile and User Sync jobs required?

In RAR: Role/Profile Synchronization, User Synchronization, Batch Risk Analysis (users, roles and profiles, followed by management report generation); in SPM: the log collection job that pulls firefighter session logs from the backend. The sync jobs are required because RAR and CUP analyse a copy of the backend master data: roles, profiles and their assignments are read from the backend into GRC's own tables, and a risk analysis or a role drop-down in CUP only sees what the last sync loaded. If a role changes in PFCG and the job has not run, RAR analyses the old content and CUP offers stale roles, so the jobs are scheduled regularly (for example daily incremental, weekly full) and run after role transports.

18. Where can we change the default expiration time for mitigating controls? What's the default value?

In RAR configuration (Configuration, Miscellaneous) there is a "default expiration time for mitigating control" value in days. The delivered default is 365 days. It only pre-fills the valid-to date of new control assignments; existing assignments keep their dates.

19. How will you do the mass import of role in GRC?

Roles are imported, not typed in. RAR and CUP receive role master data through the Role/Profile Synchronization job; CUP additionally has a role import that reads a tab-delimited file (role name, system, description, approver and attributes) so that many roles get their approvers and business-process attributes in one go; ERM imports existing backend roles, including their authorization data, from a connector or from a file. After the import, compare the role count against the backend, make sure every requestable role has an approver, and rerun the risk analysis.

20. Explain the total configuration & utility of SPM?

SPM is Superuser Privilege Management (the former Virsa Firefighter), the controlled emergency-access component. Configuration: firefighter IDs are ordinary backend users with wide authorizations that nobody logs on with directly; each ID has an owner (who decides who may use it) and a controller (who reviews the logs); firefighters are assigned IDs for a validity period; reason codes are defined so every session records why it was needed; the backend transaction (/VIRSA/VFAT in 5.3) lets a firefighter check out an ID for a session; and a periodic log collection job pulls the session's transaction and change-document logs into GRC and sends them to the controller. Utility: it replaces permanently assigned SAP_ALL-style access with time-boxed, justified and reviewed sessions, and gives auditors a trail for each use.

21. Can we create Logical systems in GRC? If yes, how & what can be the advantages & disadvantages of the same?

Yes. In CUP configuration a logical system groups several physical connectors (for example the ECC development, quality and production clients) so that a role is defined once against the logical system and one request provisions it to all members. Advantages: one role catalogue, one request per landscape, fewer approvers to maintain. Disadvantages: every member system must really contain the same roles, otherwise provisioning fails or leaves partial assignments; a mistake in one request is provisioned everywhere at once; and analysis against the logical system assumes identical authorization data in all members, which drifts over time.

22. Can we have a different set of number ranges activated for request generation?

Yes. Number ranges are maintained in CUP configuration and each request type is linked to one of them, so for example emergency-access and new-account requests can be numbered separately. Only one range is active per request type at a time.

23. Explain, how can we create derived roles in ERM. What will be the significant changes in methodology for creating composite roles?

In ERM you create a derived role by selecting the master (single) role and a set of organizational-level values; ERM copies the master's authorization data, substitutes the org levels, and generates the derived role into the backend with the derived-from link intact, so a change to the master is pushed to its derived roles on regeneration. Composite roles follow a different methodology: instead of defining functions and authorization data you select existing single or derived roles as members, there is no authorization maintenance or profile generation for the composite itself, and the risk analysis is run on the union of the members' authorizations before approval.


Comments

  • 30 Jan 2010 7:06 am Utsav Mukherjee Best Answer
    It's not possible to provide all possible questions, but I am highlighting some of them. Maybe these will be helpful for you.

    Some GRC Questions:
    1. What are the components of GRC?
    2. What upgrades happened in GRC 5.3 from GRC 5.2?
    3. Is it possible to have a request type by which we can change the validity period of a user? If possible, then what are the actions?
    4. What's the latest Support Pack for GRC 5.3? How it differs from the previous one?
    5. What are the issues faced by you in ERM & CUP after go-live?
    6. Can we change Single roles, objects & Profile description through mass maintenance of role? If yes, how?
    7. What are the prerequisites for creating a workflow for user provisioning?
    8. How will you control GRC system if you have multiple rulesets activated?
    9. Can we view the changes of a role, happened in PFCG, through GRC?
    10. How will you mitigate a user against an authorization object which is decided as sensitive by Business?
    11. Give an example of SOD with object level control & also decide the Risk implication from the Technical standpoint.
    12. Is it possible to assign two roles with different validity period to a user in one shot through GRC? If yes, how?
    13. What's the use of Detour path? How Fork path differs from Detour path?
    14. How can you enable self password reset facility in GRC?
    15. Can we have customized actions for creating request types in CUP?
    16. Which SOX rules got inherited in SAP GRC?
    17. How many types of Background job you are familiar with? Why Role/Profile & User Sync. job is required?
    18. Where from can we change the default expiration time for mitigating controls? What's the default value for the same?
    19. How will you do the mass import of role in GRC?
    20. Explain the total configuration & utility of SPM?
    21. Can we create Logical systems in GRC? If yes, how & what can be the advantages & disadvantages of the same?
    22. Can we have different set of number ranges activated for request generation?
    23. Explain, how can we create derived roles in ERM? What will be the significant changes in methodology for creating composite roles?


    Some SAP Security Questions:
    1. How does a transaction code work?
    2. Can we set any password limitations/exceptions in SAP? If yes, how?
    3. What's the basic difference between SU22 & SU24?
    4. What exactly is SU25? What's the significance of its 2a, 2b, 2c & 2d sections?
    5. Other than SU53, how can you get missing authorisation details?
    6. How can we reset the password for 1000 users at one shot? Is it possible?
    7. Is it possible to derive a role which is not having any t-code but has some manually entered authorization objects? If yes, how?
    8. Can we reset our own SAP password? Please note, you don't have SU01's authorization.
    9. Suppose my Dev system has 3 clients. In one of the clients, I'm making some changes in a tcode. Will the changes get reflected in other clients also? If yes, how?
    10. Through which tcode can I do a mass user comparison? What's the daily background job for the same?
    11. What do the PRGN_STAT & TCODE_MOD tables consist of?
    12. What do we check through SM50 & SM51?
    13. Which are the necessary objects for controlling the t-code SU01?
    14. Can we give display access for DEBUGGING to a user? If yes, how?
    15. What are the SAP default Service users & what are their default passwords? What password does the system by default generate for these Service User/s while installing a new client within the system?
    16. From where can we create a new Authorization field?
    17. Is it possible to assign an ABAP role to a Portal user? If yes, how?
    18. How can we gain control over Infotypes?
    19. Why do we have to generate the profile again after saving the authorization data during role creation/modification?
    20. When does a profile become an 11 character string?
    21. How can we find out the roles that got directly generated in Production & not imported from the Quality system? Please note, you don't have any Quality user id.
    22. How can CUA help from the management standpoint of a business having SAP installed?
  • 26 Jan 2010 9:39 am Guest Helpful Answer
    GRC is a tool that helps improve controls. From a security perspective it automates monitoring of SoDs, allows automated provisioning of emergency access and automation of the user provisioning process.

    Security Q's:
    Explain the authorisation concept in detail
    Explain how config relates to security
    Explain why SU53 is not always accurate

    GRC Q's:
    Explain in detail how the different components of the Access Controls suite integrate with each other
    Explain the key problem areas in implementation of RAR
    Explain the key problem areas in implementation of CUP

    Please note, I will not provide model answers for the above questions. If you can provide clear, correct answers to the above then you will demonstrate understanding of the products rather than being able to memorise transactions.
  • 23 Dec 2010 12:52 pm kiran Helpful Answer
    1. How does a transaction code work?
    Ans:
    1. It checks in SU01.
    2. It checks for the S_TCODE authorization object.
    3. Then it will check the minimal authorization table TSTCA.
    4. Then it will check SU24 (tcode vs. authorization object).
    5. Then it will check for the authorization check indicators.


    2. Can we set any password limitations/exceptions in SAP? If yes, how?
    Ans: Yes, we can.
    For that we have to set the parameters in RZ10, like:
    login/failed_to_user_auto_unlock
    login/fails_to_user_session_end
    login/min_password_letter
    login/min_password_len
    login/min_password_digit
    login/min_password_uppercase
    login/min_password_lowercase
    login/min_password_diff
    login/min_password_special
    login/no_automatic_user_sapstar
    login/disable_multi_gui_login
    login/multi_logon_users
    login/system_client, etc.




    3. What's the basic difference between SU22 & SU24?
    Ans:
    SU22: it will update the values in tables USOBT, USOBX.
    SU24: it will update the values in tables USOBT_C, USOBX_C.

    4. What exactly is SU25? What's the significance of its 2a, 2b, 2c & 2d sections?
    Ans: The main use of SU25 is the installation of the Profile Generator. It is a one-time activity. When you run this, it will copy the values from tables USOBT, USOBX to USOBT_C, USOBX_C.
    USOBT = tcode vs. authorization objects
    USOBX = tcode vs. authorization object and check indicator



    5. Other than SU53, how can you get missing authorisation details?
    Ans:
    Using the ST01 system trace.
    6. How can we reset the password for 1000 users at one shot? Is it possible?
    Ans: By setting the parameter login/password_max_reset_valid.
    Also using the user group, I think, but I am not sure.

    7. Is it possible to derive a role which is not having any t-code but have some manually entered authorization objects? If yes, how?
    Ans:

    8. Can we reset our self SAP password? Please note, you don't have SU01's authorization.
    Ans:


    9. Suppose my Dev system has 3 clients. In one of the client, I'm making some changes in a tcode. Will the changes get reflected in other client's also? If yes, how?

    Ans: Yes, only the cross-client objects will get reflected.

    10. Through which tcode can I do a mass user comparison? What's the daily background job for the same?
    Ans: SM36 by scheduling the report periodically, or SA38 by running the report.
    Report name: PFCG_TIME_DEPENDENCY

    11. What does PRGN_STAT & TCODE_MOD table consist of?

    Ans:
    12. What does we check through SM50 & SM51?
    Ans: SM50: local work process overview
    SM51: global work process overview

    13. Which are the necessary objects for controlling the t-code SU01?
    Ans:S_USER_GRP,S_USER_AGR

    14. Can we give display access for DEBUGGING to a user? If yes, how?
    Ans:
    15. What are the SAP default Service users & what are their default passwords? What password does system bydefault generate for these Service User/s while installing a new client within the system?
    Ans: Default users DDIC, SAP*. Default passwords: master password, pass.

    16. From where we can create new Authorization field?
    Ans:SU20

    17. Is it possible to assign ABAP role to Portal user? If yes, how?
    Ans:

    18. How can we gain control over Infotypes?

    19. Why we have to generate the profile again after saving the authorization data while role creation/modification?
    Ans:

    20. When does a profile become 11 character string?
    Ans:

    21. How can we find out the roles that got directly generated into Production & not imported from Quality System? Please note, you don't have any Quality user id.
    Ans:

    22. How CUA can help from Management standpoint of a Business, having SAP installed?
    Ans:
    By using CUA we can maintain the users from a central system or client.
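The login/* profile parameters the answer above points at are what an auditor or pentester checks first on an ABAP system. As an added example (not part of the comment above and not SAP code), here is a Python checker that parses an RZ10-style profile text and compares the login/* values against a baseline. The parameter names used are real NetWeaver profile parameters, spelled as RZ11 shows them; the thresholds and both sample profiles are constructed for this example and should be replaced by your own policy.

```python
"""Check an SAP ABAP instance profile's login/* password parameters against a
baseline. Added example; not SAP code. The parameter names are real NetWeaver
profile parameters; the thresholds and both sample profiles are constructed."""

# rule shapes: ("min", n) value >= n; ("max", n) value <= n; ("eq", n) value == n;
# ("range", lo, hi) lo <= value <= hi (so that 0 = "passwords never expire" fails).
BASELINE = {
    "login/min_password_lng":          ("min", 8),
    "login/min_password_digits":       ("min", 1),
    "login/min_password_letters":      ("min", 1),
    "login/min_password_specials":     ("min", 1),
    "login/password_expiration_time":  ("range", 1, 90),
    "login/fails_to_user_lock":        ("max", 5),
    "login/failed_user_auto_unlock":   ("eq", 0),  # keep lockouts until an admin unlocks
    "login/no_automatic_user_sapstar": ("eq", 1),  # no passwordless SAP* fallback
    "login/disable_multi_gui_login":   ("eq", 1),
}

# Constructed sample profiles in RZ10 text format ('#' starts a comment).
WEAK_PROFILE = """\
# DEFAULT.PFL excerpt (constructed)
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/min_password_digits = 0
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/no_automatic_user_sapstar = 0
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
login/min_password_lng = 12
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/no_automatic_user_sapstar = 1
login/disable_multi_gui_login = 1
"""


def parse_profile(text):
    """Parse 'name = value' lines; a later line overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def satisfies(rule, value):
    kind = rule[0]
    if kind == "min":
        return value >= rule[1]
    if kind == "max":
        return value <= rule[1]
    if kind == "eq":
        return value == rule[1]
    if kind == "range":
        return rule[1] <= value <= rule[2]
    raise ValueError(f"unknown rule {rule!r}")


def check(params, baseline=BASELINE):
    """Return (parameter, status, detail) for each deviation from the baseline.
    A parameter that is not set is reported as 'missing', because the kernel
    default then applies and that is usually weaker than the baseline."""
    findings = []
    for name, rule in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "missing", f"not set; expected {rule}"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, "invalid", f"non-numeric value {raw!r}"))
            continue
        if not satisfies(rule, value):
            findings.append((name, "weak", f"{value} does not satisfy {rule}"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for name, status, detail in findings:
            print(f"  {status:8} {name}: {detail}")
```

Two caveats when using this on a real system: a parameter that is misspelled in the profile is silently ignored by the kernel and falls back to the default, which is why the checker reports unset parameters rather than skipping them, and RZ10 values can be overridden per instance, so check the instance profile as well as DEFAULT.PFL (or read the effective values from RZ11).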
  • 24 Apr 2014 4:43 pm SAP Training Helpful Answer

    Some GRC Questions:

    1. What are the components of GRC?

    ANS: 1. ACCESS CONTROL 2. PROCESS CONTROL 3. RISK MANAGEMENT 4. GLOBAL TRADE SYSTEM  5. NOTA FISCAL ELECTRONICA

     

