SAP GRC Interview Questions 1702535530

This document contains interview questions and answers related to SAP GRC. It discusses topics like personalization in roles, finding authorization values, mass deleting roles, finding users that were deleted, inserting missing authorizations, differences between roles and profiles, profile versions, use of role templates, differences between single and composite roles, authorization required to create and maintain users, R/3 user types, derived roles, composite roles, what user compare does, and differences between check and unmentioned indicators.


SAP GRC
INTERVIEW
QUESTIONS

Phone/Whatsapp: +1 (515) 309-7846 (USA)


Email: [email protected]
Website: www.zarantech.com

SAP GRC Interview Questions

Q1. Explain the Personalization tab within a role.

A. Personalization is a way to save information that is common to the users of a role rather
than to an individual user. For example, you can create SAP queries and manage their
authorizations by user group; that information can then be stored in the Personalization tab
of the role. (This seems to be SAP's way of addressing the ambiguity in its own concepts of
user group and role: is the "user group" the grouping of people who share the same access,
or is it the role that groups the people sharing the same access?)

Q2. Is there a table for authorizations where I can quickly see the values entered in a group of
fields?
A. In particular, I am looking to find the field values for P_ORGIN across a number of
authorization profiles, without having to drill down on each profile and authorization.

Q3. How can I do a mass delete of the roles without deleting the new roles?
A. There is an SAP-delivered report that you can copy, remove the system type check from, and
run. To do a landscape-wide delete, enter the roles to be deleted in a transport, run the delete
program (or delete manually), and then release the transport and import it into all clients
and systems.
The report is called AGR_DELETE_ALL_ACTIVITY_GROUPS.
To use it, you need to tweak (debug and replace) the code, because it has a check that
ensures it only deletes SAP-delivered roles. Once you get past that, it works well.

Q4. Someone has deleted users in our system, and I am eager to find out who. Is there a table
where this is logged?
A. Debug, or use report RSUSR100 to find the information. Alternatively, run transaction SUIM
and drill down into its Change Documents node.

Q5. How to insert missing authorizations?

A. SU53 is the best transaction for finding the missing authorizations; we can then insert
those missing authorizations into the role through PFCG.

Q6. What is the difference between a role and a profile?

A. Role and profile go hand in hand: the profile is brought in by the role. The role is used as a
template to which you add T-codes and reports; the profile is what actually gives the user the
authorizations. When you create a role, a profile is automatically created.


Q7. What are profile versions?

A. Profile versions arise when you modify a profile parameter through RZ10 and generate: a
new profile is created with a different version number and is stored in the database.

Q8. What is the use of role templates?

A. User role templates are predefined activity groups delivered by SAP, consisting of
transactions, reports, and web addresses.

Q9. What is the difference between a single role & a composite role?
A. A role is a container that collects the transaction and generates the associated profile. A
composite role is a container that can collect several different roles.

Q10. Is it possible to change the role template? How?

A. Yes, we can change a user role template. There are exactly three ways in which we can work
with user role templates:
We can use them as they are delivered by SAP.
We can modify them as per our needs through PFCG.
We can create them from scratch.

Q11. How to create users?

A. Execute transaction SU01 and fill in the fields. When creating a new user, you must enter
an initial password for that user on the Logon Data tab. All other data is optional.

Q12. What is the difference between USOBX_C and USOBT_C?

A. USOBX_C: the table USOBX_C defines which authorization checks are to be performed
within a transaction and which are not (despite the AUTHORITY-CHECK command being
programmed). This table also determines which authorization checks are maintained in the
Profile Generator.
USOBT_C: the table USOBT_C defines, for each transaction and each authorization object,
which default values an authorization created from that object should have in the Profile
Generator.

Q13. What authorization is required to create and maintain user master records?
A. The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile


Q14. List R/3 user types.

A. Dialog user: used for individual (interactive) users. The system checks for expired/initial
passwords, the user can change their own password, and multiple dialog logons are checked.
Service user: only user administrators can change the password. There is no check for
expired/initial passwords, and multiple logins are permitted.
System user: not capable of dialog interaction; used to perform certain system activities,
such as background processing, ALE, Workflow, and so on.
Reference user: like a System user, a general, non-personally related user. Additional
authorizations can be assigned within the system using a reference user; a reference user
for additional rights can be assigned to every user on the Roles tab.

Q15. What is a derived role?


A. 1. Derived roles refer to roles that already exist. The derived roles inherit the menu
structure and the functions included (transactions, reports, Web links, and so on) from
the role referenced. A role can only inherit menus and functions if no transaction codes
have been assigned to it before.
2. The higher-level role passes on its authorizations to the derived role as default values
which can be changed afterward. Organizational-level definitions are not passed on.
They must be created anew in the inheriting role. User assignments are not passed on
either.
3. Derived roles are an elegant way of maintaining roles that do not differ in their
functionality (identical menus and identical transactions) but have different
characteristics with regard to the organizational level.

Q16. What is a composite role?

A. 1. A composite role is a container that can collect several different roles. For reasons of
clarity, it does not make sense, and is therefore not allowed, to add composite roles to
composite roles. Composite roles are also called collective roles.
2. Composite roles do not contain authorization data. If you want to change the
authorizations (that are represented by a composite role), you must maintain the data
for each role of the composite role.
3. Creating composite roles makes sense if some of your employees need authorizations
from several roles. Instead of adding each user separately to each role required, you can
set up a composite role and assign the users to that group.


Q17. What does the user compare do?

A. If you are also using the role to generate authorization profiles, note that the generated
profile is not entered in the user master record until the user master records have been
compared. You can automate this by scheduling the report PFCG_TIME_DEPENDENCY.

Q18. How do I change the name of the master/parent role while keeping the name of the
derived/child role the same? I would like to keep the name of the derived/child role the same
and also the profile associated with the child roles.
A. First, copy the master role using PFCG to a role with the new name you wish to have. Then
generate the role. Now open each derived role and delete the menu. Once the menu is
removed, you can enter a new inheritance and put in the name of the new master role you
created. This lets you keep the same derived role name and also the same profile name. Once
the new roles are done you can transport them; the transport automatically includes the
parent roles.

Q19. What is the difference between C (Check) and U (Unmaintained)?

A. Background: when defining authorizations using the Profile Generator (PG), the table
USOBX_C defines which authorization checks should occur within a transaction and which
authorization checks should be maintained in the PG. You determine the authorization
checks that can be maintained in the PG using check indicators. USOBX_C is a check table
for table USOBT_C.
In USOBX_C there are 4 check indicators.

1. CM (Check/Maintain)
An authority check is carried out against this object.
The PG creates an authorization for this object and field values are displayed for
changing.
Default values for this authorization can be maintained.

2. C (Check)
An authority check is carried out against this object.
The PG does not create an authorization for this object, so field values are not
displayed.

3. N (No check)
The authority check against this object is disabled.
The PG does not create an authorization for this object, so field values are not
displayed.
No default values can be maintained for this authorization.


4. U (Unmaintained)
No check indicator is set.
An authority check is always carried out against this object.
The PG does not create an authorization for this object, so field values are not
displayed.
No default values can be maintained for this authorization.
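The following is an added example, not code from this document, from ZaranTech or from SAP. It models in Python how the Profile Generator combines the USOBX_C check indicators just described (Q19) with the USOBT_C default values (Q12) when it proposes authorizations for a role menu. The transaction and object names are real SAP ones, but the indicators and default values assigned to them here are constructed assumptions for the demo; SU24, mentioned in a comment, is the standard maintenance transaction for these tables and is not named on this page.

```python
"""Model of how the Profile Generator (PG) turns USOBX_C check indicators and
USOBT_C default values into proposed authorizations for a role menu.

Added example, not SAP code. The rows below are constructed: the transaction
and object names are real, but which indicator and defaults they carry here
are assumptions made for the demo.
"""
from collections import defaultdict

# Constructed USOBX_C rows: (tcode, object) -> check indicator
USOBX_C = {
    ("SU01", "S_TCODE"):    "CM",  # checked, and the PG proposes an authorization
    ("SU01", "S_USER_GRP"): "CM",
    ("SU01", "S_USER_PRO"): "CM",
    ("SU01", "S_ADDRESS1"): "C",   # checked at runtime, but no proposal is created
    ("SU01", "S_USER_SAS"): "N",   # the authority check is switched off for SU01
    ("SU01", "S_USER_AUT"): "U",   # nothing maintained: always checked, no proposal
}

# Constructed USOBT_C rows: (tcode, object) -> [(field, low, high), ...]
USOBT_C = {
    ("SU01", "S_TCODE"):    [("TCD", "SU01", "")],
    ("SU01", "S_USER_GRP"): [("CLASS", "*", ""), ("ACTVT", "03", "")],
    ("SU01", "S_USER_PRO"): [("PROFILE", "*", ""), ("ACTVT", "03", "")],
    ("SU01", "S_ADDRESS1"): [("ACTVT", "03", "")],  # ignored by the PG: indicator is C
}

# Semantics of each indicator as described in the answer above:
# (authority check carried out?, PG creates a proposal?, indicator maintained at all?)
INDICATOR_SEMANTICS = {
    "CM": (True,  True,  True),
    "C":  (True,  False, True),
    "N":  (False, False, True),
    "U":  (True,  False, False),
}


def build_proposals(menu_tcodes):
    """Authorizations the PG would propose for a role whose menu holds `menu_tcodes`.

    Only (tcode, object) pairs flagged CM produce a proposal; the field values come
    from USOBT_C and are merged across all transactions in the menu.
    Returns {object: {field: [(low, high), ...]}}.
    """
    proposals = defaultdict(lambda: defaultdict(set))
    for (tcode, obj), indicator in USOBX_C.items():
        if tcode not in menu_tcodes:
            continue
        _checked, proposes, _maintained = INDICATOR_SEMANTICS[indicator]
        if not proposes:
            continue
        for field, low, high in USOBT_C.get((tcode, obj), []):
            proposals[obj][field].add((low, high))
    return {obj: {f: sorted(vals) for f, vals in fields.items()}
            for obj, fields in proposals.items()}


def checked_but_unproposed(menu_tcodes):
    """Objects that ARE checked at runtime but get NO proposal (indicators C and U).

    These are the checks a role builder only discovers through SU53 failures and
    must add to the role by hand. U additionally means nobody has maintained the
    indicator yet, which is the practical difference between C and U.
    Returns {object: indicator}.
    """
    result = {}
    for (tcode, obj), indicator in USOBX_C.items():
        if tcode not in menu_tcodes:
            continue
        checked, proposes, _maintained = INDICATOR_SEMANTICS[indicator]
        if checked and not proposes:
            result[obj] = indicator
    return result


def unmaintained_objects(menu_tcodes):
    """Objects whose indicator is still U, i.e. candidates for maintenance in SU24."""
    return sorted(obj for (tcode, obj), ind in USOBX_C.items()
                  if tcode in menu_tcodes and not INDICATOR_SEMANTICS[ind][2])


if __name__ == "__main__":
    print(build_proposals({"SU01"}))
    print(checked_but_unproposed({"SU01"}))
```

The two result sets are what a role review is really about: `build_proposals` is what PFCG would fill in automatically, while `checked_but_unproposed` lists the objects whose runtime check will fail silently for a role built only from the menu, and which therefore show up later as SU53 entries.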

Q20. Can wildcards be used in authorizations?


A. Authorization values may contain wildcards; however, the system ignores everything after
the wildcard. Therefore, A*B is the same as A*.
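To make the wildcard rule concrete, here is an added example (not from this document or from SAP) that models in Python how an AUTHORITY-CHECK compares the required field values against a user's authorizations, applying the rule that everything after the wildcard is ignored, so that A*B behaves exactly like A*. The object and field names (S_USER_GRP with CLASS and ACTVT) are real SAP ones; the user buffer contents and the checks are constructed sample data, and the single-value/prefix matching shown here is a simplification that leaves out SAP's from-to ranges.

```python
"""Model of an AUTHORITY-CHECK against the values held in a user's authorizations,
including the wildcard rule: text after the first '*' is ignored, so 'A*B' == 'A*'.

Added example, not SAP code. The authorizations and checks below are constructed.
"""


def normalize_value(value):
    """Apply the wildcard rule: keep only the text up to and including the first '*'."""
    star = value.find("*")
    return value if star < 0 else value[: star + 1]


def value_matches(auth_value, required):
    """Does one authorization value cover the required value?"""
    pattern = normalize_value(auth_value)
    if pattern == "*":                     # a bare star (or anything after it) covers all
        return True
    if pattern.endswith("*"):              # prefix wildcard: the tail after '*' is ignored
        return required.startswith(pattern[:-1])
    return required == auth_value          # no wildcard: exact match only


def authorization_covers(auth, required):
    """An authorization covers a check only if EVERY checked field has a matching value."""
    for field, needed in required.items():
        if not any(value_matches(v, needed) for v in auth.get(field, [])):
            return False
    return True


def authority_check(user_buffer, obj, required):
    """True if any authorization for `obj` in the user buffer satisfies all fields.

    user_buffer has the shape {object: [{field: [values]}, ...]}, i.e. the
    authorizations SU56 displays for the logged-on user.
    """
    return any(authorization_covers(a, required) for a in user_buffer.get(obj, []))


# Constructed buffer: a user administrator limited to user groups starting with 'HR'.
# The value 'HR*X' was presumably meant to be narrower, but the rule makes it 'HR*'.
USER_BUFFER = {
    "S_USER_GRP": [
        {"CLASS": ["HR*X"], "ACTVT": ["02", "03"]},
    ],
}


def demo():
    """Run a few checks against the constructed buffer and return the outcomes."""
    return {
        "hr_display": authority_check(USER_BUFFER, "S_USER_GRP",
                                      {"CLASS": "HR_PAYROLL", "ACTVT": "03"}),
        "hr_delete": authority_check(USER_BUFFER, "S_USER_GRP",
                                     {"CLASS": "HR_PAYROLL", "ACTVT": "06"}),
        "fi_display": authority_check(USER_BUFFER, "S_USER_GRP",
                                      {"CLASS": "FI_CLERK", "ACTVT": "03"}),
        "tail_ignored": value_matches("A*B", "AZZZ") == value_matches("A*", "AZZZ"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a role reviewer is the `HR*X` line: a value that looks restrictive is, after the wildcard rule, a plain `HR*` prefix, so a review of authorization values should treat anything after the first `*` as if it were not there.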

Q21. What is the PFCG time dependency cleanup?

A. The PFCG time dependency background report (PFCG_TIME_DEPENDENCY) removes profiles
from the user master records whose role assignments are no longer valid. Alternatively, you
may use transaction PFUD.

Q22. How do we check whether PFCG_TIME_DEPENDENCY is running for user master reconciliation?
A. Execute SM37 and search for PFCG_TIME_DEPENDENCY.

Q23. What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?

A. PFCG is used to create, maintain and modify roles. PFCG_TIME_DEPENDENCY is the
background job version of PFUD. PFUD is used for the mass user comparison; the difference
is that if you schedule the background job on a daily basis, the mass user comparison runs
automatically.
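The user comparison described in Q17, Q21 and Q23 is easy to misjudge until you see what the job actually writes, so here is an added example (not from this document, from ZaranTech or from SAP) that models it in Python: role assignments carry a validity period, each generated role maps to one or more profiles, and a comparison computes which profiles the user master record should hold today, adding profiles for valid assignments and removing those whose assignment has expired. The user IDs, role names, profile names and dates are constructed sample data.

```python
"""Model of the user master comparison (PFUD interactively, PFCG_TIME_DEPENDENCY
as a scheduled job): generated profiles reach the user master record only when
a comparison runs, and the comparison drops profiles of assignments that are
expired or not yet valid.

Added example, not SAP code. All names and dates below are constructed.
"""
from datetime import date

# Constructed: generated profiles per role (a role with more than 150
# authorizations gets several profiles, as Q27 explains)
GENERATED_PROFILES = {
    "Z_HR_DISPLAY": ["T-HR000100"],
    "Z_FI_POST":    ["T-FI000200", "T-FI000201"],
    "Z_TEMP_AUDIT": ["T-AU000300"],
}

# Constructed: role assignments as (user, role, valid_from, valid_to)
ASSIGNMENTS = [
    ("JDOE",   "Z_HR_DISPLAY", date(2023, 1, 1), date(9999, 12, 31)),
    ("JDOE",   "Z_TEMP_AUDIT", date(2023, 6, 1), date(2023, 6, 30)),    # time-limited
    ("ASMITH", "Z_FI_POST",    date(2024, 1, 1), date(9999, 12, 31)),   # starts later
]


def user_compare(assignments, profiles, today):
    """Profiles each user master record should hold on `today`.

    This is the result a comparison writes: the profiles of currently valid
    role assignments are present, everything else is removed.
    Returns {user: [profile, ...]}.
    """
    result = {}
    for user, role, valid_from, valid_to in assignments:
        result.setdefault(user, set())
        if valid_from <= today <= valid_to:
            result[user].update(profiles.get(role, []))
    return {u: sorted(p) for u, p in result.items()}


def drift(current_master, assignments, profiles, today):
    """Difference between what the user master holds and what a comparison would write.

    Without a daily comparison this drift is exactly what an expired, time-limited
    role leaves behind: the assignment has ended but the profile is still active.
    Returns {user: {"stale": [...], "missing": [...]}} for users that differ.
    """
    expected = user_compare(assignments, profiles, today)
    report = {}
    for user in set(current_master) | set(expected):
        have = set(current_master.get(user, []))
        want = set(expected.get(user, []))
        if have != want:
            report[user] = {"stale": sorted(have - want), "missing": sorted(want - have)}
    return report


if __name__ == "__main__":
    print(user_compare(ASSIGNMENTS, GENERATED_PROFILES, date(2023, 6, 15)))
    # A user master last compared in June, looked at on 1 July:
    print(drift({"JDOE": ["T-AU000300", "T-HR000100"]},
                ASSIGNMENTS, GENERATED_PROFILES, date(2023, 7, 1)))
```

`drift` is the check worth running against a system where the daily job is suspected of not running (Q22): any "stale" entry is a profile still in the user buffer after its role assignment has ended.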

Q24. What happens to change documents when they are transported to the production system?
A. Change documents cannot be displayed in transaction SUIM after they are transported to
the production system, because there is no 'before input' method for the transport. Normally,
when changes are made, the table USR10 is filled with the current values and the old values
are written to the USH10 table beforehand.

The difference between the two tables is then calculated, and the content of the change
documents is determined from that difference. This does not work when change documents
are transported to the production system.

The USR10 table is automatically filled with the current values by the transport, and there is
no option to fill the USH10 table in advance (for the history), because there is no 'before
input' method to fill USH10 before the transport.
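The mechanism above (before-image in USH10, current values in USR10, change document = the difference) is worth seeing end to end, so here is an added example, not from this document or from SAP, that models it in Python with a tiny in-memory store. The profile name and the authorization strings are constructed, and the table columns are simplified to "a set of authorizations per profile"; the point it shows is why an online change yields a change document while a transport import into production does not.

```python
"""Model of how profile change documents come about: an online change first
writes the old row to the history table (USH10), then updates the current
table (USR10), and the change document is the difference between the two.
A transport writes USR10 directly with no 'before input' step, so USH10 gets
nothing and SUIM has no difference to display.

Added example, not SAP code. Table contents are constructed and simplified.
"""
import copy


class ProfileStore:
    """One system's USR10/USH10 pair plus the change documents derived from them."""

    def __init__(self):
        self.usr10 = {}        # profile name -> set of authorizations (current values)
        self.ush10 = []        # history: (profile name, authorizations before the change)
        self.change_docs = []  # what SUIM can show for this system

    def change_online(self, profile, new_auths):
        """Path taken by an online change: before-image to USH10, then USR10, then diff."""
        before = self.usr10.get(profile, set())
        self.ush10.append((profile, copy.deepcopy(before)))   # the 'before input' step
        self.usr10[profile] = set(new_auths)
        self.change_docs.append(self._diff(profile, before, self.usr10[profile]))

    def import_transport(self, profile, new_auths):
        """Path taken by a transport: USR10 is overwritten and nothing reaches USH10."""
        self.usr10[profile] = set(new_auths)

    @staticmethod
    def _diff(profile, before, after):
        return {"profile": profile,
                "added": sorted(after - before),
                "removed": sorted(before - after)}

    def suim_change_documents(self, profile):
        """What SUIM can reconstruct: only changes that have a USH10 before-image."""
        return [d for d in self.change_docs if d["profile"] == profile]


def demo():
    """Change a profile twice in DEV, transport the result to PRD, return both stores."""
    dev = ProfileStore()
    dev.change_online("Z_HR_PROF", {"S_TCODE:SU01", "S_USER_GRP:03"})
    dev.change_online("Z_HR_PROF", {"S_TCODE:SU01", "S_USER_GRP:03", "S_USER_GRP:02"})

    prd = ProfileStore()
    prd.import_transport("Z_HR_PROF", dev.usr10["Z_HR_PROF"])
    return dev, prd


if __name__ == "__main__":
    dev, prd = demo()
    print("DEV change documents:", dev.suim_change_documents("Z_HR_PROF"))
    print("PRD change documents:", prd.suim_change_documents("Z_HR_PROF"))
```

For an auditor this is the reason the change history of transported profiles has to be read in the development system (or from the transport logs), not from SUIM in production: production holds the same final values but never had the before-image.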


Q25. What is the difference between the table buffer and the user buffer?
A. The table buffers are in shared memory. Buffering tables increases performance when
accessing the data records contained in the table. Table buffers and table entries are
ignored during startup. A user buffer is the buffer into which the data of a user master record
is loaded when the user logs on. The user buffer has different setting options, controlled by
the profile parameter auth/new_buffering.

Q26. What does the Profile Generator do?

A. The Profile Generator creates roles. It is important that suitable user roles, and not profiles,
are entered manually in transaction SU01; the system should enter the profiles for this user
automatically.

Q27. How many authorizations fit into a profile?


A. A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds
this marker, the Profile Generator will automatically create more profiles for the role. A
profile name consists of twelve (12) characters and the first ten (10) may be changed when
generated for the first time.

Q28. How can I mass delete roles without deleting the new roles?
A. Use the SAP report described under Q3: copy it, remove the system type check, and run it.
For a landscape-wide delete, first enter the roles to be deleted in a transport, run the delete
program (or delete manually), and then release the transport and import it into all systems.
To use the report you have to replace the code that restricts it to deleting SAP-delivered
roles only.

Q29. What is the rule set in GRC?

A. A rule set is nothing but a collection of rules; the delivered one is the Global rule set.

Q30. What is the landscape of GRC?

A. The GRC landscape is a 2-system landscape:
SAP GRC DEV
SAP GRC PRD
In GRC there is no Quality system.

Q31. If you are using 10 firefighter IDs at a time, how will the log report go to the controller?
A. This is assigned to the users with changing roles with high-level comparison.


Q32. What is a rule set? And how do you update a risk ID in the rule set?

A. During indirect role assignment of users via P013 and P010, we have to run a comparison so
that the assignment is reflected in the user's SU01 record.

Q33. What is the procedure for role modifications?

A. This task is done by the PFCG time dependency background job.

Q34. Who will do the user comparison?

A. If changes are to be reflected immediately, a user comparison is required.

Q35. What is the use of GRC risk management?

A. SAP GRC Risk Management lets you manage risk management activities. You plan to identify
the risks in the business and implement measures to manage them, allowing better decisions
that improve the performance of the business.

Q36. What are the different types of risks?


A. Operational risk
Strategic risk
Compliance risk
Financial risk

Q37. What is SAP GRC audit management?

A. It improves the audit management process in an organization by documenting artifacts,
organization, work papers, and audit reports. It integrates with the other governance, risk,
and compliance solutions to align audit management policies with business aims.

Q38. What are Global Trade Services?

A. SAP GRC Global Trade Services (GTS) helps organizations manage cross-border supply
within the limits of international trade regulations. It reduces the risk of penalties from
international trade regulation authorities by keeping a single repository of compliance master
data, irrespective of the size of the institution.

Q39. Is it possible to lock all the users at the same time in SAP system?
A. Yes, using Tcode EWZ5.


Q40. What is an authorization object and an authorization object class?

A. An authorization object is what controls activities in the SAP system. Authorization objects
are grouped into object classes by functional area, such as finance, accounting, and so on.

Q41. How are actions in the SAP system controlled using GRC access control?
A. SAP GRC access control uses UME roles to control system and administrator actions; a UME
action is the smallest entity of a UME role for which a user can be granted access rights.

Q42. What is UME? How does it work?

A. UME is the User Management Engine. It is used to control access to certain tabs: a tab is
not displayed after user login unless the user has the corresponding UME action. All available
standard UME actions are assigned to the admin user.

Q43. What are the CC roles that can be created at implementation?

A. CC reporting view: Compliance Calibrator display and reporting.
CC rule maintenance: Compliance Calibrator rule maintenance.
CC mitigation maintenance: Compliance Calibrator mitigation maintenance.
CC administration: Compliance Calibrator administrator and basic configuration.

Q44. What are the key activities that process control shares with access control in GRC?
A. In the process control solution, controls are activated as mitigation controls in access
control under the SAP GRC 10.0 solution.
Access control and process control share the same organization.
Process control and access control are integrated for access risk analysis to monitor
segregation of duties (SoD).

Q45. What is IAM (Internal Audit Management)?

A. Internal Audit Management lets you use the information from risk management and
process control in audit planning. Audit proposals can be transferred to audit management
for processing when required, and audit items can be used to generate issues for reporting.
It is used to define the audit universe and to create and view audit reports.


Q46. What are the different activities that can be performed under IAM?
A. Audit universe, which contains the auditable entities.
Audit risk rating.
Audit planning, to define the procedure for audit compliance.
Audit issues, for audit actions.
Audit reports, to see what risks exist on the auditable entities.

Q47. What is audit risk rating (ARR)?

A. Audit risk rating is used to define the criteria for an organization to determine risk ratings
and to rank by risk rating.
You define a set of auditable entities and risk factors.
Based on the risk score, you rate the auditable entities.

Q48. What is the report and analytics work center in GRC?

A. The report and analytics work center is shared by process control and the other GRC
applications; it consists of the compliance section of the GRC applications.

Q49. What are the different reports under process control?


A. Evaluation status dashboard, survey result datasheet.

Q50. What are the different phases in GRC risk management?


A. Risk recognition
Rule building and validation
Analysis
Remediation
Mitigation
Continuous compliance

Q51. What is rule building under risk management?


A. Reference the best practice rules for the environment.
Validation of rules
Customize rules and tests
Verify against test user and role cases


Q52. What is the difference between preventive mitigation controls and detective mitigation
controls?
A. Preventive mitigation controls come under:
Configuration
User exit
Security
Define workflow
Custom object

Detective mitigation controls come under:
Activity report
Comparison vs. actual review
Budget review
Alerts

Q53. What are the critical T-codes and authorization objects in R/3?
A. The user master record transactions are the critical ones: SU01, PFCG, RZ10, RZ11, SU21,
SU03, and many more. Critical authorization objects include:
S_TABU_DIS
S_USER_PRO
S_USER_GRP

Q54. Explain SPM.

A. SPM (Superuser Privilege Management) can be used to maintain and monitor superuser
access in an SAP system. This enables superusers to perform emergency activities and critical
transactions within a completely auditable environment. The logs of the SPM user IDs help
auditors easily trace the critical transactions that have been performed by the business users.

Q55. What is the use of su56?


A. Displays the current user's Authorization Profiles available in the ID. It can also be used to
reset their User buffer to pick up new roles and authorizations.

Q56. What is the use of RSECADMIN?

A. In SAP BI, analysis authorizations for reporting users are maintained using transaction
RSECADMIN. RSECADMIN is used to maintain analysis authorizations and to assign them to
users.


Q57. What is offline risk analysis?


A. Offline Mode Risk Analysis process is performed with the help of the Risk Identification and
Remediation module in SAP GRC Access Control Suite. Offline mode Analysis helps in
identifying SOD Violations in an ERP System remotely. The data from the system is exported
to flat files and then it can be imported into the CC instance with the help of a data extractor
utility.

It can also be used to remotely analyze an ERP system that may be present in a different
ERP Landscape.

Q58. How can I find out whether CUA (Central User Administration) is configured on my SAP
system?
A. Execute SU01 and look for a tab called Systems. If the Systems tab is not displayed on the
SU01 screen, no CUA is configured.

Q59. How do we test security systems?


A. Through Tcode SU56, We will check the user's buffer

Q60. How do we schedule and administer background jobs?

A. Scheduling and administering background jobs is done using transactions SM36 and SM37.

Q61. Do S_TABU_DIS org-level values in a master role get reflected in the child role?
A. If we run "adjust derived roles" from the master role after updating the values in the master
role, the values are reflected in the child roles.
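The inheritance rules from Q15 and the "adjust derived roles" behaviour in Q61 are easiest to check in code, so here is an added example (not from this document, from ZaranTech or from SAP) that models them in Python: a derived role inherits the menu and the non-org-level authorization values from its parent, org-level values and user assignments are not passed on, and adjusting the derived roles after a change in the parent pushes the parent's new values to the children while each child keeps its own org levels. The role names and values are constructed; F_BKPF_BUK (BUKRS, ACTVT) and S_TABU_DIS (DICBERCLS, ACTVT) are real SAP objects, and the set of fields treated as organizational levels is an assumption for the demo.

```python
"""Model of role derivation and of 'adjust derived roles'.

Added example, not SAP code. Role names and values are constructed; which
fields count as organizational levels is an assumption made for the demo.
"""
import copy

ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}   # constructed: fields treated as org levels


class Role:
    def __init__(self, name, menu=None, auths=None):
        self.name = name
        self.menu = list(menu or [])                 # transaction codes in the menu
        self.auths = copy.deepcopy(auths or {})      # object -> field -> [values]
        self.users = set()                           # user assignments (never inherited)
        self.parent = None

    def _non_org_level_auths(self):
        """Copy of this role's authorizations with every org-level field emptied."""
        out = {}
        for obj, fields in self.auths.items():
            out[obj] = {f: ([] if f in ORG_LEVEL_FIELDS else list(v))
                        for f, v in fields.items()}
        return out

    def derive(self, child_name):
        """Create a derived role: menu and non-org-level values are inherited,
        org levels stay empty and must be maintained in the child."""
        child = Role(child_name, menu=self.menu)
        child.parent = self
        child.auths = self._non_org_level_auths()
        return child

    def set_org_levels(self, values):
        """Maintain this role's own org levels, e.g. {'BUKRS': ['1000']}."""
        for fields in self.auths.values():
            for f in fields:
                if f in values:
                    fields[f] = list(values[f])

    def adjust_derived(self, children):
        """Push this parent's menu and non-org-level values to the children;
        each child keeps the org-level values it maintained itself."""
        for child in children:
            kept = {obj: {f: v for f, v in fields.items() if f in ORG_LEVEL_FIELDS}
                    for obj, fields in child.auths.items()}
            child.auths = self._non_org_level_auths()
            for obj, fields in kept.items():
                child.auths.setdefault(obj, {}).update(fields)
            child.menu = list(self.menu)


def demo():
    """Build a parent, derive a child, change the parent, adjust, and return both."""
    parent = Role("Z_FI_POST_MASTER", menu=["FB01", "FB03"],
                  auths={"F_BKPF_BUK": {"BUKRS": ["*"], "ACTVT": ["01", "03"]}})
    child = parent.derive("Z_FI_POST_1000")
    child.set_org_levels({"BUKRS": ["1000"]})     # the child's own company code
    parent.users.add("ADMIN")                     # not passed on to the child

    # Later change in the parent: a new activity, and S_TABU_DIS added (Q61)
    parent.auths["F_BKPF_BUK"]["ACTVT"] = ["01", "02", "03"]
    parent.auths["S_TABU_DIS"] = {"DICBERCLS": ["FC31"], "ACTVT": ["03"]}
    parent.adjust_derived([child])
    return parent, child


if __name__ == "__main__":
    parent, child = demo()
    print(child.name, child.menu, child.auths, child.users)
```

Two things this makes visible that the prose only states: the child's `BUKRS` is empty right after `derive`, so a derived role that was never given its org levels grants nothing for that field, and after `adjust_derived` the child still holds `1000` while picking up the parent's new `ACTVT` and `S_TABU_DIS` values.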

Q62. What is the T-code to get into RAR from R/3?


A. /virsar/ZVRAT

THANK YOU

Corporate Training Course Catalog


https://bit.ly/SAP-course-catalog

SAP Learner Community


https://www.linkedin.com/showcase/sap-learner-community/

Get any SAP Video Training


https://zarantech.teachable.com/courses/category/sap
