100 REAL TIME SAP GRC Interview Questions and Answers

1. What is the rule set in GRC?

A rule set is a collection of rules. GRC ships with a default rule set called the Global Rule Set.

2. What is the landscape of GRC?

The GRC landscape is a 2-system landscape; in GRC there is no Quality system.

3. Explain about SPM?

SPM (Superuser Privilege Management) is used to maintain and monitor super-user access in an SAP system. It enables super users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors easily trace the critical transactions that have been performed by the business users.

4. What is use of su56?

Displays the authorization profiles currently available in the user's ID (the user buffer). It can also be used to reset the user buffer so that newly assigned roles and authorizations are picked up.

5. What is the use of RSECADMIN?

Reporting users: analysis authorizations are maintained using transaction RSECADMIN.

RSECADMIN is used to maintain analysis authorizations and to assign them to users.

6. What is offline risk analysis?

Offline-mode risk analysis is performed with the help of the Risk Identification and Remediation module in the SAP GRC Access Control suite. Offline-mode analysis helps in identifying SoD violations in an ERP system remotely. The data from the system is exported to flat files, which can then be imported into the CC instance with the help of the data extractor utility.

It can also be used to remotely analyze an ERP system which may be present in a different ERP Landscape.
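To make the rule-set and offline-analysis answers above concrete, here is an added example (not SAP GRC code and not part of the original page) that performs the core of an offline SoD analysis: it reads two exported flat files, flattens role assignments into the actions each user can execute, and evaluates a rule set in which each risk is a pair of conflicting functions and each function is a set of actions. The CSV content, role names, function names and risk IDs (X001, X002) are constructed for illustration; the transactions are the critical ones named elsewhere on this page.

```python
"""Minimal offline SoD risk analysis over exported flat files.

Added example, not SAP GRC code. The rule set, users and roles are constructed;
risk IDs and function names are hypothetical. A real offline analysis exports
user/role/action data from the ERP system into flat files and imports them into
the risk analysis engine; here the "files" are CSV text embedded inline so the
script runs without any SAP system.
"""
import csv
import io
from collections import defaultdict

# Constructed export: which transactions (actions) each role grants.
ROLE_ACTIONS_CSV = """role,action
Z_USER_ADMIN,SU01
Z_USER_ADMIN,SU10
Z_ROLE_ADMIN,PFCG
Z_BASIS,RZ10
Z_BASIS,RZ11
Z_BASIS,SM37
"""

# Constructed export: role assignments per user.
USER_ROLES_CSV = """user,role
ALICE,Z_USER_ADMIN
ALICE,Z_ROLE_ADMIN
BOB,Z_USER_ADMIN
CAROL,Z_BASIS
CAROL,Z_ROLE_ADMIN
"""

# Constructed rule set: a function is a set of actions; a risk is a pair of
# conflicting functions. Risk IDs are hypothetical placeholders.
FUNCTIONS = {
    "USER_MAINT": {"SU01", "SU10"},
    "ROLE_MAINT": {"PFCG"},
    "SYS_PARAMS": {"RZ10", "RZ11"},
}
RULE_SET = {
    "X001": ("USER_MAINT", "ROLE_MAINT"),  # create users and grant them authorizations
    "X002": ("ROLE_MAINT", "SYS_PARAMS"),  # change roles and the profile parameters that govern checks
}


def load_pairs(csv_text):
    """Read a two-column CSV export into a dict of first column -> set of second column."""
    result = defaultdict(set)
    reader = csv.DictReader(io.StringIO(csv_text))
    key, value = reader.fieldnames
    for row in reader:
        result[row[key]].add(row[value])
    return result


def user_actions(user_roles, role_actions):
    """Flatten role assignments into the set of actions each user can execute."""
    return {
        user: set().union(*(role_actions[role] for role in roles))
        for user, roles in user_roles.items()
    }


def analyze(user_roles, role_actions, rule_set=RULE_SET, functions=FUNCTIONS):
    """Return {user: {risk_id: (actions hit in function A, actions hit in function B)}}.

    A user violates a risk only when they hold at least one action from *each*
    of the two conflicting functions; either function alone is not a violation.
    """
    violations = defaultdict(dict)
    for user, actions in user_actions(user_roles, role_actions).items():
        for risk_id, (fn_a, fn_b) in rule_set.items():
            hit_a = actions & functions[fn_a]
            hit_b = actions & functions[fn_b]
            if hit_a and hit_b:
                violations[user][risk_id] = (sorted(hit_a), sorted(hit_b))
    return dict(violations)


def run_offline_analysis(role_csv=ROLE_ACTIONS_CSV, user_csv=USER_ROLES_CSV):
    """Import both flat files and evaluate the rule set against them."""
    return analyze(load_pairs(user_csv), load_pairs(role_csv))


if __name__ == "__main__":
    for user, risks in sorted(run_offline_analysis().items()):
        for risk_id, (hit_a, hit_b) in risks.items():
            print(f"{user}: risk {risk_id} via {hit_a} + {hit_b}")
```

With the constructed data, ALICE violates X001 (user maintenance plus role maintenance), CAROL violates X002 (role maintenance plus system parameters), and BOB, who only holds user maintenance, has no violation. The same structure is what a rule-set update changes: adding a risk ID means adding a new function pair, and updating one means changing the actions inside a function.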

7. How can you find out whether CUA (Central User Administration) is configured on your SAP system?

Execute SU01 and look for a tab called "System". If the System tab is not displayed in the SU01 screen, no CUA is configured.

8. How do we test security systems? What is the use of SU56?

Through transaction SU56 we check the user's buffer.

9. How do we schedule and administer background jobs?

Scheduling and administration of background jobs is done with transactions SM36 and SM37.

10. What are the Critical Tcodes and Authorization Objects in R/3?

Put simply, all the transaction codes that can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical transaction codes.
Below are critical objects

11. How do we check whether PFCG_TIME_DEPENDENCY is running for user master reconciliations?

Execute SM37 and search for the job PFCG_TIME_DEPENDENCY.

12. What is a rule set, and how do you update a risk ID in a rule set?

Also, during indirect assignment of roles to users using transactions PO13 and PO10, we must do a user comparison so that the roles are reflected in the user's SU01 record.

13. What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?

PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is the background job version of PFUD.
PFUD is used for mass user comparison; the difference is that if you schedule the background job on a daily basis, it performs the mass user comparison automatically.

14. What does user compare do?

If you also use the role to generate authorization profiles, note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY.
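The three answers above describe the same mechanism from different angles, so here is one added example (not SAP code, not part of the original page) that simulates what a user master comparison does: it takes role assignments with validity periods and the generated profile of each role, derives the profiles a user master record should contain today, and reports what a comparison run would add to or remove from a stale record. The roles, profile names, users and dates are constructed for illustration.

```python
"""Simulate a user master comparison (PFUD / PFCG_TIME_DEPENDENCY).

Added example, not SAP code. Roles, profiles, users and dates are constructed.
Model: the user master record carries *profiles*; role assignments are kept
separately and carry a validity period. A comparison run writes the generated
profile of every assignment that is valid today into the user master and
removes profiles whose assignment has expired (or not yet started) or whose
role has no generated profile.
"""
from datetime import date

# Constructed: role -> generated profile name (None = role was never generated)
GENERATED_PROFILES = {
    "Z_AP_CLERK": "T-AP000001",
    "Z_AUDITOR": "T-AU000001",
    "Z_NEW_ROLE": None,  # created in PFCG but profile not generated yet
}

# Constructed: (user, role, valid_from, valid_to)
ASSIGNMENTS = [
    ("ALICE", "Z_AP_CLERK", date(2023, 1, 1), date(9999, 12, 31)),
    ("ALICE", "Z_AUDITOR", date(2023, 1, 1), date(2023, 12, 31)),  # expired
    ("ALICE", "Z_NEW_ROLE", date(2023, 1, 1), date(9999, 12, 31)),
    ("BOB", "Z_AUDITOR", date(2030, 1, 1), date(9999, 12, 31)),  # not yet valid
]

# Constructed: what the user master records contain *before* the comparison.
# ALICE still carries the auditor profile from last year and does not yet have
# the clerk profile, which was only generated after the role was assigned.
STALE_MASTER = {"ALICE": ["T-AU000001"], "BOB": []}


def user_comparison(assignments, generated_profiles, today):
    """Return {user: sorted profiles} as a comparison run leaves the user master."""
    masters = {}
    for user, role, valid_from, valid_to in assignments:
        masters.setdefault(user, set())
        profile = generated_profiles.get(role)
        # Only a generated profile of a currently valid assignment is entered.
        if profile and valid_from <= today <= valid_to:
            masters[user].add(profile)
    return {user: sorted(profiles) for user, profiles in masters.items()}


def comparison_delta(current_master, assignments, generated_profiles, today):
    """What a comparison run would add to / remove from each user master record."""
    target = user_comparison(assignments, generated_profiles, today)
    delta = {}
    for user in sorted(set(current_master) | set(target)):
        have = set(current_master.get(user, []))
        want = set(target.get(user, []))
        delta[user] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return delta


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed run date
    for user, change in comparison_delta(STALE_MASTER, ASSIGNMENTS,
                                         GENERATED_PROFILES, today).items():
        print(f"{user}: add {change['add']}, remove {change['remove']}")
```

Run on the constructed data, the comparison adds the clerk profile to ALICE and removes the expired auditor profile, leaves BOB empty because his assignment has not started, and gives nothing for Z_NEW_ROLE because it has no generated profile. Until such a run happens, SU56 for ALICE still shows the stale buffer, which is why a daily PFCG_TIME_DEPENDENCY job matters.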

15. Do the S_TABU_DIS org-level values in a master role get reflected in the child role?

If we adjust the derived roles from the master role while updating the values in the master role, then the values will be reflected in the child roles.

16. What is the T-code to get into RAR from R/3?


17. How do I change the name of the master/parent role while keeping the name of the derived/child role the same? I would like to keep the name of the derived/child role and the profile associated with the child roles.

First copy the master role using PFCG to a role with the new name you wish to have, then generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you enter a new inheritance, where you can put the name of the new master role you created. This keeps the same derived role name and the same profile name. Once the new roles are done you can transport them; the transport automatically includes the parent roles.

18. What is the difference between C (Check) and U (Unmaintained)?

When defining authorizations using the Profile Generator (PG), the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. USOBX_C is the check table for table USOBT_C.

In USOBX_C there are 4 check indicators.

CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.

C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
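The four indicators are easiest to understand by watching what the Profile Generator does with them, so here is an added example (not SAP code, not part of the original page) that simulates PG over constructed USOBX_C and USOBT_C rows: only CM objects get a proposed authorization with merged default values, C and U objects are checked by the kernel but get nothing proposed (the source of "missing authorization" findings after generation), and N objects are not checked at all. The transactions ZTX1/ZTX2 and objects Z_OBJ_A..D are constructed; S_TCODE with field TCD is the real object checked for transaction starts.

```python
"""Simulate how the Profile Generator uses USOBX_C / USOBT_C check indicators.

Added example, not SAP code. Table rows are constructed; transactions ZTX* and
objects Z_OBJ_* are illustrative, not taken from a real SU24 export.
USOBX_C says, per transaction and object, whether the kernel checks the object
(CM, C, U) or not (N) and whether PG proposes an authorization for it (CM only).
USOBT_C holds the default field values PG proposes for CM objects.
"""
from collections import defaultdict

# Constructed USOBX_C rows: (transaction, object, check indicator)
USOBX_C = [
    ("ZTX1", "S_TCODE", "CM"),
    ("ZTX1", "Z_OBJ_A", "CM"),
    ("ZTX1", "Z_OBJ_B", "C"),
    ("ZTX1", "Z_OBJ_C", "N"),
    ("ZTX1", "Z_OBJ_D", "U"),
    ("ZTX2", "S_TCODE", "CM"),
    ("ZTX2", "Z_OBJ_A", "CM"),
]

# Constructed USOBT_C rows: (transaction, object, field, default value)
USOBT_C = [
    ("ZTX1", "S_TCODE", "TCD", "ZTX1"),
    ("ZTX1", "Z_OBJ_A", "ACTVT", "03"),
    ("ZTX1", "Z_OBJ_B", "ACTVT", "02"),  # ignored by PG: indicator is C, not CM
    ("ZTX2", "S_TCODE", "TCD", "ZTX2"),
    ("ZTX2", "Z_OBJ_A", "ACTVT", "02"),
]

CHECKED = {"CM", "C", "U"}  # kernel performs the authority check
PROPOSED = {"CM"}           # PG creates an authorization with default values


def propose_authorizations(menu_transactions, usobx=USOBX_C, usobt=USOBT_C):
    """Return {object: {field: sorted values}} that PG would put into a role whose
    menu contains the given transactions. Only CM objects qualify; defaults from
    several transactions are merged into one authorization per object."""
    indicator = {(tcode, obj): ind for tcode, obj, ind in usobx}
    proposed = defaultdict(lambda: defaultdict(set))
    for tcode, obj, field, value in usobt:
        if tcode in menu_transactions and indicator.get((tcode, obj)) in PROPOSED:
            proposed[obj][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in proposed.items()}


def checked_but_not_proposed(menu_transactions, usobx=USOBX_C):
    """Objects the kernel checks at runtime although PG proposes nothing for them
    (indicators C and U). These must be maintained manually in the role, or the
    user fails the check after generation."""
    return sorted({obj for tcode, obj, ind in usobx
                   if tcode in menu_transactions and ind in CHECKED and ind not in PROPOSED})


def checks_disabled(menu_transactions, usobx=USOBX_C):
    """Objects with indicator N: the authority check is switched off for the
    transaction, so the role grants nothing for them and nothing is enforced."""
    return sorted({obj for tcode, obj, ind in usobx
                   if tcode in menu_transactions and ind == "N"})


if __name__ == "__main__":
    menu = {"ZTX1", "ZTX2"}
    print("proposed:", propose_authorizations(menu))
    print("checked, maintain manually:", checked_but_not_proposed(menu))
    print("check disabled:", checks_disabled(menu))
```

For a role menu containing both transactions, PG proposes S_TCODE with TCD = ZTX1, ZTX2 and Z_OBJ_A with ACTVT = 02, 03; Z_OBJ_B (C) and Z_OBJ_D (U) are checked but left for the administrator to maintain; Z_OBJ_C (N) is neither proposed nor checked. The difference the question asks about is visible in the data: C and U behave identically at runtime and in PG, U merely means nobody has set an indicator yet.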

GRC Interview Questions:

1. What are the components of GRC?
2. What upgrades happened in GRC 5.3 compared with GRC 5.2?
3. Is it possible to have a request type by which we can change the validity period of a user? If so, what are the actions?
4. What is the latest Support Pack for GRC 5.3? How does it differ from the previous one?
5. What are the issues faced by you in ERM & CUP after golive?
6. Can we change single roles, objects and profile descriptions through mass maintenance of roles? If yes, how?
7. What are the prerequisites for creating a workflow for user provisioning?
8. How will you control GRC system if you have multiple rulesets activated?
9. Can we view the changes to a role made in PFCG through GRC?
10. How will you mitigate a user against an authorization object that the business has classified as sensitive?
11. Give an example of SOD with object level control & also decide the Risk implication from the Technical standpoint.
12. Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
13. What is the use of a Detour path? How does a Fork path differ from a Detour path?
14. How can you enable self password reset facility in GRC?
15. Can we have customized actions for creating request types in CUP?
16. Which SOX rules got inherited in SAP GRC?
17. How many types of background job are you familiar with? Why is the Role/Profile and User Sync job required?
18. Where can we change the default expiration time for mitigating controls? What is its default value?
19. How will you do a mass import of roles into GRC?
20. Explain the total configuration & utility of SPM?
21. Can we create logical systems in GRC? If yes, how, and what are the advantages and disadvantages?
22. Can we have different sets of number ranges activated for request generation?
23. Explain how we can create derived roles in ERM. What are the significant changes in methodology for creating composite roles?
24. Explain in detail how the different components of the Access Control suite integrate with each other.
25. Explain the key problem areas in the implementation of RAR.
26. Explain the key problem areas in the implementation of CUP.