SAP Security Interview Preparation Guide

Frequently asked questions from SAP Security job interviews. Use them to prepare for your SAP Security job interview.

32 SAP Security Questions and Answers:

SAP Security Interview Questions and Answers

1 :: How do you add a custom t-code to a role, and how do you find the auth object of a custom t-code? If the custom t-code doesn't have an auth object, will you save and generate the role?

Before adding a custom t-code to a role, we should check whether any authorization objects are maintained for this t-code in SU24. If not, we should maintain them. We also need to find the authority check in the program related to the custom t-code by using t-code SE93. If the custom t-code doesn't have an auth object, as an exception it should have authorization groups S_TABU_DIS. If the t-code satisfies any one condition, we can save and generate the role.

2 :: What is offline risk analysis?

Offline mode risk analysis is performed with the help of the Risk Identification and Remediation module in the SAP GRC Access Control Suite. Offline mode analysis helps in identifying SOD violations in an ERP system remotely. The data from the system is exported to flat files, which can then be imported into the CC instance with the help of the data extractor utility.
It can also be used to remotely analyze an ERP system which may be present in a different ERP landscape.

3 :: What is SAP security?

It is of high importance that data be protected against unauthorized access.

4 :: What is the use of RSECADMIN?

In SAP BI:
Reporting users: analysis authorization using transaction RSECADMIN, to maintain authorizations for reporting users.

RSECADMIN: to maintain analysis authorizations and role assignment to users.

5 :: Explain SPM.

SPM can be used to maintain and monitor super user access in an SAP system. This enables the super users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors easily trace the critical transactions that have been performed by the business users.

7 :: Do S_TABU_DIS org level values in a master role get reflected in the child role?

If we adjust the derived roles in the master role while updating the values in the master role, then the values will be reflected in the child roles.

8 :: What is the main difference between single role and a derived role?

The main difference: we can add/delete t-codes for single roles, but we can't do it for derived roles.

9 :: Tell me about derived role?

Derived roles are used to restrict user access based on organizational level values.
A derived role will be inherited by the master role and inherits all the properties except org level values.

10 :: What is the main purpose of the Parameters, Groups & Personalization tabs?

Parameters: whenever a user wants some default values when he/she executes a t-code, we can maintain some PIDs with the help of ABAPers.

11 :: What does the Profile Generator do?

We can create, transport, copy, download and modify roles; all these things are done from the PFCG t-code.

12 :: What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?

PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison, but the difference is that if you set the background job on a daily basis it will do mass user comparison automatically.

13 :: What is the maximum number of authorizations in an object?

Not more than 10 authorization fields in an object.

16 :: Who will do user comparison?

If changes are to be reflected immediately, user comparison is recommended.

17 :: What is the procedure for role modifications? Explain with an example.

Generally this task is done by the PFCG_TIME_DEPENDENCY background job, which runs once daily, so that roles are adjusted after running this report.

18 :: What is a ruleset, and how do you update a risk ID in the rule set?

Also, during indirect assignment of roles to users using t-codes PO13 and PO10, we have to do user comparison so that the roles get reflected in the SU01 record of the user.

19 :: If you are using 10 firefighter IDs at a time, how will the log reports go to the controller?

This is done whenever a role is already assigned to users and changes are made in that role. In order to get the changes adjusted in the roles, user comparison is done.

20 :: What are the Critical Tcodes and Authorization Objects in R/3?

All the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical t-codes.
Below are critical objects:
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP

21 :: What prerequisites should we take care of before assigning SAP_ALL to a user, even if we have approval from the authorization controllers?

The prerequisites before assigning SAP_ALL to any user are as follows:

1. Enabling the audit log, using t-code SM19.
2. Retrieving the audit log, using t-code SM20.

This process is followed when you're not implementing GRC in your system.

22 :: How do we restrict the auth groups for table maintenance, creating an auth group using SE54 to build new auth groups that restrict tables via auth object S_TABU_DIS?

We can restrict auth groups via object S_TABU_DIS: first we need to create an auth group in SE54, then assign this auth group in a role by using the object S_TABU_DIS.

23 :: How do we schedule and administer background jobs?

Scheduling and administration of background jobs can be done using t-codes SM36 and SM37.

25 :: What is the landscape of GRC?

The GRC landscape is a 2-system landscape:
1. SAP GRC DEV
2. SAP GRC PRD

In GRC there is no Quality system.