Risk Terminator, an integrated tool in SAP Access Control, provides real-time compliance checking during user provisioning and role maintenance. Among the given options, it can execute a user level risk analysis for the following tools:

C. SU01

D. PFCG

SU01 is the SAP transaction code used for User Maintenance, and PFCG is used for Role Maintenance. Risk Terminator provides risk analysis at these points to help prevent the assignment of potentially risky access.

SCUA (Central User Administration) and PA30 (Maintain HR Master Data) are not directly integrated with Risk Terminator for real-time risk analysis.

If you want to ensure that a risk analysis is performed when using access request management in SAP Access Control, you should:

B. Configure the MSMP workflow stage to require a risk analysis

D. Set the Enable Risk Analysis Form on Submission parameter to Yes

Option B makes sure that a risk analysis is performed at the relevant stage in the MSMP (Multi-Stage, Multi-Path) workflow process. Option D triggers a risk analysis when the access request form is submitted.

Option A, "Set Enable Offline Risk Analysis parameter to Yes", would not ensure risk analysis is done during access request management. This is for offline risk analysis, not for the access request management process.

Option C, "Configure the MSMP workflow path to require a risk analysis", is not a standard configuration option in MSMP. Risk analysis is typically configured at the stage level, not the path level.

Auto-Provisioning in SAP Access Control allows for automatic assignment or removal of access in the target systems. It can be used with the following provisioning types:

A business role in SAP Access Control is a logical grouping of technical roles, responsibilities, and authorizations that are associated with a business process. It is typically used to simplify the assignment of roles and authorizations in a business context.

The correct answers are:

C. They represent a job function

D. They contain one or more technical roles

Business roles in SAP Access Control represent a job function. They are a collection of access rights that are associated with that function.

Business roles can contain one or more technical roles. These technical roles provide the detailed authorizations needed to execute specific tasks within a job function.

Option A, "They can be viewed in transaction PFCG", is not correct because PFCG is used to maintain technical roles in an SAP system, not business roles in SAP Access Control.

Option B, "They are provisioned on target systems", is also not accurate. While the technical roles contained within a business role can be provisioned to target systems, the business role itself, as a higher-level construct, is not provisioned to the target system. It’s maintained within SAP Access Control to facilitate role assignment and management.

Emergency Access Management (EAM) in SAP Access Control is a tool used to provide users with emergency or privileged access in a controlled manner. The correct answers are:

B. Assign a Firefighter ID to a firefighter in SAP Access Control

D. Assign a Firefighter role to a firefighter in a target system

Firefighter ID is a special user ID that is assigned to a firefighter (a user who needs to perform emergency actions). This ID has the necessary authorizations to perform emergency tasks in the target system. The assignment of Firefighter IDs to firefighters is done in SAP Access Control.

Firefighter roles, which are maintained directly in the target system, contain the necessary authorizations for emergency access. These roles are then assigned to the Firefighter ID in the target system.

Option A, "Assign a Firefighter ID to a firefighter owner in SAP Access Control", is not correct as firefighter owners are typically responsible for reviewing and approving the activities performed by firefighters but do not directly use the Firefighter ID.

Option C, "Assign a Firefighter role to a firefighter in SAP Access Control", is not correct as the Firefighter role is assigned to a Firefighter ID in the target system, not in SAP Access Control.