You want to generate a BRFplus Initiator Rule that utilizes an expression of type Decision Table for the SAP_GRAC_ACCESS_REQUEST MSMP Process ID.
Which rule types can you use? Note: There are 2 correct answers to this question.
- A . Class Based Rule
- B . Function Module Based Rule
- C . BRFplus Flat Rule
- D . BRFplus Rule
A,D
BRFplus (Business Rule Framework plus) is an important part of SAP’s approach to enable business rule management. In the context of SAP Access Control and Multi-Stage, Multi-Path (MSMP) workflows, BRFplus is used to create rules for routing, agent determination, notifications, and so on.
To generate a BRFplus Initiator Rule that utilizes an expression of type Decision Table for the SAP_GRAC_ACCESS_REQUEST MSMP Process ID, you can use the following rule types:
Why might you integrate Business Role Management with Business Rules Framework? Note: There are 2 correct answers to this question.
- A . Determine role owner
- B . Determine role methodology
- C . Determine role business area
- D . Determine role naming convention
A,D
The integration of Business Role Management with Business Rules Framework (BRFplus) in SAP can help streamline and automate various processes. In the context of this question, the correct answers are:
Which of the following are required to enable Centralized Emergency Access Management (EAM)? Note: There are 2 correct answers to this question.
- A . Set the Application Type parameter for Emergency Access Management to value ID in the target system UGRC plug-in
- B . Set the Application Type parameter for Emergency Access Management to value ID in SAP Access Control
- C . Set the Enable Decentralized Firefighting parameter for Emergency Access Management to YES
- D . Set the Enable Decentralized Firefighting parameter for Emergency Access Management to NO
B,D
In order to enable Centralized Emergency Access Management (EAM) in SAP Access Control, the following actions are required:
B. Set the Application Type parameter for Emergency Access Management to value ID in SAP Access Control
D. Set the Enable Decentralized Firefighting parameter for Emergency Access Management to NO
With these settings, the Emergency Access Management feature is centralized in the SAP Access Control system, rather than being managed individually in each connected system. Option A is not correct as it refers to configuring settings in the target system plugin, which is not relevant for centralized EAM configuration. Option C is not correct because enabling decentralized firefighting would, by definition, disable centralized EAM.
You are defining connector settings for the connector between your SAP Access Control system and your SAP S/4HANA system.
Which of the following integration scenarios should you configure? Note: There are 2 correct answers to this question.
- A . AM
- B . S4HANA
- C . PROV
- D . SUPMG
A,C
When configuring the connector settings between your SAP Access Control system and your SAP S/4HANA system, the correct integration scenarios you should configure are:
Your compliance team requires that all changes to access rules be tracked.
Which of the following change logs do you enable? Note: There are 3 correct answers to this question.
- A . Role
- B . Access Rule
- C . Function
- D . Rule Set
- E . Critical Role
B,C,D
If your compliance team requires that all changes to access rules be tracked, you should enable the following change logs in SAP Access Control:
B. Access Rule
C. Function
D. Rule Set
These logs will track any changes made to Access Rules, Functions, and Rule Sets, ensuring a clear audit trail is available for compliance checks.
The option A. Role is incorrect as it tracks changes in roles, not access rules. Similarly, option E. Critical Role logs changes related to roles designated as critical, and not specific to access rule changes.
SAP developed a three-phase, six-step SoD Risk Management Process for use when implementing Access Risk Analysis.
Which of the following steps are a part of this process? Note: There are 3 correct answers to this question.
- A . Risk Recognition
- B . Mitigation
- C . Analysis
- D . Role Building and Analysis
- E . Rule Set Design
A,B,E
The three-phase, six-step SoD (Segregation of Duties) Risk Management Process developed by SAP for implementing Access Risk Analysis includes the following steps:
Which of the following conditions can you use to configure an escape route in MSMP Workflow? Note: There are 2 correct answers to this question.
- A . No Role Owner
- B . SOD Violation
- C . Approver Not Found
- D . Auto Provisioning Failure
A,C
In MSMP (Multi-Stage Multi-Path) Workflow in SAP Access Control, the configuration of an escape route is generally used to deal with exceptions or error scenarios in the process. An escape route is a path defined in the workflow that is executed when certain conditions are met. Among the options you provided, you can use the following conditions to configure an escape route:
SAP Governance, Risk and Compliance solutions are organized along 4 key themes.
Which of the following are key themes? Note: There are 3 correct answers to this question.
- A . Business Integrity Screening
- B . Access Governance
- C . Cybersecurity and Data Protection
- D . Enterprise Risk and Compliance
- E . Audit Management
B,C,D
SAP Governance, Risk, and Compliance (GRC) solutions are organized along several key themes to provide a holistic and integrated approach to managing the various aspects of governance, risk management, and compliance. From the provided options, the correct key themes are:
B. Access Governance
C. Cybersecurity and Data Protection
D. Enterprise Risk and Compliance
Access Governance involves managing and controlling user access to systems and data, Cybersecurity and Data Protection deals with protecting systems and data from threats, and Enterprise Risk and Compliance involves managing and mitigating business risks and ensuring compliance with regulations.
Option A, Business Integrity Screening, and option E, Audit Management, are not considered key themes themselves but are applications or components within the broader GRC solution and can fall under the above-mentioned key themes. For instance, Business Integrity Screening could be part of the Enterprise Risk and Compliance theme and Audit Management could be considered a part of Access Governance or Enterprise Risk and Compliance, depending on the specific use case.
You are tasked with configuring SAP Access Control to retrieve user and authentication information. SAP Access Control supports connector configuration for which of the following functions? Note: There are 3 correct answers to this question.
- A . User Search Data Source
- B . User Detail Data Source
- C . End User Verification
- D . User Identity Federation
- E . User Identity Management
A,B,E
When configuring SAP Access Control to retrieve user and authentication information, you can utilize the following functions:
How can you ensure that a coordinator has the opportunity to review UAR request assignments?
- A . Set the Admin review required before sending tasks to reviewers parameter for UAR to YES
- B . Schedule the Generate new request for UAR rejected request job
- C . Maintain the GRAC_COORDINATOR agent at the approval stage in MSMP Process ID SAP_GRAC_USER_ACCESS_REVIEW
- D . Set the Who are the reviewers? parameter for UAR to COORDINATOR
C
To ensure that a coordinator has the opportunity to review User Access Review (UAR) request assignments, you should:
C. Maintain the GRAC_COORDINATOR agent at the approval stage in MSMP Process ID SAP_GRAC_USER_ACCESS_REVIEW
This parameter ensures that the coordinator (agent with ID GRAC_COORDINATOR) will be part of the approval stage in the workflow for the user access review process. Therefore, the coordinator will have the opportunity to review the UAR requests.
The other options A, B, and D do not specifically give the coordinator an opportunity to review UAR request assignments. They might affect other aspects of the UAR process but not the involvement of the coordinator in the review.
Which of the following jobs are a prerequisite for scheduling a User Access Review (UAR)? Note: There are 3 correct answers to this question.
- A . Action Usage Sync
- B . Role Comparison
- C . Authorization Sync
- D . Role Usage Sync
- E . User/Role/Profile sync
A,C,E
To schedule a User Access Review (UAR) in SAP Access Control, there are certain jobs that must run beforehand to ensure that the necessary data is up to date. The jobs required are:
Which of the following logs can be collected for an Emergency Access Management session? Note: There are 3 correct answers to this question.
- A . Audit log
- B . System log
- C . Change log
- D . GRC Audit log
- E . Application log
A,B,D
In the context of an Emergency Access Management (EAM) session in SAP Access Control, the following logs can be collected:
Which of the following does Emergency Access Management support?
- A . A user can only be assigned to a single Firefighter ID
- B . Both role- and ID-based firefighting at the same time
- C . A Firefighter ID can only be assigned to a single user
- D . Both centralized and decentralized firefighting at the same time
B
Emergency Access Management (EAM) in SAP Access Control supports the following:
B. Both role- and ID-based firefighting at the same time
Role-based firefighting allows specific users to temporarily gain additional access through assigned roles, while ID-based firefighting provides users with a secondary, elevated access ID for a limited time period. Both these methods can be used simultaneously in the same system based on the specific use case.
Option A and Option C are incorrect because a Firefighter ID can be assigned to multiple users, and multiple Firefighter IDs can be assigned to a single user.
Option D is incorrect because while SAP Access Control supports both centralized and decentralized firefighting, they cannot be enabled at the same time. The system either operates in a centralized firefighting mode, where SAP Access Control centrally manages all firefighting logs and activities, or in a decentralized mode, where each connected system manages its own firefighting logs and activities.
You want to configure SAP Access Control to generate alerts to help manage compliance.
What are the available alert capabilities that can be configured? Note: There are 3 correct answers to this question.
- A . Identify a user who has executed a critical action and generate an email notification
- B . Identify a user who has executed conflicting functions and open a support desk message
- C . Identify a user who has executed conflicting functions
- D . Identify a control monitor who has failed to execute defined reports in a timely fashion
- E . Identify a user who has executed a critical action and open a support desk message.
A,C,E
SAP Access Control provides alerting capabilities to help organizations manage compliance. Among the options given, the following are available alert capabilities:
You are updating the configuration of a stage detail during maintenance of your MSMP Workflow configuration. You want to apply the updated configuration to both new and existing requests that are to be processed at the specified stage.
Which configuration setting allows you to do this?
- A . RT Config Change OK
- B . All Roles in Request (Re-evaluate)
- C . Reroute
- D . Display Review Screen
A
When updating the configuration of a stage detail in your MSMP Workflow configuration, if you want the updated settings to apply to both new and existing requests that are processed at the specified stage, the configuration setting you should use is:
Which methods can you use to send a firefight session log to a controller? Note: There are 2 correct answers to this question.
- A . Email
- B . Log Display
- C . Support message
- D . Workflow
A,D
When you need to send a firefight session log to a controller in SAP Access Control, you can use the following methods:
Which component delivers SAP Access Control functionality in SAP GRC 12.0?
- A . UIGRAC01
- B . GRCFND_A
- C . GRCPIERP
- D . GRCPINW
B
The SAP Access Control functionality in SAP GRC 12.0 is delivered by the component:
B. GRCFND_A
The GRCFND_A component is the technical name for the SAP Business Suite Foundation for Governance, Risk, and Compliance (GRC) which includes the foundational components necessary for SAP Access Control.
Options A, C, and D (UIGRAC01, GRCPIERP, GRCPINW) are not the main components responsible for delivering SAP Access Control functionality. They are components that may be related to different parts of the SAP GRC suite or other SAP products.
A Firefighter ID can be assigned to a firefighter using which of the following methods?
- A . By assigning access using an access request
- B . By maintaining the assignment in the Governance, Risk and Compliance plug-in on SAP Access Control
- C . By assigning a Firefighter Role to the user on the target system
- D . By maintaining the assignment in the Governance, Risk and Compliance plug-in on the target system
A
A Firefighter ID in SAP Access Control can be assigned to a firefighter using the following method:
You want to configure Password Self Service (PSS) to allow your end users to easily reset their password and process changes to their name.
Which of the following actions are required before PSS can be used?
- A . Deactivate password maintenance for target system in transaction SU01
- B . Maintain target system connector setting for PSS
- C . Activate the PSS workflow Process ID
- D . Set PSS parameter value to YES in AC Configuration settings
B,C
To configure Password Self Service (PSS) in SAP Access Control to allow end users to reset their password and process changes to their name, you need to perform the following actions:
B. Maintain target system connector setting for PSS
C. Activate the PSS workflow Process ID
Maintaining the target system connector setting for PSS ensures that the target system can communicate with SAP Access Control for the PSS functionality. Activating the PSS workflow Process ID makes sure the workflow for password self-service is activated and ready for use.
Option A, deactivating password maintenance for the target system in transaction SU01, is not correct because SU01 is the transaction to maintain users in the SAP system, and disabling password maintenance here would prevent users from changing their passwords, which contradicts the goal of enabling PSS.
Option D, setting PSS parameter value to YES in AC Configuration settings, is not a standard configuration step for PSS in SAP Access Control as of my knowledge cutoff in September 2021. However, the configuration steps can change based on specific system settings, updates, or customizations. It’s recommended to check the most up-to-date SAP documentation or contact SAP Support for the latest information.
You want to create a transportable BRFplus Routing Rule for MSMP Process ID SAP_GRAC_ACCESS_REQUEST using transaction GRFNMW_DEV_RULES.
What must be done in order for your rule to be transportable?
- A . You must assign a package to the Application after you generate the rule.
- B . You must assign a package to the Function after you generate the rule.
- C . You must assign a package to the Application before you generate the rule.
- D . You must assign a package to the Function before you generate the rule.
C
To make your BRFplus Routing Rule transportable, you should perform the following action:
C. You must assign a package to the Application before you generate the rule.
Packages are used in SAP to organize related development objects together. By assigning the Application to a package before generating the rule, you ensure that the rule (which is an object within the Application) is associated with the package and hence can be included in a transport request. This transport request can then be moved between SAP systems, making the rule transportable.
Options A, B, and D are not correct because assigning a package to the function or application after the rule has been generated does not ensure the rule is included in the transport. It’s important to assign the application to the package before generating the rule to ensure it is properly included in the transport.
Risk Terminator provides the capability to execute a user level risk analysis for which of the following tools? Note: There are 2 correct answers to this question.
- A . SCUA
- B . PA30
- C . SU01
- D . PFCG
C,D
Risk Terminator, an integrated tool in SAP Access Control, provides real-time compliance checking during user provisioning and role maintenance. Among the given options, it can execute a user level risk analysis for the following tools:
C. SU01
D. PFCG
SU01 is the SAP transaction code used for User Maintenance, and PFCG is used for Role Maintenance. Risk Terminator provides risk analysis at these points to help prevent the assignment of potentially risky access.
SCUA (Central User Administration) and PA30 (Maintain HR Master Data) are not directly integrated with Risk Terminator for real-time risk analysis.
How can you make sure that a risk analysis is performed when you use access request management? Note: There are 2 correct answers to this question.
- A . Set Enable Offline Risk Analysis parameter to Yes
- B . Configure the MSMP workflow stage to require a risk analysis
- C . Configure the MSMP workflow path to require a risk analysis
- D . Set the Enable Risk Analysis Form on Submission parameter to Yes
B,D
If you want to ensure that a risk analysis is performed when using access request management in SAP Access Control, you should:
B. Configure the MSMP workflow stage to require a risk analysis
D. Set the Enable Risk Analysis Form on Submission parameter to Yes
Option B makes sure that a risk analysis is performed at the relevant stage in the MSMP (Multi-Stage, Multi-Path) workflow process. Option D triggers a risk analysis when the access request form is submitted.
Option A, "Set Enable Offline Risk Analysis parameter to Yes", would not ensure risk analysis is done during access request management. This is for offline risk analysis, not for the access request management process.
Option C, "Configure the MSMP workflow path to require a risk analysis", is not a standard configuration option in MSMP. Risk analysis is typically configured at the stage level, not the path level.
Which of the provisioning types can be used with Auto-Provisioning? Note: There are 2 correct answers to this question.
- A . Direct provisioning
- B . Indirect provisioning
- C . Manual provisioning
- D . Global provisioning
A,B
Auto-Provisioning in SAP Access Control allows for automatic assignment or removal of access in the target systems. It can be used with the following provisioning types:
Which of the following are features of a business role in SAP Access Control? Note: There are 2 correct answers to this question.
- A . They can be viewed in transaction PFCG
- B . They are provisioned on target systems
- C . They represent a job function
- D . They contain one or more technical roles
C,D
A business role in SAP Access Control is a logical grouping of technical roles, responsibilities, and authorizations that are associated with a business process. It is typically used to simplify the assignment of roles and authorizations in a business context.
The correct answers are:
C. They represent a job function
D. They contain one or more technical roles
Business roles in SAP Access Control represent a job function. They are a collection of access rights that are associated with that function.
Business roles can contain one or more technical roles. These technical roles provide the detailed authorizations needed to execute specific tasks within a job function.
Option A, "They can be viewed in transaction PFCG", is not correct because PFCG is used to maintain technical roles in an SAP system, not business roles in SAP Access Control.
Option B, "They are provisioned on target systems", is also not accurate. While the technical roles contained within a business role can be provisioned to target systems, the business role itself, as a higher-level construct, is not provisioned to the target system. It’s maintained within SAP Access Control to facilitate role assignment and management.
Which of the following are possible ways to assign emergency access in Emergency Access Management? Note: There are 2 correct answers to this question.
- A . Assign a Firefighter ID to a firefighter owner in SAP Access Control
- B . Assign a Firefighter ID to a firefighter in SAP Access Control
- C . Assign a Firefighter role to a firefighter in SAP Access Control
- D . Assign a Firefighter role to a firefighter in a target system
B,D
Emergency Access Management (EAM) in SAP Access Control is a tool used to provide users with emergency or privileged access in a controlled manner. The correct answers are:
B. Assign a Firefighter ID to a firefighter in SAP Access Control
D. Assign a Firefighter role to a firefighter in a target system
Firefighter ID is a special user ID that is assigned to a firefighter (a user who needs to perform emergency actions). This ID has the necessary authorizations to perform emergency tasks in the target system. The assignment of Firefighter IDs to firefighters is done in SAP Access Control.
Firefighter roles, which are maintained directly in the target system, contain the necessary authorizations for emergency access. These roles are then assigned to the Firefighter ID in the target system.
Option A, "Assign a Firefighter ID to a firefighter owner in SAP Access Control", is not correct as firefighter owners are typically responsible for reviewing and approving the activities performed by firefighters but do not directly use the Firefighter ID.
Option C, "Assign a Firefighter role to a firefighter in SAP Access Control", is not correct as the Firefighter role is assigned to a Firefighter ID in the target system, not in SAP Access Control.