Which periodic review process allows a role owner to remove roles from the users? UAR Review SoD Review Firefighter Log Review Role Certification Review.
You want to assign an owner when creating a mitigating control. However, you cannot find the user you want to assign as an owner in the list of available users. The user is already assigned as an owner to another mitigating control. The workflow for creating a mitigating control has not yet been approved The user is locked. The user has not been assigned as an owner in the organizational hierarchy.
Which report types require the execution of batch risk analysis? (Choose two.) Ad-hoc risk analysis reports Offline risk analysis reports User level simulation reports Access rules detail reports User and role analysis dashboards.
Where can you define a mitigating control? (3) In the mitigating controls workset in Access Control In the rule setup in Access Control In the Access Control risk analysis result screen In the central process hierarchy in Process Control In the activity setup in Risk Management.
You have created a new end-user personalization (EUP) form. Where can you make use of this EUP form? (Choose two.) In a stage configuration of a workflow In an organizational assignment request In a template-based request In a model user request.
Your customer wants to eliminate false positives from their risk analysis results. How must you configure Access Control to include organizational value checks when performing a risk analysis? (Choose two.) Configure organization rules for each relevant function. Update the functions that contain each relevant action by activating the fields for the required permissions and maintaining a value for each specific organization. Configure organization rules for each relevant risk Configure organization level system parameters to incorporate all organization levels for each relevant risk.
You have maintained an end-user personalization (EUP) form and set a particular field as mandatory. Which additional field attribute settings are required? 2 The field attribute Visible must be set to "Yes". A default value must be maintained for the field. The field attribute Editable must be set to "Yes" The field attribute Visible must be set to "No" The field attribute Editable must be set to "No".
You want to maintain roles using Business Role Management. How do you import the roles from the back-end system? A. Use an SAP transport. Execute the Role Import background job directly in the back-end system. Use the standard import template. Execute the Role Repository Sync program.
Which configuration parameters determine the content of the log generated by the SPM Log Synch job? 3 Enable Risk Change log (1002) Enable Authorization Logging (1100) Retrieve System log (4004) Retrieve OS Command log (4006) Retrieve Audit log (4005).
Which activity can you perform when you use the Test and Generate options in transaction MSMP Rule Generation/Testing (GRFNMW_DEV_RULES)?
Generate and activate a BRFplus flat rule for workflow-related rules. Create a rule type for workflow-related rules. Create an MSMP process ID for workflow-related rules. Generate and activate function modules for workflow-related rules.
Your customer has created a custom transaction code ZFB10N by copying transaction FB10 and implementing a user exit. How can you incorporate the customer enhancement into the global rule set so that it will be available for Risk Analysis?
Update security permissions in all relevant authorization objects, maintain the custom program name in all relevant functions, and generate the access rules. Update all relevant functions with ZFB10N, maintain the permission values for all relevant authorization objects, and generate the access rules. Update all relevant functions with ZFB10N, maintain the permission values in the relevant access risk, and generate the global rule set. Update the relevant access risk with ZFB10N, maintain access rules in all relevant functions, and generate the global rule set.
What is the purpose of role mining?
To consolidate roles by taking actions after running comparisons. To compare authorizations by merging roles during the back-end synchronization To consolidate authorizations by merging roles in one step. To compare roles by running back-end synchronizations.
Which of the following attributes are mandatory when creating business role definition details in Business Role Management? (Choose three.)
Functional Area Company Landscape Project Release Application Type.
What information is available in the audit trail log for access rules? 2
Which terminal ID the change was made from When the change was made Who made the change Who approved the change.
For which purpose can you use organizational value mapping?
To maintain derived roles with organizational units To group roles by organization To maintain composite roles with organizational units To group users by organization.
How does SAP deliver updates to the standard rule set for Access Control?
As BC sets in a Support Package that must be activated in the target system by the system administrator As attachments in an SAP Note that must be entered manually by the system administrator As XML files in an SAP Note that need to be uploaded by the system administrator As BC sets in a Support Package that are automatically activated when the Support Package is deployed.
For which IMG object can you activate the password self-service (PSS) in Access Control
Logical system Connector Cross system Condition group.
You are building a BRFplus Flat rule decision table for use with role provisioning and you want your result set to be derived using the role line item data. You must therefore configure the results column value for the LINE _ITEM_KEY key field. Which field from the context query do you select to achieve this?
ROLE_TYP ITEMNUM CRITLVL ROLE_NAME.
Which connection type do you use for the RFC destination to establish a connection between GRC and an SAP ERP back-end system?
Logical connection TCP/IP connection ABAP connection ABAP driver connection.
Which of the following role provisioning types does Access Control user provisioning support? (Choose three.)
Direct Indirect Auto-provisioning at end of request No provisioning Combined.
Which reviewers can you select using the Access Control configuration parameter 2006 (Who are the reviewers) for user access review (UAR)? (Choose two.)
MANAGER ROLE OWNER RISK OWNER SECURITY LEAD APPROVER.
Which of the following are rule types used in MSMP workflow? 3
Web Service rule ABAP Class-Based rule Function Module-Based rule BRFplus rule ABAP User Exit-Based rule.
How do you manually replicate initiators from a previous version of Access Control so they can be used in BRFplus and a MSMP workflow?
Create multiple initiator rules and assign them to a process ID containing different detour path assignments. Create an initiator rule and assign it to multiple process IDs Create multiple initiator rules and assign them to a process ID Create an initiator rule and assign it to a process ID.
For what purpose can you use the Role Status attribute in Business Role Management?
To organize the authorization structure for your company. To indicate that a role is relevant for a specific project To restrict the roles available for user access requests. To define how essential a role might be for your company.
What does an agent rule determine?
The workflow initiator to be executed The workflow detour routing to be executed The available variables to be used in notifications The approves/recipients for the workflow.
For which of the following scenarios would you activate the end-user logon function?
A user has no access to the Access Control system and needs to submit a request for access A user has been promoted to manager and needs to log on to the Access Control system to approve a pending request. A user has successfully completed validation testing. A user has signed a non-disclosure agreement (NDA).
You need to create an access request workflow for a role assignment that will have two or three approval steps, depending on the role critically level
BRFplus Flat rule MSMP Notification rule MSMP Agent rule BRFplus rule.
You have activated the MSMP workflow Business Configuration (BC) Sets delivered by SAP. However, your customer requires a four-stage workflow for the Access Request process to include an approval by the system owner.
Define a custom notification template and assign it to the corresponding BRFplus Flat rule Deactivate the standard BC Set and create a custom BC Set. Create an additional stage and define the appropriate agent rule. Use an existing agent rule and remove one stage.
How do you enable stage configuration changes to become effective after a workflow has been initiated?
Activate the Path Reroute indicator Activate the Path Override Assignment Type indicator. Activate the Path Reval New Role (Revaluation) indicator. Activate the Runtime Configuration Changes OK indicator.
You have created an agent rule in BRFplus. Which additional configurations do you have to perform to use this agent rule in a workflow? (Choose two.) Define agents and their purposes. Maintain workflow route mappings Link the rule to the appropriate process ID Define notification variables.
Which indirect provisioning types are supported in user provisioning? (Choose three.)
Organization Type Job Position Holder User.
Which agent purposes are available in MSMP workflow? (Choose two.)
Approva Notification Forwarding Routing Rejection.
Which of the following objects can you customize for MSMP workflows? (Choose two.)
Multiple initiator rule IDs for one process ID Multiple paths for one process ID Multiple agent IDs for one stage Multiple notification templates for one process ID.
Which of the following owner types must be assigned to a user to receive the notification that a log report has been generated as the result of a Firefighter session?
Mitigation approver Firefighter ID owner Firefighter ID controller Firefighter role owner.
How are lines and columns linked in a BRFplus initiator decision table?
A column to a column through a logical OR A column to a line through a logical OR column to a column through a logical AND A line to a line through a logical AND.
You want to create a connector to an SAP ERP client. You must therefore define the technical parameters for the Remote Function Call (RFC) destination.
The RFC destination name must begin with the prefix "GRC". The RFC destination name must be the same as the logical system name The RFC destination name must include the installation number of the destination system The RFC destination name must include the IP address of the target destination.
What are Business Configuration (BC) Sets for Access Control? (Choose two.)
A collection of configuration settings designed to populate SAP tables with content A set of system parameter settings A collection of configuration settings designed to populate custom-defined tables with content A set of predefined Customizing settings.
What must you define in order to analyze user access for a critical transaction?
A critical mitigation control A critical role A critical profile A critical access rule.
Which prerequisites must be fulfilled if you want to create a technical role using Business Role Management? (Choose two.)
The role methodology must be defined. Organizational level mapping must be created Role attributes such as business process and subprocess must be defined. The workflow approval path and relevant approvers must be defined. Access risk rules must be generated.
Which of the following actions in Business Role Management require a connection to a target system? (Choose three.) Generation Authorization maintenance (actions and permissions) Risk analysis Approval Testing.
Which combination of rule kind and rule type determines the path upon submission of a request? Agent rule BRFplus Flat Routing rule BRFplus Initiator rule BRFplus Agent rule ABAP Class-Based.
Which transaction do you use to monitor background jobs in Access Control repository synchronization? Schedule Background Jobs (SM36) Test Background Processing (SBTA) Batch Input Monitoring (SM35) Overview of Job Selection (SM37).
Which type of user account does an emergency access user need to log on to a Firefighter session using transaction GRAC_SPM? A user account in the User Management Engine (UME) A user account in the Access Control system A user account in the LDAP system A user account in the target system.
Which of the following IMG activities are common component settings shared across GRC? 3 Maintain plug-in settings. Maintain connection settings. Maintain mapping for actions and connector groups Define a connector. Assign a connector to a connector group.
What does assigning the Logical Group (SOD-LOG) type to a connector group allow you to do? Run a cross-system analysis. Use the connector group for transports to the target system. Monitor the target system. Use the connector group as a business role management landscape.
You have set up your Firefighter IDs in the target system. Which of the following jobs do you have to run to synchronize these IDs and their role assignments with the Access Control system? GRAC_SPM_WORKFLOW_SYNC GRAC_REPOSITORY_OBJECT_SYNC GRAC_SUPER_USER_MGMT_USER GRAC_PFCG_AUTHORIZATION_SYNC.
What do you mitigate using Access Control? Roles Users Risks Functions.
What information must you specify first when you copy a user access request? User ID System ID Role Request number.
Which integration scenarios are specific to Access Control? (Choose three.) Provisioning (PROV) Risk Management (RMGM) Superuser Privilege Management (SUPMG) Automatic Monitoring (AM) Authorization Management (AUTH).
You have identified some risks that need to be defined as cross-system risks. How do you configure your system to enable cross-system risk analysis? 1. Set the analysis scope of the function to cross-system.
2. Create cross-system type connectors.
3. Assign the corresponding connectors to the appropriate connector group.
4. Generate rules 1. Set the analysis scope of the risk to cross-system.
2. Create cross-system type connectors.
3. Assign the corresponding connectors to the appropriate connector group.
4. Generate rules. 1. Set the analysis scope of the risk to cross-system.
2. Create a cross-system type connector group.
3. Assign the corresponding connectors to the connector group.
4. Generate rules. 1. Set the analysis scope of the function to cross-system.
2. Create a cross-system type connector group.
3. Assign the corresponding connectors to the connector group.
4. Generate rules.
Your customer wants to adapt their rule set to include custom programs from their SAP ERP production system. How do you ensure that the custom programs can be maintained properly in the rule set? (Choose three.) Maintain all relevant authorization objects and the associated default field values in transaction SU24 in the GRC system. Synchronize SU24 data for use in Access Control Function maintenance using transaction GRAC_AUTH_SYNC Synchronize SU24 data for use in Access Control Function maintenance using transaction GRAC_REP_OBJ_SYNC. Maintain all relevant authorization objects and the associated default field values in transaction SU24 in the SAP ERP system. Create a custom transaction code for each customer program using transaction SE93 in the SAP ERP system.
Which auto-provisioning options are available in the global provisioning configuration? (Choose three.) Manual Provisioning Indirect Provisioning Auto-Provision at End of Request No Provisioning Combined Provisioning.
Which tasks must you perform to enable a user to begin a central Firefighter session? (Choose three.) Create a user ID for the Firefighter in the target system Assign an owner to the Firefighter Maintain Firefighter ID owners in Access Control owners Maintain reason codes in Superuser Maintenance Assign a controller and a Firefighter to a Firefighter ID.
What data is synchronized when you run the GRAC_REPOSITORY_OBJECT_SYNC report? (Choose three.) Profiles Roles Role usage PFCG authorizations Users.
You create a BRFplus initiator rule for the Access Request approval workflow. Which standard request attribute that is listed as a header data object, as well as a line item data object, can you insert into a condition column? Location Business Process Department Priority.
Why would you generate a new MSMP workflow version? To activate the stage configuration settings To deactivate parallel batch processing To delete the existing workflow configuration settings To change the process global settings.
You want to synchronize the Access Control repository with data from various clients. In which sequence do you execute the synchronization jobs? 1. Repository Object Sync (profile, role, user)
2. PFCG Authorization Sync
3. Action Usage Sync
4. Role Usage Sync 1. PFCG Authorization Sync
2. Action Usage Sync
3. Role Usage Sync
4. Repository Object Sync (profile, role, user) 1. Repository Object Sync (profile, role, user)
2. Action Usage Sync
3. PFCG Authorization Sync
4. Role Usage Sync 1. PFCG Authorization Sync
2. Repository Object Sync (profile, role, user)
3. Action Usage Sync
4. Role Usage Sync.
Which task is mandatory for the successful generation of a workflow? Transport every generated workflow version. Correct errors prior to activating the workflow. Save the workflow version locally. Perform a workflow version simulation.
Who approves the review of the periodic segregation of duties? Mitigation monitors Role owners Mitigation approvers Risk owners.
You have updated authorization data for your roles in the target system using PFCG. You now want to synchronize the authorization data in Business Role Management without changing the existing role attributes. Use the Role Import template. Use the Role Mass Update function. Use the Role Mining function. Use the Mass Role Generation function.
Which Access Control master data is shared with Process Control and Risk Management? Access risk master data Organizational master data Business process master data Subprocess master data.
Which of the following objects can you maintain in the "Maintain Paths" work area of MSMP workflow configuration? (Choose three.) Paths Path versions Rules for path mappings Stage notification settings Stages.
For what purpose can you use the Display Revw Screen setting in MSMP Stage Details? To view the rule result To view the stage configuration To view the initiator rule To view the access request.
How do you enable the Access Control audit trail function for access rules? Activate the relevant configuration parameter using the Customizing Edit Project (SPRO) transaction Activate the table logging parameter using the Profile Parameter Maintenance (RZ11) transaction. Activate table logging using the Table History (SCU3) transaction Activate the security audit log using the Security Audit Configuration (SM19) transaction.
Which process steps should you perform when you define a workflow-related MSMP rule? (Choose two.) Save a bottom expression. Select a result data object. Select result parameters. Save condition parameters.
Which of the following jobs do you have to schedule to collect Firefighter session information? GRAC_SPM_LOG_ARCHIVING GRAC_SPM_WORKFLOW_SYNC GRAC_SPM_LOG_SYNC_UPDATE GRAC_SPM_CLEANUP.
You define a background job using transaction SM36. Which of the following options are start conditions you can use to schedule the background job to run periodically? (Choose two.) Step Class Date/Time Immediate.
Which transaction do you use to access the general Customizing activities for Access Control? MSMP Workflow Configuration (GRFNMW_CONFIGURE) Customizing Edit Project (SPRO) Launchpad Customizing (LPD_CUST) Call View Maintenance (SM30).
What is a mandatory prerequisite for creating business roles in Business Role Management? A condition group must be created. A role methodology must exist. A workflow approval must be configured. A role naming convention must be defined.
Your customer wants a manager to fulfill both MSMP workflow agent purposes. How do you configure this? Maintain the manager agent twice, once for each purpose, using the same agent ID. Maintain the manager agent once and assign both purposes to it without using an agent ID. Maintain the manager agent twice, once for each purpose, using different agent IDs. Maintain the manager agent once and assign both purposes to it using the same agent ID.
Which transaction can you use to customize notification templates? Change Documentation (SII1) SAP Documentation (SE61) Message Maintenance (SE91) Documentation Message Types (WE64).
What is the purpose of a mitigating control? To control the access that is allowed to be assigned to a role To determine which users are allowed to access the system To assign a compensating control to a risk To limit the access that is allowed to be assigned to a use.
Which BRFplus object is used as a container for all other BRFplus objects? Expression Condition Group Application Function.
Which of the following tasks must you perform if you want to enable a user to log on to a Firefighter ID? Schedule the Firefighter Workflow Sync job periodically Run the Firefighter Log Sync job Set up the Firefighter log configuration parameters Create a reason code.
Which of the following is a feature of centralized Emergency Access Management? Reason codes are defined once and assigned per system The Firefighter is required to log on to each target system to perform Firefighter activities. The Firefighter IDs are created centrally in Access Control Administration, reporting, and Firefighter logon are performed on target systems.
You have added a new stage to an existing path and set the approval type to "Any One Approver" (A in the attached screenshot). Now you set the approval type to "All Approvers" in the default stage details of the new stage (B in the attached screenshot A and B None A D.
You maintain rules in the BRFplus framework. For which rule kind can you activate the "Return all matches found" option for the decision table? GRC API rule Agent rule Routing rule Initiator rule.
Which objects must you activate when you create a BRFplus Routing rule? (Choose three.) Initiator Flat Rule Function Application Decision Table Result Column.
You want to update two authorizations that are shared across multiple roles. How do you accomplish this most efficiently? Update each authorization in all roles in two mass role update sessions Update each authorization in one role in multiple mass role update sessions. Update both authorizations in all roles in one mass role update session Update both authorizations in one role in multiple mass role update sessions.
You want to make Risk Analysis mandatory before an approver submits a request. How do you enable this in Access Control? Activate "Exclude objects for batch risk analysis" in the IMG. Set "Show all objects in risk analysis" (parameter ID 1036) to YES Set "Enable risk analysis on form submission" (parameter ID 1071) to YES. Activate the corresponding MSMP stage task setting.
What are the advantages of Mass Mitigation?
2 Integrates directly with transactions SU01, SU10 and PFCG Eliminates the need for system-level mitigation Improves efficiency of the mitigation process Improves mitigation quality control.
You have completed development of your custom MSMP Workflow configuration. Notify the project team and all end users of the change Simulate your new custom configuration Maintain custom initiator rule and rule results Maintain global process initiator mapping.
Your company requires that you CANNOT have more than one access request that is In Process for the same User ID.
End User Personalization settings Parameter Configuration settings Global Provisioning settings Connector Group Field Mapping settings.
Which of the following assignments can be listed in the Access Control Owners table? Firefighter ID Firefighter user ID Firefighter role controller Firefighter ID owner.
Which access control owners are relevant when defining a mitigating control?
2 Role Owner Mitigation Approver Point of Contact Mitigation Monitor.
What are the advantages of Mass Mitigation? Integrates directly with transactions SU01, SU10 and PFCG Improves efficiency of the mitigation process Improves mitigation quality control Eliminates the need for system-level mitigation.
Which of the following activities occur during a role certification?
2 Workflow items are created based on the certification period Periodic review of the role assignment based on the certification period Periodic review of the role content based on the certification period E-mail notifications are created based on the certification period.
What can you use a custom end-user personalization configuration for? Note: There are 3 correct To assign it to the standard access request To assign it to an access request template To restrict a user's ability to approve their own requests To determine fields shown in a workflow item To determine roles that can be assigned on a request .
Which of the following items are mandatory for creating an access request template? Note: There are 2 Correct End user personalization Template description Request type Request description .
How can you make sure that a risk analysis is performed when you use access request management? 2 correct Set Enable Offline Risk Analysis parameter to Yes Configure the MSMP workflow stage to require a risk analysis Configure the MSMP workflow path to require a risk analysis Set the Enable Risk Analysis Form on Submission parameter to Yes .
Which of the following are required to enable Certralized Emergency Access Management (EAM)? 2 Correct Set the Application Type parameter for Emergency Access Management to value ID in the target system UGRC plug-in Set the Application Type parameter for Emergency Access Management to value ID in SAP Access Control Set the Enable Decentralized Firefighting parameter for Emergency Access Management to YES Set the Enable Decentralized Firefighting parameter for Emergency Access Management to NO .
SAP developed a three phase, six step SoD Risk Management Process for use when implementing
Access Risk
Analysis.
Which of the following steps are a part of this process? 3 Correct Risk Recognition Mitigation Analysis Role Building and Analysis Rule Set Design .
Which of the following activities can you do in Emergency Access Management (EAM)? Note: There are 2 correct Log on to the Firefighter ID directly with a password Maintain EAM master data in the back-end system Display a log file of performed activities Perform tasks outside of the normal responsibilities .
Which of the following reviewer options does SoD Review support? Manager and Role Owner Manager or Role Owner Manager and Risk Owner Manager or Risk Owner .
|
