C_GRCAC_13

You are updating the configuration of a stage detail during maintenance of your MSMP Workflow configuration. You want to apply the updated configuration to both new and existing requests that are to be processed at the specified stage.

Which configuration setting allows you to do this?

A. RT Config Change OK

B. All Roles in Request (Re-evaluate)

C. Reroute

D. Display Review Screen

View Answer

Answer: A

When updating the configuration of a stage detail in your MSMP Workflow configuration, if you want the updated settings to apply to both new and existing requests that are processed at the specified stage, the configuration setting you should use is:

A. RT Config Change OK

This setting ensures that changes to the configuration are applied retroactively to all requests, new and existing, that are processed at the stage where the configuration was changed.

The options B. "All Roles in Request (Re-evaluate)", C. "Reroute", and D. "Display Review Screen" do not directly control the application of configuration changes to both new and existing requests.

Which of the following does Emergency Access Management support?
A . A user can only be assigned to a single Firefighter ID
B. Both role- and ID-based firefighting at the same time
C. A Firefighter ID can only be assigned to a single user
D. Both centralized and decentralized firefighting at the same time

View Answer

Answer: B

Emergency Access Management (EAM) in SAP Access Control supports the following:

B. Both role- and ID-based firefighting at the same time

Role-based firefighting allows specific users to temporarily gain additional access through assigned roles, while ID-based firefighting provides users with a secondary, elevated access ID for a limited time period. Both these methods can be used simultaneously in the same system based on the specific use case.

Option A and Option C are incorrect because a Firefighter ID can be assigned to multiple users, and multiple Firefighter IDs can be assigned to a single user.

Option D is incorrect because while SAP Access Control supports both centralized and decentralized firefighting, they cannot be enabled at the same time. The system either operates in a centralized firefighting mode, where SAP Access Control centrally manages all firefighting logs and activities, or in a decentralized mode, where each connected system manages its own firefighting logs and activities.

Which of the following are features of a business role in SAP Access Control? Note: There are 2 correct answers to this question.
A . They can be viewed in transaction PFCG
B. They are provisioned on target systems
C. They represent a job function
D. They contain one or more technical roles

View Answer

Answer: C,D

A business role in SAP Access Control is a logical grouping of technical roles, responsibilities, and authorizations that are associated with a business process. It is typically used to simplify the assignment of roles and authorizations in a business context.

The correct answers are:

C. They represent a job function

D. They contain one or more technical roles

Business roles in SAP Access Control represent a job function. They are a collection of access rights that are associated with that function.

Business roles can contain one or more technical roles. These technical roles provide the detailed authorizations needed to execute specific tasks within a job function.

Option A, "They can be viewed in transaction PFCG", is not correct because PFCG is used to maintain technical roles in an SAP system, not business roles in SAP Access Control.

Option B, "They are provisioned on target systems", is also not accurate. While the technical roles contained within a business role can be provisioned to target systems, the business role itself, as a higher-level construct, is not provisioned to the target system. It’s maintained within SAP Access Control to facilitate role assignment and management.

Which of the provisioning types can be used with Auto-Provisioning? Note: There are 2 correct answers to this question.

A. Direct provisioning

B. Indirect provisioning

C. Manual provisioning

D. Global provisioning

View Answer

Answer: A,B

Auto-Provisioning in SAP Access Control allows for automatic assignment or removal of access in the target systems. It can be used with the following provisioning types:

A. Direct provisioning

B. Indirect provisioning

Direct provisioning occurs when access is automatically provisioned to the target system immediately upon approval of the access request. Indirect provisioning, on the other hand, refers to scenarios where provisioning is dependent on a triggering event other than the approval of an access request, such as changes in HR data.

Option C, Manual provisioning, is not compatible with Auto-Provisioning, as it requires manual intervention to assign or remove access.

Option D, Global provisioning, does not exist as a distinct provisioning type in the context of SAP Access Control as of my knowledge cutoff in September 2021. For the most current information, it is recommended to refer to the latest SAP Access Control documentation or SAP Support.

You are tasked with configuring SAP Access Control to retrieve user and authentication information. SAP Access Control supports connector configuration for which of the following functions? Note: There are 3 correct answers to this question.

A. User Search Data Source

B. User Detail Data Source

C. End User Verification

D. User Identity Federation

E. User Identity Management

View Answer

Answer: A,B,E

When configuring SAP Access Control to retrieve user and authentication information, you can utilize the following functions:

A. User Search Data Source

B. User Detail Data Source

E. User Identity Management

User Search Data Source and User Detail Data Source are configurations that allow SAP Access Control to retrieve user data from connected systems. User Identity Management refers to managing identities of users across multiple systems, which includes retrieving and managing user and authentication information.

Option C, End User Verification, and option D, User Identity Federation, while important in the broader context of access control and identity management, are not specific functions supported for connector configuration in SAP Access Control.

You are defining connector settings for the connector between your SAP Access Control system and your SAP

S/4HANA system.

Which of the following integration scenarios should you configure? Note: There are 2 correct answers to this question.

A. AM

B. S4HANA

C. PROV

D. SUPMG

View Answer

Answer: A,C

When configuring the connector settings between your SAP Access Control system and your SAP S/4HANA system, the correct integration scenarios you should configure are:

A. AM (Access Management)

C. PROV (Provisioning)

The AM scenario is used for Risk Analysis and Remediation (RAR) and the Emergency Access Management (EAM), while PROV is used for user provisioning, i.e., creation, modification, and deletion of user access.

The B. S4HANA scenario is not an actual standard integration scenario for SAP Access Control.

The D. SUPMG scenario (Superuser Management) was used in older versions of SAP Access Control but has been replaced by the EAM functionality in newer versions. Therefore, SUPMG is not used in the context of SAP Access Control connecting to an SAP S/4HANA system.

Risk Terminator provides the capability to execute a user level risk analysis for which of the following tools? Note: There are 2 correct answers to this question.
A . SCUA
B. PA30
C. SU01
D. PFCG

View Answer

Answer: C,D

Risk Terminator, an integrated tool in SAP Access Control, provides real-time compliance checking during user provisioning and role maintenance. Among the given options, it can execute a user level risk analysis for the following tools:

C. SU01

D. PFCG

SU01 is the SAP transaction code used for User Maintenance, and PFCG is used for Role Maintenance. Risk Terminator provides risk analysis at these points to help prevent the assignment of potentially risky access.

SCUA (Central User Administration) and PA30 (Maintain HR Master Data) are not directly integrated with Risk Terminator for real-time risk analysis.

Which component delivers SAP Access Control functionality in SAP GRC 12.0?
A . UIGRAC01
B. GRCFND_A
C. GRCPIERP
D. GRCPINW

View Answer

Answer: B

The SAP Access Control functionality in SAP GRC 12.0 is delivered by the component:

B. GRCFND_A

The GRCFND_A component is the technical name for the SAP Business Suite Foundation for Governance, Risk, and Compliance (GRC) which includes the foundational components necessary for SAP Access Control.

Options A, C, and D (UIGRAC01, GRCPIERP, GRCPINW) are not the main components responsible for delivering SAP Access Control functionality. They are components that may be related to different parts of the SAP GRC suite or other SAP products.

You want to create a transportable BRFplus Routing Rule for MSMP Process ID SAP_GRAC_ACCESS_REQUEST using transaction GRFNMW_DEV_RULES.

What must be done in order for your rule to be transportable?
A . You must assign a package to the Application after you generate the rule.
B. You must assign a package to the Function after you generate the rule.
C. You must assign a package to the Application before you generate the rule.
D. You must assign a package to the Function before you generate the rule.

View Answer

Answer: C

To make your BRFplus Routing Rule transportable, you should perform the following action:

C. You must assign a package to the Application before you generate the rule.

Packages are used in SAP to organize related development objects together. By assigning the Application to a package before generating the rule, you ensure that the rule (which is an object within the Application) is associated with the package and hence can be included in a transport request. This transport request can then be moved between SAP systems, making the rule transportable.

Options A, B, and D are not correct because assigning a package to the function or application after the rule has been generated does not ensure the rule is included in the transport. It’s important to assign the application to the package before generating the rule to ensure it is properly included in the transport.

Which of the following jobs are a prerequisite for scheduling a User Access Review (UAR)? Note: There are 3 correct answers to this question.

A. Action Usage Sync

B. Role Comparison

C. Authorization Sync

D. Role Usage Sync

E. User/Role/Profile sync

View Answer

Answer: A,C,E

To schedule a User Access Review (UAR) in SAP Access Control, there are certain jobs that must run beforehand to ensure that the necessary data is up to date. The jobs required are:

A. Action Usage Sync

C. Authorization Sync

E. User/Role/Profile sync

Action Usage Sync updates the usage data of transaction codes, Authorization Sync ensures that the latest role authorizations are available, and User/Role/Profile sync synchronizes the user, role, and profile information between the target system and SAP Access Control.

Option B, Role Comparison, and Option D, Role Usage Sync, while are part of SAP GRC’s general tasks, are not prerequisites for scheduling a User Access Review (UAR).