
SAP SECURITY / GRC INTERVIEW GUIDE FROM WWW.EXPRESSGRC.COM

SAP Career Success: Focus, Faith and Effort

One of the questions that keeps coming up is "how soon will I get a job?" That is a tough
question to answer, but it is easy to give you the steps to succeed. The first step is focus.

Focus is a measure of how much of your thinking time you give to the task you have taken on.
For example, if you are going to get into the SAP audit and compliance field, then 90% of your
focus has to be on how you can improve or gain knowledge of SAP audit and compliance.

Focus also means clearing your time of other activities and concentrating solely on gaining
knowledge of SAP audit and compliance. That includes looking for a job, understanding the job
requirements, learning the concepts within SAP audit and compliance, and practicing the tasks
performed in SAP for audit and compliance.

If you are working, you probably have to spend two hours a day learning and practicing SAP
audit and compliance. If you are a student, or are doing this full time, you probably have to
spend eight hours a day practicing. This gives you the experience and technical knowledge needed
to go into a company and perform the tasks given to you as an auditor.

The next thing you have to take into consideration is faith in the career you are going to be
trained for, because if you do not have faith you will not put in the effort. Faith means you
need to do your own research to figure out whether this is the right field for you. You can do
this research by searching for jobs on LinkedIn, Facebook, Dice, Indeed and other job portals;
this gives you an idea of the demand for this kind of job. One more aspect to take into account
is whether this is something you want to do, for example if you have the necessary auditing
background, or if you do not want to get into coding. Searching for jobs, and the other research
you do on the web, will validate that this is a good career option for you. Once you are clear
about your focus and faith, the next thing is effort.

One problem most people have in this space is shiny object syndrome: they start doing one thing,
look at something else and think "maybe I should do that", and once they start that they look at
yet another thing and never finish the first. The deciding factor in any success is your effort
and perseverance. If you do something for a little while, then go somewhere else and do something
else, and then somewhere else again, you will not complete any task. Say your task is building a
house: you build the basement, then somebody asks you to build a garden and you go do that, then
somebody asks you to build a bridge and you go build the bridge, then somebody else asks you to
build a garage and you go do that. Eventually you have done multiple tasks but nothing is
complete. So once you have focus and faith in what you want to do, put your effort into
completing the task. I am not saying that you blindly keep following a path for years, but you
need to give it at least 90 to 180 days to see whether the career path you are pursuing produces
results. It will not happen in a week or 30 days; give it a minimum of 90 to 120 days and a
maximum of six months.

Key Terms:

Functional POC (Functional Point of Contact):

The person who has the business knowledge for an area such as Finance, Human Resources or
Production Planning. The Functional POC understands what the people working in his team
require. For example, the Functional POC for Finance knows what the Accounts Payable clerk,
the Accounts Receivable clerk and the Finance manager each need. He is also responsible for
defining the business process and helps guide the configuration team.

Production Support Environment:

Say a company has deployed SAP in its USA locations with 3500 users. Not all of these users
are in the system and using it at the same time, and the main issues will relate to their
access in production. If you work in this environment you will mainly be working the issues
and problems reported by those users. Typical issues are a missing transaction, a transaction
not working properly, not being able to post to a company code or plant (SU53
troubleshooting), a locked user, and users without the proper printer, parameters, user group
or decimal notation.

Release Environment:

Now say the company that implemented the software for the USA with 3500 users is expanding
the implementation to Europe with 2000 more users and 5 locations. You already have 220 roles
with 10 derivations for the USA locations, and the task is to create additional child (derived)
roles to cover the Europe locations. Typical tasks in the release environment are new role
creation, adding restrictions to roles, adding transactions, testing in the Development and
Quality systems, transports and tracing.

Remedy Software:

This is the software most companies use to register issues and assign them to the appropriate
person. If there is an issue with the Oracle database, the issue is logged and assigned to the
Oracle DBA; if there is a security issue, it is assigned to the security person.

Other products that do the same thing are Peregrine, HEAT, etc. Do not worry about the
software: each client will have its own tool and will train you in it.

Focus (points to prepare for the interview):

Some of the functional transactions

Distinction between production support and release environments

Talk about user administration and role management in detail

Approvals to make changes to roles and users

Key transactions and tables

Specific issues you resolved



Key Terms

Sandbox:

Typical users in the system: Technical, Developers, Functional and Configuration Consultants
System: Open
Access: Full, except Basis and Security

This is a playground system where you can try out new functionality; users can basically do
whatever they want here. The system exists to understand the functionality. If the company
wants to move to a different version of the software or apply a patch, they do it in this
system before making the change in the development system. The system ID usually starts with
the letter S, for example SE1, SR1, SS1 or SG1.

Development System:

Typical users in the system: Technical, Developers, Functional and Configuration Consultants
System: Open
Access: Full, except Basis and Security

This is the system where you do all your role development. You also do your initial testing
here, checking that a transaction added to a role works; this type of testing is called unit
testing. You do your tracing, create your transports, update SU24, create custom transactions
and do any other development activity in this system. The system ID usually starts with the
letter D, for example DE1, DR1, DS1 or DG1. All the functional consultants configure the
system here. They test to make sure the functionality works properly, and this is usually
called unit testing. Unit testing is testing individual pieces of functionality, such as
creating an invoice, creating a vendor master or making a payment. Some customers have a
special client within the development system, called the configuration client, where most of
the configuration is performed, and a client called the master data client where they load the
master data.

Quality System:

Typical users in the system: Technical, Developers, Functional and Configuration Consultants
System: Closed
Access: Display, except Basis and Security

This is where the full-fledged testing happens. Here you work with users to fix the errors.
No changes are allowed in this system; anything to be fixed goes back through development and
transport. The testing done here is called integration testing. The system ID usually starts
with the letter Q, for example QE1, QR1, QS1 or QG1.

Unit testing:

Testers: Functional and Technical Consultants

When you create a role with 5 transactions (MM02, FB03, MM01, FB01, AS03) in the SAP system,
you then create a user ID and assign the role to it. The user tests whether he or she can
execute each transaction completely. This testing is usually done with a test script, and it
is done to make sure each transaction works independently without error.

Integration Testing:

Testers: Limited End Users, and Functional and Technical Consultants

Now that the single roles are tested, you put them together into a composite role based on a
job. For example, you create a composite role for the job Accounts Payable Clerk containing 5
single roles. This composite role is then used to test the entire accounts payable cycle,
which means the user tests whether an invoice can be processed end to end in the system.

User Acceptance Testing:

Testers: Mostly End Users, with Functional and Technical Consultants

Once the solution has been developed, and before going live, the end users are involved in
the testing.

Real World Concept Example:

Say a company manufactures cars. They first test the tires, engine, gears, seats etc.
individually; this individual test is the unit test. Then they assemble the car and go for a
test run; this is integration testing. In short, testing one piece at a time is unit testing
and testing the whole assembly is integration testing.

Tell me about your experience in SAP Security?

I have been working for one year in SAP Security, mainly ECC 6.0 security. My job involves
user administration, role administration, troubleshooting, interacting with the functional
team to get requirements, and tracing transactions. I have worked in both production support
and release environments. In production support I used the support tool Remedy to track and
log tickets; when a ticket is assigned to me, I fix the issue with the manager's approval and
notify the customer. Typical user administration issues are: user not able to log on, invalid
end date, user parameters, printer, role added but user comparison not performed, user not
assigned to the proper user group, and user not assigned to a license type or user type. On the
role administration side, I have worked with the functional security POC (Point of Contact) to
help him decide on options for controlling a transaction. Typical examples are controlling
MIGO (goods movement) by movement type, ME21 (purchase order) by document type, FB01 by
account group, XK01 (vendor maintenance) by company code and AS01 (asset) by asset class. I
usually run an ST01 or STAUTHTRACE trace to explain to the functional person which options are
available for restricting the transaction. In production support I also troubleshoot why a
user does not have a transaction, or use the SUIM change documents to see what changed in
their access. When a user needs a particular transaction, I research which roles contain it
so the Functional POC can choose; I use SUIM to find the roles that have the transaction. I am
also familiar with the tables AGR_1251 (authorization objects and values in roles), AGR_USERS
(role to user assignment), AGR_TCODES (role to transaction mapping), AGR_TEXTS (role texts)
and AGR_DEFINE (roles defined in the system).
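The lookup described in this answer, finding every role that carries a transaction and every user who ends up with it through a single or composite role, is what SUIM does behind the scenes with the tables listed above. The following is an added example written for this guide, not code from the original page or from SAP: it runs the same lookup over constructed rows laid out like AGR_TCODES, AGR_AGRS (composite to single role) and AGR_USERS, including an expired assignment that must not count as current access. Field and role names in the sample rows are invented.

```python
"""SUIM-style lookup: which roles carry a transaction, and which users end up with it."""
from datetime import date

# Constructed sample rows in the shape of the tables named above. The field names follow
# AGR_TCODES (role menu transactions), AGR_AGRS (composite -> single role) and AGR_USERS
# (user assignment with validity dates); the row contents are invented for this example.
AGR_TCODES = [
    {"AGR_NAME": "Z_FI_AP_CLERK", "TCODE": "FB01"},
    {"AGR_NAME": "Z_FI_AP_CLERK", "TCODE": "FB03"},
    {"AGR_NAME": "Z_FI_DISPLAY", "TCODE": "FB03"},
    {"AGR_NAME": "Z_MM_BUYER", "TCODE": "ME21"},
]
AGR_AGRS = [
    {"AGR_NAME": "ZC_AP_CLERK_US", "CHILD_AGR": "Z_FI_AP_CLERK"},
    {"AGR_NAME": "ZC_AP_CLERK_US", "CHILD_AGR": "Z_FI_DISPLAY"},
]
AGR_USERS = [
    {"AGR_NAME": "ZC_AP_CLERK_US", "UNAME": "JSMITH", "FROM_DAT": date(2019, 1, 1), "TO_DAT": date(9999, 12, 31)},
    {"AGR_NAME": "Z_FI_DISPLAY", "UNAME": "AJONES", "FROM_DAT": date(2019, 1, 1), "TO_DAT": date(9999, 12, 31)},
    # assignment that has already expired: must not show up as current access
    {"AGR_NAME": "Z_FI_AP_CLERK", "UNAME": "BLEE", "FROM_DAT": date(2018, 1, 1), "TO_DAT": date(2019, 6, 30)},
    {"AGR_NAME": "Z_MM_BUYER", "UNAME": "JSMITH", "FROM_DAT": date(2019, 1, 1), "TO_DAT": date(9999, 12, 31)},
]


def single_roles_with_tcode(tcode, agr_tcodes=AGR_TCODES):
    """Single roles whose menu contains the transaction (SUIM: Roles by transaction)."""
    return sorted({r["AGR_NAME"] for r in agr_tcodes if r["TCODE"] == tcode})


def composites_containing(single_role, agr_agrs=AGR_AGRS):
    """Composite roles that include the given single role."""
    return sorted({r["AGR_NAME"] for r in agr_agrs if r["CHILD_AGR"] == single_role})


def users_with_tcode(tcode, today, agr_users=AGR_USERS):
    """Users who hold the transaction on 'today', directly or through a composite role.

    Returns {user: sorted [(assigned_role, single_role_that_carries_the_tcode), ...]} so the
    administrator can tell the Functional POC which role actually delivers the access.
    """
    # every assignable role that grants the tcode, mapped to the single role(s) behind it
    granting = {}
    for single in single_roles_with_tcode(tcode):
        granting.setdefault(single, set()).add(single)
        for composite in composites_containing(single):
            granting.setdefault(composite, set()).add(single)
    result = {}
    for row in agr_users:
        if row["AGR_NAME"] in granting and row["FROM_DAT"] <= today <= row["TO_DAT"]:
            for single in granting[row["AGR_NAME"]]:
                result.setdefault(row["UNAME"], []).append((row["AGR_NAME"], single))
    return {user: sorted(pairs) for user, pairs in result.items()}


if __name__ == "__main__":
    print(single_roles_with_tcode("FB03"))
    print(users_with_tcode("FB01", date(2020, 1, 1)))
```

One caveat a practitioner should keep in mind: AGR_TCODES only lists transactions that came in through the role menu. A transaction added by hand to the S_TCODE object shows up only in AGR_1251 (OBJECT = S_TCODE), so a complete answer to "who can run this transaction" also has to read that table.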

What was the SAP system landscape at your previous client?

We had four separate systems: Sandbox, Development, Quality Assurance and Production. The
Sandbox, Development and Quality Assurance systems had 3 clients each. We did our role
development in the Development system and transported the roles to the Quality Assurance
system for testing, and then to the Production system once testing was complete and signed off
by the responsible person. We were on ECC 6.0. The client had implemented Finance (FI), Sales
and Distribution (SD), Controlling (CO), Materials Management (MM), Production Planning (PP),
Asset Management (AM) and Plant Maintenance (PM). In user administration I extensively used
SU01, SU10, SUIM and SE16 to review the USR02 and USER_ADDR tables.

Interview Questions in SAP User Administration

How did you help the customer with the SAP license audit?

When I was with client ABC, SAP sent a letter saying they saw a discrepancy in the SAP license
count we had reported, so they wanted to review the license count we reported against what we
had purchased. We realized that many users were being counted as Professional. When we
investigated further, we found that those users were not assigned to any SAP license type, so
they defaulted to the highest license type. We then used the USR06 table and the USMM
transaction to review all the users and classify them properly. The approach we took was:

1. Reviewed all the users and classified them properly by SAP user group, creating new user
groups where required. We mainly focused on making sure that end users and support users are
clearly identified by their SAP user group.
2. Confirmed the classification against the SAP role assignments. For example, we pulled up
all users assigned to a Basis, Security or Functional role and made sure they were not
classified as end users in the system.
3. Expired and locked all users who had not used the SAP system for 365 days, so they are not
counted as licensed users for the current calendar year.
4. Cleaned up expired and duplicate roles from the system so the user master is clean and
valid.
5. All of the above steps were performed after raising a change request and getting approval
from the appropriate functional team.
6. Once these steps were done, we re-ran the USMM license report and were able to demonstrate
that the license count consumed was less than what we had purchased.
7. We wrote a detailed explanation to SAP of the process we followed and were able to convince
SAP of the modified count.
8. The whole effort took us 3 weeks.

(Figure: Clean up users → Assign license → Re-run USMM → Submit to SAP)
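Steps 1 and 2 of the license audit above are a consistency check between three things: the license type in USR06, the user group in USR02 and the roles in AGR_USERS. The following is an added example written for this guide, not code from the original page or from SAP's USMM: it runs that check over constructed rows in the shape of those tables and reports the two findings the answer describes, a user with no license type (which the answer says counts at the highest type) and a user in an end-user group who holds a support role. The license type names, the role prefixes that mark support staff and the user-group prefix are assumptions for the example.

```python
"""License classification review: find users whose license type, user group and roles disagree."""
from collections import Counter

# Constructed sample data in the shape of the tables the answer names. Field names follow
# USR02 (BNAME, CLASS = user group), USR06 (BNAME, LIC_TYPE) and AGR_USERS; rows are invented.
USR02 = [
    {"BNAME": "JSMITH", "CLASS": "END_USER_US"},
    {"BNAME": "AJONES", "CLASS": "END_USER_US"},
    {"BNAME": "BADMIN", "CLASS": "END_USER_US"},   # wrong group: holds a Basis role
    {"BNAME": "SECOPS", "CLASS": "SUPPORT_US"},
    {"BNAME": "TEMP01", "CLASS": "END_USER_US"},   # no license type maintained at all
]
USR06 = [
    {"BNAME": "JSMITH", "LIC_TYPE": "LIMITED"},
    {"BNAME": "AJONES", "LIC_TYPE": "LIMITED"},
    {"BNAME": "BADMIN", "LIC_TYPE": "LIMITED"},
    {"BNAME": "SECOPS", "LIC_TYPE": "PROFESSIONAL"},
]
AGR_USERS = [
    {"AGR_NAME": "Z_FI_AP_CLERK", "UNAME": "JSMITH"},
    {"AGR_NAME": "Z_FI_DISPLAY", "UNAME": "AJONES"},
    {"AGR_NAME": "Z_BASIS_ADMIN", "UNAME": "BADMIN"},
    {"AGR_NAME": "Z_SEC_ADMIN", "UNAME": "SECOPS"},
    {"AGR_NAME": "Z_FI_DISPLAY", "UNAME": "TEMP01"},
]

# Assumptions for this example: the highest (and therefore default) license type, the role
# prefixes that mark support staff, and the user-group prefix that marks end users.
HIGHEST_LICENSE = "PROFESSIONAL"
SUPPORT_ROLE_PREFIXES = ("Z_BASIS_", "Z_SEC_", "Z_FUNC_")
END_USER_GROUP_PREFIX = "END_USER"


def effective_license(user, usr06):
    """A user without a USR06 row counts at the highest type, which is the finding in the text."""
    for row in usr06:
        if row["BNAME"] == user:
            return row["LIC_TYPE"]
    return HIGHEST_LICENSE


def review_classification(usr02, usr06, agr_users):
    """Return (findings, counts): one finding per user whose data disagrees, plus a Counter of
    effective license types so the result can be compared with what was purchased."""
    roles = {}
    for row in agr_users:
        roles.setdefault(row["UNAME"], set()).add(row["AGR_NAME"])
    findings = []
    counts = Counter()
    for u in usr02:
        name, group = u["BNAME"], u["CLASS"]
        counts[effective_license(name, usr06)] += 1
        if not any(r["BNAME"] == name for r in usr06):
            findings.append((name, "NO_LICENSE_TYPE", f"defaults to {HIGHEST_LICENSE}"))
        support_roles = sorted(r for r in roles.get(name, ()) if r.startswith(SUPPORT_ROLE_PREFIXES))
        if support_roles and group.startswith(END_USER_GROUP_PREFIX):
            findings.append((name, "END_USER_WITH_SUPPORT_ROLE", ",".join(support_roles)))
    return findings, counts


if __name__ == "__main__":
    found, totals = review_classification(USR02, USR06, AGR_USERS)
    for f in found:
        print(f)
    print(dict(totals))
```

The count returned is the number to put beside the purchased figure before re-running USMM; the findings list is the work queue for steps 1 and 2, and each correction in it still goes through the change request mentioned in step 5.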

What is the process you follow to create users in the system?

In most companies I worked at, we had a ticketing system, which could be Remedy, HEAT,
ServiceNow, Solution Manager or a custom tool built by the company. When a user needs access
or joins the project, he sends an email to the service desk requesting access. The service
desk creates a ticket and informs the SAP Security team of the new request. The SAP Security
team obtains the approval and attaches it to the ticket. The request could be to add specific
roles or to copy a specific user to create the new user. Once the user is created, we notify
the user of the user ID and initial password and close the ticket.

What information was included as part of user administration?

This again depends on the customer, but general best practice is to include first name, last
name, email address, phone number, printer and cost center.

How were SAP user groups used for segregating the users in the system?

The user group is a key attribute that identifies the user in the SAP system. A good user
group naming convention should include the user type, e.g. end user, support user, system
administrator, developer, configuration, sustainment user etc. This way you can clearly
understand the type of user and the roles assigned to them. The next element is the location,
so that reports can be run by user location.

How did you review the users' activity, inactivity and logins?

Typically we ran the SUIM user inactivity report weekly and produced a PowerPoint
presentation for the Audit Compliance or Cyber Security team.

What was the process for expiring users from the system and monitoring the system?

Most companies I worked for had a policy of locking / expiring users after 60 days of
inactivity and removing their roles after 120 days. When the user must be unlocked, the
manager has to approve the unlock, and role reinstatement has to be re-approved by the
functional lead.
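The 60 / 120 day policy above is a two-stage rule over the last logon date, and the monitoring report is just that rule applied to every user. The following is an added example written for this guide, not code from the original page or from SAP: it derives the action per user from constructed rows in the shape of USR02 (TRDAT is the last logon date, ERDAT the creation date, UFLAG the lock status) and attaches the approvals the answer says are needed to reverse it. Two edge cases a weekly report has to handle are built in: a user who has never logged on is measured from creation date rather than treated as inactive since 1970, and non-dialog IDs (batch, system) are listed for review instead of being locked. The lock-flag value and the field names are assumptions for the example.

```python
"""Inactivity lifecycle: derive lock / role-removal actions from the last logon date."""
from datetime import date

LOCK_AFTER_DAYS = 60            # policy in the answer: lock / expire after 60 days of inactivity
REMOVE_ROLES_AFTER_DAYS = 120   # and remove the roles after 120 days
ADMIN_LOCK_FLAG = 64            # USR02.UFLAG bit "locked by administrator" (assumed for the example)

# Constructed rows in the shape of USR02: BNAME, USTYP (A = dialog, B = system), TRDAT (last
# logon, None if never), ERDAT (creation date), UFLAG (lock status). Rows are invented.
USR02 = [
    {"BNAME": "JSMITH",  "USTYP": "A", "TRDAT": date(2020, 5, 20), "ERDAT": date(2019, 1, 1), "UFLAG": 0},
    {"BNAME": "AJONES",  "USTYP": "A", "TRDAT": date(2020, 3, 15), "ERDAT": date(2019, 1, 1), "UFLAG": 0},
    {"BNAME": "BLEE",    "USTYP": "A", "TRDAT": date(2019, 11, 1), "ERDAT": date(2018, 1, 1), "UFLAG": 64},
    {"BNAME": "NEWHIRE", "USTYP": "A", "TRDAT": None,              "ERDAT": date(2020, 5, 25), "UFLAG": 0},
    {"BNAME": "BATCH01", "USTYP": "B", "TRDAT": None,              "ERDAT": date(2018, 1, 1), "UFLAG": 0},
]

# what has to be approved before the action can be reversed, per the answer above
REINSTATE_APPROVALS = {
    "LOCK": ("manager",),
    "REMOVE_ROLES": ("manager", "functional lead"),
}


def days_inactive(row, today):
    """Days since last logon; a user who never logged on is measured from the creation date."""
    last = row["TRDAT"] or row["ERDAT"]
    return (today - last).days


def lifecycle_actions(usr02, today):
    """Return one (user, days_inactive, action, approvals_to_reverse) tuple per user.

    Only dialog users are subject to the inactivity rule: system / service IDs never log on
    interactively, so they are reported for a manual review instead of being locked.
    REMOVE_ROLES implies the user is (or will be) locked as well, since 120 > 60 days.
    """
    actions = []
    for row in usr02:
        if row["USTYP"] != "A":
            actions.append((row["BNAME"], None, "REVIEW_NON_DIALOG", ()))
            continue
        days = days_inactive(row, today)
        already_locked = bool(row["UFLAG"] & ADMIN_LOCK_FLAG)
        if days >= REMOVE_ROLES_AFTER_DAYS:
            action = "REMOVE_ROLES"
        elif days >= LOCK_AFTER_DAYS:
            action = "ALREADY_LOCKED" if already_locked else "LOCK"
        else:
            action = "OK"
        actions.append((row["BNAME"], days, action, REINSTATE_APPROVALS.get(action, ())))
    return actions


if __name__ == "__main__":
    for entry in lifecycle_actions(USR02, date(2020, 6, 1)):
        print(entry)
```

The output is the weekly list handed to the auditors; the two threshold constants at the top are the only thing to change when a client's policy differs from the 60 / 120 days quoted here.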

What naming convention did you follow for user IDs, and what information was maintained in
the user master?

I have been at multiple SAP customers. Some customers prefer last name plus first initial as
the user ID, but recently more and more customers are using employee ID numbers. We look up
the employee ID from the company portal, which is linked to the company Active Directory.
First name, last name and email address are required fields on the first tab. Then, based on
whether the person is a contractor or an employee, we set the expiry date: typically employees
are set to expire in 10 years and contractors expire based on the contract end date. All users
are assigned to a user group and a valid printer. The standard user parameters are maintained,
and the company provides guidance on updating user parameters.

How many teams were in the company?

We had four main core teams: Sustainment, Development, Configuration and Basis. Each team had
a functional lead. The company was using Finance, Order to Cash, Purchase to Pay, Production
Planning and Human Resources, so we had a team lead for each of these areas.

(Figure: Process Owner → Team Lead → Basis / Functional / Technical)

Which modules did you work on?

We had three SAP Security administrators in our team. I was responsible for supporting the
Finance team and the BW and SRM systems. I handled all the tasks from gathering requirements
from the teams, creating the roles and helping with unit testing, integration testing and user
acceptance testing, to supporting go-live activities such as creating users, adding roles and
fixing any issues within the SAP security process.

P2P: Procure to Pay. O2C: Order to Cash.



(Figure: modules worked: P2P, O2C, FI, CO, HR, Logistics; role design and support)

What was the approval process for adding or removing transactions?

When a user encounters an error because a transaction is not available to him or her, the
security administrator looks up the transaction in SUIM to see whether other roles contain it,
then gets approval from the functional lead to add that role to the user. This approval can be
documented in an email or a ticket; a ticket is better for tracking purposes, and if you have
SAP GRC you can track it as a request in the GRC system. When there is a need to add or remove
transactions from a role, you must discuss it with the functional lead and propose a change
request, which goes through an approval process. Once approved, the change can be implemented
in the SAP system. Before the change is moved to production you must complete testing in the
Development and Quality systems.

(Figure: Change request to make the change → Testing in DEV and QA → Move changes to production → Update documentation)

How did you figure out the object restrictions required for the transactions?

In an SAP ECC system we basically rely on the SU24 entries and the objects populated in the
role when the transaction is inserted. Further high-level restrictions come from the
functional lead, for example movement types, document types, material views, or infotypes /
subtypes. Some customers want to review every role and suggest restrictions for each object;
in that case you must sit with the functional person, review the role and explain the options
available for restriction. This takes time, but you get better control over the role. One of
the key things we must do as SAP Security administrators is document these restrictions so
that people can follow them in future.

What was the process for moving transports into the Quality and Production systems?

As SAP Security administrator I create the transport request and have it peer reviewed by a
team member from the SAP Security or Basis team. If the company uses ChaRM, the request is
created in Solution Manager; otherwise we complete a document with the transport number, the
associated ticket number and an explanation of the issue it resolves. The test lead reviews
the documentation and the test results to confirm everything is complete. Once approved, the
transport is moved from one system to the next by an SAP Basis team member, or in the case of
ChaRM it moves based on the approval.

Any complex issues resolved, like debugging a transaction?



Use of the mass change transaction SU10

The customer wanted to add a role to 5000 users in the system, and then wanted me to remove
the role from 2000 of them. I went to the table AGR_USERS, identified the date on which the
role had been added, picked the users by that date, and used SU10 to remove the role from
those users.

Reinstating profiles removed from users.

Users dropped during transports.

Difference between single roles and composite roles.

Some common problems you resolved: RFC user tracing in SM20, user permissions for batch jobs,
restricting users for BDC authorization, security issues with workflow.

What was the auditing process for user creation and role creation, and how frequent was it?

Did you use CUA?

Did you use SECPOL, and in what instance?

SECPOL is the transaction that gives us the ability to exempt some users from the system-wide
SAP password policy. At one customer we had warehouse workers who were not able to maintain a
15-character complex SAP password and change it every 45 days, so we had to exempt them from
this requirement. We configured a security policy called warehouse worker with a password
length of 8 characters and a password change interval of 90 days, and assigned it to those
users in transaction SU01. We also carefully monitored those users to make sure the exemption
was not being abused: we ran the report in SUIM and submitted it to the auditors.
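A security policy assigned in SU01 overrides the instance-wide profile values attribute by attribute, and the monitoring the answer mentions comes down to two questions: which users run under a weaker policy than the instance default, and do any of them hold access beyond what the exemption was granted for. The following is an added example written for this guide, not code from the original page or from SAP's SECPOL: it computes the effective policy per user from the 15-character / 45-day defaults and the 8-character / 90-day warehouse policy described above, and flags a warehouse user who also holds a Finance role. The attribute names are written to mirror the SECPOL attributes that correspond to login/min_password_lng and login/password_expiration_time, but treat them, the role prefixes and the user rows as assumptions for the example.

```python
"""Effective password policy per user (profile defaults overridden by a SECPOL policy) and an
abuse check for users on a relaxed policy who hold roles outside the exempted group."""

# Assumed for this example: instance profile values as described in the answer, one relaxed
# policy, and the role prefix that the exemption was granted for.
PROFILE_DEFAULTS = {"MIN_PASSWORD_LENGTH": 15, "PASSWORD_CHANGE_INTERVAL": 45}
SECURITY_POLICIES = {
    "WAREHOUSE": {"MIN_PASSWORD_LENGTH": 8, "PASSWORD_CHANGE_INTERVAL": 90},
}
ALLOWED_ROLE_PREFIXES = {"WAREHOUSE": ("Z_WM_",)}

# Constructed users: SECURITY_POLICY as assigned on the SU01 logon tab (None = instance default)
# plus their roles. Rows are invented for the example.
USERS = [
    {"BNAME": "WH0001", "SECURITY_POLICY": "WAREHOUSE", "ROLES": {"Z_WM_PICKER"}},
    {"BNAME": "WH0002", "SECURITY_POLICY": "WAREHOUSE", "ROLES": {"Z_WM_PICKER", "Z_FI_AP_CLERK"}},
    {"BNAME": "JSMITH", "SECURITY_POLICY": None, "ROLES": {"Z_FI_AP_CLERK"}},
]


def effective_policy(user):
    """Profile defaults, with every attribute the assigned policy defines replaced by its value."""
    policy = dict(PROFILE_DEFAULTS)
    if user["SECURITY_POLICY"]:
        policy.update(SECURITY_POLICIES[user["SECURITY_POLICY"]])
    return policy


def weakened_attributes(user):
    """Attributes where the user's effective policy is weaker than the instance default:
    a shorter minimum length or a longer change interval."""
    eff = effective_policy(user)
    weaker = []
    if eff["MIN_PASSWORD_LENGTH"] < PROFILE_DEFAULTS["MIN_PASSWORD_LENGTH"]:
        weaker.append("MIN_PASSWORD_LENGTH")
    if eff["PASSWORD_CHANGE_INTERVAL"] > PROFILE_DEFAULTS["PASSWORD_CHANGE_INTERVAL"]:
        weaker.append("PASSWORD_CHANGE_INTERVAL")
    return weaker


def relaxed_policy_exceptions(users):
    """Users on a relaxed policy whose roles reach beyond what the exemption was granted for.
    Returns (user, policy, roles outside the allowed prefixes)."""
    findings = []
    for u in users:
        name = u["SECURITY_POLICY"]
        if not name:
            continue
        allowed = ALLOWED_ROLE_PREFIXES[name]
        extra = sorted(r for r in u["ROLES"] if not r.startswith(allowed))
        if extra:
            findings.append((u["BNAME"], name, extra))
    return findings


if __name__ == "__main__":
    for u in USERS:
        print(u["BNAME"], effective_policy(u), weakened_attributes(u))
    print(relaxed_policy_exceptions(USERS))
```

The second function is the one to show the auditors: a weaker password policy is acceptable for a picker with warehouse roles only, and the moment such a user also receives a Finance role the exemption, not just the role, needs a second look.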

Tracing transactions in the SAP system:

Today we look at the interview questions that can come up on the tracing functionality in the
SAP system. With tracing we are basically reverse engineering the business transaction: we
want to identify which authorization objects are checked when we execute the transaction.

Question: In what scenarios did you use tracing at the clients you worked for?

(Figure: Tcode list from the TSTCT table → trace each tcode → update SU24 → add tcode to role)

Scenario one: custom transactions

The customer had 455 custom transactions that had to be mapped to roles. The list of custom
transactions was derived from the table TSTCT (alternatively, this information can be obtained
from transaction SE93). We wanted to identify the authorization objects and values required so
we could update SU24 appropriately. This reduces authorization errors and the guesswork on
objects and values when we add a transaction to a role. I used the test scripts developed by
the functional team to execute the transactions and got help from the development team to
complete the transaction execution properly. I completed the tracing of all the transactions
in one week, and it took me 3 more days to update SU24 with the authorization objects and
values. I had all the transactions in one trace file and parsed the file by transaction code.
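The last step of this scenario, parsing one trace file by transaction code into the object, field and value combinations that go into SU24, is the part an interviewer is most likely to ask about. The following is an added example written for this guide, not code from the original page or from SAP: it parses constructed trace lines in a tab-separated layout chosen for the example (the real ST01 / STAUTHTRACE export has a different column layout, so the split would need adjusting) and separates successful checks, which become SU24 proposals, from failed checks, which need a decision before they are added. The transaction codes, user and values in the sample lines are invented; the authorization objects and fields are real ones for goods movements and FI postings.

```python
"""Parse an authorization trace export into per-transaction object/field/value proposals for SU24."""
from collections import defaultdict

# Constructed trace lines in a tab-separated layout chosen for this example:
#   date  time  user  tcode  object  return_code  field=value[,field=value...]
# The real STAUTHTRACE / ST01 export has more columns and different formatting.
SAMPLE_TRACE = """\
20200601\t101502\tTESTUSR1\tZMM_GOODS\tS_TCODE\t0\tTCD=ZMM_GOODS
20200601\t101503\tTESTUSR1\tZMM_GOODS\tM_MSEG_BWA\t0\tACTVT=01,BWART=101
20200601\t101503\tTESTUSR1\tZMM_GOODS\tM_MSEG_WWA\t0\tACTVT=01,WERKS=1000
20200601\t101505\tTESTUSR1\tZMM_GOODS\tM_MSEG_BWA\t4\tACTVT=01,BWART=102
20200601\t102210\tTESTUSR1\tZFI_POST\tS_TCODE\t0\tTCD=ZFI_POST
20200601\t102211\tTESTUSR1\tZFI_POST\tF_BKPF_BUK\t0\tACTVT=01,BUKRS=1000
20200601\t102212\tTESTUSR1\tZFI_POST\tF_BKPF_BUK\t0\tACTVT=01,BUKRS=2000
"""


def parse_trace(text):
    """Return (checks, failures).

    checks[tcode][object][field] is the set of values that passed (return code 0).
    failures lists (tcode, object, {field: value}, rc) for checks that failed: either the
    test user lacked a value the transaction legitimately needs, or the script exercised a
    path the role is not meant to cover. Each one needs a decision, not an automatic entry.
    """
    checks = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, _user, tcode, obj, rc, fields = line.split("\t")
        pairs = dict(p.split("=", 1) for p in fields.split(","))
        if rc != "0":
            failures.append((tcode, obj, pairs, int(rc)))
            continue
        for field, value in pairs.items():
            checks[tcode][obj][field].add(value)
    return checks, failures


def su24_proposals(checks):
    """Flatten successful checks into (tcode, object, field, sorted values) rows.

    S_TCODE is skipped: SU24 derives it from the transaction itself, so proposing it
    would only add noise to the maintenance list.
    """
    rows = []
    for tcode in sorted(checks):
        for obj in sorted(checks[tcode]):
            if obj == "S_TCODE":
                continue
            for field in sorted(checks[tcode][obj]):
                rows.append((tcode, obj, field, sorted(checks[tcode][obj][field])))
    return rows


if __name__ == "__main__":
    ok, failed = parse_trace(SAMPLE_TRACE)
    for row in su24_proposals(ok):
        print(row)
    print("failed checks:", failed)
```

Note that the values collected here are the values the test script happened to use (company codes 1000 and 2000, movement type 101); whether the SU24 proposal should carry those values or be left blank for the role builder to fill per location is exactly the conversation with the functional lead described under "How did you figure out the object restrictions".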

Scenario two: complicated authorization issue

(Figure: trace the user → review the log → look for errors)

The user provides you the SU53 information but still cannot complete the transaction. In this
case the transaction was SOAMANAGER and the user was not getting the Create button on the
screen; SU53 was not providing the right information. The only option is to turn the trace on
and ask the user to execute the transaction. With the old ST01 I had to go to transaction AL08
to see which application server the user was logged on to, then use SM51, which lists all the
application servers in the SAP system, to log on to that same application server and turn on
the trace. This way I can capture the trace: if you are not on the same server, the trace does
not capture the authorization error. With the new STAUTHTRACE that problem has been resolved.
You do not have to worry about which application server the user is logged on to, because the
new transaction can trace authorization checks on all application servers at once.

Scenario three: sensitive transactions

(Figure: list of sensitive tcodes → identify key fields → find out the objects → secure the role)

This was a pharma customer, and I was asked to properly secure the material master, customer
master and vendor master transactions to make sure sensitive information is not displayed. In
the material master we wanted to secure the MRP view, in the vendor master the federal ID
number, and in the customer master the credit card number. We wanted the sensitive
information to be displayed only to certain key users; all other users should not be able to
see it. So I traced the transactions and identified the exact authorization objects and
values. Then we did both positive and negative tests to make sure the transactions were
secured properly. We also made sure test cases were developed so this can be re-tested
whenever a system upgrade or patch affects these transactions.

Scenario four: green field implementation and HR infotypes

(Figure: HR transaction → infotype / subtype → update SU24)

One customer in the automobile industry wanted to build new roles. This was a green field
implementation (a brand new project, for a company that never had SAP before or was using
other ERP software). The SAP Security lead wanted to trace all the change transactions so we
could include the right authorization objects and values. We identified 693 such transactions
out of the 3000 transactions they were supposed to use in the SAP system. We carefully traced
the transactions and updated SU24 appropriately. At one chemical client I had to trace all the
HR-related transactions to identify the infotypes and subtypes needed to secure them properly.
Since HR is tricky to secure, we wanted to make sure we got the authorization object values
right.

Scenario five: new systems with incomplete SU24 data

In most cases, if you are dealing with newer systems like SCM, CRM or BI, the SU24 data is not
up to date, so I had to trace most of the transactions during testing or role creation.

Scenario six: RFC calls and batch IDs

Here we wanted to restrict the user IDs used in RFC connections and batch jobs to the minimum
required access. This was an audit issue, as both IDs had very broad access. We identified the
RFC function modules being called and restricted the S_RFC object to the relevant function
modules.
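Turning the traced function modules into S_RFC values involves one design decision that scenario six leaves implicit: S_RFC can be granted per function group (RFC_TYPE = FUGR) or, on releases that support it, per function module (RFC_TYPE = FUNC), and a group-level grant quietly includes every module in the group, used or not. The following is an added example written for this guide, not code from the original page or from SAP: it takes a constructed list of called modules (with duplicates, as a trace records every call), grants a group at FUGR level only when every module in it was used, and otherwise lists the used modules at FUNC level, then reports which modules the result no longer reaches. The Z function modules, their grouping and the membership of the SRFC group are assumptions for the example.

```python
"""Least-privilege S_RFC values derived from the function modules an RFC user actually called."""
from collections import defaultdict

# Constructed input: the function modules seen in the authorization trace for the RFC user.
# The group membership is assumed for this example; in the system it comes from the function
# module attributes (SE37 / TFDIR). Duplicates are normal, the trace records every call.
CALLED_FUNCTION_MODULES = [
    "RFC_PING", "RFC_SYSTEM_INFO", "Z_SD_ORDER_CREATE", "Z_SD_ORDER_CREATE", "Z_SD_ORDER_READ",
]
FUNCTION_GROUPS = {  # group -> all modules in the group (assumed complete for the example)
    "SRFC": {"RFC_PING", "RFC_SYSTEM_INFO"},
    "ZSD_ORDERS": {"Z_SD_ORDER_CREATE", "Z_SD_ORDER_READ", "Z_SD_ORDER_DELETE"},
}
ACTVT_EXECUTE = "16"  # S_RFC activity "Execute"

# what the audit found: a wildcard, i.e. every function group in the system
BROAD_S_RFC = [("FUGR", "*", ACTVT_EXECUTE)]


def s_rfc_values(called, function_groups):
    """Build S_RFC (RFC_TYPE, RFC_NAME, ACTVT) triples from the modules actually called.

    A group is granted at FUGR level only when every module in it was used; otherwise the
    used modules are granted one by one at FUNC level, so an unused module in the same
    group (here Z_SD_ORDER_DELETE) stays out of reach.
    """
    module_to_group = {fm: grp for grp, fms in function_groups.items() for fm in fms}
    used_by_group = defaultdict(set)
    for fm in set(called):
        used_by_group[module_to_group[fm]].add(fm)
    entries = []
    for group, used in sorted(used_by_group.items()):
        if used == function_groups[group]:
            entries.append(("FUGR", group, ACTVT_EXECUTE))
        else:
            entries.extend(("FUNC", fm, ACTVT_EXECUTE) for fm in sorted(used))
    return entries


def not_reachable(entries, function_groups):
    """Modules that the given S_RFC values do not allow, i.e. the access the restriction removes."""
    all_modules = set().union(*function_groups.values())
    allowed = set()
    for rfc_type, name, _actvt in entries:
        if rfc_type == "FUGR":
            allowed |= (all_modules if name == "*" else function_groups[name])
        else:
            allowed.add(name)
    return sorted(all_modules - allowed)


if __name__ == "__main__":
    new_values = s_rfc_values(CALLED_FUNCTION_MODULES, FUNCTION_GROUPS)
    print(new_values)
    print("removed:", not_reachable(new_values, FUNCTION_GROUPS))
    print("removed by the old wildcard:", not_reachable(BROAD_S_RFC, FUNCTION_GROUPS))
```

Two practical caveats: the SRFC group holds the system calls (RFC_PING, RFC_SYSTEM_INFO and similar) that any RFC logon exercises, so it stays in the authorization even after tightening; and a trace only shows what was called during the window you traced, so a monthly or year-end job that was not running then will fail afterwards, which is why the change goes through testing and the ticket process like any other role change.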

Transactions used for tracing: ST01 (old) and STAUTHTRACE.
