SAP Security & GRC
Complete Notes

Model Answer:

When a user executes any SAP function, the system runs an AUTHORITY-CHECK statement in the ABAP program. First, S_TCODE is checked — if the transaction code is not in the user's roles, access is denied immediately. If S_TCODE passes, SAP checks ALL authorization objects relevant to that transaction against the user's profile values. If ANY object check fails, access is denied. Transaction SU53 shows the exact object, field and required value for the last failed check. The security team uses PFCG to add the missing authorization to the role, generates the profile, and the user logs out and back in to rebuild their user buffer with the new values. The chain is: User action → AUTHORITY-CHECK in ABAP → S_TCODE check → Object checks → Grant or Deny.

Model Answer:

A Single Role contains transactions and authorizations for one specific business function — it generates one profile. A Composite Role combines multiple single roles into one assignment package — it has no authorizations itself, just references. Assigning a composite role assigns all its included single roles simultaneously. A Derived Role inherits its menu and T-code list from a Master Role but has different organizational-level values (company code, plant, sales org). This is the most efficient design for multi-company environments — create the menu once in the master role, derive roles for each org unit with different company code values. Changes to the master role menu automatically propagate to all derived roles.

Model Answer:

Segregation of Duties ensures no single person controls all steps of a critical business process, preventing undetected fraud. Critical SAP examples: P2P — same person creates vendor (FK01) AND processes payment (F110) can create ghost vendors and steal money. Financial — same person posts journal entries AND approves them can manipulate accounts undetected. Security — same person creates users (SU01) AND assigns roles (PFCG) can grant themselves excessive access. SOD is enforced in SAP GRC ARA by comparing user access against a Rule Set of 200+ conflicting function pairs. Violations are categorized as Critical, High, Medium or Low. Critical violations must be remediated; others can be mitigated with compensating controls.

Model Answer:

Firefighter (EAM) provides temporary elevated access for production emergencies with a complete audit trail. Standard process: (1) A production emergency occurs. (2) The user requests a Firefighter ID from the FF Owner — typically via GRC workflow or phone in an emergency. (3) The FF Owner approves and assigns the specific FF ID. (4) The user logs in with the FF ID — every transaction executed and every table accessed is automatically logged. (5) The log is automatically emailed to the FF Controller, who MUST review and acknowledge within 24 hours. This is mandatory — unreviewed logs are an immediate SOX finding. (6) The access is revoked after the emergency is resolved. The key difference from permanent access: every action is logged, a second person (Controller) reviews everything, and access is temporary.

Model Answer:

Five major areas change: (1) Fiori UI — security now requires three layers: traditional PFCG backend roles, OData service activation (/IWFND/MAINT_SERVICE), and Fiori catalog/group assignment (/UI2/FLPD_CONF). All three must be configured. (2) Business Partner — replaces separate Vendor and Customer masters. New authorization objects BP_BPTC and BUPR_BUPA must be added to affected roles. (3) Universal Journal — ACDOCA replaces BKPF/BSEG and other FI/CO tables; some authorization objects changed. (4) T-code deprecation — many classic T-codes replaced by Fiori apps, making T-code-centric roles partly invalid. (5) Embedded Analytics — CDS views introduce new authorization concepts not present in ECC. Best practice: build new roles from scratch for S/4HANA rather than migrating ECC roles.

Model Answer:

Step 1: Ask the user to immediately run SU53 after the error — it captures the exact authorization object, field and required value that was missing. Step 2: Note the failing object (e.g., F_BKPF_BUK, field BUKRS, required value 1000). Step 3: Check the user's roles in SU01 to understand current access. Step 4: Identify which role should contain this authorization based on the user's job function. Step 5: Open the role in PFCG, go to Authorizations tab, find the failing object, and add the correct organizational value. Step 6: Generate the role profile (critical — without generation the change has no effect). Step 7: Ask the user to log out completely and log back in (user buffer refresh). Step 8: Test the original action. Step 9: Document the change with a change management ticket for audit trail. Never make production changes without a change ticket.

Model Answer:

SUIM (User Information System) is SAP's built-in reporting tool for security-related information. Key reports: (1) Users with critical profiles — find all users with SAP_ALL or SAP_NEW (immediate audit findings). (2) Users who can execute a specific transaction — who can run SU01? FB01? (3) Transactions executable by a specific user — what can user JSMITH run? (4) Users assigned to a specific role — who has Z_FI_POSTING_SR? (5) Authorization object values — who has BUKRS=1000 in F_BKPF_BUK? (6) Locked users — list all locked accounts. (7) Dormant users — users who haven't logged in since a date. (8) Role contents — what does role Z_FI_POST contain? SUIM is used by security teams, internal audit and external auditors. Always run SUIM proactively before an audit to identify issues yourself before auditors do.

Model Answer:

Five types: (1) Dialog — standard user for human-initiated interactive work via SAP GUI. Password policy fully applies — expiry, complexity, history. Use for all regular end users. (2) System — for background processing, batch jobs and RFC. Cannot log in interactively. Password expires only on a set date. Use for scheduled jobs and system-to-system interfaces. (3) Communication — for RFC connections between SAP systems. Similar to System but designed for system-to-system calls. (4) Service — allows multiple people to share one ID, typically for internet or portal scenarios. No automatic expiry — requires careful password management. Never assign excessive authorizations. (5) Reference — cannot log in at all. Used as a template to assign a standard profile set to other users. Common mistake: using Dialog users for batch jobs — password expires at 2 AM and the job fails. Always use System users for background processing.