Question.

How can you ensure that a coordinator has the opportunity to review UAR request assignments?

A. Maintain the GRAC_COORDINATOR agent at the approval stage in MSMP Process ID SAP
GRAC_USER_ACCESS_REVIEW

B. Set the Who are the reviewers? parameter for UAR to COORDINATOR

C. Set the Admin review required before sending tasks to reviewers parameter for UAR to YES

D. Schedule the Generate new request for UAR rejected request job

Answers C

Question. 2

You have created a BRFplus Initiator Rule for MSMP Process ID SAP GRAC_ACCESS_REQUEST using
transaction GRFNMW_DEV_RULES. However, the Decision Table was not generated.Where can you
manually create a Top Expression for your rule?

A. Expression

B. Data Object

C. Function

D. Application

Answers A

Question. 3

You are creating an Initiator rule and want to build a condition using header attributes.Which of the
following attributes can you use?Note: There are 2 correct answers to this question.

A. Functional Area

B. Subprocess

C. Prerequisite

D. Company

Answers A D

Question. 4

Which component plug-ins contain SAP Access Control functionality for SAP S/4HANA? Note: There
are 2 correct answers to this question.

A. UIGRAC01

B. GRCPIERP
C. GRCPINW

D. GRCFND A

Answers B C

Question. 5

Which of the following are possible ways to assign emergency access in Emergency Access
Management? Note: There are 2 correct answers to this question.

A. Assign a Firefighter role to a firefighter in SAP Access Control

B. Assign a Firefighter ID to a firefighter owner in SAP Access Control

C. Assign a Firefighter role to a firefighter in a target system

D. Assign a Firefighter ID to a firefighter in SAP Access Control

Answers A D

Question. 6

What are provisioning types that can be used with Auto-Provisioning?Note: There are 2 correct
answers to this question.

A. End of each path

B. Direct

C. End of request

D. Indirect

Answers B D

Question. 7

Which of the following logs can be collected for an Emergency Access Management session?Note:
There are 2 correct answers to this question.

A. SLG1 Application Log

B. Security Audit Log

C. System Log

D. Usage Procedure Log

Answers B C

Question. 8
Which of the following are prerequisites for using the Remediation View to remove a role following
risk analysis? Note: There are 2 correct answers to this question.

A. Role definitions have been maintained in Business Role Management.

B. Process ID SAP_GRAC_ACCESS_REQUEST has been configured.

C. The Role Usage Sync job has been executed successfully.

D. Process ID SAP GRAC_ROLE_APP has been configured.

Answers A B

Question. 9

Which of the following steps are part of the SoD Risk Management Process for rule set
implementation and Access Risk Analysis? Note: There are 3 correct answers to this question.

A. Risk Recognition

B. Role Building and Validation

C. Analysis

D. Remediation

E. Activation

Answers A C D

Question. 10

Which of the following allows you to control how many access requests can be active for a user and
a system at the same time?

A. End User Personalization

B. BRFplus flat rule

C. Stage Details

D. AC Parameter Configuration

Answers A

Question. 11

You are tasked with configuring SAP Access Control to retrieve user and authentication
information.SAP Access Control supports a connector configuration for which of the following
functions?Note: There are 2 correct answers to this question.

A. User Authentication Data Source data type IDM

B. User Detail Data Source data type SU01

D. User Search Data Source data type HR

Answers B D

Question. 12

Which of the following tasks can you complete using the Role Certification process? Note: There are
2 correct answers to this question.

A. Determine if the role is designed correctly

B. Send work item for role review

C. Determine if the role is assigned correctly

D. Send email notification for role review

Answers A D

Question. 13

You want to generate an MSMP rule for MSMP Process ID SAP_GRAC_ACCESS_REQUEST.Which type
of rule can you generate?Note: There are 2 correct answers to this question.

A. Decision Table

B. Function

C. BRFplus Rule

D. Function Module

Answers C D

Question. 14

Which of the following jobs should be executed before you schedule a User Access Review (UAR)?
Note: There are 2 correct answers to this question.

A. Repository Object Sync

B. Generate data for access request UAR review

C. Update Workflow for UAR request

D. Action Usage Sync

Answers A D

Question. 15
It is mandatory for a Firefighter ID to be assigned to which of the following?

A. Firefighter ID Owner and Firefighter ID Controller

B. Firefighter

C. Firefighter ID Controller

D. Firefighter ID Owner

Answers D

Question. 16

Which of the following conditions are contained in the MSMP Workflow Routing Rules delivered by
SAP?Note: There are 2 correct answers to this question.

A. SOD Violation

B. Auto Provisioning Failure

C. Approver Not Found

D. No Role Owner

Answers B C

Question. 17

Which of the following SAP Access Control applications can be mapped to a BRFplus function? Note:
There are 3 correct answers to this question.

A. Notification Variables

B. Service Level Agreements

C. HR Triggers

D. Initiators

E. Request Multiple Rule Set

Answers B C E

Question. 18

The Consolidated Log Report provides data from which of the following?

A. ABAP debug information

B. ABAP trace execution

C. ABAP dump information

D. SQL command execution

Question. 19

In the SAP GRC landscape, which of the following activities must be taken to ensure that an update
to the access risk rule set in the development system will be available for risk analysis in the
production system? Note: There are 2 correct answers to this question.

A. The access risk rules must be downloaded from the development system and uploaded into the
production system.

B. Access risk rules must be generated and inserted into the corresponding tables in the production
system.

C. Each change to a Function ID or Risk ID must be saved to its own transport request and imported
into the access risk rule set in the production system.

D. The connector to the production system must be configured as the Production Environment
under Access Control -> Maintain Connector Settings.

Answers A B

Question. 20

You want to confirm the identity of an approver when processing an access request.Which MSMP
Workflow stage configuration option can you use?

A. Confirm Approval

B. Comments Mandatory

C. Approval Level

D. Reaffirm Approval

E. You are creating a mitigating control.

Answers D

Question. 21

How do you specify on which system and client the control is executed?

A. Assign an approver or monitor from the desired system

B. Assign a risk definition to the control for the desired system

C. Assign one or more reports to the control from the desired system

D. Assign a rule set for the desired system

Answers B
Question. 22

Which methods can be used to notify a controller of a new EAM session log?Note: There are 2
correct answers to this question.

A. Email

B. Log Display

C. Support Message

D. Workflow

Answers A B

Question. 23

You want to configure SAP Access Control to generate alerts to help manage compliance.What are
the available alert capabilities that can be configured?Note: There are 3 correct answers to this
question.

A. Identify a control monitor who has failed to execute defined reports in a timely fashion.

B. Identify a user who has executed conflicting functions and open a support desk message.

C. Identify a user who has executed a critical action and generate an email notification.

D. Identify a user who has executed conflicting functions.

E. Identify a user who has executed a critical action and open a support desk message.

Answers A C D

Question. 24

SAP Governance, Risk and Compliance solutions are organized along 4 key themes.Which of the
following are key themes?Note: There are 3 correct answers to this question.

A. Audit Management

B. Cybersecurity and Data Protection

C. Enterprise Risk and Compliance

D. Access Governance

E. Business Integrity Screening

Answers B C D

Question. 25
You want to enable a workflow approval process for changes to the master data for the Access Risk
Analysis environment.For which of the following can you enable an approval workflow?Note: There
are 2 correct answers to this question..

A. Mitigation Assignment

B. Function

C. Mitigating Control

D. Role

Answers B C

Question. 26

Which of the following activities can you do in Emergency Access Management (EAM)? Note: There
are 2 correct answers to this question.

A. Display a log file of performed activities

B. Maintain EAM master data in the back-end system

C. Perform tasks outside of the normal responsibilities

D. Log on to the Firefighter ID directly with a password

Answers B C

Question. 27

What can you use a custom end-user personalization configuration for?Note: There are 3 correct
answers to this question.

A. To assign it to the standard access request

B. To determine fields shown in a workflow item

C. To assign it to an access request template

D. To restrict a user's ability to approve their own requests

E. To determine roles that can be assigned on a request

Answers A B C

Question. 28

Which of the following are functions of the SAP Access Control solution?Note: There are 2 correct
answers to this question.

A. Privilege Monitoring

B. Issue Management
C. Manual Control Effectiveness

D. Role Provisioning

Answers A D

Question. 29

You want to configure Password Self Service (PSS) to allow your end users to reset their password
and process changes to their name.Which of the following actions are required before PSS can be
used?

A. Activate PSS manually for each target connector group in activity Maintain Connectors and
Connection Types.

B. Activate PSS manually for each target connector in activity Maintain Connector Settings.

C. Activate PSS for User Authentication Data Source in activity Maintain Data Source Configuration.

D. Map the PSS Application to a BRFplus function ID in activity Maintain AC Applications and BRFplus
Function Mapping.

Answers A B

Question. 30

Which of the following items are mandatory for creating an access request template?Note: There
are 2 correct answers to this question.

A. Access Details

B. Name

C. Role Assignment

D. EUP ID

Answers B D

Question. 31

Activation of which of the following BC Sets is a prerequisite for activating the

A. GRAC_RA_RULESET_SAP_BASIS

B. GRAC_RA_RULESET_COMMON

C. GRAC_RA_RULESET_SAP S4HANA_ALL

D. GRAC_RA_RULESET_SAP HANA

Answers B
Question. 32

In Business Role Management, which of the following actions can be incorporated and enforced in a
Role Methodology?Note: There are 3 correct answers to this question.

A. Mitigation

B. Provisioning

C. Testing

D. Derivation

E. Certification

Answers C D E

Question. 33

Which of the following settings can be configured in both the global and system-specific provisioning
configurations?Note: There are 3 correct answers to this question.

A. Role Delimit Hours

B. Override Assignment Type

C. Account Validation Error

D. Deactivate Password

E. Send Password

Answers A C D

Question. 34

You have been asked to change the email message delivered to an end user when their access
request is rejected.Which of the following actions should you do?Note: There are 3 correct answers
to this question.

A. Replace the SAP standard document object for the message class with a custom document
object.

B. Define a custom notification template in table GRFNVNOTIFYMSG.

C. Update the required text for the standard document object.

D. Configure the Notification Event for all relevant paths and stages in MSMP Workflow.

E. Update the required text using a copy of the standard document object.

Answers B D E
Question. 35

Which of the following represent an Agent Type within MSMP Workflow configuration? Note: There
are 2 correct answers to this question.

A. User Group in SU01

B. Approval

C. PFCG Roles

D. Notification

Answers A C

Question. 36

You are using the End User Login Page link configured in SAP Access Control.What options are
provided for you to use?Note: There are 3 correct answers to this question.

A. Submit a Template Request

B. Review role assignments

C. Create a Simplified Access Request

D. Specify Approver Delegation

E. Register Security Questions

Answers A B E

Question. 37

Which of the following are Service Level Agreement time frame options? Note: There are 2 correct
answers to this question.

A. Fixed by number of days

B. Fixed bi-weekly

C. Fixed by Month

D. Fixed by Date

Answers A D

Question. 38

Which of the following standard roles does SAP deliver for use by the EAM Owner or EAM Controller
or both?Note: There are 2 correct answers to this question.

A. SAP_GRIA_SUPER_USER_MGMT_ADMIN
B. SAP_GRAC_SPM_FFID

C. SAP_GRIA_SUPER_USER_MGMT_USER

D. SAP_GRAC_SUPER_USER MGMT_CNTLR

Answers A D

Question. 39

Which of the following reviewer options does SoD Review support?

A. Manager and Role Owner

B. Manager or Role Owner

C. Manager or Risk Owner

D. Manager and Risk Owner

Answers C

Question. 40

Which of the following are required to create a role in SAP Access Control? Note: There are 3 correct
answers to this question.

A. Business Process

B. Role Methodology

C. Project Release

D. Naming Convention

E. Owners/Approvers

Answers A C D

Question. 41

Which of the following Business Configuration (BC) sets configure a connector group in SAP Access
Control?Note: There are 3 correct answers to this question.

A. GRAC_RA_RULESET_PSOFT

B. GRAC_ACCESS_REQUEST_APPL_MAPPING

C. GRAC_RA_RULESET_BASIS

D. GRAC_RA_RULESET_COMMON

E. GRAC_ROLE_MGMT_LANDSCAPE

Answers A C E
Question. 42

You want to generate a BRFplus Initiator Rule that utilizes an expression of type Decision Table for
the SAP GRAC_ACCESS_REQUEST MSMP Process ID.Which rule types can you use?Note: There are 2
correct answers to this question.

A. BRFplus Rule

B. Function Module Based Rule

C. Class Based Rule

D. BRFplus Flat Rule

Answers A C

Question. 43

Your compliance team requires that all changes to access rules be auditable in the SAP Access
Control application.Which of the following change logs do you enable?Note: There are 3 correct
answers to this question.

A. Role

B. Function

C. Access Rule

D. Critical Role

E. Rule Set

Answers B C E

Question. 44

You want to create an Initiator rule in BRFplus that will route a request to a path and a specific
approver based upon the role Business Process.Which of the following structures contains the
attribute you need?

A. GRFN_MW_S_AGENT_ID

B. GRAC_S_BRF_ROLE_ATT

C. GRAC_DT_REQUEST_FIELD_LABELS

D. GRAC_S_REQUEST_RULE_LINE

Answers D

Question. 45
Which of the following must be specified when defining a mitigating control? Note: There are 2
correct answers to this question.

A. Organization

B. Report

C. Control ID

D. Risk Owner

Answers A C

Question. 46

You are maintaining the Mapping for Actions and Connector Groups activity in Customizing.Which of
the following events should be mapped to the target development system as default when using
Business Role Management?Note: There are 2 correct answers to this question.

A. Role Generation

B. Authorization Maintenance

C. Role Risk Analysis

D. Provisioning

Answers A B

Question. 47

Why might you integrate Business Role Management with Business Rules Framework? Note: There
are 2 correct answers to this question.

A. Determine role methodology

B. Determine role owner

C. Determine role naming convention

D. Determine role type

Answers A B

Question. 48

You are configuring a BRFplus flat rule and you enter the context parameter ITEMNUM into the
LINE_ITEM_KEY field in the result set.When the rule is executed, how will line item data be used
when calculating a rule result?

A. It is evaluated individually.

B. It is averaged.
C. It is compared to other line items.

D. It is aggregated.

Answers A

Question. 49

You want to use the User Analysis Dashboard to evaluate Segregation of Duties violations after your
most recent batch risk analysis has completed. However, when reviewing the data you realize that
the dashboard does not display all of your current users.What do you need do to correct the
problem?

A. Execute the Authorization Synch and then re-execute the user level batch risk analysis.

B. Execute the Action Usage Sync followed by the Role Usage Sync and then re-execute the user
level batch risk analysis.

C. Execute the Repository Object Sync and then re-execute the user level batch risk analysis.

D. Execute the user level batch risk analysis again and remove any exclude objects.

Answers C

Question. 50

You are configuring your MSMP Workflow path and you want to allow an approver to decide which
type of provisioning should occur upon approval.Which configuration options provide this
capability?Note: There are 2 correct answers to this question.

A. Set stage task setting to Override Assignment Type

B. Set global provisioning option for auto-provisioning to manual provisioning

C. Set stage task setting to Allow Manual Provisioning

D. Set system provisioning option for auto-provisioning to manual provisioning

Answers A C

Question. 51

Which of the following SAP Fiori business catalogs are delivered for SAP Access Control? Note: There
are 2 correct answers to this question.

A. SAP_GRC_BC_SCRTYMGR_T

B. SAP_GRC_BC_CMPLNCMGR_T

C. SAP_GRC_BC_COMMRG_T

D. SAP_GRC_BC_COMSPL_T
Answers A B

Question. 52

Which of the following reviewer options does User Access Review support?

A. Manager and Role Owner

B. Manager or Risk Owner

C. Manager or Role Owner

D. Manager and Risk Owner

Answers C

Question. 53

You have created a transportable Initiator BRFplus Flat Rule.Which of the following must be active in
BRFplus for MSMP Workflow to utilize your new rule?Note: There are 2 correct answers to this
question.

A. Expression

B. Path

C. Package

D. Application

Answers A D

Question. 54

SAP delivers multiple MSMP Process IDs. You want to implement an MSMP Workflow that targets
your SAP S/4HANA system.Which BC set do you need to activate as a prerequisite?

A. OBC Set GRC MSMP CONFIGURATION

B. BC Set GRAC_ROLE_MGMT_LANDSCAPE

C. BC Set GRAC_DT_REQUEST_DISPLAY_SECTIONS

D. BC Set GRAC_RA_RULESET_S4HANA_CORE

Answers D

Question. 55

What are condition groups used for in Business Role Management?Note: There are 2 correct
answers to this question.
A. Role Owners

B. Organizational Value Mapping

C. Role Naming Convention

D. Role Methodology

Answers A D

Question. 56

How can you make sure that a risk analysis is performed when you use access request
management?Note: There are 2 correct answers to this question.

A. Set the Enable Risk Analysis Form on Submission parameter to Yes

B. Configure the MSMP workflow path to require a risk analysis

C. Set Enable Offline Risk Analysis parameter to Yes

D. Configure the MSMP workflow stage to require a risk analysis

Answers A D

Question. 57

Which of the following rule sets are delivered in SAP Access Control? Note: There are 3 correct
answers to this question.

A. GRAC_RA_RULESET_SAP_HANA

B. GRAC_RA_RULESET_COMMON

C. GRAC_RA_RULESET_JDE

D. GRAC_RA_RULESET_ERP

E. GRAC_RA_RULESET_S4HANA

Answers A B C

Question. 58

Which of the following are prerequisites for scheduling a Role Usage Sync in SAP Access Control?
Note: There are 2 correct answers to this question.

A. GRCPIERP plug-in has been deployed on target system.

B. An action usage sync has been completed.

C. An authorization sync has been completed.

D. GRCPINW plug-in has been deployed on target system.

Question. 59

You want to deploy the End User Logon Page for your users.Which of the following actions must you
perform for this page to be available?Note: There are 2 correct answers to this question.

A. Activate Web Dynpro service.

B. Activate End User Logon for each target connector.

C. Maintain target system RFC Destination.

D. Configure default user for application logon.

Answers A D

Question. 60

Business Role Management provides which of the following standard reports?Note: There are 3
correct answers to this question.

A. Embedded Action Calls in Programs of SAP System

B. User by Logon Date and Password Change

C. Role Relationship with User/User Group

D. PFCG Change History

E. Transactions Executable for User

Answers C D E

Question. 61

You want to configure your MSMP Workflow stage definition to ensure that a workflow request that
has NOT been processed after a certain period of time can be escalated and approved by another
approver.Which of the following options can you use to configure escalation?Note: There are 3
correct answers to this question.

A. Skip to Next Stage

B. Maintain Fallback Receiver

C. Use Defaults

D. Define an Alternate Approver

E. Escalate to Specified Agent

Answers A C E
Question. 62

You want to use Access Request Management to provision access in a target system.Which of the
following actions are required before access can be provisioned using an access request?Note: There
are 2 correct answers to this question.

A. Maintain Global Provisioning Configuration

B. Maintain custom End User Personalization settings

C. Import role definitions in Business Role Management

D. Maintain System Provisioning Configuration

Answers A D

Question. 63

Which of the following represent a Rule Kind when configuring MSMP Workflow?Note: There are 2
correct answers to this question.

A. Function Module

B. Notification Variable

C. Agent

D. Decision Table

Answers B C

Question. 64

In which order does GRAC_REPOSITORY_OBJECT_SYNC execute the following programs?

A. 1. Role Sync 2. Profile Sync 3. User Sync 4. Role Search Sync

B. 1. Profile Sync 2. Role Sync 3. User Sync 4. Role Search Sync

C. 1. User Sync 2. Role Sync 3. Role Search Sync 4. Profile Sync

D. 1. Profile Sync 2. Role Sync 3. Role Search Sync 4. User Sync

Answers B

Question. 65

Which of the following are required for delivery of the EAM session logs to the controller via the
Firefighter Log Report Review Workflow? Note: There are 3 correct answers to this question.

A. Execution of the Firefighter Log Synch

B. Execution of the Firefighter Workflow Synch

D. Configuration of the Agent ID GRAC_SPM_CNTL_AGENT

E. Assignment of a EAM Owner ID

Answers A B D

Question. 66

You are maintaining an initiator rule in MSMP Workflow.Which of the following must you
specify?Note: There are 2 correct answers to this question.

A. Notification Rule

B. Rule Result

C. Process Initiator

D. Rule Type

Answers B C

Question. 67

In Role Reaffirm, which of the following can review role assignments?

A. Risk Owner

B. Manager

C. Assignment Approver

D. Content Approver

Answers C

Question. 68

You want to create a transportable BRFplus Routing Rule for MSMP Process ID
SAP_GRAC_ACCESS_REQUEST using transaction GRFNMW_DEV_RULES.What must be done in order
for your rule to be transportable?

A. You must assign a package to the Function before you generate the rule.

B. You must assign a package to the Function after you generate the rule.

C. You must assign a package to the Application after you generate the rule.

D. You must assign a package to the Application before you generate the rule.

Answers B
Question. 69

Where can you use a custom field in SAP Access Control?Note: There are 2 correct answers to this
question.

A. End User Personalization

B. Agent Rule

C. Simplified Access Request

D. Control Definition

Answers B C

Question. 70

When would it be necessary to define a subsequent connector?Note: There are 2 correct answers to
this question.

A. When you are defining a cross-system risk

B. When component GRCFND_A requires multiple SAP NetWeaver instances

C. When all resources are NOT available on a specific connector

D. When the SAP Fiori launchpad for a target system connects to a central gateway

Answers C D

Question. 71

How can the data synchronized with GRAC_AUTH_SYNCH be used? Note: There are 2 correct
answers to this question.

A. To populate authorization object text descriptions

B. To define roles in Business Role Management

C. To populate the Role Analysis Dashboard

D. To define a new function

Answers A D

Question. 72

You are implementing Access Request Management.Which integration scenarios should you assign
to the target connector?

A. O PROV, AUTH

B. PROV, ROLMG, SUPMG, AUTH

D. O PROV

Answers D

Question. 73

You have configured a workflow to require an approval for updates to a function that is contained
within a delivered SAP risk.What else must you do enable the approval process?

A. Activate the SAP GRAC_RISK_APPR MSMP Process ID.

B. Set the 1064 Function Maintenance parameter to YES.

C. Set the 1063 Risk Maintenance parameter to YES.

D. Activate the SAP GRAC_FUNC_APPR MSMP Process ID.

Answers B

Question. 74

Which of the following solutions are delivered in component GRCFND_A?Note: There are 2 correct
answers to this question.

A. SAP Risk Management

B. SAP Access Control

C. SAP Global Trade Services

D. SAP Audit Management

Answers A B

Question. 75

Which of the following are required to enable Centralized Emergency Access Management
(EAM)?Note: There are 2 correct answers to this question.

A. Set the Application Type parameter for Emergency Access Management to value ID in SAP Access
Control

B. Set the Application Type parameter for Emergency Access Management to value Role in the
target system GRC plug-in.

C. Set the Enable Decentralized Firefighting parameter for Emergency Access Management to YES

D. Set the Enable Decentralized Firefighting parameter for Emergency Access Management to NO

E. You are configuring the role of connectors in a landscape.

Answers A D
Question. 76

When mapping Action 004 Provisioning, what must you ensure?

A. All connectors in the landscape using provisioning must be mapped to Action 004 Provisioning
with one connector marked as Default.

B. All connectors in the landscape using provisioning must be mapped as Default to Action 004
Provisioning as Default

C. All connectors in the landscape must be mapped to Action 004 Provisioning

D. All connectors classified as Production that are mapped to the PROV Integration Scenario must
be mapped to Action 004 Provisioning.

Answers A

Question. 77

Which of the following components deliver SAP Fiori applications for SAP GRC solutions? Note:
There are 2 correct answers to this question.

A. SAP_UI

B. UIGRAC01

C. UIGRRMPC

D. UIBAS001

Answers B C

Question. 78

Which of the following are prerequisites for implementing Emergency Access Management?Note:
There are 2 correct answers to this question.

A. Users and roles that are used for firefighting activities have been created for the SAP Access
Control system.

B. System-specific Firefight roles have been configured in the SAP Access Control customizing
settings.

C. Users and roles that are used for firefighting activities have been created in the target system.

D. The repository object sync has been completed.

Answers B C

Question. 79
Business Role Management provides which of the following capabilities?Note: There are 3 correct
answers to this question.

A. Facilitate role creation at the function level

B. Enable role level emergency access

C. Align role definitions with business processes

D. Enforce real time risk analysis during role certification

E. Standardize methodology for role assignment

Answers C D E

Question. 80

You are updating an MSMP Workflow. You want the update to apply to both new and existing
requests that have not yet been processed.What must you configure to achieve this result?

A. Task Settings

B. Stage Details

C. EUP

D. Access Request Validation Parameters

Answers A