
Q: As an organization increases its collaboration with partners and suppliers, the
consequences of organizational fragmentation diminish.
1. True
2. False
A: 2

Q: SAP's GRC solution embeds GRC into the way companies do business and into every
business process.
1. True
2. False
A: 1

Q: Which of the following statements are true?
1. Analyze and Manage Risk can utilize workflow for changes to control master data and
control assignments
2. Access Request Management and Business Role Management use different tables for role
information
3. Access Request Management will allow for a user to be assigned to a mitigation for a
risk
4. Emergency Access Management can utilize Analyze and Manage Risk to show where a
firefighter may have completed both sides of a SoD risk
A: 1,3,4

Q: The unified compliance platform allows complete management of all risks and controls
from a single environment.
1. True
2. False
A: 1

Q: You can find access violations in Process Control and mitigate them with controls that
were documented and certified in Access Control.
A: False

Q: The information architecture leverages the same work centers and navigation across the
GRC solution rather than completely separating the components.
A: True

Q: In which of the work centers below can you create and maintain organizations?
Choose the correct answers.
1. Setup
2. My Home
3. Rule Setup
4. Master Data
A: 1, 4

Q: Uncontrolled assignment of excessive authorizations can result in users being able to
initiate fraud.
A: True

Q: Which of the following sets of activities should be segregated?
Choose the correct answers.
1. Modify payroll master data and process payroll
2. Change employee HR benefits and process payroll
3. Enter time data and print salary statements to a secured printer
4. Modify time data and modify salary information
A: 1,2

Q: Which of the following items combine to form a rule?
Choose the correct answers.
1. Rule Set
2. Functions
3. Business Rules
4. Risks
A: 2,3,4

Q: What is the purpose of the tasks performed during Phase Two of the SoD Risk
Management process (Analyzing, Remediating, and Mitigating Risk)?
Choose the correct answers.
1. Identify authorization risks in business processes
2. Build and validate rules
3. Provide business process analysts and owners with alternatives for correcting or
eliminating risks
4. Ensure ongoing compliance
A: 3

Q: Continuous compliance involves maintaining compliance and segregation of duties in an
ongoing fashion.
Choose the correct answers.
1. True
2. False
A: 1

Q: Which of the following common components are shared with Process Control and Risk
Management?
Choose the correct answers.
1. Master Data
2. Workflow
3. Role Mining
4. Superuser Access Management
5. Reports and Dashboards
A: 1,2,5

Q: Which of the following statements are true about the GRC 10.0 Architecture and
landscape?
Choose the correct answers.
1. Access Control, Process Control and Risk Management are contained in one ABAP add-on
called GRCFND_A
2. Access Control, Process Control and Risk Management are contained in three ABAP add-
ons called GRCFND_A, GRCFND_R, and GRCFND_P
3. Content Lifecycle Management (CLM) contains functions for transporting GRC business
data, for example AC Rules or PC Controls
4. GRC configuration/customizing is transported using the standard ABAP transport System
A: 1,3,4

Q: Object-level security allows you to limit access by:
Choose the correct answers.
1. Function
2. Risk
3. User
4. Any authorization objects available in Firefighter
5. Any authorization objects available in Role Maintenance
A: 1,2,3,5

Q: If you use Access Control 10.0 with other GRC solutions, you can leverage this
functionality to: Choose the correct answers.
1. Manage PFCG roles used with GRC
2. Create Process Control or Risk Management users
3. Assign GRC PFCG roles to users
4. Perform SoD analysis for PFCG role authorizations
5. Perform SoD analysis for entity-level authorization
A: 1,2,3,4

Q: Which of the following Integration scenarios apply to Access Control?
Choose the correct answers.
1. AUTH
2. PROV
3. RISKMG
4. ROLMG
5. SUPMG
A: 1,2,4,5

Q: RFC is an interface for communication between SAP client and server to external
programs and data and can enable function calls to SAP systems or external systems.
Choose the correct answers.
1. True
2. False
A: 1

Q: Creating connectors is a Customizing activity that allows you to create Remote Function
Call (RFC) destinations.
A: True

Q: In Business Role Management, which of the following actions are associated with the four
phases for which you need to assign a connector?
Choose the correct answers.
1. Role Generation
2. Role Risk Analysis
3. Authorization Maintenance
4. Provisioning
5. Superuser Designation
6. HR Triggers
A: 1,2,3,4,6

Q: Business processes and subprocesses are attributes that you can assign to specific roles.
A: True

Q: BC sets are used for Customizing entries in Access Control.
A: True

Q: You must activate BC sets in clusters for each IMG node.
A: False

Q: Which transaction do you execute to run program GRAC_PFCG_AUTHORIZATION_SYNC?
A: GRAC_AUTH_SYNC

Q: In which of the following modes can the program GRAC_REPOSITORY_OBJECT_SYNC be
executed?
Choose the correct answers.
1. Full Sync Mode
2. Partial Sync Mode
3. Incremental Sync Mode
4. Sequential Sync Mode
A: 1,3

Q: Which of the following programs are included in Repository Object Sync?
Choose the correct answers.
1. GRAC_ROLEREP_PROFILE_SYNC
2. GRAC_ROLEREP_ROLE_SYNC
3. GRAC_ROLEREP_OWNR_SYNC
4. GRAC_ROLEREP_USER_SYNC
A: 1,2,4

Q: Which of the following usage types are synchronized with the Access Control Repository?
Choose the correct answers.
1. User
2. Action
3. Log
4. Role
A: 2,4

Q: Which transaction is used to define background jobs?
Choose the correct answers.
1. SM59
2. SM63
3. SM24
4. SM36
A: 4

Q: Which Start Condition must be selected in order to schedule periodic jobs?
Choose the correct answers.
1. Immediate
2. Date/Time
3. After Job
4. After Event
A: 1,2

Q: Which of the following statements are true about BRFplus rule types? Choose the correct
answers.
1. BRFplus rules can evaluate a request, including individual line items, but the request will
stay intact as a whole
2. BRFplus rules can evaluate a request, but not the individual line items, and the request will
stay intact as a whole
3. BRFplus Flat Rules can evaluate individual line items, but cannot direct each line individually
4. BRFplus Flat Rules can evaluate individual line items and can direct each line individually
A: 1,4

Q: BRFplus is a Business Rules Management System for ABAP applications.
A: True

Q: There can only be one of these rules for each Process ID in MSMP configuration. Choose
the correct answers.
1. Initiator Rule
2. Agent Rule
3. Routing Rule
4. Service Level Agreements Rule
A: 1

Q: To begin setting up a workflow-related MSMP rule, first create the decision table and
then create the BRFplus objects.
A: False

Q: It is recommended to generate each BRFplus Rule ID (Function) to its own unique BRFplus
application.
A: True

Q: The Business Rules Framework is defined in the IMG, using the BRFplus Workbench.
A: True

Q: The Top Expression is the framework for the rule conditions and result.
A: True

Q: Which of the following prerequisites are required?
Choose the correct answers.
1. Perform Automatic Workflow Customizing
2. Activate Event Linkage for AC workflows
3. Define Employee Types
4. Maintain Provisioning Settings
A: 1,2,4

Q: Which of the following are maintained in the Process Global Settings activities?
Choose the correct answers.
1. Identify paths and stages for the Process ID
2. Selection of the Process ID
3. Submission and closing notifications
4. Escape routes for the specific Process ID
A: 2,3,4

Q: Although the work areas for customizing MSMP workflow are numbered, they do not
need to be performed in sequential order.
A: True

Q: You must select a Process ID in the Process Global Settings work area before moving to
a related work area.
A: True

Q: What is the term for the methods used to determine the rules?
Choose the correct answers.
1. ABAP Programs
2. Function Modules
3. BRFplus Flat Rules
4. Rule Types
A: 4

Q: Rules determine results that are to be utilized during the execution of the workflow.
A: True

Q: Defining Approvers in the Maintain Agents work area means that:
Choose the correct answers.
1. The approver can then be assigned to any workflow stage as an approver
2. The approver can then be assigned to one particular stage as an approver
3. The approver can then be assigned to any workflow stage as someone to be notified in
the specific Process ID
4. The approver can then be assigned to any workflow stage as someone to be notified in any
Process ID
A: 1,3

Q: If you select the Agent Type PFCG Roles, this means that all users who have the PFCG
role in their user buffer will be the agent.
A: True

Q: Which of the following statements are true about maintaining Notification Variables and
Templates?
Choose the correct answers.
1. Maintain templates by choosing work area 4: Variables & Templates
2. Add a notification template by executing transaction SE61
3. Maintain message variables in work area 4: Variables & Templates
4. The document class for notification templates is Special Text
A: 3

Q: Work Area 5: Maintain Paths includes configuration settings for which of the following?
Choose the correct answers.
1. Maintaining Paths for a Process ID
2. Maintaining Stages for a path
3. Specifying Escape Routes
4. Maintaining Agent IDs
5. Maintaining Recipient IDs
A: 1,2,3

Q: Which of the following statements are correct?
Choose the correct answers.
1. Stage Task Settings override Stage Detail Settings made on the Maintain Path screen.
2. Stage Detail Settings made on the Maintain Path screen override Stage Task Settings
3. Stage Task Settings contain stage default settings
4. Stage Detail Settings contain stage default settings
A: 2,3

Q: Which of the following statements are true about route mapping for MSMP workflow?
Choose the correct answers.
1. Route mapping connects the Rule ID and Rule Result Value to the Path ID that is to be
executed
2. Initiator or Routing rules must already be listed in work area 2: Maintain Rules
3. Detours are only available for a limited number of conditions and cannot be based on
request or line items
4. No routing rules are delivered in the BC set; all must be created
A: 1,2

Q: Generating workflow versions enables the ability to change the workflow configuration
while there are other active running paths.
A: True

Q: You can activate the new workflow version even if there are warnings in the log file.
A: True

Q: Which application components can share a common organization hierarchy?
Choose the correct answers.
1. Access Control and Process Control only
2. Access Control and Risk Management only
3. Process Control and Risk Management only
4. Access Control, Process Control, and Risk Management
A: 4

Q: From which Access Control work center can you view the organization hierarchy?
A: Setup

Q: Mitigating controls are stored in separate locations for Access Control, Process Control,
and Risk Management.
A: False

Q: Which of the following are ways to create a mitigating control within GRC 10.0?
Choose the correct answers.
1. Directly within Access Control
2. When you execute a User Risk Analysis
3. From the User Risk Analysis result view
4. From Process Control within Business Processes
5. From Process Control within Rule Setup
A: 1,3,4

Q: When uploading SoD rules, you must append and not overwrite existing data.
A: False

Q: Which of the following parameter groups are configured for Analyze and Manage Risk?
Choose the correct answers.
1. Change Log
2. Mitigation
3. Risk Analysis
4. Workflow
5. Superuser Management
A: 1,2,3,4

Q: Which of the following are allowable actions when managing SoD rules?
Choose the correct answers.
1. Generate SoD rules
2. Delete SoD rules
3. Segregate SoD rules
4. Transport SoD rules
A: 1,2,4

Q: Functions are the building blocks for risks, so any changes in functions will have a direct
effect on the access rule set.
A: True

Q: The addition of new functions or changes to existing functions must use the standard
workflow for approvals.
A: False

Q: Which of the following can be viewed in a Change Log report?
Choose the correct answers.
1. Old and New values
2. The person who made the changes
3. The date the changes were made
4. Configuration parameters for component tracking
A: 1,2,3

Q: You can run only one risk analysis at a time.
A: False

Q: In a report, you can drill down on functions to see the user ID of the user who modified
a risk.
A: True

Q: In which order should you perform the following remediation steps?
Match items from 1st column to the corresponding item in 2nd column.
A. Analyze access rights for individual users
B. Identify risks in composite roles
C. Identify risks in single roles
A: CAB

Q: The purpose of remediation is to correct or eliminate SoD violations.
A: True

Q: Multiple systems can be chosen while creating a mitigating control.
A: False

Q: With system-specific mitigation, if User 1 is mitigated for Risk A in three systems, then
User 2 must be mitigated for Risk A in the same three systems.
A: False

Q: Which of the following are true statements?
Choose the correct answers.
1. Mass Mitigation allows you to mitigate multiple risks at once while viewing an Access
Risk Analysis report.
2. Mass Mitigation is not available for customers that do not use System Level Mitigation
3. Mass Mitigation is available for customers that do not use Rule ID Level Mitigation
4. Mass Mitigation increases the risk of user error
A: 1,3

Q: A wild card (*) in the System field means that the mitigation assignment applies to all
systems.
A: True

Q: Which of the following are valid Firefighter Application Types?
Choose the correct answers.
1. Role Based Firefighter Application
2. Function Based Firefighter Application
3. ID Based Firefighter Application
4. Owner Based Firefighter Application
A: 1,3

Q: The purpose of EAM is to allow users to take responsibility for tasks outside their normal
job function by allowing temporary broad, but regulated, access.
A: True

Q: In ID Based scenarios, firefighters must logon to individual client systems to do
firefighting.
A: False

Q: Before firefighters can do centralized firefighting, EAM must be configured in the IMG
with an Application Type of 1 for Parameter 4000.
A: True

Q: It is mandatory for a Firefighter ID/Firefighter Role to be assigned to the owner before
further assignments are made, such as for Firefighter Controller.
A: True

Q: Only one firefighter can be assigned to a single ID/role.
A: False

Q: In which order must the following steps be performed to configure a Firefighter ID?
Match items from 1st column to the corresponding item in 2nd column.
A. Create Reason Codes
B. Maintain Access Control Owners
C. Assign a Firefighter ID to Controllers and Firefighters
D. Assign an owner to a Firefighter ID
A: B D C A

Q: The assignment for all systems to which the ID/role has access is done from the Setup
work center.
A: True

Q: Where do you maintain reason codes?
Choose the correct answers.
1. In the Setup work center under Superuser Maintenance
2. In the ABAP client
3. In the Setup work center under Superuser Assignment
4. In the remote client system
A: 1

Q: Where do you execute a Firefight session?
Choose the correct answers.
1. In the Setup work center under Superuser Maintenance
2. In the ABAP client
3. In the Setup work center under Superuser Assignment
4. In the remote client system
A: 2

Q: One reason code can be created and assigned to multiple client systems.
A: True

Q: A plug-in handles the procedure for getting data from the client system by fetching the
data and then filtering it into a readable format.
A: True

Q: Log Collector fetches data from the remote client system.
A: True

Q: The Log Collection job must be executed in the background.
A: False

Q: Log reports can be launched under Superuser Management Reports in the Reports and
Analytics work center, as well as from the Consolidated Log Report.
A: True

Q: Which of the following statements are true about Role Management?
Choose the correct answers.
1. Role attributes are details that define a role during the role definition and creation
process
2. During configuration, you determine values for each attribute
3. During configuration, you assign role attributes to new roles
4. During role creation, you assign the attributes you configured in the IMG
5. During role creation, you determine values for each attribute
A: 1,2,4

Q: Which of the following statements are true about role creation?
Choose the correct answers.
1. Methodology steps allow you to see which phase of the role creation process a role is in
2. The role methodology guides you through the process of defining, generating, and testing
a role
3. Organizations can enforce risk analysis for roles that belong to a particular business
process
4. Organizations can enforce risk analysis for delivered, but not custom, roles
A: 1,2,3

Q: You must define required attributes, but not the methodology steps, before defining a
role methodology process.
A: False

Q: Which of the following are attributes for a condition group?
Choose the correct answers.
1. Business process
2. Role Type
3. Application
4. Functional Area
5. Expression
A: 1,2,4

Q: Naming conventions are specific to a system landscape and role type.
A: True

Q: Which of the following statements about Organizational Value Mapping are true?
Choose the correct answers.
1. Organizational Value Mapping allows you to restrict user access by organizational area
2. You can only create an organizational value map for one organizational area at a time
3. You must always create an organizational value map with a primary organizational level
and value
4. Business Role Management uses the primary organizational level to store and search for
the organizational value
A: 1,3,4

Q: In what order should you perform the following steps to set up Role Methodology?
Match items from 1st column to the corresponding item in 2nd column.
A. Assign Condition Group Type to BRFplus Application and Function
B. Define Role Methodology Process and Steps
C. Create BRFplus rule
D. Associate Role Methodology Process to Condition Group
A: C A B D

Q: The Application name and BRFplus Function name values must be entered manually in
the Assign Condition Group to BRFplus Rules configuration.
A: True

Q: The Condition Group Type is assigned in the front end of the Access Control application.
A: False

Q: Role Methodology steps are created independent of the methodology process.
A: True

Q: Which of the following statements are true with respect to Defining Role Methodology
and Steps?
Choose the correct answers.
1. Actions are fixed.
2. When a new step is created, it does not need to be associated with a pre-defined action.
3. The phase is the label that will be displayed when a role is created.
4. Process steps must be associated to the methodology process.
A: 1,3,4

Q: Which of the following statements are true about associating a role methodology process
to a condition group?
Choose the correct answers.
1. The condition groups should not be tied to the BRFplus rule.
2. The condition groups must be associated with the BRFplus rule.
3. When the BRFplus rule evaluates to TRUE, then the condition group that is mapped to the
rule will be used.
4. When the BRFplus rule evaluates to TRU01, then the condition group that is mapped to the
rule will be used.
A: 2,3

Q: Which of the following statements are true about technical role definition?
Choose the correct answers.
1. Defining attributes like Business Process and Subprocess is a prerequisite to role definition
2. "Go to Phase" allows users to jump to a specific step in the methodology
3. The Provisioning Allowed flag allows the role to be provisioned through access request
4. To derive a role, organization levels must be set and assigned to the master role

Q: You can map roles to a single role and then provision them all together.
A: True

Q: Which of the following statements are true about CUA Composite Roles?
Choose the correct answers.
1. CUA Composite roles can be imported into Access Control using Mass Import
2. Users cannot execute risk analysis for these roles
3. You can change and derive a CUA Composite role
4. The CUA Composite roles defined in Role Management can be provisioned through
Access Control User Provisioning
A: 1,4

Q: Role authorizations are maintained in the front end using the PFCG application.
A: False

Q: Which of the following statements are true about role authorizations?
Choose the correct answers.
1. You can synchronize authorization data from PFCG into Access Control, but you cannot
push role authorization data from Access Control to the back end system
2. Authorizations are read-only in the Role Management application
3. Authorizations changed at the Master Role cannot be propagated into the derived role
4. The system used for authorization is defined in the IMG
A: 2,4

Q: Which of the following statements are true about business roles?
Choose the correct answers.
1. One or more business roles can be included in a technical role.
2. A business role represents a job function in an organization.
3. If you include multiple single roles in a business role, you must still assign each single role
individually.
4. Risk analysis can be executed at the business role level.
A: 2,4

Q: Before creating a business role, a role methodology and workflow approval must be
created and configured, if these are to be enforced.
A: True

Q: Role Comparison allows you to:
Choose the correct answers.
1. Compare role definitions between Access Control and the back end system
2. Synchronize authorization data between Access Control and the back end system
3. Compare roles at the Action and Permission level
4. View results for Common Actions, but not for Unique Actions
5. Synchronize only in the background, but not in the foreground

Q: Transaction usage reports allow administrators to identify roles for review and removal.
A: True

Q: Which of the following statements are true about role certification?
Choose the correct answers.
1. Enables a one-time review of role content
2. The Role Approver certifies the role on a periodic basis
3. E-mail reminders are sent based on the certification period
4. Role Certification can be tracked for audit purposes
A: 3,4

Q: Role Certification attributes are defined in the Properties section of the Role
Maintenance Details screen.
A: True

Q: Which of the following statements are true about Role Mass Maintenance?
Choose the correct answers.
1. Mass Role Derivation allows users to derive many roles at once
2. Mass Role Derivation allows users to update organization values for derived roles
3. Mass Role Import allows roles to be imported directly from the back end.
4. Mass Role Update allows users to update role attributes for many roles at one time
A: 2,3,4

Q: Only one authorization object can be updated during each mass update, but all the field
values can be updated together.
A: True

Q: You can create access requests for user access and organizational assignments.
A: True

Q: You can create access accounts and assignments for single users, but not for multiple
users.
A: False

Q: What does it mean to create an access request with a model user?
Choose the correct answers.
1. Use the current access request creation process to model a new custom process
2. Create a request with reference to another user
3. Use an existing user's access to model access for a new user
4. Use the generic model user delivered with Access Control as a basis for creating
access for new users
A: 2,3

Q: You cannot use custom field values when creating a request from a template.
A: False

Q: Once the attributes you chose are copied to the request, you can no longer add more
assignments to the request.
A: False

Q: Which of the following assignments can be made during Organizational Assignment?
Choose the correct answers.
1. Job
2. Position
3. Default Role
4. Organizational Unit
A: 1,2,4

Q: Which of the following statements are true about access approval requests?
Choose the correct answers.
1. An access request triggers a pre-defined workflow
2. Depending on the configuration, requestors can modify the workflow path
3. The access request must be provisioned before sign-off at each stage
4. Approvers can be specifically named, or open-ended based on job role
A: 1,4

Q: The Request Approval User Interface behaves according to the stage setting selected by
an administrator while configuring the workflow.
A: True

Q: All workflow stages are configured together and share the same configuration settings.
A: False

Q: Which of the following prerequisites must be completed before scheduling a background
job for Periodic Access Review request? Choose the correct answers.
1. Run the role usage sync job
2. Sync all the roles to the AC repository
3. Sync all the users to the AC repository
4. Sync all the workflow settings to the AC repository
A: 1,2,3

Q: The visibility of buttons in the Approver's Work Inbox UI is determined by the BC set.
A: False

Q: Before you can assign reviewer coordinator mapping, you must set a request type and
priority for User Access Review Requests in configuration and set Admin Review Required
to YES.
A: True

Q: Where can you find the access requests that you are supposed to review? Choose the
correct answers.
1. In the Access Management work center
2. In the Master Data work center
3. In the My Home work center
4. In the Reports and Analytics work center
A: 3

Q: How do you remove a role during a review?
Choose the correct answers.
1. Choose Propose Removal
2. Choose Actual Removal
3. Choose Mitigate the Risk
4. You cannot remove a role during a review
A: 2

Q: Which of the following statements are true about Role Reaffirm?
Choose the correct answers.
1. Roles must be reaffirmed after a specific period of time
2. You must notify users as part of the review process
3. Maintain the Role Reaffirm period in Access Request Management
4. An automatic periodic request is generated
A: 1,2

Q: Which view cluster do you maintain to create a new report?
Choose the correct answers.
1. VC_GRFN_REPCUST
2. VC_GRFNCUST
3. VC_GRFNREPCUST
4. VC_GRFN_REP_CUST
A: 3

Q: Put the following steps related to creating custom fields in the correct sequence.
Match items from 1st column to the corresponding item in 2nd column.
A. Create a data type
B. Create the custom fields
C. Assign custom fields to access requests and roles
D. Create a domain
A: D A B C

Q: During the Run phase, you assess operation standards in order to optimize solution
operation and system performance.
A: True

Q: Which of the groups below may be included on a typical project team?
Choose the correct answers.
1. Business Process Experts
2. End Users
3. Security Experts
4. Senior Management
A: 1,3,4

Q: The most important aspect of project preparation is planning.
A: True

Q: What are the main tasks performed during blueprinting?
Choose the correct answers.
1. Identify business requirements
2. Specify business process design
3. Identify members of the project team
4. Specify solution design, including a fit gap analysis
A: 1,2,4

Q: If previous Access Control versions are involved in a migration/upgrade for multiple
solutions, when must Access Control be migrated? Choose the correct answers.
1. First
2. Last
3. Before Process Control, but after Risk Management
4. After Process Control, but before Risk Management
A: 2

Q: Arrange the following configuration steps in the correct sequence.
Match items from 1st column to the corresponding item in 2nd column.
A. Configure common component settings
B. Perform post-installation tasks
C. Configure Access Control-Specific Settings
D. Activate Rule Set BC Sets for Access Risk Analysis
A: B A D C

Q: At what point do you move from Realization to Final Preparation?
Choose the correct answers.
1. When you conduct the Business Process Definition workshop
2. After you test the implementation
3. When you load the rule set
4. When you promote the solution design from development to testing
A: 4
