SAP SECURITY INTERVIEW QUESTIONS & ANSWERS
Q) What is the difference between the VIRSA tool and GRC? Does the VIRSA tool support ECC 6.0? What is GRC, and what is the SAP VIRSA tool?
GRC stands for Governance, Risk, and Compliance. The goal of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business. This means ethical business processes should comply with effective process controls as defined by the related industry business process, the accounting process and government policy. In the end, government organizations and public companies registered on local stock markets are accountable for having effective governance and process controls to protect shareholder rights and prevent organized corporate fraud and scams.
GRC Tools and IT applications
There are many GRC audit tools on the market to facilitate internal and external audits of companies.
Q) What is the SAP VIRSA tool?
The VIRSA tool covers two areas: 1) Access Controls, 2) Process Controls.
It has four components for auditing the system:
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access Enforcer
VIRSA has now been taken over by SAP AG and is delivered as part of NetWeaver as an add-on.
VIRSA produced a number of tools; the most commonly used was Compliance Calibrator.
SAP acquired VIRSA and integrated its tools into the SAP GRC suite of products, which has a wider span than the VIRSA products.
You can use the VIRSA tools in ECC 6. Since SAP no longer sells these products, an easy way to tell that a candidate does not understand the GRC topic is when they refer to VIRSA while they mean SAP GRC.
GRC as a subject has been hijacked by SAP's use of the term; real GRC is much wider than a set of tools that can automate part of the GRC process.
Q) What is Firefighter? When do we use Firefighter?
If you have implemented VIRSA/GRC, a Firefighter ID (FFID) is a normal user ID that has some specific, elevated access (say SU01 or SAP_ALL) as needed. Its user type is kept as "service user". Example: in your project you are a security administrator who does not have direct access to SU01 but needs that access urgently.
The FFID owner/administrator then assigns you an FFID for a limited period so that you can perform the task from your own login ID and password by running t-code /n/VIRSA/VFAT and logging in with that FFID.
While logging in you will be prompted to give a business reason for the access. Everything you perform in that period using the FFID is recorded for auditing.
Q) What is the difference between SOX and SoD? What does SOX cover, and what does SoD cover? What is VIRSA?
SOX refers to the Sarbanes-Oxley Act of the early 2000s. It affects all US companies, whether they operate in the US or in other countries. Some people think this act became significant after the collapse of big companies such as Enron.
SoD refers to Segregation of Duties. Basically, one person cannot have access to the whole process; the tasks need to be segregated so that there are checks and balances.
VIRSA is one of the third-party tools used to check for SOX compliance in a company. Besides this, there are other products such as APPROVA and SecurInfo. VIRSA has since been bought by SAP and rebranded as GRC (Governance, Risk and Control).
Q) What is the use of a detour path? How does a fork path differ from a detour path?
If a workflow (WF) fulfils a certain condition, e.g. an SoD violation, the original workflow ends and takes a predefined alternative route (the detour). This alternative workflow can contain other stages and additional approvers.
A fork is a way to split up a workflow from a single initiator between SAP and non-SAP systems.
Q) What is the name of the background job in Firefighter that is responsible for sending notifications and logs to the FFID controller?
/VIRSA/ZVFATBAK or /n/VIRSA/VFATBAK
Q) What is a Rule Set in GRC?
A collection of rules is called a Rule Set. There is a default rule set in GRC called the Global Rule Set.
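As an added example (not code from the original page or from SAP's products), the following shows how a rule set drives the kind of SoD risk analysis that Compliance Calibrator performs, plus the preventive "would this role add a risk?" check done before provisioning. The functions, risks, roles and users are constructed sample data.

```python
# Constructed SoD risk analysis driven by a small rule set (illustration only).
# A function is a set of transactions that accomplish one business action;
# a risk (rule) names two functions one user must not hold at the same time.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01"},  # create/change vendor master
    "VENDOR_PAYMENT": {"F110", "F-53"},           # run or post vendor payments
    "USER_ADMIN": {"SU01", "SU10"},               # user master maintenance
    "ROLE_ADMIN": {"PFCG"},                       # role maintenance
}
# Constructed rule set: risk id -> (description, conflicting functions).
RULE_SET = {
    "P001": ("Maintain vendor master and pay vendors", ("VENDOR_MAINTAIN", "VENDOR_PAYMENT")),
    "B001": ("Maintain users and maintain roles", ("USER_ADMIN", "ROLE_ADMIN")),
}
# Constructed roles (role -> transactions) and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"XK01", "XK02", "FB60"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_SEC_ADMIN": {"SU01", "SU10"},
    "Z_ROLE_ADMIN": {"PFCG"},
}
USER_ROLES = {
    "APCLERK1": ["Z_AP_CLERK"],
    "APLEAD1": ["Z_AP_CLERK", "Z_AP_PAYMENT_RUN"],
    "SECADMIN1": ["Z_SEC_ADMIN"],
}

def user_tcodes(user, user_roles=USER_ROLES):
    """Flatten a user's roles into the set of transactions they can execute."""
    return set().union(*(ROLES[r] for r in user_roles.get(user, [])))

def functions_held(tcodes):
    """A user holds a function if they can run at least one of its transactions."""
    return {name for name, tx in FUNCTIONS.items() if tx & tcodes}

def sod_violations(user, user_roles=USER_ROLES):
    """Risk ids whose conflicting functions are all held by this user."""
    held = functions_held(user_tcodes(user, user_roles))
    return sorted(r for r, (_, funcs) in RULE_SET.items() if set(funcs) <= held)

def new_violations_if_assigned(user, new_role):
    """Preventive check before provisioning: risks the proposed role would add."""
    trial = {**USER_ROLES, user: USER_ROLES.get(user, []) + [new_role]}
    return sorted(set(sod_violations(user, trial)) - set(sod_violations(user)))

if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sod_violations(u) or "no SoD violations")
```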
Q) How can you reassign Firefighter IDs from one Firefighter admin to another if the current admin leaves the organization without telling anybody?
Take the user ID of the person who left the company, go to T-code SE16, enter the table name /VIRSA/zffusers and execute.
In the second column enter that user ID and execute; this gives the list of FF_IDs assigned to that user. Note those FF_IDs, run T-code /n/VIRSA/VFAT, go to the maintain FF_IDs table and replace the old user ID with the new person's user ID.