SAP Fiori and Risk Management Quiz

Questions and Answers

What is the main purpose of the App Router?

  • To enhance graphical user interfaces
  • To serve as a database for SAP applications
  • To provide a single entry point for node.js based apps (correct)
  • To manage user roles and permissions

Which principle is NOT part of the SAP Fiori Design Principles?

  • Innovative (correct)
  • Delightful
  • Simple
  • Role-based

What distinguishes the Fiori Launchpad from the Launchpad Designer?

  • The Launchpad is used for managing backend data
  • The Designer allows users to launch applications directly
  • The Launchpad is where users can view and run tiles (correct)
  • The Launchpad includes configuration settings for all clients

What type of app in the Fiori library focuses on displaying contextual information?

Fact sheets (D)

Which of the following is a function of the Fiori Launchpad Designer (FLPD)?

To manage catalog, groups, and tiles (A)

What does the risk planning phase primarily involve?

Defining and consolidating all management frameworks (C)

In the context of master data, what is the primary characteristic of local data?

Applies to data within each specific organization (D)

What is the purpose of a security audit in risk management?

To conduct an independent review of system controls (B)

What role does a data source play in SAP risk management?

It connects technical and business aspects of monitoring (C)

Which of the following defines the operation of the 1st level authorization in SAP?

It restricts available users to those assigned to a specific role (D)

Which authorization object is used to grant access for all ABAP Workbench components?

S_DEVELOP (D)

What is the function of the TCode SU24?

Authorization check indicator (A)

Which TCode allows for mass user maintenance?

SU10 (A)

Which authorization object provides display authorization for InfoAreas folders?

S_RS_FOLD (A)

What does the TCode SE16D allow a user to do?

General Table Display (A)

What is the purpose of the authorization object S_RS_COMP1?

Authorization for queries from specific owner (B)

Which of the following TCodes is associated with table maintenance views?

SM30/SM31 (D)

Which authorization object is related to processing a job?

S_BTCH_JOB (B)

What are common weaknesses found in ITGC?

Inadequate user provisioning and de-provisioning (C)

Which of the following is NOT a type of effectiveness test?

Process efficiency evaluation (C)

What is the main purpose of Access Request Management (ARM)?

To provide a framework for requesting and managing user access (D)

Which category is covered by the GRC framework?

Reliability of financial reporting (D)

Which of the following is a critical SAP standard profile?

SAP_ALL (B)

What is the primary benefit of using a Simplified Access Request?

It provides more flexibility in layout. (D)

Which of the following best describes the role of a Controller in the firefighter process?

Reviews logs of firefighter activities. (D)

What does the term Segregation of Duties (SOD) refer to?

Performing two or more conflicting functions. (C)

What is an ID based firefighter application used for?

To manually assign elevated access in the GRC system. (C)

How does Emergency Access Management (EAM) assist users?

By preserving security while solving access crises. (B)

Which feature allows users to assign their approval responsibilities temporarily?

Approval delegation. (B)

Where are STAD files for reporting stored?

In CDHDR & CDPOS. (D)

What capability does the tool for Identity management provide?

Manages the full identity life cycle of users. (B)

What is the main purpose of Single Sign-On (SSO) in SAP Fiori applications?

To sign in without using a password (D)

Which of the following is NOT a user type in SAP HANA?

Anonymous Users (A)

What is a key benefit of using SAP S/4 HANA compared to previous versions?

Real-time analytics capabilities (A)

What are the two types of security roles available in SAP HANA?

Front-end roles and back-end roles (B)

Which approach to SAP S/4 HANA implementation allows for complete re-engineering?

Greenfield Approach (D)

Which tool is used for XS specific security configuration in SAP HANA?

XS Administration tool (D)

What does SAML 2.0 refer to in the context of SAP Fiori?

An SSO mechanism (D)

Which type of user management is associated with Internet users in SAP?

Used for SAP Web Apps (A)

What is the function of the Database Role in SAP HANA?

To grant privileges to database users (D)

Which of the following is a key capability of SAP HANA?

Real-time data analysis (D)

Which component of the SAP S/4 HANA system is used for front-end configuration?

User Admin (C)

What does the term 'database superuser' refer to in SAP HANA?

System User with full privileges (B)

Which user license type is specifically meant for developer use in SAP S/4 HANA?

Enterprise Management for Developer Use (A)

Flashcards

SU01

Transaction code for maintaining users in SAP.

SU10

Transaction code for mass user maintenance in SAP.

PFCG

Transaction code used to maintain and assign authorizations within SAP.

SU24

Transaction code used to check authorization profiles and find unauthorized access.

SE16

Transaction code for accessing and browsing data from SAP tables.

SM30

Transaction code for maintaining data in SAP tables.

SE11

Transaction code for working with SAP Dictionary objects, like tables and structures.

RSCSAUTH

Transaction code for assigning authorizations to programs and other SAP objects.

App Router

A node.js application that serves as a single entry point for SAP applications, using the xs-app.json configuration file to define routes and XSUAA service instance binding.

SAP Fiori

A modern user interface (UI) for SAP software, providing a consistent and role-based experience across various applications.

Fiori Catalog

A collection of applications that a user can access and add to their homepage.

Fiori Group

A predefined set of tiles that appear on a user's homepage.

Fiori Library

A repository that stores metadata for activating and launching SAP Fiori applications.

Risk Response

The phase in risk management where you document and track how you'll address identified risks, including the measures you'll take and their current status. It helps implement internal controls.

Risk Planning

A structured framework that defines the entire risk management process. It includes defining risk categories, setting risk tolerances, and establishing hierarchies.

Continuous Monitoring

A process that continuously monitors controls and ensures compliance. It incorporates automation for compliance testing and monitoring and allows for adding monitoring tools.

Master Data

Data that represents the structure of a company, including its organizational units, employees, and locations.

Business Rule

Rules that define the logic and restrictions for various business processes. They can be used to automate monitoring and enforce access control.

User Provisioning / Deprovisioning

Creating, updating, or deleting user accounts in applications or systems. It involves granting or revoking permissions.

Access Request Management (ARM)

A standard framework for requesting, reviewing, and managing user access to systems and resources.

GRC (Governance, Risk, and Compliance)

A set of controls that help organizations achieve objectives: effective and efficient operations, reliable financial reporting, and legal compliance.

COSO Framework

Developed by COSO (Committee of Sponsoring Organizations of the Treadway Commission), it provides a framework for defining internal controls.

Multi-Compliance Framework

A method for managing multiple compliance initiatives efficiently, covering various areas. Assessment Surveys can include Control Design, Sub-process Design, Self-assessment, and Indirect Entity-level Control Assessment.

Standard Access Request

A specialized request type that includes all the information needed for user access evaluation.

Simplified Access Request

A special type of access request form that allows for greater flexibility in terms of layout and design.

Template Based Request Form

A pre-designed access request form created as a template, providing a consistent structure for requests.

Copy Request

Enables copying the details of an existing access request to quickly create a new one.

Model User

A user profile that serves as a reference point for creating new access requests based on existing user access rights.

Access Request Approval

A process for evaluating access requests to identify potential security risks and ensure appropriate access rights are granted.

GRC System

A system used for identity and access management, often including features like user provisioning, role management, and access request approval.

Firefighter

A type of user within GRC who has specialized temporary elevated access for urgent situations.

Central Hub (SAP Fiori)

The central access point for SAP Fiori applications.

On-premises/Embedded Fiori Deployment

A method of deploying SAP Fiori applications on-premises within your own infrastructure or as embedded components within existing SAP systems.

Catalog ID (SAP Fiori)

A unique identifier used for managing the access and usage of various SAP Fiori apps and their associated functionality.

Catalog Group (SAP Fiori)

A grouping of related SAP Fiori catalogs to streamline access and management.

Security Roles (SAP Fiori)

A set of permissions that define specific access rights and actions that users can perform within SAP Fiori applications.

User Authentication (SAP)

A process that allows users to authenticate and gain access to SAP systems, typically through usernames and passwords.

Single Sign-on (SSO)

A feature that enables users to sign into various applications and systems with only one username and password.

SAML 2.0

A commonly used protocol for managing authentication and authorization, often implemented for single sign-on (SSO) in SAP Fiori applications.

Front-end Roles (SAP Fiori)

Security roles that are used to configure the user interface (UI) and navigation within SAP Fiori applications.

Back-end Roles (SAP Fiori)

Security roles that govern access to specific data and operations within SAP systems, providing comprehensive authorization and data control.

SAP HANA

A powerful in-memory database platform designed to handle large volumes of data and facilitate rapid data analysis and reporting.

SAP HANA Studio

A comprehensive tool used to create and manage user authorizations for SAP HANA.

User Types (SAP HANA)

Types of users in SAP HANA with varying levels of access and privileges.

System User (SAP HANA)

A specialized user in SAP HANA with the highest level of administrative privileges.

Database Roles (SAP HANA)

A collection of privileges assigned to users or other roles in SAP HANA, enabling specific access and actions.

SAP S/4HANA

A comprehensive business suite that runs exclusively on SAP HANA and incorporates a series of functionalities for managing various business processes.

Greenfield Implementation (SAP S/4HANA)

A method of implementing SAP S/4HANA that involves a complete redesign and simplification of processes, leading to faster adoption and innovation.

Brownfield Implementation (SAP S/4HANA)

A method of implementing SAP S/4HANA by migrating from an existing system while maintaining existing business processes, minimizing disruptions.

Study Notes

OBJECT

  • Starting transactions include starting web dynpro applications and reports, calling RFC function modules, generic and specific table access, human resource, quality maintenance, plant maintenance, warehouse management, logistics transactions, direct store delivery, and vehicle optimization transactions.
  • General authorization object in ABAP Workbench grants access to components.
  • Powerful authorization object allows choices for securing components, queries, and specific owners.
  • Authorization for queries from specific owners, displays authorization for infoareas folder, authorization for GUI activities, document set, and role check transactions in role.
  • Authorization for working with individual workbench objects, analysis maintenance, and job processing.

TCode

  • SU01: User maintenance
  • SU10: Mass user maintenance
  • SU01D: User maintenance display
  • PFCG: Role maintenance/Profile Generator
  • SU24: Maintain all objects
  • SE16: Data browser
  • SE16D: General table display

SE17, SM30/SM31, SE11/SE12, RSCSAUTH, SA38, SU25, PFUD, SM01, SM04, SU21, SU20, SU1, SU2, SU3, SUGR, SUPC, SE54, SU02, SU03, SUUM, SECR, SU53, ST01, SU56, SLG1, SUIM, RSA1, RSD1, RSECADMIN, RRMX, /N/UI2/FLP, /N/UI2/FLPD_CONF, /N/UI2/FLPD_CUST, PFCGMASSVAL, SUPO, SCC4, SE06

  • These are transaction codes. Specific functions relate to ABAP Dictionary, table maintenance, views, and authorization details.

TABLES

  • USOBT_C: Contains authorization proposal flags relevant to transactions and applications. Includes objects maintained within an application.
  • USOBX_C: Contains all objects maintained in an application, regardless of proposal.
  • TDDAT: Used in application and mapping of authorization groups.
  • USR01, USR02, USR03, USR04, USR05, USRSTAMP, USREFUS, AGR_1251, and AGR_1252: Contain user data, including logon data, lock status, passwords, profiles, and last modification times.
  • AGR_DEFINE, AGR_USERS, AGR_AGRS: List of authorization objects within a role, role definitions also including parent-derived role mappings, and roles assigned to users.
  • TOBJ, USOBT, USOBX, UST04, USR10, USR12, USR40, USGRP, USH02, USER_ADDR, AGR_HIER2, AGR_PROF, AGR_TEXTS, AGR_TIME, RSDCHA: These tables contain additional data about roles, authorization profiles, illegal passwords, user groups, user addresses, hierarchical structures, and other related information.

OLTP, OLAP, INFOPROVIDER, MULTIPROVIDER, DSO

  • OLTP refers to transaction-based security.
  • OLAP refers to analysis-based security.
  • InfoProviders are data sources.
  • Multiproviders represent logical structures, allowing data access from InfoCubes.
  • DSOs (Data Store Objects) are datasets created by merging data from other InfoSources.

SAP HANA, USER TYPES

  • SAP HANA is ERP software for business operations, financials, logistics, supply chain, and human resources.
  • User types include database users (restricted access), standard users (create objects), restricted users (limited privileges), and technical users (administrative tasks).

SAP BTP, GLOBAL ACCOUNT

  • SAP BTP refers to the Business Technology Platform, a four-part portfolio offering database, application development, integration, and analytics.
  • Global account, sub-accounts, and user management have aspects of accounts, business users, and administrators.

SAP CUSTOMER MESSAGES, GRC, SAP RISK MANAGEMENT

  • SAP customer messages are support requests concerning SAP implementation and product defects, handled through GRC.
  • GRC manages compliance, using embedded analytics and reporting.
  • SAP risk management follows phases for identifying, documenting, and assessing risks.

SAP_NEW, PROFILES, USER PROVISIONING

  • SAP_NEW is a profile for system users temporarily associated with upgrades.
  • Profiles track settings for access rights, controlling user actions.
  • User provisioning/deprovisioning is the process of creating, amending, or removing user accounts.

CONTINUOUS MONITORING, MASTER DATA, BUSINESS RULES

  • Continuous monitoring tracks and measures compliance.
  • Master data, including company organizations and local data, is contained within the system.
  • Business rules provide a scalable platform for automated processes.

ACCESS REQUEST MANAGEMENT (ARM), EAM

  • ARM is a framework for centralized user access requests.
  • Emergency Access Management (EAM) enables crisis-solving access without privilege compromise.

OTHER TOPICS

  • GRC system, firefighters, controllers, roles, profile data, segregation of duties (SOD), authorization checks, identity and password management, communication, authorization synchronization, and repository object synchronization.
  • Security, user management, roles, transactions, access controls, compliance, and risk management.
