on 2015 Oct 17 11:03 AM
Is this certification sufficient for SAP module security and authorization in terms of employment? Or would I require more certifications such as GRC 10.1 Access Control?
The exam covers many areas such as Role Maintenance, User Admin, Identity Management, AIS, NetWeaver, Secure Infrastructure, Security Assessments, System Audit, User Maintenance, User Authorization Audit.
With all the above I still feel, as a Security and Authorisation Consultant, there were many key areas missing, like organisational structures and Indirect Role Assignment.
Can anyone on here tell me if this is really relevant and do I need to know more, since I am job hunting and want to be best prepared as a security and authorization consultant?
If there are any security Consultants out there working in the industry please advise or share your thoughts.
Much appreciated.
Dipesh.
Hi Dipesh,
It is good that you have successfully passed the Certification, which proves that you have adequate knowledge in the Security area in SAP. There are a number of Security Consultants around; it would give additional value if you concentrate on GRC. There are not many consultants in the Security area with GRC experience.
SAP Certification is NOT a job guarantee program. SAP Certification is one of the ingredients that employers are looking for, but not the only qualification. You must have relevant SAP experience, business process knowledge, education, soft skills, team work, communication, cultural fit, domain knowledge and willingness to learn etc.; these are all the qualities that employers look into. If you have SAP Certification, it would definitely be an added value. If you only have SAP Certification, but not any of the other above-mentioned qualities, then NO employer would be willing to take you. Furthermore, the job market in any country is driven by demand-supply theory. No matter what you have, if there is no demand for your skills, no employer would be willing to take you.
Please try to improve all the areas that I have mentioned above, which could make you a complete SAP Consultant.
Hope this helps you.
Kind Regards,
Ravi
Hi Ravi,
First and foremost I appreciate your advice. Though I must mention, prior to my last comment on my achievement, I do have some experience in GRC AC 10.0. I have run reports in ARA, one of the main components in GRC. Furthermore I have good knowledge of segregation of duties (SoD).
I promoted a tool called C3 Remediator for a company in the Middle East.
I demonstrated SoD on users - roles - profiles and org structures. In addition I also performed simulations using transaction codes and roles for users.
You can have cause for concern that I don't have qualifications for GRC, but I will consider it in the near future. You are absolutely correct in terms of the GRC requirement since it does complement security and authorizations greatly, allowing employers to have more confidence of choice of candidate.
I have viewed your profile and see you have great knowledge in the SAP industry as a whole and would be delighted to continue to receive sound advice from you and your colleagues.
Regards
Dipesh
Hi Dipesh
I would not invest more money in certifications until you have a job. Security in SAP is more than just roles and user provisioning. What you have studied is a good start and your end user experience with GRC is useful.
Part of your career progression is to figure out what area of security you will specialise in - go down the more traditional/functional security path - PFCG/SU24/SU01 - or diversify into more system security (SSO, system security - starts getting toward Basis).
Instead of going for GRC certification, I would try to increase functional knowledge overview and general security integration. Look at end to end security solution.
Knowing about indirect vs direct provisioning is a good interview question and you need to know the steps, but it's not a big deal that it wasn't in your certification. You'll work at a site that does direct only, indirect or hybrid. You just need to know how to set it up and what it does as well as benefits.
Using PFCG with SU24 integration is essential, but knowing what buttons to press is only scratching the surface. Expanding your functional knowledge (high level overview of modules, key transactions, risks for the area, organisational structure and key authorisation objects) will make you a better role maintenance builder. Expanding this knowledge and experience would also improve GRC skills (be able to explain why such a risk in the system exists - why should you avoid allowing a user to maintain vendor bank details and post invoices/payments without any other person validating?). This is where experience and worth for functional security counts.
The other area of security - more technical/system - is also important when you work in small teams and have to wear several hats.
Also, you then have different security models depending on the component - it's not just about PFCG.
You'll never get bored with security and you'll never learn it all.
Good luck
Regards
Colleen
Hi Colleen,
I know and understand transaction PFCG is huge and very technical in terms of understanding the objects, fields and values of roles, which I feel very confident in, along with SU01 for user IDs.
However, when you talk about SU24, that is where all the objects are stored for every transaction with descriptions of the objects. Also this is where a security consultant would identify to see which objects have been maintained and if the client wants to add or activate an existing tcode.
Having an overview on all modules is key and knowing critical objects is always a bonus during meetings and discussions on role build design.
I have read a lot on GRC access control and many employers want security consultants to have knowledge or experience in that area since every user should have an audit trail with their access provisioned.
I am well aware that GRC has a rulebook which states every possible conflict on user access. For those that cannot be avoided, like critical roles, i.e. Basis roles that can be tricky, this is where a mitigation control is placed, representing acknowledgement for external auditors to approve.
Despite all the above, we can talk forever on the technicalities of transactions and SAP in general. My point being that employers are looking for consultants with 5 years' experience and who have been involved with a few full implementation lifecycle projects.
I am actively seeking work but time is passing by and I feel that my current certification is not sufficient in the industry and do not want to be ponding with authorization concept as I am also looking into SuccessFactors and SAP Fiori and HANA.
I am not quite sure when you wrote about small teams wearing several hats?
I am grateful for your advice and will exercise the functional side more. You must have great experience and be working in the industry to know what is required essentially from a security consultant.
Thank you for your advice
Regards
Dipesh
Hi Colleen,
I just saw your profile and I was delighted to see that you are a very experienced Security Consultant down under in Australia.
You have a great profile and yes, rule of thumb: never assign SAP_ALL!
Also you're doing SuccessFactors, which I only know components ESS and MSS on a basic level.
Have a great day since you're 12 hours ahead of UK...
As you are in the UK market, it might be best to contact recruiters and ask for feedback on your skill.
For your level of experience it is quite refreshing that you are demonstrating more than just technical how-to knowledge. A lot of junior security know PFCG steps but they have no idea what to put in the fields.
If you are going to invest in further training then the GRC component sounds like a good progression for your background. You might need to try for audit/risk jobs on SAP systems and then move across that way. In doing this you leverage existing experience and focus on business knowledge.
Good luck
Hi Dipesh
I would like to do a certification in SAP Authorization but do not know the relevant exam booking code. Can you please assist with the booking code?
Mabuke