I am certified as SAP Authorization and Auditing for NetWeaver 7.31

Former Member
0 Kudos
551

Is this certification sufficient for SAP module security and authorization in terms of employment? Or would I require more certifications such as GRC 10.1 Access Control?

The exam covers many areas such as Role Maintenance, User Admin, Identity Management, AIS, NetWeaver, Secure Infrastructure, Security Assessments, System Audit, User Maintenance, User Authorization Audit.

With all the above, I still feel that, as a Security and Authorisation Consultant, there were many key areas missing, like organisational structures and Indirect Role Assignment.

Can anyone on here tell me if this is really relevant, and do I need to know more, since I am job hunting and want to be best prepared as a security and authorization consultant?

If there are any security Consultants out there working in the industry please advise or share your thoughts.

Much appreciated.

Dipesh.

Accepted Solutions (1)

former_member182098
Active Contributor
0 Kudos

Hi Dipesh,

It is good that you have successfully passed the Certification, which proves that you have adequate knowledge in the Security area in SAP. There are a number of Security Consultants around; it would give additional value if you concentrate on GRC. There are not many consultants in the Security area with GRC experience.

SAP Certification is NOT a job guarantee program. SAP Certification is one of the ingredients that employers are looking for, but not the only qualification. You must have relevant SAP experience, business process knowledge, education, soft skills, team work, communication, cultural fit, domain knowledge, willingness to learn, etc. These are all the qualities that employers look into. If you have SAP Certification, it would definitely be an added value. If you only have SAP Certification, but not any of the other above-mentioned qualities, then NO employer would be willing to take you. Furthermore, the job market in any country is driven by demand-supply theory. No matter what you have, if there is no demand for your skills, no employer would be willing to take you.

Please try to improve all the areas that I have mentioned above, which could make you a complete SAP Consultant.

Hope this helps you.

Kind Regards,

Ravi

Former Member
0 Kudos

Hi Ravi,

First and foremost, I appreciate your advice. Though I must mention, prior to my last comment on my achievement, I do have some experience in GRC AC 10.0. I have run report in ARA, one of the main components in GRC. Furthermore, I have good knowledge of segregation of duties (SoD).

I promoted a tool called C3 Remediator for a company in the Middle East.

I demonstrated SoD on users - roles - profiles and org structures. In addition, I also performed simulations using transaction codes and roles for users.

You can have cause for concern that I don't have qualifications for GRC, but I will consider it in the near future. You are absolutely correct in terms of GRC requirement, since it does complement security and authorizations greatly. Allowing employers to have more confidence of choice of candidate.

I have viewed your profile and see you have great knowledge in the SAP industry as a whole and would be delighted to continue to receive sound advice from you and your colleagues.

Regards

Dipesh

Colleen
Product and Topic Expert
0 Kudos

Hi Dipesh

I would not invest more money in certifications until you have a job. Security in SAP is more than just roles and user provisioning. What you have studied is a good start and your end user experience with GRC is useful.

Part of your career progression is to figure out what area of security you will specialise in - go down the more traditional/functional security path - PFCG/SU24/SU01 or diversify into more system security (SSO, system security - starts getting toward Basis).

Instead of going for GRC certification, I would try to increase functional knowledge overview and general security integration. Look at end to end security solution.

Knowing about indirect vs direct provisioning is a good interview question and you need to know the steps, but it's not a big deal that it wasn't in your certification. You'll work at a site that does direct only, indirect or hybrid. You just need to know how to set it up and what it does as well as benefits.

Using PFCG with SU24 integration is essential, but knowing what buttons to press is only scratching the surface. Expanding your functional knowledge (high level overview of modules, key transactions, risks for the area, organisational structure and key authorisation objects) will make you a better role maintenance builder. Expanding this knowledge and experience would also improve GRC skills (be able to explain why such a risk in the system exists - why should you avoid allowing a user to maintain vendor bank details and post invoices/payments without any other person validating?). This is where experience and worth for functional security counts.

The other area of security - more technical/system - is also important when you work in small teams and have to wear several hats.

Also, you then have different security models depending on the component - it's not just about PFCG

You'll never get bored with security and you'll never learn it all

Good luck

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

I know and understand transaction PFCG is huge and very technical in terms of understanding the objects, fields and values of roles, which I feel very confident in, along with SU01 for user IDs.

However when you talk about SU24 that is where all the objects are stored for every transaction with descriptions of the objects. Also this is where a security consultant would identify to see which objects have been maintained and if the client wants to add or activate an existing tcode.

Having an overview on all modules is key and knowing critical objects is always a bonus during meeting and discussion on role build design.

I have read a lot on GRC access control and many employers want security consultants to have knowledge or experience in that area since every user should have an audit trail with their access provisioned.

I am well aware that GRC has a rulebook which states every possible conflict on user access. For those that cannot be avoided like critical roles i.e. Basis roles that can be tricky this is where a mitigation control is placed. Representing acknowledgement for external auditors to approve.

Despite all the above, we can talk forever on the technicalities of transactions and SAP in general. My point being that employers are looking for consultants with 5 years' experience and who have been involved with a few full implementation lifecycle projects.

I am actively seeking work but time is passing by and feel that my current certification is not sufficient in the industry and do not want to be ponding with authorization concept as I am also looking into SuccessFactors and SAP Fiori and HANA.

I am not quite sure when you wrote about small teams wearing several hats??

I am grateful for your advice and will exercise the functional side more. You must have great experience and be working in the industry to know what is required essentially from a security consultant.

Thank you for your advice

Regards

Dipesh

Former Member
0 Kudos

Hi Colleen,

I just saw your profile and I was delighted to see that you are a very experienced Security Consultant down under in Australia.

You have a great profile and yes, rule of thumb: never assign SAP_ALL !

Also you're doing SuccessFactors, which I only know components ESS and MSS on a basic level.

Have a great day since you're 12 hours ahead of UK....

Colleen
Product and Topic Expert
0 Kudos

As you are in the UK market, it might be best to contact recruiters and ask for feedback on your skill.

For your level of experience it is quite refreshing that you are demonstrating more than just technical how-to knowledge. A lot of junior security know PFCG steps but they have no idea what to put in the fields.

If you are going to invest in further training then GRC component sounds like a good progression for your background. You might need to try for audit/risk jobs on SAP systems and then move across that way. In doing this you leverage existing experience and focus on business knowledge.

Good luck

Answers (1)

former_member594367
Discoverer
0 Kudos

Hi Dipesh

I would like to do a certification in SAP Authorization but do not know the relevant exam booking code. Can you please assist with the booking code?

Mabuke

Former Member
0 Kudos

Hi Mabuke

I have no clue about the booking code for the exam. I did my exam in the UK through Pearson VUE.

They requested that I purchase tokens which was a few days process but the exam date was within a week once I bought the tokens.

Good luck !