Hi Colleen,
I know and understand transaction PFCG is huge and very technical in terms of understanding the objects, fields and values of roles which I feel very confident in, along with SU01 for users IDs.
However when you talk about SU24 that is where all the objects are stored for every transaction with descriptions of the objects. Also this is where a security consultant would identify to see which objects have been maintained and if the client wants to add or activate an existing tcode.
Having a overview on all modules is key and knowing critical objects is always a bonus during meeting and discussion on role build design.
I have read a lot on GRC access control and many employers want security consultants to have knowledge or experience in that area since every user should have a audit trail with their access provisioned.
I am well aware that GRC has a rulebook which states every possible conflict on user access. For those that cannot be avoided like critical roles i.e. Basis roles that can be tricky this is where a mitigation control is placed. Representing acknowledgement for external auditors to approve.
Despite all the above, we can talk for ever on the technicalities of transactions and SAP in general. My point being that employers are looking for consultants with 5 years experience and who have been involved with a few full implementation lifecycle projects.
I am actively seeking work but time is passing by and feel that my current certification is not sufficient in the industry and do not want to be ponding with authorization concept as I am also looking into success factors and SAP Fiori and Hana.
I am not quite sure when you wrote about small teams wearing several hats??
I am grateful for your advise and will exercise the functional side more. You must have great experience and be working in the industry to know what is required essentially from a security consultant.
Thanksyou for your advise
Regards
Dipesh