2. Critical Action Certain transactions can be termed as critical such as maintain HR Master Data (PA30), create user (SU01). Access to these transactions can enable a user to view/change employee master data and create/delete users from the system respectively. Such transactions fall under Critical Action, any user having this access has a critical action risk.

Exercise 2: List three examples of Critical Action risks. How each of these Critical Action risks can be mitigated?

3. Critical Permission Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. These permission can be identified by the authorization objects. For instance, the authorization object S_DEVELOP grants a user to create/modify programs within SAP. Another example is S_TCODE, this object enables a user to add transaction codes. An uncontrolled access to such authorization object might jeopardize the Business.

Exercise 3: List three examples of authorization objects that can be classified as Critical Permissions and explain why?