Part 1:
What is SAP Security?
SAP Security is a balancing act for protecting SAP data and applications from unauthorized use and access. SAP offers different tools, processes and measures for security checks to protect this data. SAP security helps ensure that users can use only the SAP functionality that is part of their job.
SAP systems contain very sensitive and confidential data of their clients and businesses. Hence, an SAP system needs regular audits to check its security and data integrity.
For instance, a warehouse employee who is responsible for creating purchase orders should not also be able to approve them; otherwise he could create and approve any number of purchase orders without any business need.
In such a scenario, purchase order approval should be controlled by a higher authority, which is a standard security feature.
Security Concepts for SAP
Below are the main Security Concepts in SAP:
- STAD Data
Transaction codes are the front door to SAP's functionality. STAD data provide security against unauthorized transaction access: they keep a record of who accessed certain critical functionality and when. STAD data can be used to monitor, analyze, audit and maintain the security concept.
- SAP Cryptographic library
The SAP Cryptographic Library is the default encryption product delivered by SAP. It is used to provide Secure Network Communication (SNC) between the various SAP server components. For front-end components, you need to buy an SNC-certified partner product.
- Internet Transaction Server (ITS) Security
To make an SAP system application available from a web browser, a middleware component called the Internet Transaction Server (ITS) is used. The ITS architecture has many built-in security features, such as running the WGate and AGate on separate hosts.
- Network Basics (SAPRouter, Firewalls and DMZ, Network Ports)
The basic security tools that SAP uses are firewalls and DMZs, network ports, SAPRouter, etc. A firewall is a system of software and hardware components which defines the connections that may pass back and forth between communication partners. SAP Web Dispatcher and SAPRouter are examples of application-level gateways that you can use to filter SAP network traffic.
- Web-AS Security (Load Balancing, SSL, Enterprise Portal Security)
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client. With SSL you can authenticate the communication partners (server and client) and negotiate the parameters of the encryption.
With SSL, both partners are authenticated. The data transferred between server and client is protected so that any manipulation of the data is detected. In addition, the data transferred between client and server is encrypted. The Enterprise Portal security guide can help secure the system if you follow its guidelines.
- Single Sign-On
The SAP single sign-on function enables you to use the same user credentials to access multiple SAP systems. It helps reduce the administrative cost and security risk associated with maintaining multiple user credentials. It ensures confidentiality through encryption during data transmission.
- AIS (Audit Information System)
AIS, or Audit Information System, is an auditing tool that you can use to analyze the security aspects of your SAP system in detail. AIS is designed for business audits and system audits. AIS presents its information in the Audit InfoStructure.
SAP Security for Mobile SAP Apps
SAP applications are now available on mobile devices, and the number of mobile users is increasing. But this exposure is a potential threat. The biggest threat for an SAP app is the risk of an employee losing important customer data.
The good thing about mobile SAP is that most mobile devices have remote wipe capabilities. And many of the CRM-related functions that organizations are looking to mobilize are cloud-based, which means the confidential data does not reside on the device itself.
Some of the popular mobile SAP security providers are SAP Afaria, SAP NetWeaver Gateway, SAP Mobile Academy and SAP HANA Cloud.
SAP Security Best Practices Checklist
- Network settings and landscape architecture assessment
- OS security assessment where SAP is deployed
- DBMS security assessment
- SAP NetWeaver security assessment
- Internal assessment of access control
- Assessment of SAP components like SAP Gateway, SAP Message Server, SAP Portal, SAP Router, SAP GUI
- Change and transport procedure assessment
- Assessment of compliance with SAP, ISACA, DSAG, OWASP standards
Part 2:
1) Explain what SAP security is.
SAP security means providing business users with the correct access according to their authority or responsibility, and granting permissions according to their roles.
2) Explain what “roles” are in SAP security.
A “role” refers to a group of t-codes assigned to execute a particular business task. Each role in SAP requires particular privileges to execute a function in SAP; these are called AUTHORIZATIONS.
3) Explain how you can lock all users at once in SAP.
By executing t-code EWZ5 in SAP, all users can be locked at the same time.
4) Mention the pre-requisites that should be met before assigning SAP_ALL to a user, even when there is approval from the authorization controllers.
The pre-requisites are:
- Enabling the audit log, using t-code SM19
- Retrieving the audit log, using t-code SM20
5) Explain what an authorization object and an authorization object class are.
- Authorization object: Authorization objects are groups of authorization fields that regulate a particular activity. An authorization relates to a particular action, while an authorization field lets security administrators configure specific values for that action.
- Authorization object class: Authorization objects fall under authorization object classes, which are grouped by functional area such as HR, finance, accounting, etc.
6) Explain how you can delete multiple roles from the QA, DEV and production systems.
To delete multiple roles from the QA, DEV and production systems, follow these steps:
- Place the roles to be deleted in a transport (in DEV)
- Delete the roles
- Push the transport through to QA and production
This will delete all the roles.
7) Explain what you have to take care of before executing Run System Trace.
If you are tracing a batch user ID or a CPIC user, then before executing Run System Trace you have to ensure that the ID has been assigned SAP_ALL and SAP_NEW. This enables the user to execute the job without any authorization check failure.
8) Mention the difference between USOBT_C and USOBX_C.
- USOBT_C: This table contains the authorization proposal data, i.e. the authorization default values that are relevant for a transaction.
- USOBX_C: It tells which authorization checks are to be executed within a transaction and which are not.
9) Mention the maximum number of profiles in a role and the maximum number of objects in a role.
The maximum number of profiles in a role is 312, and the maximum number of objects in a role is 170.
10) Which t-code is used to lock a transaction from execution?
For locking a transaction from execution, t-code SM01 is used.
11) Mention the main difference between a derived role and a single role.
For a single role, we can add or delete t-codes, while for a derived role we cannot.
12) Explain what SOD is in SAP security.
SOD means Segregation of Duties.
It is implemented in SAP in order to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege to access bank account details and the payment run, it might be possible for him to divert vendor payments to his own account.
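The payment-run example above can be turned into a check that runs over role assignments. The following is an added illustration, not SAP code: the dicts are constructed stand-ins for tables AGR_AGRS (composite role to single roles), AGR_1251 (role to S_TCODE values) and AGR_USERS (user to roles), and the t-codes assumed to represent vendor bank details and the payment run (FK02, F110) are chosen for illustration.

```python
"""Segregation-of-duties (SOD) check over SAP-style role assignments.

Added illustration, not SAP code. The dicts below are constructed stand-ins
for AGR_AGRS, AGR_1251 and AGR_USERS. The single rule is the conflict named in
the text: vendor bank detail maintenance plus the payment run.
"""

# Constructed sample data.
AGR_AGRS = {  # composite role -> single roles it contains
    "Z_COMP_AP_CLERK": ["Z_AP_INVOICE", "Z_VENDOR_MAINT"],
    "Z_COMP_TREASURY": ["Z_PAYMENT_RUN", "Z_DISPLAY_ONLY"],
}
AGR_1251_S_TCODE = {  # single role -> S_TCODE values (t-codes it can start)
    "Z_AP_INVOICE": ["FB60", "FB65"],
    "Z_VENDOR_MAINT": ["FK02", "FK03"],
    "Z_PAYMENT_RUN": ["F110"],
    "Z_DISPLAY_ONLY": ["FK03", "FBL1N"],
}
AGR_USERS = {  # user -> assigned roles (single or composite)
    "JSMITH": ["Z_COMP_AP_CLERK", "Z_COMP_TREASURY"],  # conflict via two composites
    "ADOE": ["Z_COMP_AP_CLERK", "Z_DISPLAY_ONLY"],     # display access only on side B
    "MLEE": ["Z_PAYMENT_RUN"],                         # one side only
}

# SOD rule set: (description, t-codes on side A, t-codes on side B). A user who
# can start at least one t-code from each side violates the rule. The t-codes
# standing in for the two functions are assumed for illustration.
SOD_RULES = [
    ("maintain vendor bank details + execute payment run", {"FK02"}, {"F110"}),
]


def expand_roles(roles, agr_agrs=AGR_AGRS):
    """Resolve composite roles into the single roles they contain (AGR_AGRS).
    Composite roles cannot contain composite roles, so one level is enough;
    single roles pass through unchanged."""
    single = set()
    for role in roles:
        single.update(agr_agrs.get(role, [role]))
    return single


def tcodes_for_user(user, agr_users=AGR_USERS, agr_1251=AGR_1251_S_TCODE):
    """All t-codes a user can start, via every single role behind every assignment."""
    tcodes = set()
    for role in expand_roles(agr_users.get(user, [])):
        tcodes.update(agr_1251.get(role, []))
    return tcodes


def role_source(user, tcode, agr_users=AGR_USERS, agr_1251=AGR_1251_S_TCODE):
    """Single roles through which the user gets a t-code, so the reviewer knows
    which assignment to remove or split."""
    return sorted(r for r in expand_roles(agr_users.get(user, []))
                  if tcode in agr_1251.get(r, []))


def sod_conflicts(user, rules=SOD_RULES):
    """One tuple per violated rule: (description, t-codes matched on side A,
    t-codes matched on side B, roles granting side A, roles granting side B)."""
    have = tcodes_for_user(user)
    hits = []
    for desc, side_a, side_b in rules:
        a = sorted(have & side_a)
        b = sorted(have & side_b)
        if a and b:
            roles_a = sorted({r for t in a for r in role_source(user, t)})
            roles_b = sorted({r for t in b for r in role_source(user, t)})
            hits.append((desc, a, b, roles_a, roles_b))
    return hits


def sod_report(agr_users=AGR_USERS, rules=SOD_RULES):
    """Map each user with at least one conflict to that user's conflicts."""
    report = {}
    for user in agr_users:
        hits = sod_conflicts(user, rules)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_report().items():
        for desc, a, b, roles_a, roles_b in hits:
            print(f"{user}: {desc}: {a} via {roles_a} and {b} via {roles_b}")
```

The report names the single roles behind each side of the conflict, which is what an auditor needs when the offending access arrives through a composite role rather than a direct assignment.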
13) Mention which t-codes are used to see the summary of the Authorization Object and Profile details?
- SU03: It gives an overview of an authorization object
- SU02: It gives an overview of the profile details
14) Explain what a user buffer is.
A user buffer consists of all authorizations of a user. The user buffer can be displayed with t-code SU56, and each user has their own user buffer. When the user does not have the necessary authorization, or has too many entries in the user buffer, the authorization check fails.
15) Which parameter controls the number of entries in the user buffer?
The number of entries in the user buffer is controlled by the profile parameter auth/auth_number_in_userbuffer.
16) How many transaction codes can be assigned to a role?
A maximum of 14000 transaction codes can be assigned to a role.
17) Mention which table is used to store illegal passwords.
Table USR40 is used to store illegal passwords; it stores patterns of words which cannot be used as a password.
18) Explain what PFCG_TIME_DEPENDENCY is.
PFCG_TIME_DEPENDENCY is a report used for user master comparison. It also removes expired profiles from user master records. Transaction code PFUD can also be used to execute this report directly.
19) Explain what USER COMPARE does in SAP security.
In SAP security, the USER COMPARE option compares the user master records so that the generated authorization profile can be entered into the user master record.
20) Mention the different tabs available in PFCG.
Some of the important tabs available in PFCG include:
- Description: This tab is used to describe the changes made, such as details of the role and the addition or removal of t-codes, authorization objects, etc.
- Menu: It is used for designing user menus, such as adding t-codes
- Authorizations: Used for maintaining authorization data and the authorization profile
- User: It is used for adjusting user master records and for assigning users to the role
21) Which t-code can be used to delete old security audit logs?
T-code SM18 is used to delete old security audit logs.
22) Explain which reports or programs can be used to regenerate the SAP_ALL profile.
To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
23) Using which table can transaction code texts be displayed?
Table TSTCT can be used to display transaction code texts.
24) Which transaction code is used to display the user buffer?
The user buffer can be displayed using transaction code SU56.
25) Mention what SAP table can be helpful in determining the single role that is assigned to a given composite role?
Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.
26) Which parameter of the Security Audit Log (SM19) decides the number of filters?
The parameter rsau/no_of_filters decides the number of filters.
Part 3:
1) Please explain the personalization tab within a role.
Ans:
- Personalization is a way to save information that could be common to users, I mean to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role.
- (I suppose that it is a way for SAP to address the ambiguity in its concepts of user group and role: is a “user group” a grouping of people sharing the same access, or is it the role that is the grouping of people sharing the same access?)
2) How to create users?
Ans:
Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.
3) Frequently used security t-codes
Ans:
- SU01 Create/Change User
- PFCG Maintain Roles
- SU10 Mass Changes
- SU01D Display User
- SUIM Reports
- ST01 Trace
- SU53 Authorization analysis
4) What is the difference between USOBX_C and USOBT_C?
Ans:
- The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (regardless of the AUTHORITY-CHECK commands programmed). This table also determines which authorization checks are maintained in the Profile Generator.
- The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.
5) Which authorizations are required to create and maintain user master records?
Ans:
The following authorization objects are required to create and maintain user master records:
- S_USER_GRP: User Master Maintenance: Assign user groups
- S_USER_PRO: User Master Maintenance: Assign authorization profile
- S_USER_AUT: User Master Maintenance: Create and maintain authorizations
6) List the R/3 user types.
Ans:
- Dialog users are used for individual users. Expired/initial passwords are checked. The user can change their own password. Multiple dialog logons are checked.
- Service user: Only user administrators can change the password. No check for expired/initial passwords. Multiple logons are permitted.
- System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
- A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned to every user in the Roles tab.
7) What is a derived role?
Ans:
- Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
- The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
- Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
8) What is a composite role?
Ans:
- A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
- Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
- Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
- The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
9) What does user compare do?
Ans:
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis.
10) Can we convert an authorization field to an org field?
Ans:
An authorization field can be changed to an organizational level field using report PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE.
Use SE38 or SA38 to run the above report.
- Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis. The authorization data may have to be postprocessed in roles.
- The fields “Activity” (ACTVT) and “Transaction code” (TCD) cannot be converted into an organizational level field.
- In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is now to become the organizational level field are removed and entered into the organizational level data of the role.
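The inheritance rules from question 7, the conversion described in question 10 and the country-restricted derived role asked about in question 47 can be modelled in a few functions. This is an added example, not SAP code or output of PFCG_ORGFIELD_CREATE: the role names, values and object/field pairs (F_BKPF_BUK with BUKRS, a custom object with KOSTL) are constructed for illustration.

```python
"""Model of derived roles, organizational levels and field-to-org-level conversion.

Added example, not SAP code. A derived role copies its parent's menu and
authorization defaults but not the org level values or user assignments;
converting a field into an org level moves its values out of the individual
authorizations into the role's org level data, and ACTVT/TCD are refused.
"""
import copy
from dataclasses import dataclass, field
from typing import Optional

NOT_CONVERTIBLE = {"ACTVT", "TCD"}   # can never become organizational level fields


@dataclass
class Role:
    name: str
    menu: list                         # transaction codes in the role menu
    authorizations: dict               # object -> {field: [values]}
    org_levels: dict = field(default_factory=dict)
    users: list = field(default_factory=list)
    parent: Optional[str] = None


def derive_role(parent, name, org_fields):
    """Create a derived role: menu and authorizations are copied as defaults,
    org level values are blanked (they must be maintained anew) and users are
    not passed on."""
    child = Role(name, list(parent.menu), copy.deepcopy(parent.authorizations),
                 parent=parent.name)
    for flds in child.authorizations.values():
        for fld in flds:
            if fld in org_fields:
                flds[fld] = []
    return child


def maintain_org_levels(role, org_fields, **values):
    """Set org level values on a role and push them into every authorization that
    uses those fields, as PFCG does from its organizational levels dialog."""
    for fld, vals in values.items():
        if fld not in org_fields:
            raise ValueError(f"{fld} is not an organizational level field")
        role.org_levels[fld] = list(vals)
        for flds in role.authorizations.values():
            if fld in flds:
                flds[fld] = list(vals)
    return role


def convert_to_org_field(roles, fld, org_fields):
    """Conversion in the spirit of PFCG_ORGFIELD_CREATE: refuse ACTVT/TCD, register
    the field as an org level and, for every affected role, move the field's values
    from the individual authorizations into the role's org level data.
    Returns the names of the roles that were adjusted."""
    if fld in NOT_CONVERTIBLE:
        raise ValueError(f"{fld} cannot be converted into an organizational level field")
    org_fields.add(fld)
    affected = []
    for role in roles:
        collected = []
        for flds in role.authorizations.values():
            for v in flds.get(fld, []):
                if v not in collected:
                    collected.append(v)
        if collected:
            maintain_org_levels(role, org_fields, **{fld: collected})
            affected.append(role.name)
    return affected


def demo():
    """Question 47's case plus one conversion; every value here is constructed."""
    org_fields = {"BUKRS", "WERKS"}           # assumed current org level fields
    master = Role("Z_FI_MASTER", ["FB60", "FBL1N"],
                  {"S_TCODE": {"TCD": ["FB60", "FBL1N"]},
                   "F_BKPF_BUK": {"ACTVT": ["01", "02", "03"], "BUKRS": ["*"]}},
                  users=["JSMITH"])
    maintain_org_levels(master, org_fields, BUKRS=["*"])
    derived = derive_role(master, "Z_FI_DE", org_fields)
    blank = list(derived.authorizations["F_BKPF_BUK"]["BUKRS"])   # empty until maintained
    maintain_org_levels(derived, org_fields, BUKRS=["DE01", "DE02"])   # country restriction
    custom = Role("Z_CO_REPORT", ["KSB1"],
                  {"Z_COST_RPT": {"ACTVT": ["03"], "KOSTL": ["1000", "2000"]}})
    affected = convert_to_org_field([master, derived, custom], "KOSTL", org_fields)
    return {"blank_after_derive": blank, "master": master, "derived": derived,
            "custom": custom, "affected": affected, "org_fields": org_fields}


if __name__ == "__main__":
    result = demo()
    print(result["derived"])
    print("converted in:", result["affected"])
```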
11) How many profiles can be assigned to a user master record?
Ans:
- The maximum number of profiles that can be assigned to any user is 312. See table USR04 (Profile assignments for users). This table contains both the change status of a user and the list of the profile names that were assigned to the user.
- The field PROFS is used for saving the change flag (C = user was created, M = user was changed) and the names of the profiles assigned to the user.
- The field is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.
12) Can you add a composite role to another composite role?
Ans:
No.
Q. How to reset the SAP* password from the Oracle database?
Ans:
- Log on to your database with orasid as the user ID and run this SQL: delete from sapSID.usr02 where bname='SAP*' and mandt='XXX'; commit;
- Where mandt is the client.
- Now you can log in to the client using SAP* and password pass.
13) What is the difference between a role and a profile?
Ans:
A role acts as a container that collects transactions and generates the associated profile. The Profile Generator (PFCG) in the SAP system automatically generates the corresponding authorization profile. Developers used to perform this step manually before PFCG was introduced by SAP. Any maintenance of the generated profile should be done using PFCG.
14) What is a user buffer?
Ans:
- When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer.
- For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.
A user would fail an authorization check if:
- The authorization object does not exist in the user buffer
- The values checked by the application are not assigned to the authorization object in the user buffer
16) Is there a table for authorizations where I can quickly see the values entered in a group of fields?
Ans:
In particular, I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization.
17) How can I do a mass delete of the roles without deleting the new roles?
Ans:
- There is an SAP-delivered report that you can copy, remove the system type check from, and run. To do a landscape-wide delete, enter the roles to be deleted in a transport, run the delete program or delete them manually, and then release the transport and import it into all clients and systems.
- It is called AGR_DELETE_ALL_ACTIVITY_GROUPS. To use it, you need to tweak/debug and replace the code, as it has a check that ensures it is deleting SAP-delivered roles only. Once you get past that little bit, it works well.
18) Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?
Ans:
Debug or use RSUSR100 to find the information.
Run transaction SUIM and go down to its Change documents.
19) How to insert missing authorizations?
Ans:
SU53 is the best transaction with which we can find the missing authorizations, and we can insert those missing authorizations through PFCG.
20) What is the difference between a role and a profile?
Ans:
Role and profile go hand in hand. A profile is brought in by a role. The role is used as a template to which you can add t-codes, reports, etc. The profile is what gives the user authorization. When you create a role, a profile is automatically created.
23) What is the difference between C (Check) and U (Unmaintained)?
Ans:
Background: When defining authorizations using the Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using check indicators. It is a check table for table USOBT_C.
In USOBX_C there are 4 check indicators:
CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.
C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
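The four indicators above, the USOBT_C default values from questions 4 and 8 of the earlier parts, and the SU22/SU24/SU25 relationship from question 39 can be exercised together. This is an added example, not SAP code, and the table rows are constructed for illustration rather than copied from real SU24 content.

```python
"""Model of check indicators (USOBX_C) and default values (USOBT_C).

Added example, not SAP code. It decides, for a transaction added to a role
menu, which objects are checked at run time and which get a proposed
authorization, and models the SU25 copy of SAP's USOBX/USOBT into the
customer _C tables without overwriting SU24 customer changes.
"""
import copy

# Constructed SAP-delivered rows (what SU22 would show). Not real SU24 content.
USOBX = {  # (tcode, object) -> check indicator
    ("SU01", "S_TCODE"): "CM",
    ("SU01", "S_USER_GRP"): "CM",
    ("SU01", "S_USER_PRO"): "CM",
    ("SU01", "S_USER_AUT"): "C",   # checked, but no proposal generated
    ("SU01", "S_DATASET"): "N",    # check switched off inside this transaction
}
USOBT = {  # (tcode, object) -> {field: [default values]}; [] = left open
    ("SU01", "S_TCODE"): {"TCD": ["SU01"]},
    ("SU01", "S_USER_GRP"): {"ACTVT": ["01", "02", "03", "05", "06"], "CLASS": []},
    ("SU01", "S_USER_PRO"): {"ACTVT": ["22"], "PROFILE": []},
}
INDICATORS = {"CM", "C", "N", "U"}


def su25_transfer(usobx_sap, usobt_sap, usobx_c=None, usobt_c=None):
    """SU25-style fill: copy SAP values into the customer tables, but keep any
    row the customer has already maintained in SU24."""
    usobx_c = dict(usobx_c or {})
    usobt_c = copy.deepcopy(usobt_c or {})
    for key, ind in usobx_sap.items():
        usobx_c.setdefault(key, ind)
    for key, defaults in usobt_sap.items():
        usobt_c.setdefault(key, copy.deepcopy(defaults))
    return usobx_c, usobt_c


def su24_set_indicator(usobx_c, tcode, obj, indicator):
    """SU24 customer change of one check indicator; returns an updated copy."""
    if indicator not in INDICATORS:
        raise ValueError(f"unknown check indicator {indicator!r}")
    updated = dict(usobx_c)
    updated[(tcode, obj)] = indicator
    return updated


def checked_at_runtime(usobx_c, tcode, obj):
    """Only indicator N switches the AUTHORITY-CHECK off inside the transaction;
    CM, C and U (or no row at all, which behaves like U) leave it active."""
    return usobx_c.get((tcode, obj), "U") != "N"


def pg_proposals(usobx_c, usobt_c, tcode):
    """Authorizations the Profile Generator proposes for a transaction: CM objects
    only, carrying their USOBT_C defaults. C, N and U objects get no authorization,
    so their field values are not displayed in PFCG."""
    return {obj: copy.deepcopy(usobt_c.get((t, obj), {}))
            for (t, obj), ind in usobx_c.items() if t == tcode and ind == "CM"}


def open_fields(proposals):
    """Fields with empty defaults that the administrator still has to maintain."""
    return sorted((obj, fld) for obj, flds in proposals.items()
                  for fld, vals in flds.items() if not vals)


def demo():
    usobx_c, usobt_c = su25_transfer(USOBX, USOBT)
    # Customer decision in SU24: check S_DATASET in SU01 after all (N -> C).
    usobx_c = su24_set_indicator(usobx_c, "SU01", "S_DATASET", "C")
    # A later SU25 run must not undo that customer change.
    usobx_c, usobt_c = su25_transfer(USOBX, USOBT, usobx_c, usobt_c)
    proposals = pg_proposals(usobx_c, usobt_c, "SU01")
    return {
        "dataset_indicator": usobx_c[("SU01", "S_DATASET")],
        "runtime_checks": sorted(obj for (t, obj) in usobx_c
                                 if t == "SU01" and checked_at_runtime(usobx_c, t, obj)),
        "proposals": proposals,
        "open_fields": open_fields(proposals),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```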
24) How to find out all roles with t-code SU01?
Ans:
You can use SUIM > Roles by complex criteria or RSUSR070 to find this out.
Go to the Selection by Authorization Value.
In Object 1 put S_TCODE and hit Enter.
Then put SU01 in Transaction code and hit the Execute (clock with check) button.
I use the authorization object, as you can use this to test any object.
You can also get this information directly from the table if you have access to SE16 or SE16N:
- Execute SE16N
- Table AGR_1251
- Object S_TCODE
- VALUE (low) SU01
25) How to find out all the users who have SU01?
Ans:
You can use SUIM > User by complex criteria or RSUSR002 to find this out.
Go to the Selection by Authorization Value.
In Object 1 put S_TCODE and hit Enter.
Then put SU01 in Transaction code and hit the Execute (clock with check) button.
I use the authorization object, as you can use this to test any object.
26) How to find out all the roles for one composite role or a selection of composite roles?
Ans:
- Execute SE16N
- Table AGR_AGRS
- Composite roles: you can enter multiple composite roles using the More button
27) How to find out all the derived roles for one or more master (parent) roles?
Ans:
- Execute SE16N
- Table AGR_DEFINE
- Use either the AGR_NAME field or the PARENT_AGR field.
28) How can I check all the organizational values for a role?
Ans:
- Execute SE16N
- Table AGR_1252
- Role: type in the role here and hit Execute.
- You can also download all the information to a spreadsheet.
29) How do I restrict access to files through AL11?
Ans:
- First create an alias. Go to t-code AL11 > Configure > Create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG, assign t-code AL11, and change the authorization for S_DATASET as below:
- Activity 33
- Physical file name /tmp/*
- Program Name with Search Help *
30) How can I add one role to many users?
Ans:
- SU10. If you have fewer than 16 users, you can paste the user IDs.
- If you have more than 16 users, click on Authorization data, click on the button next to Users, and upload from the clipboard.
- Hit the Change button, go to the Roles tab, add the roles to be assigned and hit Save.
31) What are the best practices for locking expired users?
Ans:
Lock the user. Remove all the roles and profiles assigned to the user. Move them to the TERM user group.
32) How can password rules be enforced?
Ans:
Password rules can be enforced using profile parameters. Follow the link to learn more about the profile parameters.
33) How to remove duplicate roles with different start and end dates from the user master?
Ans:
You can use PRGN_COMPRESS_TIMES to do this. Please refer to SAP Note 365841 for more info.
34) How come a user has the authorization in PFCG but still complains of no authorization?
Ans:
Make sure the user master is compared. Maybe there is a user buffer overflow.
Also check the profile, following the instructions below:
SUIM > User by complex criteria.
Put in the user ID of the user who is having the issue.
Execute.
35) How can I create a display-only (display all) role?
Ans:
Copy SAP_ALL, open the role and change the activity to 03 and 08.
36) How can I find out all ACTVT values in SAP?
Ans:
All possible activities (ACTVT) are stored in table TACT (transaction SM30), and the valid activities for each authorization object can be found in table TACTZ (transaction SE16).
37) How many fields can be present in one authorization object?
Ans:
10 fields.
38) How to check the table logs?
Ans:
First, check whether logging is activated for the table using t-code SE13. If table logging is enabled, the table logs can be seen in t-code SCU3.
39) What is the basic difference between SU22 and SU24?
Ans:
SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The Profile Generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the SAP standard values as shown in SU22. With SU25 one can (initially) transfer the USOBT values to the USOBT_C table.
40) Which authorization objects are checked in role maintenance?
Ans:
The role maintenance functions (and the Profile Generator) check the following authorization objects:
- S_USER_AUT (User master maintenance: Authorizations): This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).
- S_USER_GRP (User master maintenance: User groups): The authorization object is used in role maintenance when assigning users to roles and during the user master comparison. You can divide user administration between several administrators with this authorization object, by assigning only a certain user group to an administrator. You can use the activities to specify the administrator's processing types for the group (such as creating, deleting, and archiving).
- S_USER_PRO (User master maintenance: Authorization profiles): Profiles are protected with this authorization object. You can use the activities to specify the administrator's processing types for the profile (such as creating, deleting, and archiving).
- S_USER_AGR (Authorization system: Check for roles): This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles. You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.
- S_USER_TCD (Authorization system: Transactions in roles): This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE). Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.
- S_USER_VAL (Authorization system: Field values in roles): This authorization object allows the restriction of values that a system administrator can insert or change in a role in the Profile Generator. This authorization object relates to all field values with the exception of the values for the object S_TCODE. The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD.
- S_USER_SYS (Authorization object for system assignment in the Central User Administration (CUA)): You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA.
- S_USER_SAS (User master maintenance: System-specific assignments): The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. If you do not activate the authorization object S_USER_SAS using the Customizing switch, the previously used authorization objects are checked. To activate authorization object S_USER_SAS, use transaction SM30 to create the Customizing switch CHECK_S_USER_SAS with the value YES in the table PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO, S_USER_GRP, and S_USER_SYS with the activity assign are replaced by authorization checks for the object S_USER_SAS.
- S_USER_ADM (Administration functions for user and authorization administration): The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA. Until now, there was only the fixed value CHKSTDPWD, with which special users (such as SAP*) could be displayed, including their default passwords. SAP extends additional fixed values as required for other general administration functions in the area of user and authorization administration, which are listed in SAP Note 704307.
41) Which t-codes are used to see an overview of the authorization object and profile details?
Ans:
SU03 – overview of any authorization object
SU02 – to see the details of profiles
SU21 also provides the same editing structure as SU03, but with SU21 we can also create a new authorization object. Here, we need to click the “Display Object Documentation” button to see the documentation for the authorization object, and click “Permitted activity values” to see the list of permitted activities for the fields.
These details are fetched from table TACT.
42)How to restrict the user access to one particular table in display mode ?
Ans:
If the system is BASIS 700, we can use the authorization object S_TABU_NAM. In this auth. Object, we can maintain the values for required activity and the table name.
If the system version is lower than 700 and the table is a Z* table, then:
- Create a new authorization group using SE54.
- Assign the table in question to the newly created authorization group in table TDDAT using SM30.
If the table is an SAP standard table, we can restrict user access by creating a new transaction code for it in SE93.
43) What is a user buffer?
Ans:
When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.
A user would fail an authorization check if:
- The authorization object does not exist in the user buffer
- The values checked by the application are not assigned to the authorization object in the user buffer
- The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/auth_number_in_userbuffer.
44) What is the user type for a background jobs user?
Ans:
- System User
- Communication User
45) How to troubleshoot problems for a background user?
Ans:
Using the system trace (ST01).
46) There are two options in PFCG while modifying a role: "Change authorizations" and "Expert mode". What is the difference between them?
Ans:
Change authorizations: this option is used when we create a new role or modify an existing role.
Expert mode offers three options for profile generation:
- Delete and recreate authorizations and profile (all authorizations are recreated; values that had previously been maintained, changed, or entered manually are lost; only the maintained values for organizational levels remain).
- Edit old status (the last saved authorization data for the role is displayed; this is not useful if transactions in the role menu have been changed).
- Read old data and merge with new data (use this whenever the SU24 authorization defaults have changed).
47) If we give organizational values as * in the master role and want to restrict the derived roles to a specific country, how do we do it?
Ans:
We maintain the organizational levels for that country (plant, sales area, etc.) in the derived role.
48) What is the table name to see illegal passwords?
Ans:
USR40
49) What is the table name to see the authorization objects for a user?
Ans:
USR12
50) What are the two main tables to maintain authorization objects?
Ans:
USOBT, USOBX
51) How to secure tables in SAP?
Ans:
Using authorization groups (checked via S_TABU_DIS and S_TABU_CLI), maintained in transaction SE54.
52) What are the critical authorization objects in Security?
Ans:
S_USER_OBJ, S_USER_GRP, S_USER_AGR, S_TABU_DIS, S_TABU_CLI, S_DEVELOP, S_PROGRAM
53) Difference between the USOBT and USOBX tables?
Ans:
- USOBT: transaction vs. authorization objects (proposal values)
- USOBX: transaction vs. authorization objects check indicators
54) Use of the Firefighter application
Ans:
Whenever a request for new authorization comes from a user, the request goes to the Firefighter owner. The FF owner provides the FF ID to the normal user; then the security admin assigns the authority to that end user.
55) Where do we add the FF IDs to the SAP user IDs?
Ans:
Go to transaction /n/virsa/vfat, open the Firefighter tab and assign the FF ID to the firefighter with a validity period.
56) Different types of users
Ans:
- Dialog user
- Service user
- System user
- Communication user
- Reference user
57) Different types of roles?
Ans:
- Single role
- Composite role
- Derived role
58) Can a single role be used as a master role?
Ans:
yes
59) How to create a derived role?
Ans:
Go to PFCG, enter a role name starting with Z and click the Create Role icon. On the right-hand side you will find the "Derived from" field; enter the parent role name there.
60) How to copy 100 roles from a client 800 to client 900?
Ans:
Add all 100 roles to one composite role and transport the composite role; the 100 roles are then transferred to the target client automatically (using SCC1).
61) A user reports that they lost their access. We check in SUIM and no change documents are found. How do you troubleshoot?
Ans:
Possibly the user buffer is full or the role has expired.
62) What is the correct procedure for mass generation of roles?
Ans:
Using transaction SUPC.
63) What is the transaction SQVI? What is the main usage of SQVI?
Ans:
SQVI - Quick View
64) How can we maintain organizational values? How can we create an organizational level?
Ans:
Run report PFCG_ORGFIELD_CREATE via transaction SA38.
65) I want to see the list of roles assigned to 10 different users. How do you do it?
Ans:
- Go to SE16 > table AGR_USERS and enter the 10 user names
- Go to SUIM > Roles by complex selection criteria > enter the user names
66) What do you mean by User Buffer? How does it work with the user's authorizations?
Ans:
The user buffer is the user context: it contains user-related information, i.e. authorizations, parameters, reports and previously accessed screens. We can display the user context using transaction SU56.
67) What is the advantage of CUA from a layman's or manager's point of view?
Ans:
CUA is used to maintain and manage users centrally.
68) What is the purpose of these Org. values?
Ans:
Org. values are used to restrict the user by value ranges, e.g. a sales order value of 1-100 means the user can create only 100 sales orders, not more than that.
69) What is the main purpose of the Parameters, Groups and Personalization tabs in SU01 and MiniApps in PFCG?
Ans:
- Parameters tab: used to auto-fill some of the values during the creation of orders.
- Personalization tab: used to restrict the user's selection criteria, e.g. when selecting a pay slip it shows only last month's pay slip by default; when selecting attendances it shows the current month by default.
- MiniApps: we can add small applications such as a calculator or calendar.
70) What is the maximum number of profiles we can assign to one user?
Ans:
312
71) How do you identify SAP standard roles?
Ans:
SAP standard roles start with "SAP*".
72) How do you assign an SAP standard role to a user, or what is the procedure to assign an SAP standard role?
Ans:
It is good practice to avoid direct assignment of SAP standard roles: copy the SAP standard role to a new role and assign that to the users.
73) If no authorization profile is assigned to a role, is it considered a composite role?
Ans:
No, it is not considered a composite role; it is an incomplete single role.
74) What are the role types available?
Ans:
- Single role
- Composite role
- Derived role
- Master role
- Copy role
75) What is the relationship between parent role and derived role?
Ans:
The parent role is where we maintain the list of transaction codes; the derived role inherits all authorizations from the parent role except the organizational values.
76) What are the values for user lock?
Ans:
- 00 – not locked
- 32 – Locked Globally by administrator
- 64 – Locked by administrator
- 128 – Locked due to incorrect logon attempt
77) How do you deactivate an authorization object globally?
Ans:
Go to transaction SU25 and select step 5, "Deactivate authorization object globally".
78) If all users are locked by mistake, how do you log in to the SAP system?
Ans:
Refer to the procedure for unlocking SAP* at the OS level.
79) Which authorization object is used to check transaction codes?
Ans:
S_TCODE
80) Which authorization object is used to check HR transaction codes?
Ans:
P_TCODE
81) Why do we need to create a transport request (TR) for a role?
Ans:
Roles are developed in the development system, tested in the quality system and moved to the production system; that is why we need to create a transport request for a role when it is created or changed.
82) List important security transaction codes
Ans:
- PFCG Role Maintenance
- SM19 Security Audit Configuration
- SM20 Security Audit Log Assessment
- ST01 System Trace
- SU01 User Maintenance
- SU02 Maintain Authorization Profiles
- SU03 Maintain Authorizations
- SU10 User Mass Maintenance
- SU21 Maintain Authorization Objects
- SU24 Auth. Obj. Check Under Transactions
- SU25 Upgrade Tool for Profile Generator
- SU53 Display Check Values
- SUIM User Information System
83) What are the mandatory fields when creating a user name?
Ans:
Password and last name
84) How do you create user names in SAP?
Ans:
Go to transaction SU01 and create a new user name; you must enter an initial password for that user on the Logon data tab and a last name on the Address tab.
85) What authorization objects are required to create and maintain user master records?
Ans:
- S_USER_GRP: User Master Maintenance: Assign user groups
- S_USER_PRO: User Master Maintenance: Assign authorization profile
- S_USER_AUT: User Master Maintenance: Create and maintain authorizations
Part 4 :
- Distinguish between the functions of USOBX_C and USOBT_C?
| USOBX_C | USOBT_C |
| --- | --- |
| Gives individual information about which authorization checks are executed inside a transaction and which are not. | Gives information about the authorization proposal data, i.e. the default authorization values that are useful for transactions. |
| Also records the checks that are present in the profile generator. | Records the default values that need to be present in the profile generator. |
- What is SAP security?
The main role of SAP security is to provide users with the right access according to their business responsibility and the authority they hold. Permissions are supposed to be given according to their roles in the organization or department.
- What does one mean by roles as far as SAP security is concerned?
Roles are nothing but groups of transaction codes. These codes are given to carry out a specific business assignment. All these t-codes or roles require specific privileges to execute any function as far as SAP security is concerned, and these privileges are known as authorizations.
- Elaborate on how all users can be locked at the same time at SAP security?
It is possible to lock every user at the same time at SAP security. One has to implement a transactional code EWZ5 for doing this particular task.
- Comment on the necessary steps that need to be taken prior to assigning a task for users even when approval is given from the authorities or the authorized controllers.
There are certain steps that need to be taken prior to handing over SAP_ALL to any user. These steps are necessary even when it has the approval of someone in a position of authority. The prerequisites include the following:
- First, enable the audit log. This can be done using transaction code SM19.
- Second, retrieve the audit log. This can be done using transaction code SM20.
- Elaborate on the meaning of authorization object class and the meaning of authorization object.
It is essential to understand the meaning of the authorization object and that of the authorization object class. An authorization object is a group of authorization fields that together control a specific activity. An authorization relates to a specific action only, whereas the authorization fields are what the security administrator configures with the particular values required for that action.
An authorization object class is an umbrella term under which authorization objects are grouped. These groups correspond to areas such as accounting, HR, finance and others.
- How can one delete numerous roles from Production Systems, DEV, and QA?
The following steps make it possible to delete numerous roles from the above-mentioned systems:
- First, put the roles that are to be deleted in a transport.
- Second, delete the said roles.
- Third, send the transport across to QA and production.
- This way one can delete numerous roles.
- Explain the steps that need to be taken before one has to execute the Run system trace.
There are a few things that need to be done before executing the system trace. If one is going to trace a CPIC or user ID, then prior to executing the trace one has to make sure that the said ID is assigned either SAP_NEW or SAP_ALL.
This has to be done because it ensures that the trace can run without any authorization check failures.
- What is the highest amount of profiles and the highest amount of objects in the roles?
Three hundred and twelve is the highest number of profiles that a role can have, and a role can have at most one hundred and seventy objects.
- Mention the transactional code for separating the execution from the transaction and locking any transaction.
The transactional code which is used to lock the transaction from the execution is SM01.
- What are the differences between a single role and a derived role?
The main difference concerns the handling of transaction codes. With a single role, transaction codes can be added or deleted easily. With a derived role, one is not able to add or delete any transaction code. This is the most important difference between a single role and a derived role.
- Within SAP security, what is SOD?
- SOD stands for Segregation of Duties.
- SOD is implemented in SAP to detect and prevent fraud during business transactions.
- If one has to go through the summary of the profile and authorization object details, which transaction codes need to be used?
- If one has to go through the summary for profiles and authorization objects, two different transaction codes are used.
- For the summary of any authorization object, use transaction code SU03; for the summary of profile details, use transaction code SU02.
- Explain what a user buffer is?
Whenever a user logs into the SAP R/3 system, a user buffer is built which holds all the authorizations associated with the user. So basically, each user has their own user buffer.
For example:
- If Krishna is a user and logs on to the system, then the buffer would hold all the authorization information from USER_KRISHNA_ROLE.
- On the other hand, the user would fail under the following scenarios:
- The authorization information for the user doesn't exist in the user buffer
- The user buffer has too many entries and is flooded with authorization information. In this case, the number of entries can be restricted or limited by using the profile parameter auth/auth_number_in_userbuffer.
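The user buffer behaviour described here (and in Q43 and Q66 earlier on this page), as an added Python model that is not SAP code and not part of the original page: roles, object names and field values are constructed, the entry cap stands in for the profile parameter auth/auth_number_in_userbuffer, and the check follows the rule that every checked field must match one buffered authorization.

```python
"""Simplified model of the SAP user buffer and an authorization check.

Constructed teaching model, not SAP code. It mimics what the interview answers
describe: the buffer is built at logon from the user's roles, it is capped by
auth/auth_number_in_userbuffer, and a check fails when the object is missing,
the values do not match, or the buffer overflowed.
"""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class CheckResult(Enum):
    OK = "ok"
    OBJECT_NOT_IN_BUFFER = "authorization object not in user buffer"
    VALUES_NOT_ASSIGNED = "checked values not assigned to the object in the buffer"
    BUFFER_OVERFLOW = "user buffer overflowed; later authorizations were dropped"


@dataclass
class Authorization:
    """One authorization: object name plus field -> allowed values ('*' = all)."""
    obj: str
    fields: dict


@dataclass
class Role:
    name: str
    authorizations: list


class UserBuffer:
    """Built at logon from all roles of the user (what SU56 would display)."""

    def __init__(self, user: str, roles, max_entries: int):
        self.user = user
        self.max_entries = max_entries  # stands in for auth/auth_number_in_userbuffer
        self.entries = []
        self.overflowed = False
        for role in roles:
            for auth in role.authorizations:
                if len(self.entries) >= max_entries:
                    self.overflowed = True  # remaining authorizations never reach the buffer
                    return
                self.entries.append(auth)

    @staticmethod
    def _value_allowed(allowed, value):
        # SAP-style wildcard: '*' in the maintained value matches anything
        return any(fnmatchcase(value, pattern) for pattern in allowed)

    def check(self, obj: str, **wanted) -> CheckResult:
        """AUTHORITY-CHECK style test: all fields must be satisfied by one authorization."""
        candidates = [a for a in self.entries if a.obj == obj]
        if not candidates:
            return CheckResult.BUFFER_OVERFLOW if self.overflowed else CheckResult.OBJECT_NOT_IN_BUFFER
        for auth in candidates:
            if all(self._value_allowed(auth.fields.get(f, []), v) for f, v in wanted.items()):
                return CheckResult.OK
        return CheckResult.VALUES_NOT_ASSIGNED


def build_smith_buffer(max_entries: int = 1000) -> UserBuffer:
    """Constructed sample: user SMITH with a single role (names are made up)."""
    role = Role("USER_SMITH_ROLE", [
        Authorization("S_TCODE", {"TCD": ["SU01", "SU56"]}),
        Authorization("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["SC"]}),
    ])
    return UserBuffer("SMITH", [role], max_entries)


def demo() -> dict:
    """Run one check per failure mode described in the answer above."""
    buf = build_smith_buffer()
    results = {
        "display_user": buf.check("S_TCODE", TCD="SU01"),                        # OK
        "change_table": buf.check("S_TABU_DIS", ACTVT="02", DICBERCLS="SC"),     # values not assigned
        "debug": buf.check("S_DEVELOP", ACTVT="03"),                             # object not in buffer
    }
    # A deliberately tiny cap: the second authorization never makes it into the buffer.
    small = build_smith_buffer(max_entries=1)
    results["after_overflow"] = small.check("S_TABU_DIS", ACTVT="03", DICBERCLS="SC")
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value}")
```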
- What parameter is used to control the number of entries in the user buffer?
The number of entries in the user buffer must not exceed a limit. The parameter used to control this is auth/auth_number_in_userbuffer.
- What is the number of transactional codes that can be given to a particular role?
A role can have a transactional code of as many as fourteen thousand.
- In order to stock the illegal passwords what table is usually used?
In order to stock or accumulate the illegal password a table called USR40 is usually used. This particular table stores various patterns and arrangements of words that cannot be implemented while making any password.
- What is known by PFCG Time dependency?
The PFCG time dependency is nothing but a report which is normally used for comparison of the user master. The PFCG Time dependency also makes sure to wipe away any profiles from the main record which seem to have expired and are of no use. There is also a transactional code that can be employed in order to execute this particular action. The transactional code which is used to do this is PFUD.
- What is the role of users compare in SAP security?
User comparison in SAP security compares the user master records with the role assignments and enters the generated authorization profiles into the user master records.
- What are the different types of tabs that are present in the PFCG?
There are several important tabs in PFCG. The following tabs are included:
- The first is the Description tab. This tab is used to describe any changes made to the role, such as the addition or removal of transaction codes, changes in authorization objects and so on.
- The second is the Menu tab. It is used to design the user menu, for example by adding transaction codes.
- The third is the Authorizations tab. This tab is used for maintaining the authorization profile and authorization data.
- The fourth is the User tab. This tab is used for assigning users to the role and for adjusting the user master records.
- What is the T-code that is used to delete all the old security audit logs?
SM18 is the transaction code used to delete old security audit logs.
- Which program or report one must use to regenerate the profile of SAP?
If one has to regenerate the profile of sap all then one has to use the following report or program:
AGR_REGENERATE_SAP_ALL
- If one wants to display the text of a transaction code, which table will be used?
If a person wants to display the text of a transaction code, the TSTCT table will be used.
- If a user buffer needs to be displayed, what transaction code will be used?
If a user buffer needs to be displayed, the following transaction code will be used: SU56.
- Which SAP table can be used to determine the single roles contained in a composite role?
The table used to find the single roles is AGR_AGRS.
- If one has to see the number of filters in the SM19 which is the Security audit log then which parameter is used?
The parameter which is used for deciding on the number of filters is as follows; rsau/no_of_filters.
- Explain the derived role?
A derived role refers to an already existing role. It receives the functions and menu structure of the referenced role. This inheritance is only possible when no transaction code has been assigned to the derived role beforehand. The role at the higher level passes on its authorizations as defaults to the derived roles, and these can be changed later on.
Certain items are not passed to the derived roles and have to be created anew; these include the organizational level definitions as well as the user assignments. Derived roles have a fixed functionality, meaning they have the same menus and transactions, but their characteristics differ as far as the organizational levels are concerned.
- Explain the working of a composite role?
- A composite role is like a large container that can collect numerous different roles. These roles do not hold any authorization data themselves. If any changes in authorizations are needed, the data must be maintained in each of the roles that the composite role contains.
- Creating composite roles is useful when some employees in the organization require authorizations from several roles. In that case a composite role can be set up and the users assigned to it. This saves time compared to separately assigning every user to each individual role.
- When a user is assigned to a composite role, the user comparison automatically assigns the contained elementary roles as well.
- Which transactional codes are most commonly used in SAP security?
The transaction codes most commonly used in SAP security are SU53 for authorization analysis, ST01 for the system trace, SUIM for reports, SU01D to display users, SU10 for mass changes, PFCG to maintain roles, and SU01 to create or change users.
- What are role templates?
Role templates are predefined activity clusters. These clusters consist of reports, web addresses and transactions.
- Explain the process of creating a user group in the SAP system?
The following steps are involved in creating a user group in the SAP system:
- Execute transaction SUGR.
- Enter a name for the user group in the text box.
- After providing the name, click the Create button.
- Now enter the description and click the Save button.
- This completes the creation of the user group in the SAP system.
- How do you check the transport requests created by other users?
By using the SE10 t-code we can find the transport requests created by other users.
- How do you find user-defined and system default values of security parameters?
By using report RSPFPAR we can find user-defined and system default values of security parameters.
- What is the process to assign a logical system to a client?
The logical system can be assigned to a client using transaction SCC4. This needs to be done with the utmost care because it might affect other configurations such as CUA (if it is configured).
- Why do we use t-code SU25?
If you want to copy data from USOBT and USOBX to the tables USOBT_C and USOBX_C, use transaction SU25.
- Why do we use the ST01 t-code?
ST01 t-code is used to trace the user authorizations.
- What are the derived roles in SAP?
- Derived roles are defined by other existing roles called master roles.
- Derived roles inherit features from a master role like functions, menu structure, transactions, reports, weblinks, etc.
- Why do we use t-code SU56?
Transaction SU56 is used to display the current user buffer, i.e. the authorizations assigned in the user master record.
- How do you lock multiple users at a time in SAP?
We can lock multiple users using transaction SU01: go to SU01 and enter the user names to be locked.
- Which T-code do you use to create authorization groups?
We can create authorization groups in SAP using SE54 T-code.
- What is the maximum number of roles that can be assigned to a user?
In SAP, the maximum number of roles that can be assigned is 312.
- What are the different layers of Security in SAP?
SAP supports multiple layers of security, they are:
- Authentication
- Authorization
- Integrity
- Privacy
- Obligation
- How can you get the user list in SAP?
We can get the user list by using SM04/AL08 transaction code.
- How do you check background jobs?
Using the SM37 transaction code we can check the background jobs.
- Which transaction code is used to manage lock entries?
Transaction code SM12 is used to manage lock entries.
- Explain what is the difference between a role and a profile?
To be honest, there is not much difference between a role and a profile; they go hand in hand. A role is nothing but a combination of authorizations, and this information is stored in the form of profiles. At any given time there can be more than one profile associated with a role. When a role is created, a profile is generated automatically.
- Explain what do you mean by “Profile Versions”?
If any parameter is modified within a profile, an updated version of the same profile is created automatically. The process is repeated whenever a modification is made to the profile. All of these profiles are saved in the database following a naming convention, and the stored versions of the same profile are known as profile versions.
- What is the main difference between a single role and a composite role?
A single role is a container that collects the information related to transactions and generates the necessary profile. A composite role, on the other hand, is a container that holds information about several different roles.
- List out SAP security T-codes?
The following is a list of frequently used SAP security T-codes:
| SAP T-code | Description |
| --- | --- |
| PFCG | This T-code is used for maintaining roles. |
| SU10 | This T-code is used for mass user maintenance. |
| SU01 | This T-code is used for creating or changing a user. |
| ST01 | This T-code is used for the system trace. |
| SU53 | This T-code is used for authorization analysis. |
- Explain how a password rule can be enforced?
The process is very straightforward. If password rules need to be enforced, the administrator has to set the corresponding profile parameter. Once this parameter is set, the password rules are applied automatically.
- Explain how to check the table logs and which T-codes are used for this?
To check whether table logs are available, first check whether logging is activated for the particular table. This can be done using transaction SE13. If the table is enabled for logging, the table logs can be viewed using transaction SCU3.
- Can you please let me know the highest permitted number of profiles in a role and the highest permitted number of objects in a role?
- The highest permitted number of profiles in a role is 312.
- The highest permitted number of objects in a role is 150.
- Do you know Transaction-code to lock the transaction execution?
The Transaction-code that is used for locking the transaction execution is SM01.
- Can you please let us know how many transaction codes can be assigned to a particular role?
We can assign at least 14000 transactions to a particular role.
- What is the process to check the transport requests created by another user?
Transaction SE10 provides an option to enter a user name. After entering the user name, we can see the transport requests that were created by that user.
- Explain what is the use of SU25 T-code?
The main use of the SU25 T-code is to copy data from one set of tables to another: the data is copied from USOBT and USOBX to USOBT_C and USOBX_C.
- What is the use of the authorization object S_TABU_LIN?
Generally, this authorization object is used to control access to tables at the row level.
- What is a T-code in SAP?
A T-code is nothing but a transaction code. It is used to run a program in an SAP application.
- What are the user types for background jobs?
User types for background jobs are:
- System user
- Communication user
- What is the transaction code that is used to troubleshoot problems for a background user?
The transaction code used to troubleshoot problems for a background user is ST01.
- What are the different types of users within the SAP system?
Below are the different types of users that are within the SAP system.
- Dialog user
- Service user
- System user
- Communication user
- Reference user
Part 5 :
- What is the user type for a background jobs user?
Ans: 1. System user, 2. Communication user
- How to troubleshoot problems for a background user?
Ans: Using the system trace (ST01).
- There are two options in PFCG while modifying a role: "Change authorizations" and "Expert mode". What is the difference between them?
Ans: Change authorizations: this option is used when we create a new role or modify an existing role.
Expert mode offers three options for profile generation:
- Delete and recreate authorizations and profile (all authorizations are recreated; values that had previously been maintained, changed, or entered manually are lost; only the maintained values for organizational levels remain).
- Edit old status (the last saved authorization data for the role is displayed; this is not useful if transactions in the role menu have been changed).
- Read old data and merge with new data (use this whenever the SU24 authorization defaults have changed).
- If we give organizational values as * in the master role and want to restrict the derived roles to a specific country, how do we do it?
Ans: We maintain the organizational levels for that country (plant, sales area, etc.) in the derived role.
- What is the table name to see illegal passwords?
Ans: USR40
- What is the table name to see the authorization objects for a user?
Ans: USR12
- What are the two main tables to maintain authorization objects?
Ans: USOBT, USOBX
- How to secure tables in SAP?
Ans: Using authorization groups (checked via S_TABU_DIS, S_TABU_CLI), maintained in transaction SE54.
- What are the critical authorization objects in Security?
Ans: S_USER_OBJ, S_USER_GRP, S_USER_AGR, S_TABU_DIS, S_TABU_CLI, S_DEVELOP, S_PROGRAM
- Difference between the USOBT and USOBX tables?
Ans:
- USOBT: transaction vs. authorization objects (proposal values)
- USOBX: transaction vs. authorization objects check indicators
- Use of the Firefighter application
Ans: Whenever a request for new authorization comes from a user, the request goes to the Firefighter owner. The FF owner provides the FF ID to the normal user; then the security admin assigns the authority to that end user.
- Where do we add the FF IDs to the SAP user IDs?
Ans: Go to transaction /n/virsa/vfat, open the Firefighter tab and assign the FF ID to the firefighter with a validity period.
- How to create FF IDs?
Ans:
- Different types of users
Ans: 1. Dialog user, 2. Service user, 3. System user, 4. Communication user, 5. Reference user
- Different types of roles?
Ans: 1. Single role, 2. Composite role, 3. Derived role
- Can a single role be used as a master role?
Ans: yes
- How to create a derived role?
Ans: Go to PFCG, enter a role name starting with Z and click the Create Role icon. On the right-hand side you will find the "Derived from" field; enter the parent role name there.
- HR Security: How to create structural authorizations in HR
Ans:
- HR Security: What are the objects for HR and what is the importance of each HR object?
Ans: P_PERNR is used by a person to see data related to his own personnel number.
P_ORGXX: HR Master Data - Extended Check
- How to copy 100 roles from a client 800 to client 900?
Ans: Add all 100 roles to one composite role and transport the composite role; the 100 roles are then transferred to the target client automatically (using SCC1).
- A user reports that they lost their access. We check in SUIM and no change documents are found. How do you troubleshoot?
Ans: Possibly the user buffer is full or the role has expired.
- What is the correct procedure for mass generation of roles?
Ans: Using transaction SUPC.
- What is the transaction SQVI? What is the main usage of SQVI?
Ans: SQVI - Quick View
- How can we maintain organizational values? How can we create an organizational level?
Ans: Run report PFCG_ORGFIELD_CREATE via transaction SA38.
- I want to see the list of roles assigned to 10 different users. How do you do it?
Ans:
- Go to SE16 > table AGR_USERS and enter the 10 user names
- Go to SUIM > Roles by complex selection criteria > enter the user names
- What do you mean by User Buffer? How does it work with the user's authorizations?
Ans: The user buffer is the user context: it contains user-related information, i.e. authorizations, parameters, reports and previously accessed screens. We can display the user context using transaction SU56.
- What is the advantage of CUA from a layman's or manager's point of view?
Ans: CUA is used to maintain and manage users centrally.
- What is the purpose of these Org. values?
Ans: Org. values are used to restrict the user by value ranges, e.g. a sales order value of 1-100 means the user can create only 100 sales orders, not more than that.
- What is the main purpose of the Parameters, Groups and Personalization tabs in SU01 and MiniApps in PFCG?
Ans:
- Parameters tab: used to auto-fill some of the values during the creation of orders.
- Personalization tab: used to restrict the user's selection criteria, e.g. when selecting a pay slip it shows only last month's pay slip by default; when selecting attendances it shows the current month by default.
- MiniApps: we can add small applications such as a calculator or calendar.
- What is the maximum number of profiles we can assign to one user?
Ans: 312
- What is the name of a critical authorization object for table access through SE16?
Ans: S_TABU_DIS
Part 6 :
Q1) What is meant by SAP Security?
Ans: Security is one of the prominent modules in SAP. It provides business users with the right access according to the authorities and responsibilities they hold. Permissions are given according to their roles in any department of the firm.
Q2) Elaborate on the term "Roles" in SAP Security?
Ans: A role is the container through which access is granted: it holds a menu of transaction codes (T-codes), the authorizations needed to run them and the users assigned to it. Each T-code requires specific authorizations, checked through authorization objects, and PFCG generates the profile that carries them.
Q3) What is the difference between USOBX_C and USOBT_C?
Ans: Both are the customer copies of the SU24 default tables (USOBX and USOBT), filled by SU25 and maintained with SU24:

| USOBX_C | USOBT_C |
| --- | --- |
| Check indicator table: for each transaction it records which authorization objects are checked when the transaction runs (and which are not), and whether a default value is proposed for the object. | Default value table: for each transaction and checked object it holds the proposed field values. |
| Controls which objects the Profile Generator pulls into a role when the transaction is added to the role menu. | Supplies the default values the Profile Generator fills into those objects in the role. |
Q4) Elaborate on how all users can be locked at a time in SAP Security?
Ans: Transaction EWZ5 locks or unlocks all users of a client at once (for example before an upgrade or client copy); SU10 does the same for a selected set of users.
Q5) What prerequisites should be in place before assigning SAP_ALL to a user, even when there is an approval from the authorization controllers?
Ans: The following should be done before SAP_ALL is assigned, even with the approval of the authorization controllers:
- Enable the Security Audit Log for that user with SM19, so that every action taken with SAP_ALL is recorded
- Review the audit log afterwards with SM20
Q6) Explain the authorization object and the authorization object class?
Ans: An authorization object groups up to ten authorization fields that together describe one protected activity, for example S_TABU_DIS with the fields ACTVT (activity) and DICBERCLS (table authorization group). An authorization is a set of values for these fields, and an AUTHORITY-CHECK succeeds only if one authorization matches every field that is checked.
An authorization object class is the umbrella under which objects are grouped by application area, such as HR, FI (accounting), MM and the Basis class BC_A.
Q7) Explain how you can delete numerous roles from the DEV, QA and production systems?
Ans: The steps to delete roles across the landscape are:
- In DEV, record the roles to be deleted in a transport request
- Delete the roles in DEV
- Import the transport into QA and production
- Because the request contains the role keys without their data, the import deletes the roles in each target system
Q8) What is the maximum number of profiles and objects in a role?
Ans: A user master record can hold at most 312 profiles, and one generated profile can hold at most 150 authorizations; when a role needs more, PFCG generates several profiles for it.
Q9) Elaborate on the steps that need to be taken before executing the system trace?
Ans: Before running the system trace (ST01), identify the user ID to be traced, which may be a dialog user or a CPIC/system user. The answer usually given is to assign that ID SAP_ALL or SAP_NEW temporarily so that no check fails and every authorization object the program touches is recorded; do this only in a non-production system and remove the profile as soon as the trace is complete.
Q10) What is the difference between a single role and a derived role?
Ans: The key difference lies in the transaction codes. In a single role you can add or delete transaction codes freely. A derived role inherits its menu and transaction codes from its parent role and cannot change them; only the organizational levels (and, where needed, other field values) are maintained in the derived role.
Q11) Mention the transactional codes that go through the summary of the Authorization profile and object details?
Ans: Following are the two transactional codes that go through the summary of the authorization profile and object details.
- Users can use SU03 transaction code to go through the summary of authorization objects.
- Users can use SU02 transaction code to go through the summary of authorization profiles.
Q12) Mention the transaction code that is used for locking the transaction from execution?
Ans: SM01 transaction code is used for locking the transaction from execution.
Q13) Elaborate SOD in SAP Security module?
Ans: SOD stands for Segregation of Duties: no single user should hold all the access needed to complete and conceal a business transaction, for example creating a purchase order and approving it, or posting a vendor invoice and running the payment. SOD rules are used to prevent and detect errors and fraud in business transactions.
Q14) Which parameter is used to control the number of entries in the user buffer?
Ans: The profile parameter auth/auth_number_in_userbuffer sets the maximum number of authorizations loaded into a user's buffer.
Q15) Explain about the user buffer in SAP Security?
Ans: The user buffer holds all authorizations of a user. When a user logs on to the SAP R/3 system, the authorizations of the profiles in the user master record are loaded into the buffer, so each user has their own buffer.
For instance, when user X logs on, a buffer is built containing all authorizations from the roles assigned to X. An authorization check for user X then fails in two situations:
- The required authorization is not in the user buffer (the user does not have it, or the user comparison has not run since the role was changed)
- The user has more authorizations than auth/auth_number_in_userbuffer allows, so the entries beyond the limit are not loaded and checks against them fail
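The following is an added example, not SAP code and not from the original page, that models how an AUTHORITY-CHECK is evaluated against the user buffer described in Q6, Q14 and Q15: an authorization passes only if one entry for the object covers every checked field ('*' wildcard or a low/high range), and entries beyond the buffer limit are never loaded, so a check that would pass against the full profile fails. The object and profile names are illustrative, the sample authorizations are constructed, and the buffer limit of 5 is an assumed value chosen so that the sample overflows.

```python
# Added example (not SAP code): AUTHORITY-CHECK evaluation against a user
# buffer capped by auth/auth_number_in_userbuffer. Names and values are
# constructed for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Stand-in for profile parameter auth/auth_number_in_userbuffer. The value 5
# is an assumption chosen so the sample below overflows; real systems use
# far larger values.
AUTH_NUMBER_IN_USERBUFFER = 5


@dataclass
class Authorization:
    """One authorization: an object plus one or more (low, high) value pairs
    per field, the way UST12 stores generated profile values. An empty high
    value means a single value or '*' pattern rather than a range."""
    profile: str
    obj: str
    fields: dict = field(default_factory=dict)


def _field_ok(pairs, value):
    """True if value is covered by one of the (low, high) pairs of a field."""
    for low, high in pairs:
        if high:
            if low <= value <= high:   # range, compared as strings
                return True
        elif fnmatchcase(value, low):  # '*' matches any string, as in SAP
            return True
    return False


def build_user_buffer(profile_auths, limit=AUTH_NUMBER_IN_USERBUFFER):
    """Logon: load the authorizations of the user's profiles into the buffer.
    Returns (buffer, overflowed). Entries beyond the limit are dropped,
    which is what Q15 describes as authorization data being lost."""
    return list(profile_auths[:limit]), len(profile_auths) > limit


def authority_check(buffer, obj, **checked):
    """AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...: succeeds only if one
    authorization for obj satisfies every checked field."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        if all(_field_ok(auth.fields.get(f, []), v) for f, v in checked.items()):
            return True
    return False


# Constructed profile content for a sample user: six authorizations, one more
# than the assumed buffer limit.
SAMPLE_PROFILE_AUTHS = [
    Authorization("T-ABC00001", "S_TCODE", {"TCD": [("SE16", ""), ("SM37", "")]}),
    Authorization("T-ABC00001", "S_TABU_DIS", {"ACTVT": [("03", "")], "DICBERCLS": [("SS", "SU")]}),
    Authorization("T-ABC00001", "S_USER_GRP", {"ACTVT": [("03", "")], "CLASS": [("*", "")]}),
    Authorization("T-ABC00001", "S_ADMI_FCD", {"S_ADMI_FCD": [("ST0R", "")]}),
    Authorization("T-ABC00002", "S_BTCH_ADM", {"BTCADMIN": [("N", "")]}),
    Authorization("T-ABC00002", "S_BTCH_JOB", {"JOBACTION": [("SHOW", "")], "JOBGROUP": [("*", "")]}),
]


def demo():
    """Run the same checks against a full and a truncated buffer."""
    full, _ = build_user_buffer(SAMPLE_PROFILE_AUTHS, limit=1000)
    small, overflowed = build_user_buffer(SAMPLE_PROFILE_AUTHS)
    return {
        "display_table_ok": authority_check(full, "S_TABU_DIS", ACTVT="03", DICBERCLS="ST"),
        "change_table_denied": authority_check(full, "S_TABU_DIS", ACTVT="02", DICBERCLS="ST"),
        "job_show_full": authority_check(full, "S_BTCH_JOB", JOBACTION="SHOW", JOBGROUP="X"),
        "job_show_truncated": authority_check(small, "S_BTCH_JOB", JOBACTION="SHOW", JOBGROUP="X"),
        "overflowed": overflowed,
    }


if __name__ == "__main__":
    print(demo())
```

The sixth authorization (S_BTCH_JOB) is the one that falls outside the capped buffer, so the same job-display check succeeds against the full profile and fails against the truncated one; in a real system the symptom is an SU53 entry for an authorization the user visibly holds, and the fix is raising auth/auth_number_in_userbuffer or reducing the user's profiles.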
Q16) Which SAP table determines the single roles assigned to a composite role?
Ans: Table AGR_AGRS holds the single roles (CHILD_AGR) contained in each composite role (AGR_NAME).
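As an added example (not SAP code and not from the original page), the script below runs a segregation-of-duties check of the kind described in Q13 over SE16 exports of the tables mentioned on this page: AGR_USERS for direct role assignments, AGR_AGRS (Q16) to expand composite roles into their single roles, and AGR_TCODES for the transactions in each role menu. The CSV content, role names and the two SOD rules are constructed for illustration; a real rule set comes from the organisation's SOD matrix or a GRC tool.

```python
# Added example (not SAP code): SOD conflicts from role-table exports.
# The CSV data, role names and rules are constructed for illustration.
import csv
import io
from collections import defaultdict

# AGR_USERS: direct role assignments (a composite role appears here as one row).
AGR_USERS_CSV = """AGR_NAME,UNAME
Z_PO_CREATE,JDOE
Z_PO_APPROVE,JDOE
Z_FI_ALL,ASMITH
Z_PO_CREATE,BLEE
"""

# AGR_AGRS: single roles contained in a composite role.
AGR_AGRS_CSV = """AGR_NAME,CHILD_AGR
Z_FI_ALL,Z_AP_INVOICE
Z_FI_ALL,Z_AP_PAYMENT
"""

# AGR_TCODES: transactions in each single role's menu. This example keeps to
# the menu; a thorough check also reads S_TCODE values from AGR_1251, where
# wildcards such as ME2* can grant transactions that never appear in the menu.
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_PO_CREATE,ME21N
Z_PO_APPROVE,ME29N
Z_AP_INVOICE,FB60
Z_AP_PAYMENT,F110
"""

# Each rule: two sets of transactions that must not be held by the same user.
SOD_RULES = {
    "PO create vs PO release": ({"ME21N"}, {"ME29N"}),
    "Vendor invoice vs payment run": ({"FB60"}, {"F110"}),
}


def load_table(csv_text):
    """Parse one SE16 export (CSV) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def roles_per_user(agr_users, agr_agrs):
    """Expand composite roles so every user maps to the single roles whose
    profiles the user comparison would give them."""
    children = defaultdict(set)
    for row in agr_agrs:
        children[row["AGR_NAME"]].add(row["CHILD_AGR"])
    result = defaultdict(set)
    for row in agr_users:
        stack = [row["AGR_NAME"]]
        while stack:
            role = stack.pop()
            if role in result[row["UNAME"]]:
                continue
            result[row["UNAME"]].add(role)
            stack.extend(children.get(role, ()))
    return dict(result)


def tcodes_per_user(user_roles, agr_tcodes):
    """Union of the transactions reachable through each user's roles."""
    role_tcodes = defaultdict(set)
    for row in agr_tcodes:
        role_tcodes[row["AGR_NAME"]].add(row["TCODE"])
    return {user: set().union(*(role_tcodes[r] for r in roles))
            for user, roles in user_roles.items()}


def sod_conflicts(user_tcodes, rules=SOD_RULES):
    """Return (user, rule name) for every rule a user violates, sorted by user."""
    hits = []
    for user, tcodes in sorted(user_tcodes.items()):
        for name, (side_a, side_b) in rules.items():
            if tcodes & side_a and tcodes & side_b:
                hits.append((user, name))
    return hits


def run_sod_check():
    """End-to-end run over the constructed exports."""
    users = roles_per_user(load_table(AGR_USERS_CSV), load_table(AGR_AGRS_CSV))
    return sod_conflicts(tcodes_per_user(users, load_table(AGR_TCODES_CSV)))


if __name__ == "__main__":
    for user, rule in run_sod_check():
        print(f"{user}: {rule}")
```

JDOE is flagged because two directly assigned roles together cover create and release of a purchase order; ASMITH is flagged only after the composite role Z_FI_ALL is expanded through AGR_AGRS, which is why a check that reads AGR_USERS alone misses such conflicts.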
Q17) Which transaction code is used to display the user buffer in SAP?
Ans: SU56 displays the user buffer (your own by default; other users can be selected). AL08 does not show the buffer; it lists the users logged on across all instances.
Q18) Mention which table is used to display the transaction code text in SAP Security?
Ans: To display the transaction code text, users can use the TSTCT table.
Q19) How to delete old security audit logs in SAP Security?
Ans: Using transaction SM18, a user can delete old security audit log files (those older than a minimum age in days).
Q20) Explain about reports or programs that can be used to regenerate SAP profiles?
Ans: Report AGR_REGENERATE_SAP_ALL, run via SA38, regenerates the SAP_ALL profile (needed after new authorization objects are added to the system); the profiles of all roles are regenerated with transaction SUPC.
Q21) Explain the different tabs available in PFCG?
Ans: The main tabs in PFCG are:
- Description tab: documents the role and the changes made to it, for example authorization objects added, role details and transaction codes removed
- Menu tab: defines the user menu, above all by adding transaction codes, reports and web addresses
- Authorizations tab: maintains the authorization data (objects, field values, organizational levels) and generates the profile
- User tab: assigns users to the role and runs the user comparison that writes the profile into their user master records
Q22) Explain about PFCG time dependency in SAP?
Ans: PFCG_TIME_DEPENDENCY is a report, normally scheduled as a daily background job, that performs the user master comparison: it adds the profiles of role assignments that have become valid and removes from the user master records the profiles of assignments that have expired. The same comparison can be run manually with transaction PFUD.
Q23) Explain the role of user compare in SAP Security?
Ans: The user comparison (user master comparison) updates the user master records: it inserts the generated profiles of the roles assigned to each user and removes profiles whose role assignment has ended. Until it runs, a newly assigned role gives the user no authorizations.
Q24) How many transaction codes can be assigned to a role in SAP?
Ans: A maximum of 14,000 transaction codes can be assigned to a role.
Q25) Which table is used to store illegal passwords?
Ans: Table USR40 holds the forbidden passwords. Entries can be literal words or patterns using the wildcards ? (one character) and * (any string), and a new password that matches any entry is rejected. The table is maintained with SM30.
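As an added example (not SAP code and not from the original page), this script checks a candidate password the way the login/* parameters and USR40 entries of Q25 and Q45 would: length and composition rules first, then a wildcard match against the forbidden list. The rule values and the USR40 entries are constructed; the matching semantics assumed are that '?' matches exactly one character, '*' any string, and the comparison is case-insensitive.

```python
# Added example (not SAP code): password rules plus USR40 pattern matching.
# Parameter values and USR40 entries are constructed for illustration.
import re

USR40_ENTRIES = ["PASSWORD", "*SAP*", "?12345", "WELCOME*"]  # constructed sample

# Assumed values for the relevant profile parameters.
PASSWORD_RULES = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
}


def usr40_regex(entry):
    """Translate one USR40 entry into an anchored, case-insensitive regex:
    '*' -> any string, '?' -> one character, everything else literal."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matching_usr40_entries(candidate, entries=USR40_ENTRIES):
    """All USR40 entries the candidate password matches (empty if none)."""
    return [e for e in entries if usr40_regex(e).fullmatch(candidate)]


def check_password(candidate, rules=PASSWORD_RULES, entries=USR40_ENTRIES):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(candidate) < rules["login/min_password_lng"]:
        problems.append("too short")
    if sum(c.isdigit() for c in candidate) < rules["login/min_password_digits"]:
        problems.append("too few digits")
    if sum(c.isalpha() for c in candidate) < rules["login/min_password_letters"]:
        problems.append("too few letters")
    hits = matching_usr40_entries(candidate, entries)
    if hits:
        problems.append(f"matches USR40 entry {hits[0]}")
    return problems


if __name__ == "__main__":
    for pw in ("Sap2024Secure", "x12345", "Tr0ub4dor&3"):
        print(pw, check_password(pw) or "accepted")
```

The point of the '*SAP*' entry is that it blocks the company or product name anywhere in the password, which is the pattern attackers try first against SAP systems; an entry without wildcards only blocks the exact word.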
Q26) What is the use of transaction SU25 in SAP?
Ans: SU25 copies the SAP default check indicators and proposals from USOBX and USOBT into the customer tables USOBX_C and USOBT_C (the initial fill in step 1, and the comparison steps after an upgrade).
Q27) Which transaction or report is used to find the user-defined and default values of security parameters?
Ans: Report RSPFPAR, run via SA38, lists the profile parameters with their current and default values; RZ11 displays the documentation and current value of a single parameter, and RZ10 maintains the profiles.
Q28) Which transaction is used to check the transport requests that are created by the users?
Ans: SE10 Transaction code is used to check the transport requests that are created by the users.
Q29) What is the process for creating a user group in SAP Security?
Ans: The steps to create a user group are:
- Execute transaction SUGR
- Enter a name for the user group in the input field
- Click Create
- Enter a description for the group and save
The group can then be assigned to users on the Groups tab of SU01.
Q30) Explain the process to assign a logical system?
Ans: A logical system is assigned to a client, not to a user, with transaction SCC4 (client maintenance); the logical system itself is defined beforehand in BD54. Check the existing value before changing it, because CUA identifies its central and child systems by logical system name and a change alters the CUA configuration.
Q31) What is meant by a derived role in SAP?
Ans: A derived role inherits the menu structure and the transactions of a reference (parent) role. A role can only be made a derived role if no transactions have been assigned to it yet. The authorizations maintained in the parent are passed down as defaults to the derived roles and can be adjusted there, but the organizational levels and the user assignments are not inherited and must be maintained in each derived role. Derived roles therefore have the same menus and transactions as the parent and differ only in their organizational values.
Q32) Which security audit log parameter controls the number of filters in SM19?
Ans: rsau/selection_slots sets the number of filters available in SM19 (the default is 2).
Q33) Explain the working of a composite role?
Ans: A composite role is a container that groups several single roles. It carries no authorization data of its own; if authorizations change, they are maintained in the single roles it contains. Composite roles are useful when a group of employees needs the authorizations of several roles: you build one composite role and assign users to it instead of assigning each single role to each user. When a user is assigned a composite role, the user comparison automatically adds the profiles of all the single roles it contains.
Q34) Explain about role templates?
Ans: Role templates, also called activity groups, are predefined roles delivered by SAP. They consist of transactions, web addresses and reports, and are copied as a starting point for customer roles.
Q35) Mention the most commonly used transaction codes in SAP Security?
Ans: The most commonly used transaction codes in SAP Security are:
- SU53 displays the last failed authorization check for analysis
- ST01 runs the system trace, including authorization checks
- SUIM is the user information system for reports
- SU01D displays users
- SU10 performs mass user maintenance
- PFCG maintains roles
- SU01 creates or changes users
Q36) List out different types of users in SAP System?
Ans: Following are the various types of users in SAP System:
- Service User
- Communication User
- Dialog User
- Reference User
- System user
Q37) Which user types are used for background jobs?
Ans: Two user types are given for background jobs:
- Communication user
- System user
The System user type is the one intended for background processing and internal RFC: it cannot log on in dialog and is not subject to the dialog password expiry rules.
Q38) Which transaction code is used to troubleshoot problems with background jobs?
Ans: SM37 shows the status and job log of background jobs; if a job fails on an authorization, ST01 traces the authorization checks under the job's user.
Q39) What is meant by T-codes?
Ans: T-code means transaction code which is used for running a program in SAP application.
Q40) Explain the use of the SU25 T-code in SAP?
Ans: SU25 copies data from the SAP default tables to the customer tables: USOBX and USOBT are copied to USOBX_C and USOBT_C.
Q41) Explain the use of the authorization object S_TABU_LIN?
Ans: S_TABU_LIN gives row-level access to tables: after organizational criteria (for example company code) are defined for a table, access can be restricted to the rows whose values the user is authorized for, instead of granting the whole table via S_TABU_DIS or S_TABU_NAM.
Q42) How to check the table logs and what transaction codes are used to check the table logs?
Ans: First check whether logging is active for the table: in SE13 the technical settings show the Log data changes flag. Table logging also requires the profile parameter rec/client to be set (to ALL or to the client numbers to be logged). If logging is on, the change records (table DBTABLOG) are evaluated with transaction SCU3.
Q43) Do you know which transaction code is used to lock the transaction execution?
Ans: SM01 transaction code is used to lock the transaction execution in SAP System.
Q44) Explain the procedure to check the transport requests created by another user?
Ans: SE10 (or SE09) is used to check transport requests. Its selection screen has a field for the user name; enter the other user's name and the system lists the requests that user has created.
Q45) How is a password rule enforced?
Ans: Password rules are enforced by the login/* profile parameters of the system (for example login/min_password_lng, login/min_password_digits and login/password_expiration_time) together with the forbidden passwords in table USR40. Once a parameter is set, the rule is applied automatically whenever a password is set or changed.
Q46) Which transaction code is used to manage lock entries in the SAP System?
Ans: SM12 displays and deletes lock entries (enqueue locks).
Q47) Which transaction code is used to check the background jobs?
Ans: SM37 transaction code is used to check the background jobs.
Q48) Which transaction codes are used to get the list of logged-on users?
Ans: SM04 lists the users logged on to the current instance; AL08 lists the users on all instances.
Q49) Explain different layers of SAP Security System?
Ans: Following are various layers that support security system in SAP:
- Authentication
- Authorization
- Integrity
- Privacy
- Obligation
Q50) How many roles can be assigned to a user in the SAP System?
Ans: The limit is on profiles rather than roles: a user master record holds at most 312 profiles, so the roles assigned to a user may together generate no more than 312 profiles.
Q51) How do you lock multiple users at a time in the SAP System?
Ans: Use SU10 (mass user maintenance) to select the users and lock them in one step; EWZ5 locks all users of a client. SU01 locks one user at a time.
Q52) Which transaction code is used to create authorization groups in the SAP System?
Ans: Use SE54 (Authorization groups) to create table authorization groups; the group is assigned to tables in TDDAT and checked through S_TABU_DIS.
Q53) What is the use of SU56 transaction code in the SAP System?
Ans: SU56 displays the current user buffer, that is, all authorizations loaded from the profiles in the user master record.
Q54) What is the use of ST01 transaction code in the SAP System?
Ans: ST01 is the system trace; with the authorization check component switched on it records every authorization check made in the traced session, successful or not, with the object and field values checked.
Q55) Explain the difference between role and profile in SAP?
Ans: A role is the design object: it is the template into which you put transactions, reports and menu entries and in which the authorization data is maintained. A profile carries the actual authorizations that are checked at runtime; it is generated from the role automatically in PFCG, and the profile, not the role, is what is loaded into the user buffer.
Q56) What is meant by profile version in SAP System?
Ans: Each time you change a profile parameter with RZ10 and save, the system stores a new version of that profile; the versions are kept in the database so that earlier states can be compared and restored.
Q57) Explain the differences between a single role and composite role in the SAP System?
Ans: Single role is also known as a container which stores all the information which are related to the business transactions, and with this information, it generates or maintains the profiles.
A composite role is also known as a container which contains the information about different roles in the SAP System.
Q58) List out some of the SAP Security transaction codes in the SAP System?
Ans: Some of the SAP Security transaction codes are:
- PFCG: maintaining roles.
- SU10: mass user maintenance.
- SU01: creating or changing a user.
- ST01: the system trace.
- SU53: analysing failed authorisation checks.
Q59) What authorizations are required to maintain and create user master records in the SAP System?
Ans: The following authorization objects are required:
- S_USER_GRP: maintain users and assign user groups.
- S_USER_AUT: maintain and create authorizations.
- S_USER_PRO: assign authorization profiles.
- S_USER_AGR: assign roles.
Q60) How to insert a missing authorization in SAP System?
Ans: SU53 shows the user the last failed authorization check (object and field values); the missing authorization is then added to the appropriate role in PFCG and the profile regenerated.
Q61) How can I mass delete roles without deleting the newly created roles?
Ans: Report AGR_DELETE_ALL_ACTIVITY_GROUPS (run via SA38) deletes roles en masse according to a selection; restrict the selection so that the new roles are excluded before running it.
Q62) Someone has deleted users in our system, and I want to find out who. Is there a table where this is logged?
Ans: User deletions are recorded as change documents. Run report RSUSR100 (via SA38, or SUIM > Change Documents > For Users) with the user name and a date range to see who deleted the user and when.
Q63) Is there a table for authorizations where I can quickly see the values entered in a group of fields?
Ans: Table AGR_1251 holds the authorization objects and field values maintained in each role, and UST12 holds the field values of the generated profiles. P_ORIGIN is not a transaction but an HR authorization object (master data by organizational assignment).