SAP Security Interview Questions & Answers

Question 1. Explain What Is Sap Security?

Answer :

SAP security is providing correct access to business users with respect to their authority or responsibility and giving permission according to their roles.

Question 2. Explain What Is “roles” In Sap Security?

Answer :

“Roles” is referred to a group of t-codes, which is assigned to execute particular business task. Each role in SAP requires particular privileges to execute a function in SAP that is called AUTHORIZATIONS.

Question 3. Explain How You Can Lock All The Users At A Time In Sap?

Answer :

By executing EWZ5 t-code in SAP, all the user can be locked at the same time in SAP.

Question 4. Mention What Are The Pre-requisites That Should Be Taken Before Assigning Sap_all To A User Even There Is An Approval From Authorization Controllers?

Answer :

Pre-requisites follows like

• Enabling the audit log- using sm 19 tcode
• Retrieving the audit log- using sm 20 tcode

Question 5. Explain What Is Authorization Object And Authorization Object Class?

Answer :

Authorization Object: Authorization objects are groups of authorization field that regulates particular activity. Authorization relates to a particular action while Authorization field relates for security administrators to configure specific values in that particular action.

Authorization object class: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.

Question 6. Explain How You Can Delete Multiple Roles From Qa, Dev And Production System?

Answer :

To delete multiple roles from QA, DEV and Production System, you have to follow below steps:

• Place the roles to be deleted in a transport (in dev)
• Delete the roles
• Push the transport through to QA and production
• This will delete all the all roles

Question 7. Explain What Things You Have To Take Care Before Executing Run System Trace?

Answer :

If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to execute the job without any authorization check failure.

Question 8. Mention What Is The Difference Between Usobt_c And Usobx_c?

Answer :

USOBT_C: This table consists  the authorization proposal data which contains the authorization data which are relevant for a transaction
USOBX_C: It tells which authorization check are to be executed within a transaction and which must not

Question 9. Mention What Is The Maximum Number Of Profiles In A Role And Maximum Number Of Object In A Role?

Answer :

Maximum number of profiles in a role is 312, and maximum number of object in a role is 150.

Question 10. What Is The T-code Used For Locking The Transaction From Execution?

Answer :

For locking the transaction from execution t-code SM01, is used.

Question 11. Mention What Is The Main Difference Between The Derived Role And A Single Role?

Answer :

For the single role, we can add or delete the t-codes while for a derived role you cannot do that.

Question 12. Explain What Is Sod In Sap Security?

Answer :

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or fraud during the business transaction. For example, if a user or employee has the privilege to access bank account detail and payment run, it might be possible that it can divert vendor payments to his own account.

Question 13. Mention Which T-codes Are Used To See The Summary Of The Authorization Object And Profile Details?

Answer :

SU03: It gives an overview of an authorization object
SU02: It gives an overview of the profile details

Question 14. Explain What Is User Buffer?

Answer :

A user buffer consists of all authorizations of a user. User buffer can be executed by t-code SU56 and user has its own user buffer. When the user does not have the necessary authorization or contains too many entries in his user buffer, authorization check fails.

Question 15. By Which Parameter Number Of Entries Are Controlled In The User Buffer?

Answer :

In user buffer number of entries are controlled by the profile parameter “Auth/auth_number_in_userbuffer”.

Question 16. How Many Transactions Codes Can Be Assigned To A Role?

Answer :

To a role maximum of 14000 transaction codes can be assigned.

Question 17. Mention Which Table Is Used To Store Illegal Passwords?

Answer :

To store illegal passwords, table USR40 is used, it is used to store pattern of words which cannot be used as a password.

Question 18. Explain What Is Pfcg_time_dependency?

Answer :

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison.  It also clears up the expired profiles from user master record. To directly execute this report PFUD transaction code can also be used.

Question 19. Explain What Does User Compare Do In Sap Security?

Answer :

In SAP security, USER COMPARE option will compare the user master record so that the produced authorization profile can be entered into the user master record.

Question 20. Mention Different Tabs Available In Pfcg?

Answer :

Description: The tab is used to describe the changes made like details related to the role, addition or removal of t-codes, the authorization object, etc.

Menu: It is used for designing user menus like addition of t-codes

Authorization: Used for maintaining authorization data and authorization profile

User: It is used for adjusting user master records and for assigning users to the role.

Question 21. Which T-code Can Be Used To Delete Old Security Audit Logs?

Answer :

SM-18 t-code is used to delete the old security audit logs.

Question 22. Explain What Reports Or Programs Can Be Used To Regenerate Sap_all Profile?

Answer :

To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

Question 23. Using Which Table Transaction Code Text Can Be Displayed?

Answer :

Table TSTCT can be used to display transaction code text.

Question 24. Which Transaction Code Is Used To Display The User Buffer?

Answer :

User buffer can be displayed by using transaction code AL08.

Question 25. Mention What Sap Table Can Be Helpful In Determining The Single Role That Is Assigned To A Given Composite Role?

Answer :

Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.

Question 26. What Is The Parameter In Security Audit Log (sm19) That Decides The Number Of Filters?

Answer :

Parameter rsau/no_of_filters are used to decide the number of filters.

Question 27. Please Explain The Personalization Tab Within A Role?

Answer :

Personalization is a way to save information that could be common to users, I meant to a user role…  E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role.  (I supposed that it is a way for SAP to address his ambiguity of its concept of user group and roles: is “usergroup” a grouping of people sharing the same access or is it the role who is the grouping of people sharing the same access).

Question 28. Is There A Table For Authorizations Where I Can Quickly See The Values Entered In A Group Of Fields?

Answer :

In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization. AGR_1251 will give you some reasonable info.[sociallocker]

Question 29. How Can I Do A Mass Delete Of The Roles Without Deleting The New Roles?

Answer :

here is a SAP delivered report that you can copy, remove the system type check and run. To do a landscape with delete, enter the roles to be deleted in a transport, run the delete program or manually delete and then release the transport and import them into all clients and systems.

It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS. To used it, you need to tweak/debug & replace the code as it has a check that ensure it is deleting SAP delivered roles only. Once you get past that little bit, it works well.

Question 30. Someone Has Deleted Users In Our System, And I Am Eager To Find Out Who. Is There A Table Where This Is Logged?

Answer :

• Debug or use RSUSR100 to find the info’s.
• Run transaction SUIM and down its Change documents.

Question 31. How To Insert Missing Authorization?

Answer :

su53 is the best transaction with which we can find the missing authorizations.and we can insert those missing authorization through pfcg.

Question 32. What Is The Difference Between Role And A Profile?

Answer :

Role and profile go hand in hand. Profile is bought in by a role. Role is used as a template,  where you can add T-codes, reports..Profile is one which gives the user authorization.  When you create a role, a profile is automatically created.

Question 33. What Profile Versions?

Answer :

Profile versions are nothing but when u modifies a profile parameter through a RZ10 and generates a new profile is created with a different version and it is stored in the database.

Question 34. What Is The Use Of Role Templates?

Answer :

User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

Question 35. What Is The Different Between Single Role & Composite Role?

Answer :

A role is a container that collects the transaction and generates the associated profile.  A composite roles is a container which can collect several different roles.

Question 36. Is It Possible To Change Role Template? How?

Answer :

Yes, we can change a user role template.  There are exactly three ways in which we can work with user role templates

• we can use it as they are delivered in sap
• we can modify them as per our needs through pfcg
• we can create them from scratch.

For all the above specified we have to use pfcg transaction to maintain them.

Question 37. Sap Security T-codes?

Answer :

• Frequently used security T-codes
• SU01 Create/ Change User SU01 Create/ Change User
• PFCG Maintain Roles
• SU10 Mass Changes
• SU01D Display User
• SUIM Reports
• ST01 Trace
• SU53 Authorization analysis

Question 38. How To Create Users?

Answer :

Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Click here for tutorial on creating sap user id.

Question 39. What Is The Difference Between Usobx_c And Usobt_c?

Answer :

The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ). This table also determines which authorization checks are maintained in the Profile Generator.  The table USOBT_C  defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Question 40. What Authorization Are Required To Create And Maintain User Master Records?

Answer :

The following authorization objects are required to create and maintain user master records:

•S_USER_GRP: User Master Maintenance: Assign user groups

•S_USER_PRO: User Master Maintenance: Assign authorization profile

•S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Question 41. What Is A Derived Role?

Answer :

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

•The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

•Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Question 42. What Is A Composite Role?

Answer :

A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
•Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
•Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
•The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.