55 Interview Questions

SAP Security Interview Questions and Answers
1. What is SAP security?
SAP security means giving business users the correct access with respect to
their authority or responsibility, and granting permissions according to their
roles.
2. What are roles in SAP security?
A role is a group of t-codes assigned to execute a particular business task.
Each role in SAP requires particular privileges to execute a function in SAP;
these privileges are called AUTHORIZATIONS.
3. Explain how you can lock all the users at a time in SAP?
By executing t-code EWZ5 in SAP, all the users can be locked at the same time.
4. Mention what are the pre-requisites that should be taken before
assigning SAP_ALL to a user even when there is an approval from the
authorization controllers?
The pre-requisites are as follows:
Enabling the audit log, using t-code SM19
Retrieving the audit log, using t-code SM20
5. What is an authorization object and an authorization object class?
Authorization object: Authorization objects are groups of authorization fields
that regulate a particular activity. An authorization relates to a particular
action, while an authorization field allows security administrators to
configure specific values for that particular action.
Authorization object class: Authorization objects fall under authorization
object classes, which are grouped by functional area like HR, finance,
accounting, etc.
6. Explain how you can delete multiple roles from the QA, DEV and
Production systems?
To delete multiple roles from the QA, DEV and Production systems, you have to
follow the steps below:
Place the roles to be deleted in a transport (in DEV)
Delete the roles
Push the transport through to QA and Production
This will delete all the roles.
7. What things do you have to take care of before executing Run System
Trace?
If you are tracing a batch user ID or a CPIC user, then before executing the
Run System Trace you have to ensure that the ID has been assigned SAP_ALL and
SAP_NEW. This enables the user to execute the job without any authorization
check failure.
8. Mention what is the difference between USOBT_C and USOBX_C?
USOBT_C: This table contains the authorization proposal data, i.e. the
authorization data relevant for a transaction.
USOBX_C: It tells which authorization checks are to be executed within a
transaction and which are not.
9. Mention what is the maximum number of profiles in a role and the
maximum number of objects in a role?
The maximum number of profiles in a role is 312, and the maximum number of
objects in a role is 150.
10. What is the t-code used for locking a transaction from execution?
For locking a transaction from execution, t-code SM01 is used.
11. Mention what is the main difference between a derived role and a
single role?
For a single role, we can add or delete t-codes, while for a derived role
you cannot do that.
12. What is SOD in SAP Security?
SOD means Segregation of Duties; it is implemented in SAP in order to detect
and prevent errors or fraud during business transactions. For example, if a
user or employee has the privilege to access bank account details and the
payment run, it might be possible for them to divert vendor payments to their
own account.
13. Mention which t-codes are used to see the summary of the
authorization object and profile details?
SU03: It gives an overview of an authorization object.
SU02: It gives an overview of the profile details.
14. What is the User Buffer?
A user buffer consists of all the authorizations of a user. The user buffer
can be viewed with t-code SU56, and each user has their own user buffer. When
the user does not have the necessary authorization, or has too many entries in
their user buffer, the authorization check fails.
15. By which parameter is the number of entries in the user buffer
controlled?
The number of entries in the user buffer is controlled by the profile
parameter auth/auth_number_in_userbuffer.
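The authorization check described in Q5, Q14 and Q15, modelled as an added example (not SAP's own code): it assumes the real field names DICBERCLS and ACTVT of object S_TABU_DIS and TCD of S_TCODE, while the authorization values, the buffer limit and the simplified wildcard matching are constructed for illustration.

```python
# Added example (not SAP code): a simplified model of an SAP authorization
# check run against a user buffer, showing how authorization objects, their
# fields and the buffer size limit interact. DICBERCLS/ACTVT (S_TABU_DIS) and
# TCD (S_TCODE) are real field names; everything else below is constructed,
# and SAP's real value matching is richer than fnmatch wildcards.
from fnmatch import fnmatchcase

# Authorizations as loaded into a user buffer (SU56): (object, {field: patterns})
# Constructed sample: display any FI* table group, change/display group ZCUST only.
USER_AUTHORIZATIONS = [
    ("S_TABU_DIS", {"DICBERCLS": ["FI*"], "ACTVT": ["03"]}),
    ("S_TABU_DIS", {"DICBERCLS": ["ZCUST"], "ACTVT": ["02", "03"]}),
    ("S_TCODE", {"TCD": ["SE16", "SM30"]}),
]

def load_user_buffer(authorizations, auth_number_in_userbuffer):
    """Model the profile parameter auth/auth_number_in_userbuffer: only the
    first N authorizations fit into the buffer; the rest are not available."""
    return authorizations[:auth_number_in_userbuffer]

def authority_check(buffer, obj, **checked):
    """Return True if one authorization for obj covers every checked field.
    A field missing from the authorization fails the check, as in SAP."""
    for auth_obj, fields in buffer:
        if auth_obj != obj:
            continue
        if all(any(fnmatchcase(value, pat) for pat in fields.get(field, []))
               for field, value in checked.items()):
            return True
    return False

def table_maintenance_allowed(buffer, auth_group, activity):
    """Check S_TABU_DIS the way table maintenance does: authorization group
    plus activity (02 = change, 03 = display)."""
    return authority_check(buffer, "S_TABU_DIS", DICBERCLS=auth_group, ACTVT=activity)

if __name__ == "__main__":
    full = load_user_buffer(USER_AUTHORIZATIONS, 1000)
    print(table_maintenance_allowed(full, "FI01", "03"))    # True
    print(table_maintenance_allowed(full, "FI01", "02"))    # False: display only
    print(table_maintenance_allowed(full, "ZCUST", "02"))   # True
    # Buffer too small: the ZCUST authorization is never loaded, so the check fails
    small = load_user_buffer(USER_AUTHORIZATIONS, 1)
    print(table_maintenance_allowed(small, "ZCUST", "02"))  # False
```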
16. How many transaction codes can be assigned to a role?
A maximum of 14000 transaction codes can be assigned to a role.
17. Mention which table is used to store illegal passwords?
Table USR40 is used to store illegal passwords; it stores patterns of words
which cannot be used as a password.
18. What is PFCG_TIME_DEPENDENCY?
PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It
also clears expired profiles from the user master records. Transaction code
PFUD can also be used to execute this report directly.
19. What does USER COMPARE do in SAP security?
In SAP security, the USER COMPARE option compares the user master record so
that the generated authorization profile can be entered into the user master
record.
20. Mention the different tabs available in PFCG?
Some of the important tabs available in PFCG include:
Description: This tab is used to describe the changes made, such as details
related to the role, addition or removal of t-codes, authorization objects,
etc.
Menu: Used for designing user menus, such as adding t-codes.
Authorization: Used for maintaining authorization data and the authorization
profile.
User: Used for adjusting user master records and for assigning users to the
role.
21. Which t-code can be used to delete old security audit logs?
T-code SM18 is used to delete old security audit logs.
22. What reports or programs can be used to regenerate the SAP_ALL
profile?
To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
23. Using which table can transaction code text be displayed?
Table TSTCT can be used to display transaction code text.
24. Which transaction code is used to display the user buffer?
The user buffer can be displayed by using transaction code AL08.
25. Mention which SAP table can be helpful in determining the single
roles assigned to a given composite role?
Table AGR_AGRS is helpful in determining the single roles that are assigned
to a given composite role.
26. What is the parameter in the Security Audit Log (SM19) that
decides the number of filters?
Parameter rsau/no_of_filters is used to decide the number of filters.
27. What is the rule set in GRC?
A rule set is nothing but a collection of rules. There is a default rule set
in GRC called the Global Rule Set.
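A segregation-of-duties check in the sense of Q12, driven by a rule set as in Q27, as an added example (not SAP GRC's code): the risk id, function names, roles and users are constructed, and the t-codes mapped to each function (FK02, XK02, F110) are assumed to be the vendor change and payment run transactions.

```python
# Added example (not SAP GRC code): a simplified model of a GRC rule set for
# segregation of duties (SoD). A risk pairs two conflicting functions, each
# function is a set of t-codes, and a user violates the risk when the t-codes
# reachable through their roles cover both sides. Risk id, functions, roles
# and users are constructed; FK02/XK02/F110 are assumed to be the vendor
# change and payment run t-codes.

GLOBAL_RULE_SET = {  # risk id -> (description, function A, function B)
    "P001": ("Maintain vendor bank details and run payments",
             "MAINTAIN_VENDOR", "PAYMENT_RUN"),
}
FUNCTIONS = {  # function -> t-codes that grant it
    "MAINTAIN_VENDOR": {"FK02", "XK02"},
    "PAYMENT_RUN": {"F110"},
}
ROLES = {  # single role -> t-codes in its menu (constructed)
    "Z_AP_VENDOR_MAINT": {"FK02", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_AP_DISPLAY": {"FK03", "FBL1N"},
}
USER_ROLES = {  # user -> assigned roles (constructed)
    "ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "BOB": ["Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"],
}

def tcodes_for_roles(role_names):
    """Union of the t-codes granted by the given roles."""
    return set().union(*(ROLES[name] for name in role_names))

def sod_violations(role_names):
    """Return [(risk_id, t-codes on side A, t-codes on side B)] for every risk
    in the rule set where the roles together cover both conflicting functions."""
    held = tcodes_for_roles(role_names)
    found = []
    for risk_id, (_desc, fn_a, fn_b) in GLOBAL_RULE_SET.items():
        side_a, side_b = held & FUNCTIONS[fn_a], held & FUNCTIONS[fn_b]
        if side_a and side_b:
            found.append((risk_id, side_a, side_b))
    return found

def violations_for_user(user):
    """Detective check: risks a user already violates with the current roles."""
    return sod_violations(USER_ROLES.get(user, []))

def would_violate(user, new_role):
    """Preventive check before provisioning: risks that adding new_role creates."""
    return sod_violations(USER_ROLES.get(user, []) + [new_role])

if __name__ == "__main__":
    print(violations_for_user("ALICE"))           # [('P001', {'FK02'}, {'F110'})]
    print(violations_for_user("BOB"))             # []
    print(would_violate("BOB", "Z_AP_PAYMENTS"))  # [('P001', {'FK02'}, {'F110'})]
```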
28. What is the use of SU56?
It displays the authorization profiles currently available to the user ID. It
can also be used to reset the user buffer so that it picks up new roles and
authorizations.
29. What is the use of derived roles and where are they used?
Derived roles are also called child roles, and master roles are called parent
roles.
Derived roles refer to roles that already exist. As the name indicates,
derived roles are derived from another role (the master role).
A derived role inherits the menu structure and the functions included
(transactions, reports, web links and so on) from the referenced role. The
default authorization values of the derived role are those of the inherited
role. The org levels are to be maintained in the derived role.
30. How do you lock all the users at a time?
One way to lock the users is by executing t-code EWZ5.
Another way is through SU10: on the Authorization tab, evaluate the user
list, transfer it and execute.
31. How can you find out whether CUA (Central User Administration) is
configured on your SAP system?
Execute SU01.
You will find a tab called the System tab.
If the System tab is not displayed on the SU01 screen, no CUA is configured.
32. One of the users logged into the Production system, changed a table
and then logged out. How will you track him?
We need to log in to the system where the change has taken place and go to
SM20. Select the date and time (or a time range) in the time tab and select *
in the user tab. Once you have keyed in all the inputs, be sure to select the
servers or instances on the left-hand side and then execute.
You need to select the user master record.
You will get a report for the user master record; find the user ID in the
list.
33. How do we test security systems? What is the use of SU56?
Through t-code SU56, we check the user's buffer.
34. What is the landscape of GRC?
The GRC landscape is a 2-system landscape:
1. SAP GRC DEV
2. SAP GRC PRD
In GRC there is no Quality system.
35. How do we check whether PFCG_TIME_DEPENDENCY is running for user
master reconciliation?
Execute SM37 and search for PFCG_TIME_DEPENDENCY.
36. How do we schedule and administer background jobs?
Scheduling and administration of background jobs can be done using t-codes
SM36 and SM37.
37. How do we restrict the authorization groups for table maintenance,
creating an authorization group using SE54 to build new auth groups that
restrict tables via auth object S_TABU_DIS?
We can restrict authorization groups via object S_TABU_DIS: first we need to
create an authorization group in SE54, then assign this authorization group
in a role by using the object S_TABU_DIS.
38. What are the prerequisites we should take before assigning SAP_ALL to
a user even when we have approval from the authorization controllers?
The prerequisites before assigning SAP_ALL to any user are as follows:
1. Enabling the audit log, using t-code SM19.
2. Retrieving the audit log, using t-code SM20.
This process is followed when you are not implementing GRC in your system.
39. What are the critical t-codes and authorization objects in R/3?
Put simply, all the t-codes which can affect roles and user master records
are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of
the critical t-codes.
Below are the critical objects:
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP
40. If you are using 10 firefighter IDs at a time, how will the log
reports go to the controller?
This is done whenever a role is already assigned to users and changes are
made to that role. In order to get the changes adjusted in the roles, a user
comparison is done.
41. What is a rule set, and how do you update a risk ID in the rule set?
Also, during indirect assignment of roles to users using t-codes PO13 and
PO10, we have to do a user comparison so that the roles are reflected in the
SU01 record of the user.
42. What is the procedure for role modifications? Explain with an
example.
Generally this task is done by the PFCG_TIME_DEPENDENCY background job,
which runs once daily, so that roles are adjusted after this report runs.
43. Who will do the user comparison?
If changes are to be reflected immediately, a user comparison is recommended.
44. What is the maximum number of profiles in a role?
312 profiles in a role.
45. What is the maximum number of authorization objects in a role?
150 authorization objects.
46. What is the maximum number of authorizations in an object?
Not more than 10 authorization fields in an object.
47. What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?
PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is the background job of PFUD.
PFUD is used for mass user comparison; the difference is that if you set the
background job to run daily, it will do the mass user comparison
automatically.
48. What does the Profile Generator do?
We can create roles, transport, copy, download and modify them; all these
things are done from t-code PFCG.
49. What is the main purpose of the Parameters, Groups & Personalization
tabs?
Parameters: whenever a user wants some default values when executing a
t-code, we can maintain some parameter IDs (PIDs) with the help of ABAPers.
50. Tell me about derived roles?
Derived roles restrict user access based on organizational level values. A
derived role is inherited from the master role and inherits all of its
properties except the org level values.
51. What is the main difference between a single role and a derived role?
The main difference is that we can add/delete t-codes for single roles, but
we cannot do so for derived roles.
52. Do the S_TABU_DIS org level values in a master role get reflected in
the child role?
If we adjust the derived roles from the master role while updating the
values in the master role, then the values will be reflected in the child
roles.
53. What is the T-code to get into RAR from R/3?
/virsar/ZVRAT
54. Explain SPM.
SPM can be used to maintain and monitor super user access in an SAP system.
This enables super users to perform emergency activities and critical
transactions within a completely auditable environment. The logs of the SPM
user IDs help auditors easily trace the critical transactions that have been
performed by the business users.
55. What is the use of RSECADMIN?
In SAP BI, analysis authorizations for reporting users are maintained using
transaction RSECADMIN. RSECADMIN is used to maintain analysis authorizations
and their assignment to users and roles.
