SAP Security Interview Questions

Explain what is SAP security?

SAP security means giving business users the correct access according to their authority or responsibility, and granting permissions according to their roles.

Explain what is “roles” in SAP security?

A “role” refers to a group of t-codes (transaction codes) that is assigned to carry out a particular business task. Each role in SAP requires particular privileges, called AUTHORIZATIONS, to execute a function in SAP.

Which Authorization Objects are checked in Role Maintenance?

The role maintenance functions (and the profile generator) check the following authorization objects.

Authorization object (description):
S_USER_AUT (User master maintenance: Authorizations)
This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).
S_USER_GRP (User master maintenance: User groups)
The authorization object is used in role maintenance when assigning users to roles and during the user master comparison.
You can divide user administration between several administrators with this authorization object, by assigning only a certain user group to an administrator. You can use the activities to specify the administrator’s processing types for the group (such as creating, deleting, and archiving).
S_USER_PRO (User master maintenance: Authorization profiles)
Profiles are protected with this authorization object. You can use the activities to specify the administrator’s processing types for the profile (such as creating, deleting, and archiving).
S_USER_AGR (Authorization system: Check for roles)
This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles.
You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.
S_USER_TCD (Authorization system: Transactions in roles)
This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).
Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.
S_USER_VAL (Authorization system: Field values in roles)
This authorization object allows the restriction of values that a system administrator can insert or change in a role in the Profile Generator.
This authorization object relates to all field values with the exception of the values for the object S_TCODE.
The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD.
S_USER_SYS (Authorization object for system assignment in the Central User Administration, CUA)
You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA.
S_USER_SAS (User master maintenance: System-specific assignments)
The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. If you do not activate the authorization object S_USER_SAS using the Customizing switch, the previously-used authorization objects are checked.
To activate authorization object S_USER_SAS, use transaction SM30 to create the Customizing switch CHECK_S_USER_SAS with the value YES in the table PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO, S_USER_GRP, and S_USER_SYS with the activity assign are replaced by authorization checks for the object S_USER_SAS.
S_USER_ADM (Administration functions for user and authorization administration)
The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA.
Until now, there was only the fixed value CHKSTDPWD, with which special users (such as SAP*) could be displayed, including their default passwords. SAP extends additional fixed values as required for other general administration functions in the area of user and authorization administration, which are listed in SAP Note 704307.

Explain how you can lock all the users at a time in SAP?

By executing t-code EWZ5, all users can be locked at the same time.

What prerequisites should be met before assigning SAP_ALL to a user, even when the authorization controllers have approved it?

The prerequisites are:

  • Enabling the audit log, using t-code SM19
  • Retrieving the audit log, using t-code SM20

Please explain the personalization tab within a role?

Personalization is a way to save information that could be common to users, I meant to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I suppose that it is a way for SAP to address the ambiguity of its concepts of user group and role: is the “user group” a grouping of people sharing the same access, or is it the role that is the grouping of people sharing the same access?)

Is there a table for authorizations where I can quickly see the values entered in a group of fields?

In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization. AGR_1251 will give you some reasonable info.

How can I do a mass delete of the roles without deleting the new roles ?

There is an SAP-delivered report that you can copy, remove the system type check from, and run. To do a landscape-wide delete, enter the roles to be deleted in a transport, run the delete program (or delete them manually), then release the transport and import it into all clients and systems.

It is called AGR_DELETE_ALL_ACTIVITY_GROUPS. To use it, you need to tweak/debug and replace the code, as it has a check that ensures it deletes SAP-delivered roles only. Once you get past that little bit, it works well.

Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?

Debug, or use report RSUSR100 to find the information.

Alternatively, run transaction SUIM and go to its Change documents section.

How to insert missing authorization?

SU53 is the best transaction with which to find the missing authorizations; the missing authorizations can then be inserted into the role through PFCG.

What is the difference between role and a profile?

Role and profile go hand in hand. A profile is brought in by a role. A role is used as a template, to which you can add t-codes, reports, and so on. The profile is what actually gives the user the authorization. When you create (generate) a role, a profile is automatically created.

What are profile versions?

Profile versions arise when you modify a profile parameter through RZ10 and generate: a new profile is created with a different version number and stored in the database.

What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

What is the difference between a single role and a composite role?

A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.

Is it possible to change role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:

– we can use them as they are delivered by SAP

– we can modify them as per our needs through PFCG

– we can create them from scratch.

In all three cases, the PFCG transaction is used to maintain them.

SAP Security T-codes?

Frequently used security T-codes

SU01 Create/Change User

PFCG Maintain Roles

SU10 Mass Changes

SU01D Display User

SUIM Reports

ST01 Trace

SU53 Authorization analysis

How to create users?

Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (despite the AUTHORITY-CHECK command being programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.

What authorization are required to create and maintain user master records?

The following authorization objects are required to create and maintain user master records:

  • S_USER_GRP: User Master Maintenance: Assign user groups
  • S_USER_PRO: User Master Maintenance: Assign authorization profile
  • S_USER_AUT: User Master Maintenance: Create and maintain authorizations

List the R/3 user types.

1. Dialog users are used for individual users. There is a check for expired/initial passwords, the user can change their own password, and there is a check for multiple dialog logons.

2. Service user: only user administrators can change the password. There is no check for expired/initial passwords. Multiple logons are permitted.

3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

4. A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

Explain what is authorization object and authorization object class?

Authorization Object: Authorization objects are groups of authorization fields that regulate a particular activity. An authorization object relates to a particular action, while an authorization field lets security administrators configure specific values for that action.

Authorization object class: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.

Explain how you can delete multiple roles from QA, DEV and Production System?

To delete multiple roles from the QA, DEV and Production systems, follow these steps:

  • Place the roles to be deleted in a transport (in DEV).
  • Delete the roles.
  • Push the transport through to QA and Production.

This deletes the roles in all systems.

Explain what things you have to take care before executing Run System Trace?

If you are tracing a batch user ID or CPIC, then before executing the Run System Trace you have to ensure that the ID has been assigned SAP_ALL and SAP_NEW. This lets the user execute the job without any authorization check failure, so the trace records the checks themselves rather than the first failure.

Mention what is the difference between USOBT_C and USOBX_C?

USOBT_C: This table holds the authorization proposal data, i.e. the authorization data relevant for a transaction.

USOBX_C: It tells which authorization checks are to be executed within a transaction and which must not.

Mention what is the maximum number of profiles in a role and maximum number of object in a role?

The maximum number of profiles in a role is 312, and the maximum number of objects in a role is 150.

What is the t-code used for locking the transaction from execution?

T-code SM01 is used to lock a transaction from execution.

Mention what is the main difference between the derived role and a single role?

For a single role, we can add or delete t-codes, while for a derived role we cannot do that (it inherits them from its parent).

Explain what is SOD in SAP Security?

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege to access vendor bank account details and to run the payment run, it might be possible for them to divert vendor payments to their own account.
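The detection side of the example above can be expressed as a rule-based scan over role assignments. The following is an added illustration, not an SAP report or a GRC ruleset: the function names, role names and user IDs are constructed samples, and the t-codes (FK02/XK02 for vendor master changes, F110 for the payment run, MIGO/MIRO for goods receipt and invoice verification) only stand in for the business functions named in the rules.

```python
"""Segregation-of-duties (SoD) scan over role assignments.

Constructed illustration, not SAP code: business functions are identified by
the t-codes that perform them, and a rule names two functions that no single
user should be able to perform together."""
from typing import Dict, List, Set, Tuple

# Sample mapping of business functions to the t-codes that perform them.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_BANK_MAINTAIN": {"FK02", "XK02"},   # change vendor master incl. bank details
    "PAYMENT_RUN": {"F110"},                    # automatic payment run
    "GOODS_RECEIPT": {"MIGO"},
    "INVOICE_VERIFY": {"MIRO"},
}

# SoD rules: pairs of functions that conflict when held by the same user.
SOD_RULES: List[Tuple[str, str]] = [
    ("VENDOR_BANK_MAINTAIN", "PAYMENT_RUN"),
    ("GOODS_RECEIPT", "INVOICE_VERIFY"),
]

# Sample single roles with the S_TCODE values their generated profiles carry.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_VENDOR_MAINT": {"FK02", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_AP_DISPLAY": {"XK03", "FBL1N"},
    "Z_MM_GOODS_RECEIPT": {"MIGO"},
    "Z_MM_INVOICE": {"MIRO"},
}

# Sample user master assignments (user -> single roles after user compare).
USER_ROLES: Dict[str, List[str]] = {
    "SMITH": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "JONES": ["Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"],
    "BROWN": ["Z_MM_GOODS_RECEIPT", "Z_MM_INVOICE"],
}


def functions_granted(roles: List[str], role_tcodes: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each business function the roles enable to the roles that enable it."""
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        tcodes = role_tcodes.get(role, set())
        for func, func_tcodes in FUNCTIONS.items():
            if tcodes & func_tcodes:
                granted.setdefault(func, set()).add(role)
    return granted


def find_conflicts(roles: List[str], role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Return one (function_a, function_b, contributing_roles) tuple per violated rule."""
    granted = functions_granted(roles, role_tcodes)
    return [(a, b, sorted(granted[a] | granted[b]))
            for a, b in rules if a in granted and b in granted]


def scan_users(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Dict[str, list]:
    """Users that violate at least one rule, with the conflicts found for each."""
    report: Dict[str, list] = {}
    for user, roles in user_roles.items():
        conflicts = find_conflicts(roles, role_tcodes)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for user, conflicts in scan_users().items():
        for a, b, via in conflicts:
            print(f"{user}: {a} + {b} via roles {', '.join(via)}")
```

The scan works on the t-codes a role's generated profile actually grants (its S_TCODE values), not on the role menu, because a menu entry without the matching authorization cannot be executed, and a generated authorization without a menu entry still can. Composite roles should be flattened to their single roles before the scan, which is what the user compare does in the user master.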

What is a derived role?

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

  • The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
  • Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

What is a composite role?

A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.

  • Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
  • Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
  • The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
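The inheritance rules for derived roles and the containment rules for composite roles given in the two answers above can be written down as a small model. This is an added illustration and not PFCG code: the role names, the organizational level field BUKRS (company code), the object F_LFA1_BUK and the user IDs are sample values, and the checks encode only the rules stated on this page (org levels are not inherited, user assignments are not inherited, composite roles may not contain composite roles, and user compare pushes a composite role's users down to its single roles).

```python
"""Model of derived (inherited) and composite roles and of user compare.

Constructed illustration of the rules stated above, not SAP code."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set


@dataclass
class SingleRole:
    name: str
    menu: List[str]                                # t-codes in the role menu
    auth_values: Dict[str, Dict[str, List[str]]]   # object -> field -> values
    org_levels: Dict[str, List[str]]               # org-level field -> values, e.g. BUKRS
    users: Set[str] = field(default_factory=set)
    parent: Optional[str] = None                   # set for derived roles


@dataclass
class CompositeRole:
    name: str
    members: List[str] = field(default_factory=list)  # names of single roles only
    users: Set[str] = field(default_factory=set)


def derive_role(parent: SingleRole, name: str, org_levels: Dict[str, List[str]]) -> SingleRole:
    """Child gets the parent's menu and authorization values as defaults (copied, so later
    edits to the child do not touch the parent); org levels must be supplied anew and
    the parent's user assignments are not carried over."""
    if not org_levels:
        raise ValueError("organizational levels are not inherited; supply them for the derived role")
    return SingleRole(name, list(parent.menu), deepcopy(parent.auth_values),
                      dict(org_levels), set(), parent.name)


def add_member(composite: CompositeRole, role_name: str, registry: Dict[str, Any]) -> None:
    """Composite roles may only collect single roles, never other composite roles."""
    if isinstance(registry.get(role_name), CompositeRole):
        raise ValueError(f"{role_name} is a composite role and cannot be nested")
    composite.members.append(role_name)


def user_compare(composite: CompositeRole, registry: Dict[str, Any]) -> Dict[str, Set[str]]:
    """Assign the composite role's users to each elementary role, as user compare does."""
    for member in composite.members:
        registry[member].users |= composite.users
    return {m: set(registry[m].users) for m in composite.members}


def demo() -> Dict[str, Any]:
    ap_master = SingleRole("Z_AP_MASTER", ["FK02", "F110"],
                           {"S_TCODE": {"TCD": ["FK02", "F110"]},
                            "F_LFA1_BUK": {"ACTVT": ["02", "03"]}},
                           {"BUKRS": ["*"]}, users={"ADMIN"})
    ap_1000 = derive_role(ap_master, "Z_AP_1000", {"BUKRS": ["1000"]})
    ap_2000 = derive_role(ap_master, "Z_AP_2000", {"BUKRS": ["2000"]})
    child_users_before = set(ap_1000.users)          # empty: users are not inherited
    registry: Dict[str, Any] = {r.name: r for r in (ap_master, ap_1000, ap_2000)}

    ap_all = CompositeRole("Z_AP_ALL_CODES", users={"SMITH"})
    registry[ap_all.name] = ap_all
    add_member(ap_all, "Z_AP_1000", registry)
    add_member(ap_all, "Z_AP_2000", registry)
    nested_rejected = False
    try:
        add_member(CompositeRole("Z_OUTER"), "Z_AP_ALL_CODES", registry)
    except ValueError:
        nested_rejected = True
    return {
        "child_menu": ap_1000.menu,
        "child_org_levels": ap_1000.org_levels,
        "child_users_before_compare": child_users_before,
        "nested_composite_rejected": nested_rejected,
        "users_after_compare": user_compare(ap_all, registry),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```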

What does user compare do?

If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY.

How do I change the name of master / parent role keeping the name of derived/child role same? I would like to keep the name of derived /child role same and also the profile associated with the child roles.

First copy the master role using PFCG to a role with the new name you wish to have, then generate the new role. Now open each derived role and delete its menu. Once the menu is removed, PFCG lets you enter a new inheritance, where you put the name of the new master role you created. This lets you keep the same derived role name and also the same profile name. Once the new roles are done you can transport them; the transport automatically includes the parent roles.

What is the difference between C (Check) and U (Unmaintained)?

Background: When defining authorizations using Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a Check Table for Table USOBT_C.

In USOBX_C there are 4 check indicators:

  • CM (Check/Maintain)
    - An authority check is carried out against this object.
    - The PG creates an authorization for this object and field values are displayed for changing.
    - Default values for this authorization can be maintained.
  • C (Check)
    - An authority check is carried out against this object.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.
  • N (No check)
    - The authority check against this object is disabled.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.
  • U (Unmaintained)
    - No check indicator is set.
    - An authority check is always carried out against this object.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.

Mention which t-codes are used to see the summary of the Authorization Object and Profile details?

SU03: It gives an overview of an authorization object

SU02: It gives an overview of the profile details

Explain what is User Buffer?

A user buffer consists of all authorizations of a user. The user buffer can be displayed with t-code SU56, and each user has their own user buffer. The authorization check fails when the user does not have the necessary authorization or when the user buffer contains too many entries.

By which parameter number of entries are controlled in the user buffer?

The number of entries in the user buffer is controlled by the profile parameter auth/auth_number_in_userbuffer.

How many transactions codes can be assigned to a role?

A maximum of 14000 transaction codes can be assigned to a role.

Mention which table is used to store illegal passwords?

Table USR40 is used to store illegal passwords: it holds patterns of words which cannot be used as a password.

Explain what is PFCG_Time_Dependency ?

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison.  It also clears up the expired profiles from user master record. To directly execute this report PFUD transaction code can also be used.

Explain what does USER COMPARE do in SAP security?

In SAP security, USER COMPARE option will compare the user master record so that the produced authorization profile can be entered into the user master record.

Mention different tabs available in PFCG?

Some of the important tabs available in PFCG are:

Description: This tab is used to describe the changes made, such as details related to the role, addition or removal of t-codes, authorization objects, etc.

Menu: It is used for designing user menus, such as adding t-codes.

Authorizations: Used for maintaining authorization data and generating the authorization profile.

User: It is used for assigning users to the role and for adjusting (comparing) user master records.

Which t-code can be used to delete old security audit logs?

T-code SM18 is used to delete old security audit logs.

Explain what reports or programs can be used to regenerate SAP_ALL profile?

To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

Using which table transaction code text can be displayed?

Table TSTCT can be used to display transaction code text.

Which transaction code is used to display the user buffer?

User buffer can be displayed by using transaction code SU56

Mention what SAP table can be helpful in determining the single role that is assigned to a given composite role?

Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.

What is the parameter in Security Audit Log (SM19) that decides the number of filters?

Parameter rsau/no_of_filters is used to decide the number of filters.

How many fields can be present in one Authorization object?

10 fields.

Which T-Codes are used to see overview of the Authorization Object and Profile details?

  • SU03: overview of any authorization object
  • SU02: details of profiles

SU21 provides the same editing structure as SU03, but with SU21 we can also create a new authorization object. Here, we click the “Display Object Documentation” button to see the documentation for the authorization object, and the “Permitted activity values” button to see the list of permitted activities for the fields.

These details are fetched from table TACT.

How to restrict the user access to one particular table in display mode ?

If the system is BASIS 700 or higher, we can use the authorization object S_TABU_NAM. In this authorization object, we can maintain the values for the required activity and the table name.
If the system version is lower than 700 and the table is a Z* table, then:

  • Create a new authorization group using SE54.
  • Assign the table in question to the newly created authorization group in table TDDAT using SM30.

If the table is an SAP standard table, we can restrict user access by creating a new t-code in SE93.

How to check the table Logs ?

First, we need to check if the logging is activated for table using tcode SE13. If table logging is enabled then we can see the table logs in t-code SCU3.

What’s the basic difference in between SU22 & SU24 ?

SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The profile generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the SAP standard values as shown in SU24. With SU25 one can (initially) transfer the USOBT values to the USOBT_C table.

What is the difference between USOBX_C and USOBT_C ?

The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (despite the AUTHORITY-CHECK command being programmed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

What does user compare do ?

If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis, or by executing t-code PFUD.

Can we convert Authorization field to Organizational field ?

An authorization field can be changed to an organizational field using PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE.
Use SE38 or SA38 to run the above report.

Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis, and the authorization data may have to be post-processed in the affected roles.

The fields “Activity” (ACTVT) and “Transaction code” (TCD) cannot be converted into an organizational level field.

In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is now to become the organizational level field are removed and entered into the organizational level data of the role.
Note: Table for Organizational Element- USORG. Refer to Note 323817 for more detail.

What is user buffer?

When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.
A user fails an authorization check if:

  • The authorization object does not exist in the user buffer.
  • The values checked by the application are not assigned to the authorization object in the user buffer.
  • The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/auth_number_in_userbuffer.
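The three failure conditions above, and the success case, can be reproduced with a small model of the user buffer and of an authority check run against it. This is an added illustration and not SAP code: the role USER_SMITH_ROLE, its authorization values, the checked objects and the entry cap are sample inputs, and the `auth_number_in_userbuffer` argument merely stands in for the profile parameter auth/auth_number_in_userbuffer.

```python
"""Model of the SAP user buffer and of an AUTHORITY-CHECK against it.

Constructed illustration, not SAP code. A buffer is built at logon from all
authorizations of the user's roles; a check passes only when one buffer entry
for the object covers every field/value pair the application asks for."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass
class Authorization:
    """One authorization: an object plus the values held for each of its fields.
    '*' and prefix patterns such as 'SU0*' act as wildcards."""
    obj: str
    fields: Dict[str, Tuple[str, ...]]


@dataclass
class UserBuffer:
    entries: List[Authorization] = field(default_factory=list)
    overflowed: bool = False


def build_user_buffer(role_auths: Dict[str, List[Authorization]],
                      auth_number_in_userbuffer: int) -> UserBuffer:
    """Collect the authorizations of all roles (what SU56 would display); once the
    entry cap is exceeded the buffer is flagged as overflowed."""
    buf = UserBuffer()
    for auths in role_auths.values():
        for auth in auths:
            if len(buf.entries) >= auth_number_in_userbuffer:
                buf.overflowed = True
                return buf
            buf.entries.append(auth)
    return buf


def _covers(allowed: Tuple[str, ...], value: str) -> bool:
    return any(fnmatchcase(value, pattern) for pattern in allowed)


def authority_check(buf: UserBuffer, obj: str, checked: Dict[str, str]) -> Tuple[bool, str]:
    """Return (passed, reason) for a check of `obj` with the given field values."""
    if buf.overflowed:
        return False, "user buffer overflowed"
    candidates = [a for a in buf.entries if a.obj == obj]
    if not candidates:
        return False, f"object {obj} not in user buffer"
    for auth in candidates:
        if all(_covers(auth.fields.get(f, ()), v) for f, v in checked.items()):
            return True, "ok"
    return False, f"values {sorted(checked.items())} not assigned to {obj}"


# Constructed sample: the authorizations role USER_SMITH_ROLE contributes.
SMITH_ROLES = {
    "USER_SMITH_ROLE": [
        Authorization("S_TCODE", {"TCD": ("SU01", "SU53", "SU56")}),
        Authorization("S_USER_GRP", {"CLASS": ("SUPER",), "ACTVT": ("03",)}),
    ],
}


def demo(cap: int = 1000) -> Dict[str, Tuple[bool, str]]:
    """Run one success and each failure mode against Smith's buffer."""
    buf = build_user_buffer(SMITH_ROLES, auth_number_in_userbuffer=cap)
    return {
        "start SU53": authority_check(buf, "S_TCODE", {"TCD": "SU53"}),
        "display group SUPER": authority_check(buf, "S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "03"}),
        "change group SUPER": authority_check(buf, "S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "02"}),
        "display table": authority_check(buf, "S_TABU_DIS", {"DICBERCLS": "SC", "ACTVT": "03"}),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}  {why}")
    print("with a cap of 1 entry:", demo(cap=1)["start SU53"])
```

Running `demo(cap=1)` shows the overflow case: the second authorization no longer fits, the buffer is flagged, and even the check that passes with a normal cap now fails, which is why an unexpected SU53 failure for a user with very many roles should prompt a look at the buffer size before any role is changed.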

How to remove duplicate roles with different start and end date from user master?

You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 365841 for more info.