1) Explain what SAP security is?
SAP security means giving business users the correct access according to their authority or responsibility, and granting permissions according to their roles.
2) Explain what “roles” are in SAP security?
“Roles” refers to a group of t-codes assigned to execute a particular business task. Each role in SAP requires particular privileges, called AUTHORIZATIONS, to execute a function in SAP.
3) Explain how you can lock all the users at one time in SAP?
By executing the EWZ5 t-code in SAP, all users can be locked at the same time.
4) Mention the pre-requisites that should be fulfilled before assigning SAP_ALL to a user, even when there is approval from the authorization controllers?
The pre-requisites are:
· Enabling the audit log, using t-code SM19
· Retrieving the audit log, using t-code SM20
5) Explain what an authorization object and an authorization object class are?
· Authorization Object: Authorization objects are groups of authorization fields that regulate a particular activity. The authorization relates to a particular action, while the authorization fields allow security administrators to configure specific values for that action.
· Authorization object class: Authorization objects fall under authorization object classes, which are grouped by functional area such as HR, finance, accounting, etc.
6) Explain how you can delete multiple roles from the QA, DEV and Production systems?
To delete multiple roles from the QA, DEV and Production systems, follow the steps below:
· Place the roles to be deleted in a transport (in DEV)
· Delete the roles
· Push the transport through to QA and Production
This will delete all the roles.
7) Explain what you have to take care of before executing Run System Trace?
If you are tracing a batch user ID or CPIC, then before executing Run System Trace you have to ensure that the ID has been assigned SAP_ALL and SAP_NEW. This enables the user to execute the job without any authorization check failure.
8) Mention the difference between USOBT_C and USOBX_C?
· USOBT_C: This table contains the authorization proposal data, i.e. the authorization data that is relevant for a transaction
· USOBX_C: It tells which authorization checks are to be executed within a transaction and which must not be
9) Mention the maximum number of profiles in a role and the maximum number of objects in a role?
The maximum number of profiles in a role is 312, and the maximum number of objects in a role is 150.
10) Which t-code is used for locking a transaction from execution?
T-code SM01 is used for locking a transaction from execution.
11) Mention the main difference between a derived role and a single role?
For a single role we can add or delete t-codes, while for a derived role you cannot do that.
12) Explain what SOD is in SAP Security?
SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege to access bank account details and also to run the payment run, it might be possible for them to divert vendor payments to their own account.
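As an added example (not from the original page), the following Python script performs this kind of SoD check offline over constructed rows shaped like the tables named elsewhere on this page (AGR_USERS, AGR_AGRS, AGR_TCODES); the user names, role names and the rule that pairs vendor-master maintenance with the payment run are assumptions for illustration.

```python
"""Segregation-of-duties check over exported SAP role tables (added example)."""
from collections import defaultdict

# Constructed sample rows shaped like the SAP tables named on this page:
# AGR_USERS (user -> role), AGR_AGRS (composite role -> single role),
# AGR_TCODES (role -> transaction). All values are made up for illustration.
AGR_USERS = [
    ("JSMITH", "C:FI_AP_CLERK"),      # composite role, expanded via AGR_AGRS
    ("JSMITH", "Z:FI_PAYMENT_RUN"),
    ("AJONES", "Z:FI_VENDOR_DISPLAY"),
    ("AJONES", "Z:FI_PAYMENT_RUN"),
]
AGR_AGRS = [
    ("C:FI_AP_CLERK", "Z:FI_VENDOR_MAINT"),
    ("C:FI_AP_CLERK", "Z:FI_VENDOR_DISPLAY"),
]
AGR_TCODES = [
    ("Z:FI_VENDOR_MAINT", "FK02"),    # change vendor master (bank details)
    ("Z:FI_VENDOR_DISPLAY", "FK03"),  # display vendor master only
    ("Z:FI_PAYMENT_RUN", "F110"),     # automatic payment run
]
# SoD rule set (assumed): transactions one person should not hold together.
# The vendor-bank-data vs payment-run pair is the page's own example.
SOD_RULES = {
    "VENDOR_MAINT_VS_PAYMENT": ({"FK02", "XK02"}, {"F110"}),
}


def expand_roles(roles, agr_agrs):
    """Replace composite roles by their single roles (AGR_AGRS); singles pass through."""
    children = defaultdict(set)
    for composite, single in agr_agrs:
        children[composite].add(single)
    expanded = set()
    for role in roles:
        expanded |= children.get(role) or {role}
    return expanded


def tcodes_for_user(user, agr_users, agr_agrs, agr_tcodes):
    """Collect every transaction reachable through the user's (expanded) roles."""
    roles = expand_roles({r for u, r in agr_users if u == user}, agr_agrs)
    return {t for r, t in agr_tcodes if r in roles}


def sod_conflicts(agr_users, agr_agrs, agr_tcodes, rules):
    """Return {user: [rule names violated]} for users holding both sides of a rule."""
    findings = {}
    for user in sorted({u for u, _ in agr_users}):
        held = tcodes_for_user(user, agr_users, agr_agrs, agr_tcodes)
        hits = [name for name, (left, right) in rules.items()
                if held & left and held & right]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, rules in sod_conflicts(AGR_USERS, AGR_AGRS, AGR_TCODES, SOD_RULES).items():
        print(f"{user}: SoD conflict {rules}")
```

Only JSMITH is reported: the display-only role held by AJONES does not touch vendor bank data, so no rule fires for that user.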
13) Mention which t-codes are used to see the summary of the authorization object and profile details?
· SU03: It gives an overview of an authorization object
· SU02: It gives an overview of the profile details
14) Explain what the User Buffer is?
A user buffer contains all authorizations of a user. The user buffer can be displayed with t-code SU56, and each user has their own user buffer. When the user does not have the necessary authorization, or has too many entries in their user buffer, the authorization check fails.
15) By which parameter is the number of entries in the user buffer controlled?
The number of entries in the user buffer is controlled by the profile parameter “auth/auth_number_in_userbuffer”.
16) How many transaction codes can be assigned to a role?
A maximum of 14000 transaction codes can be assigned to a role.
17) Mention which table is used to store illegal passwords?
Table USR40 is used to store illegal passwords; it stores patterns of words that cannot be used as a password.
18) Explain what PFCG_TIME_DEPENDENCY is?
PFCG_TIME_DEPENDENCY is a report used for user master comparison. It also clears expired profiles from the user master record. Transaction code PFUD can also be used to execute this report directly.
19) Explain what USER COMPARE does in SAP security?
In SAP security, the USER COMPARE option compares the user master record so that the generated authorization profile can be entered into the user master record.
20) Mention the different tabs available in PFCG?
Some of the important tabs available in PFCG include:
· Description: This tab is used to describe the changes made, such as details related to the role, addition or removal of t-codes, the authorization objects, etc.
· Menu: It is used for designing user menus, e.g. adding t-codes
· Authorization: Used for maintaining authorization data and the authorization profile
· User: It is used for adjusting user master records and for assigning users to the role
21) Which t-code can be used to delete old security audit logs?
The SM18 t-code is used to delete old security audit logs.
22) Explain which reports or programs can be used to regenerate the SAP_ALL profile?
To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
23) Using which table can transaction code text be displayed?
Table TSTCT can be used to display transaction code text.
24) Which transaction code is used to display the user buffer?
The user buffer can be displayed by using transaction code AL08.
25) Mention which SAP table can be helpful in determining the single roles assigned to a given composite role?
Table AGR_AGRS is helpful in determining the single roles that are assigned to a given composite role.
26) Which parameter in the Security Audit Log (SM19) decides the number of filters?
The parameter rsau/no_of_filters is used to decide the number of filters.
SET 2
1. How to create a user group in the SAP system?
Ans:
A user group can be created by performing the steps below:
· Execute the t-code SUGR
· Enter the name of the user group to be created in the textbox
· Click on the create button
· Enter the description and click on the save button
2. How to find the transport requests containing a specific role?
Ans:
The list of transport requests containing a specific role can be retrieved by performing the steps below:
· Execute the t-code SE03
· Double-click the option “Search for Objects in Requests/Tasks” under the node “Objects in Requests” in the left panel of the screen. This will take us to a new screen.
· In the object selection screen, enter the field value ACGR and tick the checkbox on the left side.
· Enter the role name for which we need the list of transport requests.
· In the “Request/Task Selection” section (lower part of the same screen), check the status of the requests we need in the list
· Click on the execute button
3. How to check the transport requests created by another user?
Ans:
The t-code SE10 provides the option to enter a user name. Using this facility, we can search the transport requests created by other users.
4. How to generate the list of roles having authorization objects with status “maintained”?
Ans:
This list can be generated using table AGR_1251 as below:
· Execute the t-code SE16
· Enter the table name AGR_1251 and hit enter
· Enter the field value “G” in the field “Object Status” and click on execute
The same table can be used to generate the list of roles with authorization objects having status modified and manual, with field values M and U respectively.
5. How to find the email IDs given a list of users (say 100)?
Ans:
The list of email IDs for the given users can be generated by performing the steps below:
· Execute the t-code SE16
· Enter the table name USR21.
· Upload the list of users using the multiple selection option and execute. This will give us the list of users and their respective person numbers
· Extract this data to an Excel sheet
· Now go back to SE16 and enter the table name ADR6
· Upload the list of person numbers extracted from table USR21 and execute
· Now table ADR6 will give us the list of person numbers and their email IDs.
· Download the list to Excel and perform a VLOOKUP in Excel to map the email IDs of the users to their SAP IDs
6. How to find the user-defined and system default values for security parameters?
Ans:
The values of parameters can be checked using the t-code RSPFPAR. After executing the t-code, give the parameter name and click on execute.
7. How to assign a logical system to a client?
Ans:
A logical system can be assigned to a client using the t-code SCC4. We need to be very careful while making this change, as it can affect the CUA (if configured).
8. Which entities are not distributed while distributing the authorization data from a master role to derived roles?
Ans:
During the distribution of authorization data from a master role to derived roles, organizational values and user assignments are not distributed. The org. values and user assignments are specific to individual roles and hence have no bearing on the master-derived role relationship.
9. How to assign multiple roles to more than 20 users in one shot in t-code SU10?
Ans:
To perform this mass role assignment, we need to follow the steps below in SU10:
· In the SU10 home screen, click on the button “Authorization Data”
· This will take you to a new screen similar to the screen in t-code SUIM -> Users by complex search criteria. Enter the search criteria for the users to be changed in SU10 and execute
· Once the list of users is displayed, click on the “select all” button in the top left corner of the list and click on the “Transfer” button. This will take us back to the SU10 screen with all the selected users in the user list
· Now click on the select all button in the SU10 home screen and then click on the change button.
· The above step will take us to the next screen, where you can perform the role assignment as in the normal case of t-code SU10
10. What is the use of the SU25 t-code?
Ans:
The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of a system upgrade so that the values in the customer tables are updated accordingly.
11. What is the use of authorization object S_TABU_LIN?
Ans:
This authorization object is used to provide access to tables at row level.
12. What are authorization groups and how are they created?
Ans:
Authorization groups are units comprising tables for a common functional area. Generally, each table is assigned to an authorization group; for this reason we need to mention the value of the authorization group while restricting access to a table in authorization object S_TABU_DIS.
An authorization group can be created using the t-code SE54. The assignment of tables to authorization groups can be checked in table TDDAT.
13. What is SOX (Sarbanes Oxley)?
Ans:
Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance and restore investor confidence. The Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
The Sarbanes-Oxley Act is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years”. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Organizations should be able to guarantee the integrity of some of their operations, like PTP or OTC, which can have quite a significant impact on the way the financial statements are projected if not controlled.
Organizations today are therefore moving in the direction of automating their software for SOX compliance. A key factor in achieving SOX compliance is to separate the duties amongst individuals to such an extent that no one person has the authorization to fulfil a complete cycle, say procurement or sales.
14. How to create a query in an SAP R/3 system?
Ans:
The query can be created and executed using the t-code SQVI:
· Execute the t-code SQVI.
· Enter the name of the query to be created and click on the create button.
· Enter the title and comments for the query and select the data source, such as a table or a table join.
· Select the preferred view, Basis Mode or Layout Mode, and click on the continue button.
· The above step will take us to a new screen; add the respective table on which we need to create the query.
· If the data source is selected as table join, select the respective tables as needed and the joining fields.
· Save and return to the main screen. Here you need to select the fields to be displayed in the output and their sequence.
15. What is the use of ST01? What are the return codes of t-code ST01?
Ans:
Transaction code ST01 is used to trace user authorizations. This is useful if we need to check which authorizations are checked in the background when a t-code is executed by a business user.
Below are the return codes of ST01:
· 0 – Authorization check passed
· 1 – No authorization
· 2 – Too many parameters for authorization check
· 3 – Object not contained in user buffer
· 4 – No profile contained in user buffer
· 6 – Authorization check incorrect
· 7,8,9 – Invalid user buffer
SET 3
SAP Security Interview Questions and answers
Question.1 Please explain the personalization tab within a role?
Answer: Personalization is a way to save information that could be common to users, I meant to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I suppose that it is a way for SAP to address the ambiguity of its concepts of user group and role: is the “user group” a grouping of people sharing the same access, or is it the role that is the grouping of people sharing the same access?)
Question.2 Is there a table for authorizations where I can quickly see the values entered in a group of fields?
Answer: In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization. AGR_1251 will give you some reasonable info.
Question.3 How can I do a mass delete of the roles without deleting the new roles?
Answer: There is an SAP delivered report that you can copy, remove the system type check from, and run. To do a landscape-wide delete, enter the roles to be deleted in a transport, run the delete program or delete them manually, and then release the transport and import it into all clients and systems.
It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS.
To use it, you need to tweak/debug & replace the code, as it has a check that ensures it is deleting SAP delivered roles only. Once you get past that little bit, it works well.
Question.4 Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?
Answer: Debug or use RSUSR100 to find the info.
Run transaction SUIM and go down to its Change documents.
Question.5 How to insert missing authorizations?
Answer: SU53 is the best transaction with which we can find the missing authorizations, and we can insert those missing authorizations through PFCG.
Question.6 What is the difference between a role and a profile?
Answer: Role and profile go hand in hand. The profile is brought in by a role. A role is used as a template where you can add T-codes, reports, etc. The profile is what gives the user authorization. When you create a role, a profile is automatically created.
Question.7 What are profile versions?
Answer: Profile versions are created when you modify a profile parameter through RZ10 and generate: a new profile is created with a different version and stored in the database.
Question.8 What is the use of role templates?
Answer: User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.
Question.9 What is the difference between a single role & a composite role?
Answer: A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.
Question.10 Is it possible to change a role template? How?
Answer: Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:
– we can use them as they are delivered in SAP
– we can modify them as per our needs through PFCG
– we can create them from scratch.
For all of the above, we have to use the PFCG transaction to maintain them.
Question.11 SAP Security T-codes?
Answer:
Frequently used security T-codes:
SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
Question.12 How to create users?
Answer: Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.
Question.13 What is the difference between USOBX_C and USOBT_C?
Answer: The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite the AUTHORITY-CHECK command being programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.
Question.14 What authorizations are required to create and maintain user master records?
Answer: The following authorization objects are required to create and maintain user master records:
•S_USER_GRP: User Master Maintenance: Assign user groups
•S_USER_PRO: User Master Maintenance: Assign authorization profile
•S_USER_AUT: User Master Maintenance: Create and maintain authorizations
Q. List R/3 User Types
A.
1. Dialog users are used for individual users. Check for expired/initial passwords; it is possible to change your own password. Check for multiple dialog logons.
2. A Service user – only user administrators can change the password. No check for expired/initial passwords. Multiple logons permitted.
3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
4. A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned to every user in the Roles tab.
Question.15 What is a derived role?
Answer: Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
•The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
•Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
Question.16 What is a composite role?
Answer: A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
•Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
•Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
•The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
Question.17 What does user compare do?
Answer: If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY.
Question.18 How do I change the name of the master/parent role while keeping the name of the derived/child role the same? I would like to keep the name of the derived/child role the same and also the profile associated with the child roles.
Answer: First copy the master role using PFCG to a role with the new name you wish to have. Then you have to generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put in a new inheritance. You can put in the name of the new master role you created. This will help you keep the same derived role name and also the same profile name. Once the new roles are done you can transport them. The transport automatically includes the parent roles.
Question.19 What is the difference between C (Check) and U (Unmaintained)?
Answer: Background: When defining authorizations using the Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a check table for table USOBT_C.
In USOBX_C there are 4 Check Indicators.
•CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.
•C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
•N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
•U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
SET 4
SAP SECURITY INTERVIEW QUESTIONS
Q. Role Naming Procedures
I am trying to determine the best role naming procedures. We are doing a security set-up redesign and would like to use “Generally Accepted Security Role Naming Practices.” We are a global company with a decentralized SAP set-up, with SAP instances for each region.
A: The intent of developing a naming convention for SAP access is to facilitate long-term maintenance of security, enhance auditing features, and improve the periodic review of access. The following is a proposal for the naming convention guidelines for roles, profiles and authorizations. Note: Composite role naming conventions are not covered as they are NOT recommended for use.
Naming Conventions: Roles. ‘Z’ or ‘Y’ is not needed as part of the naming convention. SAP Security is master data, not a configuration or repository object, and therefore does not need the standard development namespace. The ‘:’ is the customer designation.
Role name template:
xxxx:yyyy_Describe_org
Designate xxxx as the major company division (i.e., Jones, Inc., Parts, etc.). ‘:’ is the customer role designation;
yyyy is the functional area in SAP, such as Financial Accounts Payable (FIAP) or Materials Management Warehouse Maintenance (MMWM).
Under Describe give a brief description of the role, i.e., INVOICE_PROCESSOR; Org is any major organizational designation such as plant, sales org or warehouse.
Example: J:FIAP_INVOICE_PROCESSOR is Jones, Inc. Financial Accounts Payable Invoice Processor for the company.
Jones, Inc. is the company, so there is no need to use the _org designation. If this role did ALL or cross-company, then a designation would be needed.
Note: If you set the configuration for Session Manager to sort the roles for display, they sort in alphabetical order by technical name. Your generic system roles (Printing, RFC, GUI control, SU56, SU53, SU3, SMX) should sort to the bottom; yyyy should be Cross Application, or XA.
Q. Display Only SM59
The SM59 text mentions it can be used for Display/Maintain RFC Connections; how can you make this transaction code display only?
A: SM59 is for Display AND Change. There is no display-only version. Sorry, it can’t be done.
Q. APO Authorizations
Regarding APO authorizations, can you limit to display only in the product master using transaction code /SAPAPO/MAT1?
A: For /SAPAPO/MAT1, make sure you have only activity 03 on C_APO_PROD.
Q. Tcode /SAPAPO/SDP94
In the planning book screen, certain buttons are missing when using tcode /SAPAPO/SDP94. Neither the “Selection Window” nor the “Display Dependant Objects” buttons are visible.
A: Maintain C_APO_FUN to have C_SELCTION, C_SELE and C_SELORG on field APO_FUNC and the name of the planning area on APO_PAREA to make sure /SAPAPO/SDP94 is fully functional and viewable.
Q. Comparing user assignments
How do you compare two users’ role assignments? (i.e., which roles is user FOO missing to have exactly the same roles as user BAR?)
A: In tcode SUIM there is a report to compare users/roles with selected output.
The best way to make user BAR have the same access as user FOO is to have one role with the access and assign it to each of them once in tcode SU01. Ensure that this is the only role they have.
If this becomes too complicated, use a program to read the AGR_USERS table for the two users and lay out the role assignments side by side, showing where the role assignment gaps are.
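As an added example that is not part of the original answer, this Python script does that side-by-side layout over constructed AGR_USERS-style rows, and also drops assignments whose validity period does not cover the comparison date; the user and role names are made up.

```python
"""Side-by-side comparison of two users' role assignments (added example)."""
from datetime import date

# Constructed rows shaped like AGR_USERS: (UNAME, AGR_NAME, FROM_DAT, TO_DAT).
# Dates are in the YYYYMMDD form SAP stores, which also sorts correctly as text.
AGR_USERS = [
    ("FOO", "Z:FIAP_INVOICE_PROCESSOR", "20240101", "99991231"),
    ("FOO", "Z:MMWM_DISPLAY",           "20240101", "99991231"),
    ("FOO", "Z:XA_PRINTING",            "20230101", "20231231"),  # expired
    ("BAR", "Z:FIAP_INVOICE_PROCESSOR", "20240101", "99991231"),
    ("BAR", "Z:XA_PRINTING",            "20240101", "99991231"),
]


def active_roles(user, rows, on):
    """Roles of `user` whose FROM_DAT..TO_DAT window contains day `on` (YYYYMMDD)."""
    return {agr for uname, agr, frm, to in rows if uname == user and frm <= on <= to}


def compare_assignments(user_a, user_b, rows, on=None):
    """Return (only_a, only_b, both) as sorted lists; expired assignments are ignored."""
    on = on or date.today().strftime("%Y%m%d")
    a, b = active_roles(user_a, rows, on), active_roles(user_b, rows, on)
    return sorted(a - b), sorted(b - a), sorted(a & b)


def render(user_a, user_b, rows, on=None):
    """Two-column text layout; '-' marks the gap on that user's side."""
    only_a, only_b, both = compare_assignments(user_a, user_b, rows, on)
    width = max((len(r) for r in only_a + only_b + both), default=4) + 2
    lines = [f"{user_a:<{width}}{user_b}"]
    lines += [f"{r:<{width}}{r}" for r in both]
    lines += [f"{r:<{width}}-" for r in only_a]
    lines += [f"{'-':<{width}}{r}" for r in only_b]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("FOO", "BAR", AGR_USERS, on="20240601"))
```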
Q. Table names
What is the table name which houses the full list of activities? (01 change, 02, 03 display, etc…)
A: The table is TACT. The possible activities for one authorization object are in TACTZ.
The list of additional activities is extensive. Go to the profile generator/authorizations screen, pick any authorization object and get to the selection screen for possible activities. Right-click and you will see “More values – F7” for a complete list of activities.
Note: This may not work for all “activity” fields. In the field for F_REGU_BUK, for example, the values are kept in a pull-down menu in the transaction F110.
Q. Cost center field in SU01
What is the purpose of the cost center field in the SU01 user master record?
A: It is most likely used to allocate costs of system usage to cost centers. Some use it for internal reporting. It is accessible in some of the ALV reports in SUIM.
Q. Security report scheduling
Are there any periodic security reports that need to be scheduled to monitor during maintenance?
A: Try running user compare – RHAUTUPD_NEW
SUIM table sync – SUSR_SYNC_USER_TABLES
Other valuable reports:
USTxx sync to USRxxx (custom program)
RHPROFL0 (for security by position)
Lock/delete inactive users (custom program)
Delete orphaned authorizations/profiles (custom program)
Delete orphaned address info.
RHAUTUPD_NEW
Critical user monitoring report and notification (custom program)
Q. Querying restricted roles
Is it possible to query all roles that have a particular Organizational Level restriction? (e.g. Company Code, Plant, Division, etc.)
A: You can get all the roles that have an authorization for a particular object that contains a company code or plant or other authorization value. Those reports are in transaction SUIM.
Q. Accidental deletions
Users in our system were deleted when they shouldn’t have been. To determine how this happened, can I retrace the function, or is it logged in a table?
A: Debug or use RSUSR100 to find the information.
Q. Accidental deletions 2
While working in the development server, my session was deleted by another user. Is there a way to find the user that deleted it, the system number and the related data?
A: Try using TX STAT (or STAD, depending on release) and look for someone who has used TX SM04.
With that, you can kill the session. If more than one user has used the same tcode at the given time, SM21 has the entry logged for it.
You can find who ran SM04 and delete that user’s session.
Q. Conflicting combinations
How do you find the typical
conflicting combinations of authorization objects in HR, like conflicting
tcodes, infotypes and clusters?
A: If you are looking for conflicts within HR, there aren’t many. Some
companies use security measures to limit payroll information, disciplinary
actions, promotion potential and medical data to specific individuals. It is
not done with tcodes, but with restricted infotypes.
SAP HR is written as a central set of tcodes with access limited by data. The
main tcodes are PA40, PA30 and PA20; HR org management uses PA10, PA03, PA13
or POME and “run Payroll”.
Concentrate on the infotypes, not necessarily the tcodes or objects, as they
all use P_ORGIN (or whatever you configure). The only anomaly is P_ABAP, which
can override P_ORGIN.
Q. The Parameters tab
What is the “Parameters” tab in the
SU01 user maintenance screen for?
A: The “Parameters” tab allows users to pre-set entries in order to fill field
values in tcodes without having to re-key. It is also used for “Set
Preferences.”
Q. Org Level Tables
Is there a comprehensive list of
all the Org Level Tables?
A: Try table AUTHX via SE16.
If it is not loaded or incomplete,
use the underlying source structures in SE11, including structures: AUTHA,
AUTHB, AUTHC and a few others (search on AUTH*). Look for the Check table
or value tables. Note: If AUTHX is not loaded, there is a report to
load it.
Q. Setting values in authorization objects
When setting values in an auth obj,
is there a way to exclude a specific value without compromising the access of
the others?
Example: I’m trying to restrict S_TABU_DIS to allow certain people to see all
the auth groups except SS. If someone creates an auth group in the system, we
want the people with this role to see the added group without us going back
into the role and adding the value via PFCG.
A: Set the values to be included as 00 to SR and ST to ZZ; this excludes SS.
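The range trick above works because SAP compares from/to values of an authorization field as padded strings. The following added example (not from the original page) models that comparison for DICBERCLS of S_TABU_DIS and shows which groups the intervals 00-SR and ST-ZZ admit; the 4-character field width, the role content and the candidate group names are assumptions.

```python
# Added example, not from the original page: model SAP's from/to comparison
# for an authorization field and apply it to the S_TABU_DIS / DICBERCLS ranges
# 00-SR and ST-ZZ recommended above. Field width and sample groups are assumed.

FIELD_WIDTH = 4  # assumption: DICBERCLS is a 4-character field


def _pad(value: str) -> str:
    """Upper-case and pad a value to the field width before comparing."""
    return value.upper().ljust(FIELD_WIDTH)


def value_matches(low: str, high: str, value: str) -> bool:
    """Return True if one authorization value entry (LOW, HIGH) admits `value`.

    A single value is stored with an empty HIGH; '*' alone means everything;
    a trailing '*' is a prefix pattern; a from/to pair is an inclusive lexical
    interval on the padded field. Other wildcard forms are not modelled here.
    """
    low, high = low.upper(), high.upper()
    v = _pad(value)
    if low == "*":
        return True
    if not high:
        if low.endswith("*"):              # pattern such as Z*
            return v.startswith(low[:-1])
        return v == _pad(low)              # single value
    return _pad(low) <= v <= _pad(high)    # inclusive interval


def authorized(entries, value: str) -> bool:
    """True if any (LOW, HIGH) entry of the field authorizes `value`."""
    return any(value_matches(lo, hi, value) for lo, hi in entries)


def excluded_groups(entries, candidates):
    """Return the candidate groups that the entries do NOT authorize."""
    return [g for g in candidates if not authorized(entries, g)]


# Constructed role content for S_TABU_DIS field DICBERCLS, as in the answer.
ROLE_DICBERCLS = [("00", "SR"), ("ST", "ZZ")]

if __name__ == "__main__":
    # A group created later (here ZFIN) is covered without touching the role,
    # SS is excluded, but so is any group between SR and ST (e.g. SSAB) and
    # the group &NC& used for tables without an authorization group.
    for group in ["FI", "ZFIN", "SS", "SSAB", "&NC&"]:
        print(group, authorized(ROLE_DICBERCLS, group))
```

Note the two side effects shown by the constructed groups: everything sorting between SR and ST (such as SSAB) is excluded along with SS, and &NC& sorts below 00, so tables without an authorization group are not covered by these intervals.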
Q. Authorization reports
How are authorization reports
generated? The reports should include activity by object and be
accessible to all users with access.
A: Run SUSR_SYNC_USER_TABLES and then try tcode SUIM/report
RSUSR002. Enter your object in Object 1 and press enter. Follow the
prompts.
Q. Movement types
How do you restrict users on
Movement types and certain storage locations in transaction MB1B? The
only object displayed in SU24 for MB1B, with a combination of Movement type and
Storage location, is M_MSEG_LGO. How do we enable the system to check
this object in MB1B? Or, how can we restrict users on a combination of
Storage location and Movement type in transaction MB1B?
A: Storage location must be configured to check authorization on each storage
location. SAP does not do this by default, so there is no ST01 trace of it
until you configure it. This is done in the IMG (tcode SPRO).
If you get the help documentation of M_MSEG_LGO (using SU21), there is a link
to the correct customizing tcode, which turns the authority check on or off
(under Materials Management - Stocks).
This works only for goods movements, not for displaying stock contents.
Q. Login/disable_multi_gui_login
Will activating parameter
login/disable_multi_gui_login affect workflow?
A: No, the key is the GUI in the parameter.
Workflow does not initiate a GUI logon but a logon in the “background” or via
RFC to a non-GUI display session.
Q. Expert mode
What is the Expert mode in Profile
generation? What are the options for its use?
A: Expert mode merges existing authorizations with
new auths as they are added to the role. The auths display tells you which
authorization objects have been added or changed. This is a time-saver in that
it clearly lists changes and what to maintain.
Note: Always work in Expert mode.
Q. Accessing authorization objects
Is there a table where I can access
the name of a particular Authorization Object? Possibly a SUIM report?
A: Start with SU24; it will give the
objects/transactions in pfcg use.
After SU24 there are tables USOBT_C
and USOBX_C.
SU25, Step 1 is mandatory to
initialize these tables. Note: Read Help carefully before executing SU25, Step
1.
Q. Display transaction code in PFCG?
How do you display the transaction
code in the Menu folder using PFCG?
A: With an existing role, the transactions may be entered straight into the
S_TCODE auth object rather than the menu.
If the subfolder “Menu” in PFCG displays the list of transactions with only
the text appearing and not the transaction codes, the display option needs to
be changed.
Q. Mention what is the difference between USOBT_C and USOBX_C?
· USOBT_C: This table holds the authorization proposal data, i.e. the
authorization field values that are relevant for a transaction.
· USOBX_C: This table tells which authorization checks are to be executed
within a transaction and which must not.
Q. Mention what is the maximum number of profiles in a role and the maximum
number of objects in a role?
The maximum number of profiles in a role is 312, and the maximum number of
objects in a role is 150.
Q. What is the t-code used for locking a transaction from execution?
For locking a transaction from execution, t-code SM01 is used.
Q. Mention what is the main difference between a derived role and a single
role?
For a single role, we can add or delete t-codes, while for a derived role you
cannot do that.
Q. Explain what is SOD in SAP Security?
SOD means Segregation of Duties; it is implemented in SAP in order to detect
and prevent error or fraud during business transactions. For example, if a
user or employee has the privilege to access bank account details and the
payment run, it might be possible for them to divert vendor payments to their
own account.
Q. Mention which t-codes are used to see the summary of the Authorization
Object and Profile details?
· SU03: It gives an overview of an authorization object
· SU02: It gives an overview of the profile details
Q. Explain what is User Buffer?
A user buffer consists of all authorizations of a user. The user buffer can
be displayed with t-code SU56, and each user has their own user buffer. When
the user does not have the necessary authorization, or has too many entries
in the user buffer, the authorization check fails.
Q. By which parameter is the number of entries in the user buffer controlled?
In the user buffer, the number of entries is controlled by the profile
parameter auth/auth_number_in_userbuffer.
Q. How many transaction codes can be assigned to a role?
A maximum of 14000 transaction codes can be assigned to a role.
Q. Mention which table is used to store illegal passwords?
Table USR40 is used to store illegal passwords; it holds the patterns of
words which cannot be used as a password.
Q. Explain what is PFCG_TIME_DEPENDENCY?
PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It
also clears expired profiles from the user master record. This report can
also be executed directly with transaction code PFUD.
Q. Explain what does USER COMPARE do in SAP security?
In SAP security, the USER COMPARE option compares the user master record so
that the generated authorization profile is entered into the user master
record.
Q. Mention different tabs available in PFCG?
Some of the important tabs available in PFCG include:
· Description: This tab is used to describe the changes made, like details
related to the role, addition or removal of t-codes, authorization objects,
etc.
· Menu: It is used for designing user menus, like the addition of t-codes
· Authorization: Used for maintaining authorization data and the
authorization profile
· User: It is used for adjusting user master records and for assigning users
to the role
Q. Which t-code can be used to delete old security audit logs?
The SM18 t-code is used to delete the old security audit logs.
Q. Explain what reports or programs can be used to regenerate the SAP_ALL
profile?
To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
Q. Using which table can transaction code text be displayed?
Table TSTCT can be used to display transaction code text.
Q. Which transaction code is used to display the user buffer?
The user buffer can be displayed by using transaction code AL08.
Q. Mention what SAP table can be helpful in determining the single roles
that are assigned to a given composite role?
Table AGR_AGRS will be helpful in determining the single roles that are
assigned to a given composite role.
Q. What is the parameter in Security Audit Log (SM19) that decides the number
of filters?
Parameter rsau/no_of_filters is used to decide the number of filters.
Q. How to create a user group in the SAP system?
A user group can be created by performing the below steps:
1. Execute the t-code SUGR
2. Enter the name of the user group to be created in the textbox
3. Click on the create button
4. Enter the description and click on the save button
Q. How to find the transport requests containing a specific role?
The list of transport requests containing a specific role can be retrieved by
performing the below steps:
· Execute the t-code SE03
· Double click on the option “Search for Objects in Requests/Tasks” under the
node “Objects in Requests” in the left panel of the screen. This will take
us to a new screen.
· In the object selection screen, enter the field value ACGR and tick the
checkbox on the left side.
· Enter the role name for which we need the list of transport requests.
· In the “Request/Task Selection” section (lower part of the same screen),
tick the status of the requests which we need in the list.
· Click on the execute button
Q. How to check the transport requests created by another user?
The t-code SE10 provides the option to enter a user name. By using this
facility, we can search the transport requests created by other users.
Q. How to generate the list of roles having authorization objects with status
“maintained”?
This list can be generated by using the table AGR_1251 as below:
Execute the t-code SE16
Enter the table name AGR_1251 and hit enter
Enter the field value “G” in the field “Object Status” and click on execute
The same table can be used to generate the list of roles with authorization
objects having status modified and manual, with field values M and U
respectively.
Q. How to find the email ids for a given list of users (say 100)?
The list of email ids for the given users can be generated by performing the
below steps:
· Execute the t-code SE16
· Enter the table name USR21.
· Upload the list of users using the multiple selection option and execute.
This will give us the list of users and their respective person numbers
· Extract this data to an Excel sheet
· Now, go back to SE16 and enter the table name ADR6
· Upload the list of person numbers extracted from table USR21 and execute
· Now, table ADR6 will give us the list of person numbers and their email
ids.
· Download the list to Excel and perform a VLOOKUP in Excel to map the email
ids of users to their SAP IDs
Q. How to find the user-defined and system default values for security
parameters?
The values of parameters can be checked by using the t-code RSPFPAR. After
executing the t-code, enter the parameter name and click on execute.
Q. How to assign a logical system to a client?
A logical system can be assigned to a client by using the t-code SCC4. We
need to be very careful while doing this change as it can affect the CUA (if
configured).
Q. Which entities are not distributed while distributing the authorization
data from a master role to derived roles?
During the distribution of authorization data from a master role to derived
roles, organizational values and user assignments are not distributed. The
org values and user assignments are specific to the individual roles and
hence have no bearing on the master-derived role relationship.
Q. How to assign multiple roles to more than 20 users in one shot in t-code
SU10?
To perform this mass role assignment, we need to follow the below steps in
SU10:
· In the SU10 home screen, click on the button “Authorization Data”
· This will take you to a new screen similar to SUIM -> Users by complex
search criteria. Enter the search criteria for the users to be changed in
SU10 and execute.
· Once the list of users is displayed, click on the “select all” button in
the top left corner of the list and click on the “Transfer” button. This
will take us back to the SU10 screen with all the selected users in the user
list.
· Now, click on the select all button in the SU10 home screen and then click
on the change button.
· The above step will take us to the next screen, where you can perform the
role assignment as in the normal case of t-code SU10.
Q. What is the use of the SU25 t-code?
The t-code SU25 is used to copy the data from tables USOBT and USOBX to
tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after
the installation of a system upgrade so that the values in the customer
tables are updated accordingly.
Q. What is the use of authorization object S_TABU_LIN?
This authorization object is used to provide access to tables at row level.
Q. What are authorization groups and how to create them?
Authorization groups are units comprising tables for a common functional
area. Generally, each table is assigned to an authorization group; for this
reason we need to mention the value of the authorization group while
restricting access to a table in authorization object S_TABU_DIS.
The authorization group can be created by using the t-code SE54. The assignment of tables to authorization groups can be checked in table TDDAT.
Q. What is SOX (Sarbanes Oxley)?
Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance
and restore investor confidence. The Act was sponsored by US Senator Paul
Sarbanes and US Representative Michael Oxley.
The Sarbanes-Oxley Act is
legislation enacted in response to the high-profile Enron and WorldCom
financial scandals to protect shareholders and the general public from
accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley
defines which records are to be stored and for how long. The legislation not
only affects the financial side of corporations, but also affects the IT
departments whose job it is to store a corporation’s electronic records. The
Sarbanes-Oxley Act states that all business records, including electronic
records and electronic messages, must be saved for “not
less than five years”. The consequences for non-compliance are
fines, imprisonment, or both. IT departments are increasingly faced with the
challenge of creating and maintaining a corporate records archive in a
cost-effective fashion that satisfies the requirements put forth by the
legislation.
Organizations should be able to guarantee the integrity of some of their
operations, like PTP or OTC, which can have quite a significant impact on the
way the financial statements are projected if not controlled.
Organizations today are therefore moving in the direction of automating their
software for SOX compliance. A key factor towards achieving SOX compliance is
to separate the duties amongst individuals to such an extent that no one
person has the authorization to fulfill a complete cycle, say procurement or
sales.
Q. How to create a query in an SAP R/3 system?
The query can be created and executed using the t-code SQVI:
1. Execute the t-code SQVI.
2. Enter the name of the query to be created and click on the create button.
3. Enter the title and comments for the query and select the data source,
such as a table or a table join.
4. Select the preferred view, Basis Mode or Layout Mode, and click on the
continue button.
5. The above step will take us to a new screen; add the respective table on
which we need to create the query.
6. If the data source is selected as table join, select the respective tables
as needed and the joining fields.
7. Save and come back to the main screen. Here, you need to select the fields
to be displayed in the output and their sequence.
Q. What is the use of ST01? What are the return codes of t-code ST01?
Transaction code ST01 is used to trace user authorizations. This is useful if
we need to check which authorizations have been checked in the background
when a t-code is executed by a business user. The return codes are:
0 – Authorization check passed
1 – No authorization
2 – Too many parameters for authorization check
3 – Object not contained in user buffer
4 – No profile contained in user buffer
6 – Authorization check incorrect
7, 8, 9 – Invalid user buffer
Q. Please explain the personalization tab
within a role?
Personalization is a way to save information that could be common to users,
I meant to a user role… E.g. you can create SAP queries and manage
authorizations by user groups. Now this information can be stored in the
personalization tab of the role. (I suppose that it is a way for SAP to
address the ambiguity of its concept of user group and roles: is “usergroup”
a grouping of people sharing the same access, or is it the role which is the
grouping of people sharing the same access?)
Q. Is there a table for authorizations where I can quickly see the values
entered in a group of fields? In particular I am looking to find the field
values for P_ORGIN across a number of authorization profiles, without having
to drill down on each profile and authorization.
AGR_1251 will give you some reasonable info.
Q. How can I do a mass delete of the roles without deleting the new roles?
There is an SAP-delivered report that you can copy, remove the system type
check from, and run. To delete across a landscape, enter the roles to be
deleted in a transport, run the delete program or delete manually, and then
release the transport and import it into all clients and systems.
It is called AGR_DELETE_ALL_ACTIVITY_GROUPS. To use it, you need to
tweak/debug and replace the code, as it has a check that ensures it is
deleting SAP-delivered roles only. Once you get past that little bit, it works
well.
Q. Someone has deleted users in our system, and I am eager to find out who.
Is there a table where this is logged?
1. Debug or use RSUSR100 to find the information.
2. Run transaction SUIM and drill down into its Change Documents.
Q. How to insert missing authorizations?
SU53 is the best transaction with which we can find the missing
authorizations, and we can insert those missing authorizations through PFCG.
Q. What is the difference between a role and a profile?
Role and profile go hand in hand. The profile is brought in by a role. The
role is used as a template, where you can add T-codes, reports, etc. The
profile is what gives the user the authorization. When you create a role, a
profile is automatically created.
Q. What are profile versions?
Profile versions are created when you modify a profile parameter through RZ10
and generate: a new profile is created with a different version and stored
in the database.
Q. What is the use of role templates?
User role templates are predefined activity groups in SAP consisting of
transactions, reports and web addresses.
Q. What is the difference between a single role & a composite role?
A role is a container that collects transactions and generates the associated
profile. A composite role is a container which can collect several different
roles.
Q. Is it possible to change a role template? How?
Yes, we can change a user role template. There are exactly three ways in
which we can work with user role templates:
1. We can use them as they are delivered in SAP
2. We can modify them as per our needs through PFCG
3. We can create them from scratch
For all the above we have to use the PFCG transaction to maintain them.
Q. SAP Security T-codes?
Frequently used security T-codes:
1. SU01 Create/Change User
2. PFCG Maintain Roles
3. SU10 Mass Changes
4. SU01D Display User
5. SUIM Reports
6. ST01 Trace
7. SU53 Authorization analysis
Q. How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new
user, you must enter an initial password for that user on the Logon data tab.
All other data is optional.
Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed
within a transaction and which are not (despite the AUTHORITY-CHECK command
being programmed). This table also determines which authorization checks are
maintained in the Profile Generator. The table USOBT_C defines, for each
transaction and for each authorization object, which default values an
authorization created from the authorization object should have in the
Profile Generator.
Q. What authorizations are required to create and maintain user master
records?
The following authorization objects are required to create and maintain user
master records:
· S_USER_GRP: User Master Maintenance: Assign user groups
· S_USER_PRO: User Master Maintenance: Assign authorization profile
· S_USER_AUT: User Master Maintenance: Create and maintain authorizations
Q. List R/3 User Types
1. Dialog users are used for individual users. Expired/initial passwords are
checked, the user can change their own password, and multiple dialog logons
are checked.
2. Service user: Only user administrators can change the password. No check
for expired/initial passwords. Multiple logons are permitted.
3. System users are not capable of interaction and are used to perform
certain system activities, such as background processing, ALE, Workflow, and
so on.
4. A Reference user is, like a System user, a general, non-personally related
user. Additional authorizations can be assigned within the system using a
reference user. A reference user for additional rights can be assigned for
every user in the Roles tab.
Q. What is a derived role?
Derived roles refer to roles that
already exist. The derived roles inherit the menu structure and the functions
included (transactions, reports, Web links, and so on) from the role
referenced. A role can only inherit menus and functions if no transaction codes
have been assigned to it before.
· The higher-level role passes on its authorizations to the derived role as
default values which can be changed afterwards. Organizational level
definitions are not passed on. They must be created anew in the inheriting
role. User assignments are not passed on either.
· Derived roles are an elegant way of maintaining roles that do not differ in
their functionality (identical menus and identical transactions) but have
different characteristics with regard to the organizational level.
Q. What is a composite role?
A composite role is a container
which can collect several different roles. For reasons of clarity, it does not
make sense and is therefore not allowed to add composite roles to composite
roles. Composite roles are also called roles.
· Composite roles do not contain authorization data. If you want to change
the authorizations (that are represented by a composite role), you must
maintain the data for each role of the composite role.
· Creating composite roles makes sense if some of your employees need
authorizations from several roles. Instead of adding each user separately to
each role required, you can set up a composite role and assign the users to
that group.
· The users assigned to a composite role are automatically assigned to the
corresponding (elementary) roles during comparison.
Q. What does user compare do?
If you are also using the role to generate authorization profiles, then you
should note that the generated profile is not entered in the user master
record until the user master records have been compared. You can automate
this by scheduling report PFCG_TIME_DEPENDENCY.
Q. What is the difference between C (Check) and
U (Unmentioned)?
Background: When defining
authorizations using Profile Generator, the table USOBX_C defines which
authorization checks should occur within a transaction and which authorization
checks should be maintained in the PG. You determine the authorization checks
that can be maintained in the PG using Check Indicators. It is a Check Table
for Table USOBT_C.
In USOBX_C there are 4 Check
Indicators.
CM (Check/Maintain):
-An authority check is carried out
against this object.
-The PG creates an authorization
for this object and field values are displayed for changing.
-Default values for this
authorization can be maintained.
C (Check):
-An authority check is carried out
against this object.
-The PG does not create an
authorization for this object, so field values are not displayed.
-No default values can be
maintained for this authorization.
N (No check):
-The authority check against this
object is disabled.
-The PG does not create an
authorization for this object, so field values are not displayed.
-No default values can be maintained
for this authorization.
U (Unmaintained):
-No check indicator is set.
-An authority check is always
carried out against this object.
-The PG does not create an
authorization for this object, so field values are not displayed.
-No default values can be maintained
for this authorization.
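To make the four check indicators concrete, the following added example (not from the original page) models what the Profile Generator pulls into a role from constructed USOBX_C and USOBT_C rows when a transaction is placed in the role menu. The transaction ZFI01, the sample rows and the simplified column layout are assumptions; the objects named are standard SAP objects used only as illustration.

```python
# Added example, not from the original page: model how the Profile Generator
# (PG) uses SU24 check indicators (USOBX_C) and proposals (USOBT_C) for the
# transactions in a role menu. Rows and the custom tcode ZFI01 are constructed.

from collections import defaultdict

# Constructed USOBX_C rows: (transaction, authorization object, check indicator)
USOBX_C = [
    ("ZFI01", "S_TCODE",    "CM"),   # checked and proposed with defaults
    ("ZFI01", "F_BKPF_BUK", "CM"),   # checked and proposed with defaults
    ("ZFI01", "S_TABU_DIS", "C"),    # checked, but PG creates no authorization
    ("ZFI01", "S_GUI",      "N"),    # check disabled, nothing proposed
    ("ZFI01", "F_REGU_BUK", "U"),    # unmaintained: always checked, not proposed
]

# Constructed USOBT_C rows: (transaction, object, field, low, high) proposals.
# "$BUKRS" stands for an organizational level placeholder (assumption).
USOBT_C = [
    ("ZFI01", "S_TCODE",    "TCD",   "ZFI01",  ""),
    ("ZFI01", "F_BKPF_BUK", "ACTVT", "03",     ""),
    ("ZFI01", "F_BKPF_BUK", "BUKRS", "$BUKRS", ""),
]


def classify_objects(menu_tcodes, usobx_c=USOBX_C):
    """Group the objects behind the menu transactions by what the PG does.

    proposed:     CM, the PG creates an authorization with default values
    checked_only: C and U, checked at runtime but nothing is proposed, so
                  a missing value surfaces only as an SU53/ST01 failure
    disabled:     N, the check is switched off for this transaction
    """
    result = {"proposed": set(), "checked_only": set(), "disabled": set()}
    for tcode, obj, flag in usobx_c:
        if tcode not in menu_tcodes:
            continue
        if flag == "CM":
            result["proposed"].add(obj)
        elif flag in ("C", "U"):
            result["checked_only"].add(obj)
        elif flag == "N":
            result["disabled"].add(obj)
    return result


def proposals_for_role(menu_tcodes, usobx_c=USOBX_C, usobt_c=USOBT_C):
    """Return {object: {field: [(low, high), ...]}} the PG would propose."""
    proposed = classify_objects(menu_tcodes, usobx_c)["proposed"]
    auths = defaultdict(lambda: defaultdict(list))
    for tcode, obj, field, low, high in usobt_c:
        if tcode in menu_tcodes and obj in proposed:
            auths[obj][field].append((low, high))
    return {obj: dict(fields) for obj, fields in auths.items()}


if __name__ == "__main__":
    menu = {"ZFI01"}
    print(classify_objects(menu))
    print(proposals_for_role(menu))
```

The checked_only set is the one to watch when reviewing a role: those objects are checked when the transaction runs, yet the PG will not add them, so the administrator has to maintain them manually.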
QUESTIONS
SAP security GRC interview questions
1. What are the components of GRC?
2. What upgrades happened in GRC 5.3 compared with GRC 5.2?
3. Is it possible to have a request type by which we can change the validity
period of a user? If possible, then what are the actions?
4. What is the latest Support Pack for GRC 5.3? How does it differ from the
previous one?
5. What issues did you face in ERM & CUP after go-live?
6. Can we change single roles, objects & profile descriptions through mass
maintenance of roles? If yes, how?
7. What are the prerequisites for creating a workflow for user provisioning?
8. How will you control the GRC system if you have multiple rulesets
activated?
9. Can we view the changes of a role, made in PFCG, through GRC?
10. How will you mitigate a user against an authorization object which the
business has decided is sensitive?
11. Give an example of SOD with object-level control and also describe the
risk implication from the technical standpoint.
12. Is it possible to assign two roles with different validity periods to a
user in one shot through GRC? If yes, how?
13. What is the use of a Detour path? How does a Fork path differ from a
Detour path?
14. How can you enable the self password reset facility in GRC?
15. Can we have customized actions for creating request types in CUP?
16. Which SOX rules are inherited in SAP GRC?
17. How many types of background job are you familiar with? Why is the
Role/Profile & User Sync job required?
18. Where can we change the default expiration time for mitigating controls?
What is the default value for the same?
19. How will you do a mass import of roles in GRC?
20. Explain the total configuration & utility of SPM?
21. Can we create logical systems in GRC? If yes, how, and what are the
advantages & disadvantages of the same?
22. Can we have different sets of number ranges activated for request
generation?
23. Explain how we can create derived roles in ERM. What will be the
significant changes in methodology for creating composite roles?