SAP BASIS INTERVIEW QUESTIONS & ANSWERS

1) What is the difference between 4.7, ECC 5 and ECC 6 from an SAP Security point of view?
SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0, not on 4.7 EE.
SAP 4.7 is an ABAP-based system, so here we deal only with R/3 security.

SAP ECC 5.0 and SAP ECC 6.0 include both the ABAP and Java stacks, which means the Enterprise Portal is also included. Here we can have both R/3 security for the ABAP stack and Java stack security, which is part of the portal concept (Enterprise Portal Security).

2) What do you mean by profile and object?
A profile is an authorization profile, whereas an object can be an authorization class, an authorization object, or a field and value. So it takes several objects to make up a profile.

More precisely, a profile is a set of different authorizations for different objects. When you create a role and generate its profile, the profile generator automatically fetches the objects corresponding to the transactions you have added to the role menu. You can check which objects are fetched for which transaction using tcode SU24; only objects with check/maintain status are fetched by the profile generator during profile generation. For better understanding, keep in mind that for every tcode there is a certain set of objects. Each object has different fields, and each field takes values, e.g. 01, 02, 03 for create, change, display respectively.

3) What is the profile?
A profile is what a user can do within the role that is assigned to the user.
When a role is created, a profile is created based on the authorization data, i.e. object class, authorization object, field and values.
The word "profile" is used for 2 different concepts.

1) Authorization Profiles
2) System Profiles

Authorization Profile: This profile is the one created when a role is created and is called the authorization profile.
System Profile: This profile exists to change the parameters for the instances...

4) I want a list of users along with roles for a client. How to do it?
We can use tcode SE16 with table AGR_USERS. In UNAME enter the user IDs, and in AGR_NAME the role name.
You can get this in SUIM also.

5) In an environment of derived roles, a user is asking for a t-code which is not found in SUIM in a search of roles. What will you do?
1. Check if the tcode exists or not.
2. Try to search for the role with S_TCODE, putting the tcode in "roles by complex selection criteria".
3. You should at least get the SAP standard role, which should not be assigned.

If after doing all this you are not able to find any end user role available in the system, the next step is to propose adding the tcode to a suitable role.
As it is a derived role environment, the tcode needs to be added to the template / parent role.
Take approval from the BPR/role owner for the role modification. They will decide which parent role to change.
Change the role [by adding the tcode] in Dev and transport it to the rest of the systems in the landscape.

6) Can you secure profiles? If so, how to do it?
Yes you can. Secure Profile S_User_PRF

7) I want to lock all the users except sap* and DDIC of a particular client ?
SU10
F4 on user id field
Change the hit list restriction according to users present
Enter
It will bring all available users
Remove SAP* and DDIC from list
Select all and enter
It will bring you back to SU10
with all users except SAP* and DDIC
Select all
Lock
It will lock your own user also
(OR)
We can do it with EWZ5

8) I want to delete 1000 users of a particular client, how can I do it?
You can create a SECATT script to delete the users which is easy to create and easy to execute.
You can also delete users of a particular client by using t-code su10.

9) Can you tell me some of the password-related parameters?
Password related parameters are:
login/min_password_lng (Defines minimum length for password)
login/min_password_digits
login/password_expiration_time

These are the main parameters, which can be maintained via RZ10
(OR)
You can go to t-code SE16,
write login/* and press Enter; you will then get all login parameters.
This way there is no need to remember them.

10) How can I assign the same role to 200 users?
You can do this using PFCG -> enter the role -> change -> go to the Users tab -> paste the users -> click on user comparison -> complete comparison -> save the role, and it's done.
(OR)
One can also use the "Authorization Data" functionality in transaction SU10 to complete this task.

1) A user is asking for a t-code to be assigned. How do you assign the t-code?
First we have to check whether the user has access to the particular tcode. If not, run SUIM with roles by complex selection criteria --> put object 1 as S_TCODE with the required tcode and hit the execute button. The query will fetch a list of roles. Select a role that has minimum authorization and satisfies the user requirement, and assign the role to the user.

2) A user is not able to execute a t-code; how do you solve that? What are the different reasons that might exist?
Reasons:
1. Tcode does not exist
2. User context is missing authorization for that tcode
3. User comparison is not current

How to solve:
1. Check whether the user has the tcode or not, via SUIM --> roles by complex selection criteria [s_bce_68001425].
2. If the tcode is not assigned to the user --> assign a suitable role after taking approval. Make sure to run the user comparison to update the user master record.
3. If the tcode is available for the user and the user still can't access it --> ask for a screenshot of the SU53 result; there might be some other authorization which is missing for the user.
4. We can also trace the user's authorization checks with ST01, finding the user's missing access by analyzing the ST01 report and RC.

3) What is the difference between SE16 and SM31?
SE16: table display
SM31: table, view modification

4) What are the authorization objects which are always present in the user master record?
As you must know, the user master record (UMR) has different tabs. As per my understanding, the UMR stores information about users, like name, assigned roles and license data.
Objects which are always present for the UMR are:
S_USER_AGR, S_USER_GRP, S_USER_AUT, S_USER_PRO, and each of these objects has its own importance:
S_USER_AGR helps to maintain the roles assigned, S_USER_GRP helps to maintain the Auth. group in Logon Data, and S_USER_AUT and S_USER_PRO help to maintain the set of Auth. profiles and the different authorizations included in each profile.

5) What is the use of the System Task tab on the menu bar in PFCG?
Role creation, change and delete.

6) How can we lock a transaction? What happens exactly?
In transaction SM01 we can lock transactions; we can lock one or many at a time in the system.
After locking transactions, it won't allow anybody to use them.
(OR)
Transaction SM01 can be used to lock transactions; we can lock one or many at a time in the system.
When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

7) What is the use of SM35P and SM35? Is there any difference between these two?
Tcode SM35P is used to display/monitor sessions. Using tcode SM35 you can run/process the sessions in the background or foreground.

8) Is there any transaction to see the transport log? That is, which data or roles have been transported from which system at what time?
Transaction SE01 is used to see the transport log.
By clicking the "DISPLAY" tab you are able to see the logs.
You can also see which roles or data have been transported from which system at what time.

9) Which role is commonly used?
Composite and single roles are commonly used.

10) How to find the list of users already locked before a particular date?
Example: list of users already locked before 01/01/2010
Go to SUIM - USERS - USERS BY COMPLEX SELECTION CRITERIA, scroll down to the bottom, go to ADDITIONAL SELECTION CRITERIA, then give the validity date and check the check box of the option LOCKED USERS ONLY, then execute; you will get the list of the locked users.


1) Under description, when creating a role, what should be written there? What does your company follow?
The description of a role defines the role-related activity in short. Just by seeing the description of the role, one can easily know the role details, like:
Which SAP module the role belongs to (MM/PP/FICO)
The company code/org level values
Restricted values can also be mentioned there
Activity performed after assigning that particular role.

2) What is the correct procedure for mass generation of roles?
1) Tcode SUPC is for mass generation of roles. Or you can use scripts.
2) Program SAPPROFC_NEW: insert the roles to be generated and execute.
3) PFCG > Utilities > Mass Generation

3) Can we assign generated profiles to users directly?
No, we can't assign a generated profile to a user directly; we have to assign the role associated with that particular profile.
The best practice is not to assign a profile to a user master record. But then we can assign...
Check it: for example, assign SAP_ALL to a user master record and it actually works.
So, yes, a profile can be assigned to a user and can work.

4) What is the maximum number of profiles we can assign to one user?
Approx. 312

5) In which way can we assign a single role to many users (more than 5000 users)?
Go to SU10
Click on authorization data
Click on the multiple selection button beside the user input field; a pop-up will appear --> click on the green "import from text file" button
Give the location of the Excel sheet where you have already kept the 5000 users
Execute --> execute --> select all --> transfer; this will bring all 5000 users into SU10
Now change --> role tab --> assign the single role --> save

6) I want to see the list of roles assigned to 10 different users. How do you do it?
1. Go to transaction SE16
2. Type AGR_USERS and go to the next screen
3. In the users field, enter the list of user IDs
4. Result
(OR)
Go to SUIM --> ROLES --> By user assignment
Click multiple selection
Select the users and execute
Now you get a list of roles assigned to the selected users

7) What is the advantage of CUA from a layman/manager point of view?
CUA - Central User Administration
The advantage of CUA is that it saves time by creating users in one single system and distributing them to the respective systems (where the user ID is requested). It helps in avoiding logging in to each individual system. From a layman's point of view we don't have any advantage, but from an SAP security admin's point of view it takes less time for user administration.

8) How do we create a firefighter ID in Virsa's VRAT?
First create a service user and map this user in /n/virsa/vFat

9) What is the procedure to delete a role?
First add the role that needs to be deleted to a transport.
Then delete it. If there is no transport already, create one for it, add the role marked for deletion to it, and only then delete the role.
If the role is deleted without adding it to a transport, we will not be able to delete the same role in other systems like Acceptance / Quality / Production in a CUA environment.

10) What is the main difference between role and profile?
Roles are the set of authorizations.
Profiles are sub-components of roles.
We can assign a role to a user but not a profile.

Roles are collections of different transactions, reports and web links, whereas a profile is nothing but the set of authorizations which defines the behavior of the transactions listed in the role menu. Another difference could be that we can assign roles to a user using PFCG, but we cannot assign a manually created or generated profile directly to users using PFCG.

1) How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.
Go to SUIM, enter the user group name in users by complex selection criteria, execute to get the list of users, then run SU10, enter the list of users and assign the role to them.

2) What is Fire Fighter? When do we use Fire Fighter?
Fire Fighter is used if you have implemented Virsa/GRC.
Fire Fighter is a Virsa tool; it is used to execute critical tcodes when doing configuration.
A Fire Fighter ID is also a normal user ID, but with some specific access [say SU01 or SAP_ALL] as per the needs. The user type is kept as "service user".
When it is used: say, in your project you are a security administrator who does not have direct access to SU01 but needs the access urgently.
Then the FFID owner/administrator assigns you an FFID for a limited period so that you can perform the task from your login ID and password, using tcode /n/virsa/vfat and logging in with that FFID.
While logging in you will be prompted to give a business reason for the access.
Everything you perform in that period [using the FFID] gets recorded for auditing.

3) I need to give a user authorization for tcode SU01, but the delete option should not work, i.e. the user should be able to create, display, change etc. but not delete in SU01. How can I do this?
Delete activity 06 from S_USER_GRP.

4) What are the components in the Virsa tool and GRC?
In GRC we have these tools:
Access Enforcer
Compliance Caliber
Role Expert
Fire Fighter
In the Virsa tool we have: VRAT and VFAT

5) How to create a new authorization object?
Using SU21 we can create a new authorization object.

6) Can anyone tell me what the use of the SU24 and SU25 transaction codes is exactly?
SU25: A transaction that copies SAP defaults from USOBT & USOBX to USOBT_C and USOBX_C.
USOBT is a table that consists of transactions and authorization objects. It stores the default authorization values for authorization objects.
USOBX is a table that defines the necessary authorization checks that need to be performed within a transaction.
Initially both tables USOBT and USOBX consist of default values. These two tables are then used to fill the customer tables USOBT_C and USOBX_C through transaction SU25.
SU24: A transaction that maintains the assignment of authorization objects in the customer tables USOBT_C and USOBX_C.

7) What is the difference between copy roles and derived roles?
In a derived role, all the transactions of the parent role are copied, but not the org structure and auth., and we can't add more transactions in the derived role.
In copy roles, all the transactions with auth. are copied.

8) What is a temp role and a copy role?
Temp role: it is the SAP standard role, which is defined by SAP.
Copy role: a role copied from an existing role is a copy role.

9) How to transport roles?
1. Create a transport request in SE10.
2. PFCG - specify the role name - press the transport button (truck icon).
*** In case of multiple roles, go to Utilities - Mass transport ***
3. There will be three info screens. Give tick mark.
4. Give the transport request number which you created in SE10.
5. Press OK.
6. To confirm the changes, go to SE10 and find your request number, right click and verify that the roles are attached.

10) What are various user types?
Dialog (A)
System (B)
Communication (C)
Service (S)
Reference (L)

Dialog users are used for individual users. Check for expired/initial passwords. Possible to change your own password. Check for multiple dialog logon.

A Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted.

System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.
1. Can you kill a job?
Yes - SM37 - select - kill

2. If you have a long-running job, how do you analyse it?
Use transaction SE30.

3. What is private mode? When does a user switch to private mode?
Private mode is a mode where the heap data is exclusively allocated by the user and is no longer shared across the system. This happens when your extended memory is exhausted.

4. How to uncar CAR/SAR files in a single shot?
On Unix: $ for i in *.SAR; do SAPCAR -xvf "$i"; done

5. Which table contains the details related to the queue defined in SPAM? Is there a way to revert the queue defined? If yes, how?
There is a "delete" button when you define the queue. If you have already started the import it's no longer possible, since the system would become inconsistent.

6. What is mySAP?
It's a term for all the systems that are in a contract (e.g. a mySAP Business Suite consists of ERP2005, CRM2005, SRM2005).

7. What is ASAP?
It's an old term for an implementation strategy. Blueprint -> prototype -> go-live (if you want to say it in one sentence).

8. Describe how SAP handles memory management.
ST02 / ST03. In general via table buffers; you could go into the whole work process, roll in, roll out, heap (private) memory, etc. However, just as a Unix or DBA admin would know, you look this up when needed for the exact specifics.

9. Using tcode SGEN I generated 74% of the job and later terminated the job. I wish to continue generating from where it stopped. I have refreshed, but nothing was done. How should I proceed so as to complete the remaining job?
Start SGEN again and select the same options you selected before. It will pop up and ask if you want to start from scratch or generate just the remaining objects.

10. When should we use transactional RFC?
A "transactional RFC" means that either both parties agree that the data was correctly transferred, or not. There is no "half data transfer".

11. What does OPS$ mean? What if a user is given this authorisation?
OPS$ is the mechanism the <SID>adm user uses to connect to the database.

12. What is a developer key, and how to generate a developer key?
The developer key is a combination of your installation number, your license key (that you get from http://service.sap.com/licensekey) and the user name. You need this for each person that will make changes (Dictionary or programs) in the system.

13. How to see when the optimizer stats were last run? We are using win2k, oracle 9, sapr/3 46c.
Assumed DB = Oracle.
Select any table; let's take MARA here, but you should do the same for MSEG and a few others to see whether the dates match or not. Run the following command on the command prompt:
select last_analyzed from dba_tables where table_name like '%MARA%';
This gives you a straight answer. Otherwise you can always fish around in DB14 to see when the optimizer stats were updated.

14. I would like to know the version or name of SAP that is implemented in real time?
This is a very generic question and really depends on what you are implementing (modules).
The history of "R/3" is:
3.0D Basis 300
3.0E Basis 300
3.0F Basis 300
3.1H Basis 310
3.1I Basis 310
4.0B Basis 400
4.5B Basis 450
4.6C Basis 460
4.71 Basis 6.20
4.72 Basis 6.20
5.00 Basis 6.40 (ECC 5.0 - Enterprise Core components)
6.00 Basis 7.00 (ECC 6.0) - actually in RampUp
All of those have increased business functionality and interfaces to other systems (CRM, BW etc.)

15. How should I set priority for printing, say for user, team lead, project manager?
There's nothing like "priority" settings for spool processes. Just define more processes (profile parameter rdisp/wp_no_spool) so people don't need to wait.

16. What is the use of a trusted system? I know that there is no need for UID and PWD to communicate with the partner system. In what situation is it good to go for a trusted system?
E.g. if you have an R/3 system and a BW system and don't want to maintain passwords. The same goes for CRM and a lot of other systems/applications.

17. Why do you use the DDIC user and not SAP* for Support Packs and SPAM?
Do _NOT_ use either DDIC or SAP* for applying support packages. Copy DDIC to a separate user and use that user to apply them.

18. What is the system configuration required to implement SAP, i.e. for production, development and QAS servers: the hard disk space, RAM, processor?
This also depends on what you are implementing, how many users will work on the system, how many records are created in what area, etc.
We need a BIG database system and even bigger application servers.

19. Let me know if my understanding below is correct:
1) By default the RFC destination is synchronous
2) Asynchronous RFC is used in case the system that initiated the RFC call has no need to wait for the response before it proceeds to something else.
Yes - that's right.
But keep in mind that it's not only a technical issue whether to switch to asynchronous. The application must also be able to handle that correctly.

20. What is the use of the profile parameter ztta/roll_area?
The value specifies the size of the roll area in bytes. The roll area is one of several memory areas which satisfy the memory requests of user programs. For technical reasons, however, the first 250 KB or so of a user context are always stored in the roll area; further data is stored
- up to the roll area limit ztta/roll_first,
- in the extended memory, up to the limit ztta/roll_extension, or if extended memory is exhausted, then
- again in the roll area, until the roll area is full, then
- in the local process area, up to the limit abap/heap_area_dia or abap/heap_area_total, or until the address space or the swap space is exhausted.
This is followed by termination with errors like STORAGE_PARAMETERS_WRONG_SET, an error code that points to a memory bottleneck. Minimum data transfer with context change; however, the increase helps to avoid problems (address space, swap space, operating system paging).

Support :-

Q) What are the steps involved in stopping an SAP system?
A) Before stopping the SAP system we need to check the status of the following:
Check if there are any logged on users. Use Transaction Code SM04
Check if there are any Background process is to define SM36
Check if there are any Background processing is going on. Use TC SM37
Check if there is any Batch input session. Use TC SM35
Check if there are any update processes running. Use TC SM13

Client Copy :-

Q) Why do we need to perform a test run?
A) Test run determines which tables are to be changed.

Q) What is the amount of storage space a client will occupy?
A) A client without application data needs approximately 150-200 MB of storage space in a DB.

Q) Why do we need to do client copy?
A) To create new clients.

Q) Do we need to transport clients between systems (or) what is the procedure for copying clients between systems?
A) We no longer need to transport clients; instead we make a remote client copy.

Q) Why should we not transport the client data?
A) This is explained with the help of a scenario. In the target system, we have set up clients whose data must not be affected. The cross-client data must not be imported into the system from outside, since the cross-client data overwrites existing data, so that the customizing data of other clients in the target system is no longer effective.

Q) What default user has all the authorizations?
A) SAP*. This is the reason for locking this user in different environments.

Spool :-

Q) How to identify how many spool work processes are set up in a particular application server?
A) Use transaction code SM51 and select the application server.
Go to SM50 and count the number of work processes with type SPO.

Q) How many spool processes are configured in our entire SAP system?
A) Use SM66 and check for SPO work processes. In select process, choose Type = Spool and Status = Wait.

Q) Can we change the number of spool work processes by operation mode switching?
A) No. Only background and dialog work processes can be modified.

Q) How to identify how many spool servers are available in your SAP system?
A) Use SM51 or SM66 and check for application servers with at least one spool work process.

Q) How to make the setting for an individual SAP user so that an output request is not created immediately for a spool request?
A) In SU3 go to the Defaults tab and ensure that the "output immediately" option is not checked.

Q) How to find which printer is defined at OS level of your server?
A) Go to start -> Settings -> Printers (Revisit)

Transport :-

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.

Q) What is a transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain controller.

Q) What is a transport domain?
A) All R/3 systems that are planned to be managed centrally using TMS form a transport domain.

Q) What are the two editor modes in which we can configure the transport routes?
A) 1. Graphical Editor
2. Hierarchical Editor

Q) What are the various configuration methods available in STMS?
A) 1. Single system configuration
2. Development and Production systems
3. Three systems in a group

Q) What is a standard transport layer?
A) This describes the transport route that the data from the development systems follows.

Q) What is the SAP transport layer?
A) It is a predefined transport layer for DEV classes of SAP standard objects.

Q) What are the three approval steps you need to follow as part of the approval procedure in QAS?
A) 1. To be approved by system administrator
2. To be approved by department
3. To be approved by request owner

Q) What are the various qualifier options, or what are the various import options?
A) There are six import options:
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations
