SAP BASIS INTERVIEW QUESTIONS & ANSWERS 1

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) What is difference between 4.7, ECC 5 and ECC6 from SAP Security point of view? SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE. SAP 4.7 is an ABAP based system, here we can see only about R/3 security. SAP ECC5.0 and SAP ECC6.0 included both ABAP + JAVA stacks, means enterprise portal also included here we can have both R/3 security for ABAP stack and JAVA stack security which includes in portal concept(Enterprise Portal Security). SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE. 2) What do you mean by profile and object? Well, profile is a authorization profile and where as object can be an authorization class or authorization object or field and value. So, to make up a profile it requires several objects..... More precisely profile is set of different authorizations for different objects. It means when you create role and go for generating profile whatever the list of transactions you have added in role menu its corresponding objects automatically fetch up by profile generator. For which transaction which objects get fetch up this you can check using SU24 tcode only objects with check/maintain status get fetch up by profile generator during profile generation. And for better understanding you just keep in mind for every tcode there are certain set of objects. And Each objects has different fields and its value is called its value i.e. 01, 02, 03 create, change, display respectively.

3) What is the profile?

Profile is what a user can do within that role that is assigned to the user. When a role is created; a profile is created based on the authorization data i.e. object class, authorization object, filed and values. The word "profile" is used in 2 different concepts. 1) Authorization Profiles 2) System Profiles

Authorization Profile:This profile is the one created when a role is created and is called as authorization profile. System Profile: This profile exists to change the parameters for the instances... 4) I want a list of users along with roles for a client? How to do it? We can use tcode se16 in it AGR_USERS uname: enter the user ids and AGRname: role name Youcan get in SUIM also. 5) In an environment of derived roles; a user is asking for a t-code; which is not found in suim in search of roles? What will u do? 1. Check if the tcode exists or not. 2. Try to search the role with S_tcode and then putting the tcode in "roles by complex selection criteria" 3. You should at least get SAP standard role which should not be assigned. So after doing all these you are not able to find any end user role available in system. Next step is the proposal of adding the tcode to a suitable role. as it's a derived role envi---> need to add the tcode in template / parent role Take approval from BPR/role owner for role modification. They will decide which parent role to change. Change role [by adding the tcode] in Dev and transport to rest of the sys in landscape 6) Can u secure profiles? If so , how to do it ? Yes you can. Secure Profile S_User_PRF

7) I want to lock all the users except sap* and DDIC of a particular client ?
SU10 F4 on user id field Change the hit list restriction according to users present Enter It will bring all available users Remove SAP* and DDIC from list Select all and enter It will bring u back to SU10 With all users except SAP* and DDIC Select all Lock it will lock your user also (OR) We can do it by ewz5

8) I want to delete 1000 users of a particular client, how can I do it?

You can create a SECATT script to delete the users which is easy to create and easy to execute. You can also delete users of a particular client by using t-code su10.

9) Can u tell me some of the password related parameters ?

Password related parameters are: login/min_password_lng (Defines minimum length for password) login/min_password_digits login/password_expiration_time These are the main parameters - which can be maintained via RZ10 (OR)

You can go to t-code se16 Write login/* and enter ... then u will get all login parameters Here there is no need of remembering 10) How can I assign a same role to 200 users? You can do using PFCG- > enter the role -> change -> go to users tab -> paste the users -> click on user comparison-> complete comparison -> Save the role - it's done (OR) One can also use "Authorization Data" functionality in transaction SU10 to complete this task.

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 2

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) A user is asking for a t-code to assign? How do you assign the t-code? First we have to check if user has access to particular tcode. If not then run suim with roles by complex selection criteria -->put object1 as S_tcode as the required tcode and hit execute button. The query will fetch you a result of roles. Select a role that has minimum authorization and satisfy the user requirement. And assign the role to user.

2) A user is not able to execute a t-code; how do you solve that? What are the different reasons that
might be existing? Reason: 1. Tcode does not exist 2. User context missing auth for that tcode 3. User comparison is not current How to solve: 1.check if the user is having the tcode or not. by SUIM--> role by complex selection criteria [s_bce_68001425] 2. if the tcode is not assigned to user -->assign suiatablle role after taking approval. Make sure to user compare to update the user master record 3.if the tcode is available for the user and user still cant access--> ask for result of SU53 screen shot, there might be some other authorization which is missing for the user 4.we can also trace the user's auth check by use of st01 fine searching user's missing access by analyzing st01 report and rc.

3) What is difference between se16 and sm31?

SE16: table display SM31: table, view modification

4) What are the authorization objects which are always present in user master record?
For user master record as u must be knowing that different tabs of UMR..So as per my understanding As

UMR stores information of users...Like his name, roles assigned to him, License data. Objects which are always present for UMR are: S_USER_AGR, S_USER_GRP,S_USER_AUT,S_USER_PRO and each of this object has its own importance... bcoz S_USER_AGR helps to maintain roles assigned, S_USER_GRP helps to maintain Auth. group in Logon Data and S_USER_AUT AND S_USER_PRO helps to maintain set of Auth. profiles and different Authorizations included in each profile.

5) What is use of System Task Tab on menu bar in PFCG?

Role creation, change and delete. 6) How can we Lock transaction? What happens exactly? In SM01 transaction we can lock the transactions; we can lock one or many at a time in the system. After locking transactions, it wont allow any body to use the transaction. (OR) SM01 transaction can use to lock the transactions; we can lock one or many at a time in the system. When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction. 7) What is Use of SM35P and SM35 is there any difference between these two? Tcode SM35P use to display/monitor sessions. Using Tcode SM35 you the run/process the sessions in background or foreground.

8) Is there any transaction to see Transport Log.? Means, Which data or roles have been transported
from which system at what time? SE01 transaction is use to see Transport Log. By clicking tab "DISPLAY" you can able to see the logs. You can also see the roles or data has been transported from which system at what time. 9) Which role is commonly used? Composite and single role commonly used.

10) How to find the already locked users list before a particular date?
Example: list of users already locked before 01/01/2010 Goto SUIM - USERS - USERS BY COMPLEX SELECTION CRITERIA,scroll down to the bottom, goto ADDTIONAL SELECTION CRITERIA, then give the validity date and check the check box of the option LOCKED USERS ONLY, then execute, u will get the list of the locked users.

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 3

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :-

1) Under description; in creating a role what should be written over there ....what does your company follows ? Description of role defines the role related activity in short. Just seeing the description of the role, one can easily know the role details, like Role belongs to which SAP module (MM/PP/FICO) The Company code/Org level values Restricted values can also be mentioned there Activity performed after assigning that particular role. 2) What is the correct procedure for Mass Generation of Roles ? 1)Tcode SPUC is for mass generation of roles. Or you can use scripts 2)Program SAPPROFC_NEW inserted roles to be generated and execute. 3)PFCG > Utilities > Mass Generation 3) Can we assign generated profiles to users directly ? No, we can't assign a generated profile to user directly; we have to as the role associated with that particular profile The best practice is not to assign profile to a user master record. But then we can assign... Check it for example, assign sap_all to a user master record and can actually work. So, yes a profile can be assigned to user and can work. 4) How many maximum profiles we can assign to one user ? apprx 312 5) In which way we can assign single role to many users (more than 5000 users) ? Go to Su10 Click on authorization data Click on multiple selection button beside user input field a pop up will appear-->click on green import from text file Give the destination of the excel sheet where you have already kept 5000 users Execute-->execute-->select all -->transfer this will bring all 5000 users in su10 Now change--> role tab--> assign the single role-->save 6) I want to see list of roles assigned to 10 different users. How do you do it ? 1.Go to SE16 Transaction 2.Type agr_users and go to next screen 3.in the users field I have the list of user ids 4.Result (OR) GO to suim -->ROLES-->By user assignment Click multiple selection Select users ans execute Now you get a list roles assign to selected users 7) What is the advantage of CUA from a layman/manager point of view ? CUA - Central User Administration Advantage of CUA is to lessen the time by creating users in one single system, and distribute it to the respective systems (where the user id is requested)Helps in avoiding logging to each individual systems. Layman point of view we dont have any advantage, But SAP security admin point it takes lesser time for user Admin. 8) how do we create firefigter Id in VIRSAs VRAT ? First create service user and mapp this user in /n/virsa/vFat 9) What is the procedure to delete a role ? First add the role that need to be deleted in a Transport. Then delete it. If there is no transport already, then create one for it and then add the role marked for deletion to it and then only we have to delete the role. If the role is deleted without adding it to a transport then we will not be able to delete the same role in other systems like Acceptance / Quality / Production in CUA Environment.

10) What is the main difference between role and profile ? Roles are the set of authorizations. Profiles are sub component of roles. We can assign role to user but not profile. Roles are collection of different transactions, reports/web links where its profile is nothing but set of authorizations which defines the behavior of transactions listed in Role Menu. And another difference could be we canassign roles to user using PFCG but we cannot assign manually created or generated profile directly to users using PFCG.

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 4

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users? Go to suim,enter the user group name in user by complex selection criteria, execute user's list,execute su10 enter list of user's and assign role to them 2) What is fire fighter? When we are using fire fighter? Fire Fighter is used if you have implemented Virsa/GRC Fire Fighter is Virsa tool, this used to execute critical tcode when doing configuration Fire fighter is also a normal user ID but having some specific access [Say Su01 or SAP_ALL] as per the needs. User type is kept as "service user' When it is used: Say, in your project you are security administrator who Does not have access to direct SU01 but you needs the access urgently. Then FFID owner/administrator assigns you a FFID for limited period so that you can perform the task from your login ID and pwd, using tcode /n/virsa/vfat and login with that FFID. While logging you will be prompted to give business reason for access. Everything you perform in that period [Using FFID]gets recorded for auditing. 3) I need to give authorization to a user to su01 tcode but the delete options should not work..i.e. the user should be able to Create, disp, change etc but not delete on su01. How cam i do this? delete the 06 activity from s_user_grp, 4) What are the components in VIRSA tool and GRC? In GRC we have these tools: Access Enforcer Complaince Caliber Role expert Fire Fighter In VERAS Tool we have: VRAT and VFAT 5) How to create new authorization object? Using SU21 we can create the New Authorization Object 6) Can anyone tell me what the use of SU24 and SU25 transaction code is exactly? SU25: A transaction that copies SAP defaults from USBOT & USOBX to USOBT_C and USOBX_C. USOBT is a table that consists of transactions and authorization objects. It stores default values of authorization from authorization objects. USOBX is a table that defines the necessary authorization checks that needs to be performed within a transaction.

Initially both tables USOBT and USOBX consist of default values. These two tables are then used for fill up of the customer tables USBOT_C and USOBT_X through the transaction SU25. SU24: A transaction that maintains the assignment of authorization objects in the customer tables USOBT_C and USOBX_C. 7) What is the difference b/w Copy Roles and Derived Roles? In derived role, all the transactions of parent role r copied but not the org structure and auth. and we cant add more transactions in derived role. In copy roles all the transactions with auth are copied 8) What is temp role and copy role? Temp role: - it is the sap standard role, which is defined by sap. Copy role: - copy from an existing role is copy role. 9) How to transport roles? 1. Create a transport request in SE10. 2. PFCG - please specify the role name - press the transport button(truck icon). *** In case of multiple roles, go to utilities-mass transport** 3. There will be three info screens. Give tick mark. 4. Give the transport request number, which you created in SE10. 5. Press ok. 6. To confirm the changes, go to se10 and see your request number, right click and verify the roles are attached. 10) What are various user types? Dialog (A) System (B) Communication (C) Service (S) Reference (L) Dialog users are used for individual user. Check for expired/initial passwords.Possible to change your own password. Check for multiple dialog logon A Service user - Only user administrators can change the password.No check for expired/initial passwords. Multiple logon permitted System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on. A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 5

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1.Can you kill a Job? Yes - SM37 - select - kill 2.If you have a long running Job, how do you analyse?

Use transaction SE30. 3.What is private mode? When does user switch to private mode? Private mode is a mode where the heap data is getting exclusively allocated by the user and is no more shared across the system. This happens when your extended memory is exhausted. 4.How to uncar car/sar files in a single shot? on Unix: $ for i in *.SAR; do SAPCAR -xvf $i; done 5.Which table contains the details related to Q defined in SPAM? Is there a way to revert back the Q defined? If yes, How? There is a "delete" button when you define the queue. If you already started the import it's no more possible since the system will become inconsistent. 6.What is mysap? It's a term for all the systems that in a contract (e. g. a MySAP business suite consist of ERP2005, CRM2005, SRM2005). 7.What is ASAP? It's an old term for an implementation strategy. Blueprint -> prototype -> goLive (if you want to say it in one sentence). 8.Describe how SAP handles Memory Management? ST02 / ST03 In general via table buffers, you could go into the whole Work Process, roll in, roll out, heap (private) memory, etc. however just as a Unix or DBA admin would know, is you look this up when needed for the exact specifics. 9.Using Tcode SGEN I have generated 74% job and later I have terminated the job. I wish to start generating from where it stopped I have refreshed but to no chance nothing was done. How should I further proceed so as to complete the remaining job ? Start SGEN again and select the same you have selected before. It will popup and ask if you want to start from scratch or generate the just the remaining. 10.When we should use Transactional RFC ? A "transactional RFC" means, that either both parties agree that the data was correctly transfered - or not. There is no "half data transfer". 11.What is osp$ mean? What if user is given with this authorisation? OPS$ is the mechanism the <SID>adm users uses to connect to the database. 12.What is a developer key? and how to generate a developer key? The developer key is a combination of you installation number, your license key (that you get from http://service.sap.com/licensekey) and the user name. You need this for each person that will make changes (Dictionary or programs) in the system. 13.How to see when were the optimizer stats last time run? We are using win2k, oracle 9, sapr/3 46c. Assumed DB=Oracle

Select any table lets take MARA here but you should do the same for MSEG and few others to see whether the dates match or not.Run the following command on the command prompt :select last_analyzed from dba_tables where table_name like '%MARA%'; This gives you a straight answer .Else you can always fish around in DB14 for seeing when the optimzer stats were updated. 14.I would like to know the version or name of SAP that is implemented in real time? This is a very generic question and really depends on what you are implementing (modules). The history of the "R/3" is 3.0D Basis 300 3.0E Basis 300 3.0F Basis 300 3.1H Basis 310 3.1I Basis 310 4.0B Basis 400 4.5B Basis 450 4.6C Basis 460 4.71 Basis 6.20 4.72 Basis 6.20 5.00 Basis 6.40 (ECC 5.0 - Enterprise Core components) 6.00 Basis 7.00 (ECC 6.0) - actually in RampUp All of those have increased business functionality and interfaces to other systems (CRM, BW etc.) 15.How should I set priority for Printing say like user, team lead, project manager? There's nothing like "priority" settings for spool processes. Just define more (profile parameter rdisp/wp_no_spool) processes so people don't need to wait. 16.What is the use of Trusted system. I know that there is no need of UID and PWD to communicate with partner system. In what situation it is good to go for Trusted system ? E. g. if you have an R/3 system and a BW system and don't want to maintain passwords. Same goes for CRM and a lot of other systems/applications. 17.Why do you use DDIC user not SAP* for Support Packs and SPAM? Do _NOT_ use neither DDIC nor SAP* for applying support packages. Copy DDIC to a separate user and use that user to apply them 18.What is the systems configuration required to implement SAP.. i.e for production,development and QAS servers the hard disk space, RAM, Processor This also depends on what your are implementing, how many users will work on the system, how many records in what area are created etc. We need a BIG database system and an even bigger application servers. 19.Let me know if my understanding below is correct: 1) By default the RFC destination is synchronous

2) Asynchronous RFC is used incase if the system initiated the RFC call no need to wait for the response before it proceeds to something else. Yes - that's right. But keep in mind, that it's not only a technical issue whether to switch to asynchronous. The application must also be able to handle that correctly. 20.What is the use of profile paramater ztta/roll_area? The value specifies the size of the roll area in bytes. The roll area is one of several memory areas, which satisfies the user requests of user programs. For technical reasons, however, the first 250 KB or so of a user context are always stored in the roll area, further data - up to the roll area limit ztta/roll_first, - in the extended memory, up to the limit ztta/roll_extension or if extended memory is exhausted, then - again in the roll area, until the roll area is full, then - in the local process area, up to the limit abap/heap_area_dia or abap/heap_area_total or until the address space or the swap space is exhausted. Followed by termination with errors like STORAGE_PARAMETERS_WRONG_SET an error code, that points to memory bottleneck Minimum data transfer with context change; however, the increase helps to avoid problems (address space, swap space, operating system paging).

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 6

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :Support :Q) What are the steps involved in stopping SAP system? A) Before stopping SAP system we need to check the status of the following Check if there are any logged on users. Use Transaction Code SM04 Check if there are any Background process is to define SM36 Check if there are any Background processing is going on. Use TC SM37 Check if there is any Batch input session. Use TC SM35 Check if there are any update processes running. Use TC SM13

Client Copy :Q) Why do we need to perform a test run? A) Test run determines which tables are to be changed. Q) What is the amount of storage space a client will occupy? A) client without application data needs approximately 150-200 MB of storage space in a DB Q) Why do we need to do client copy? A) To create new clients. Q) Do we need to transport clients between systems (or) what is the procedure for copying clients between systems?

A) We no longer require to transport clients instead we make a remote client copy. Q) Why should we not transport the client data? A) this is explained with the help of a scenario. In target system, we have set up clients whose data must not be affected. The cross client data must not be imported into the system from outside, since the cross client data overwrites existing data so that customizing data of other clients in the target system no longer effects. Q) what default user has all the authorizations? A) SAP*. This is the reason for locking this user in different environments.

Spool :Q) How to identify how many spool work process are setup in a particular application server? A) Trans-Code SM51 and select the application server. Go to SM50 and count the number of work process with SPO Q) How many spool processes are configured in out entire SAP system? A) SM66 and check for SPO work process. In select process by choosing Type = Spool and Status = Wait Q) Can we change number of spool work process by operation mode switching? A) No. Only background and dialog work process can be modified. Q) How to identify how many spool servers are available in your SAP system? A) SM51 or SM66 and check for application server with at least one spool workprocess. Q) How to make setting for an individual SAP user so that an output request is not created immediately for a spool request? A) SU3 go to Default tab and ensure that output immediately option is not checked. Q) How to find which printer is defined at OS level of your server? A) Go to start -> Settings -> Printers (Revisit)

Transport :Q) What is a transport group? A) SAP systems that share a common transport directory tree form a transport group. Q) What is transport domain controller? A) R/3 system with the reference configuration is called as the transaction domain controller. Q) What is transport domain? A) All R/3 systems that are planned to manage centrally using TMS form a transport domain. Q) What are the two editor modes in which we can configure the transport routes? A) 1. Graphical Editor 2. Hierarchical Editor Q) What are the various configuration methods available in STMS? A) 1. Single system configuration 2. Development and Production systems 3. Three systems in a group Q) What is a standard transport layer? A) This describes the transport route that the data from the development systems follows. Q) What is SAP transport layer? A) It is a predefined transport layer for DEV classes of SAP standard objects

Q) What are the three approval steps you need to follow as a part of approval procedure in QAS? A) 1. To be approved by system administrator 2. To be approved by department 3. To be approved by request owner Q) What are the various qualifier option or what are the various import options? A) There are six import options 1. Leave transport request in queue for later import 2. Import transport request again 3. Overwrite originals 4. Overwrite objects in unconfirmed repairs 5. Ignore unpermitted transport type 6. Ignore predecessor relations