SAP Security Questions
1. Elaborate on your complete SAP experience, and be truthful about it.
2. Tell me your daily monitoring jobs and most of them you worked on?
As part of my daily job as an SAP Security consultant I take care of ticket monitoring and
assign tickets within the team. I take care of critical incidents and give them high priority
so that they are resolved faster. I troubleshoot the different authorization issues that users
run into in their daily work.
3. Which version of SAP are you working on? Is it a java stack or ABAP stack?
Derived roles. They restrict user access based on organizational level values. A derived role
inherits from its master role and takes over all of its properties except the org level values.
5. What is the main difference between single role and a derived role?
Main difference: we can add/delete T-codes in a single role, but we cannot do that in a
derived role.
6. Do the S_TABU_DIS org level values in a master role get reflected in the child role?
If we run "adjust derived roles" in the master role after updating the values in the master
role, then the values are reflected in the child roles.
RAR is Java stack. It was ABAP when it was called Compliance Calibrator.
9. What is the report which lists the critical T-codes? And what is the T-code?
RSUSR005
/VIRSA/ZVRAT
12. What is the difference between Execution and Simulation in GRC RAR?
Simulation: simulates the user's existing access together with the additional access before
the roles are assigned, and provides the SoD report that would result after the assignment.
Execution: runs the analysis on the user's existing access and provides the SoD report for
that access. There are two options: ignore mitigation yes and ignore mitigation no.
13. Difference between User Group in the "Logon Data" tab and the "Groups" tab in SU01?
In Logon Data you can map a user to only one group, but in the Groups tab you can map a
user to multiple groups.
The group shown in Logon Data identifies which group the user belongs to, while the Groups
tab adds the user to additional groups. For example, if a user is a Basis employee we put him
in that group on the Logon Data tab, and if we want to add him to more groups we add those
on the Groups tab.
14. A security admin kept a trace on a user, but on analysis it shows "zero records" found.
What should be done?
In general the production system runs on multiple application servers. Check, using
transaction SM51, whether the user and the security admin are logged on to the same
application server.
SU24: authorization checks under a transaction. SU24 accesses the customer tables USOBX_C
and USOBT_C.
SU22: authorization objects in transactions. SU22 accesses the standard tables USOBX and
USOBT.
SU21: maintain authorization objects.
16. What are the advantages of GRC in Segregation of Duties (SoD) when we compare
with VIRSA?
17. There is a derived role. If I copy that derived role, will the parent (master) role be the
same for the new role created from the derived role? If so, why; if not, why not?
Yes. If we copy a derived role, the parent role of that derived role becomes the parent role
of the new role as well, because a derived role gets all of its transactions and authorizations
from the parent role only. So when we copy a role, all transactions and authorizations are
copied from the source role, whether that source is a parent role or a derived role.
Org levels are customer-specific enterprise structures that are subject to authorization
check and vary by module. They include:
Company code
Controlling Area
Plant
Purchase Order and so on....
Ideally there is no limit on the number of composite roles/single roles that can be assigned
to a user. But keep in mind that the user buffer can hold only 312 profiles for a user. Hence
there is no use in assigning roles that amount to more than 312 profiles to a user. To extend
a user's authorizations beyond 312 profiles, use a reference user.
SAP_ALL is said to be a good example of a composite role, so is there a limit on single roles
in SAP_ALL? No, there is no limit on adding single roles to a composite role.
20. What is the difference between ECC security and RAR security when GRC is used, given
that similar functionality can be performed at the SAP R/3 (ECC) level?
RAR (Risk Analysis and Remediation) is a tool used, as the name suggests, for risk analysis
and remediation. It determines all potential risks that arise if a T-code, object, role or
authorization is assigned to a user. It also helps to remediate a risk using mitigation
techniques.
Put simply, in the ECC system you cannot see any risk while assigning roles.
In the RAR tool, the risk of a particular assignment is checked, and if a risk exists we can
mitigate it or simulate it. In other words, RAR is purely for SoD (segregation of duties).
SOD stands for segregation of duties. It is a primary internal control to prevent the risk,
identify a problem and take corrective action. It is achieved by assuring that no single user
has control over all phases of business transactions.
E.g.: the staff member who creates a purchase order must not approve it; a different person
must approve it.
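The SoD checks described in questions 12 and 20 (Execution on existing access, Simulation on existing plus proposed access, with and without mitigation) as a small added model. This is example code, not SAP GRC code; all roles, T-codes, functions, risks and mitigations below are constructed for illustration.

```python
"""Toy SoD risk analysis in the spirit of RAR 'Execution' vs 'Simulation'."""
from dataclasses import dataclass

# Constructed role -> T-code assignments (what the PFCG menu of each role grants).
ROLE_TCODES = {
    "Z_MM_PO_CREATE": {"ME21N", "ME22N", "ME23N"},
    "Z_MM_PO_RELEASE": {"ME28", "ME29N", "ME23N"},
    "Z_FI_DISPLAY": {"FB03", "FBL3N"},
}

# Constructed business functions: which T-codes realise which function.
FUNCTION_TCODES = {
    "PR01_CREATE_PO": {"ME21N", "ME22N"},
    "PR02_RELEASE_PO": {"ME28", "ME29N"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: tuple        # the conflicting functions; all must be reachable
    description: str


# Constructed rule set: the purchase order example from the text.
RISKS = [
    Risk("P001", ("PR01_CREATE_PO", "PR02_RELEASE_PO"),
         "Create a purchase order and release the same order"),
]

# Constructed mitigation assignments: (user, risk_id) -> mitigating control.
MITIGATIONS = {("JSMITH", "P001"): "MC_PO_DUAL_REVIEW"}


@dataclass
class Finding:
    user: str
    risk_id: str
    via: dict                   # function -> roles that grant it
    mitigated_by: str = None    # control id when a mitigation exists
    introduced: bool = False    # True when only the simulated roles cause it


def user_tcodes(roles):
    """Flatten the T-codes reachable through a set of roles, remembering the granting roles."""
    tcodes = {}
    for role in roles:
        for tcode in ROLE_TCODES.get(role, set()):
            tcodes.setdefault(tcode, set()).add(role)
    return tcodes


def analyse(user, roles, ignore_mitigation):
    """Core engine shared by execution and simulation."""
    tcodes = user_tcodes(roles)
    findings = []
    for risk in RISKS:
        via = {}
        for function in risk.functions:
            granting = set()
            for tcode in FUNCTION_TCODES[function]:
                granting |= tcodes.get(tcode, set())
            if not granting:
                break                   # one function is missing: no conflict
            via[function] = granting
        else:
            mitigation = MITIGATIONS.get((user, risk.risk_id))
            if mitigation and not ignore_mitigation:
                continue                # "ignore mitigation = no" hides mitigated risks
            findings.append(Finding(user, risk.risk_id, via, mitigation))
    return findings


def execute(user, assigned_roles, ignore_mitigation=False):
    """'Execution': analyse only the access the user already holds."""
    return analyse(user, set(assigned_roles), ignore_mitigation)


def simulate(user, assigned_roles, additional_roles, ignore_mitigation=False):
    """'Simulation': analyse existing plus proposed access before assigning anything.

    Returns the full report after the assignment; findings that exist only because
    of the additional roles are flagged as introduced.
    """
    before = {f.risk_id for f in execute(user, assigned_roles, ignore_mitigation)}
    after = analyse(user, set(assigned_roles) | set(additional_roles), ignore_mitigation)
    for finding in after:
        finding.introduced = finding.risk_id not in before
    return after
```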
11. How do we restrict authorization groups for table maintenance? Create an authorization
group using SE54 and restrict tables via authorization object S_TABU_DIS.
We can restrict authorization groups via object S_TABU_DIS. First we create an
authorization group in SE54, then we assign that authorization group in a role using the
object S_TABU_DIS.
13. What is the difference between a Parent role and a Composite role?
The parent role concept belongs to derived roles, where one role is derived from another
role (like inheritance). Whatever changes you make to the parent role are automatically
applied to the derived role as well.
One can also use "Authorization Data" functionality in transaction SU10 to complete this
task.
USOBX_C defines which authorization checks are to be performed within a transaction and
which are not. This table also determines which authorization checks are maintained in the
Profile Generator.
USOBT_C defines for each transaction and for each authorization object which default
values an authorization created from the authorization object should have in the Profile
Generator.
USOBT is the SAP-delivered table, whereas USOBT_C is the customer table. After the initial fill, you
can modify the customer tables, and therefore the behavior of the Profile Generator, if
required.
21. If we add org level elements in a master role, will they be reflected in the child role, and
how does AGR_1252 act as a barrier?
Org level elements do not affect the child roles. AGR_1252 shows the org values related to
a role.
22. How do you do mass user-to-role assignment using SECATT? Would you use SU01 or
SU10? Explain why you would use SU10 and not SU01.
We can assign a role to many users using SU10. We can do the same with SECATT.
23. Can SU10 be used for a mass password reset? Why not?
The password reset option is not available in SU10 for mass user maintenance.
24. If you want to reset the password for say 100 users in Production how will you do?
2A -->This compares the Profile Generator data from the previous release with the data for
the current release. New default values are written in the customer tables for the Profile
Generator. You only need to perform a manual adjustment later (in step 2B) for
transactions in which you changed the settings for check indicators and field values. You can
also display a list of the roles to be checked (step 2C).
2B-->If you have made changes to the check indicators or field values in transaction
“SU24”, you can compare these with the new SAP defaults.
You can see the values delivered by SAP and the values that you changed next to each
other, and can make an adjustment, if desired. You can assign the check indicators and field
values by double-clicking the relevant line.
26. What is the difference between Derived Role & Copy Role? Can't we just do a copy
instead of deriving it when both have the same characteristics or inputs or functions?
Derived role: a derived role inherits all properties, meaning all authorizations, from the
master role. If you make changes in the master role they are reflected in the child role, but
not vice versa. We cannot add authorizations in a derived role, but we can maintain its org
levels.
Copy role: copying a role means creating a new role identical to an existing one. Its name
has to be changed. There is no relation between the existing role and the copied role.
We can create roles, transport, copy, download and modify them; all of these things are
done from the PFCG T-code.
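A small added model of the master/derived/copy relationships discussed in questions 4, 5, 17, 21 and 26 (this is illustration code, not PFCG; role names, T-codes, authorization objects and org level fields are constructed). Derived roles take menu and authorization data from the master when the master pushes them down, keep their own org levels, and reject direct T-code changes; a copy has no link to its source, except that copying a derived role yields a role derived from the same master.

```python
from copy import deepcopy


class Role:
    """Constructed model of a PFCG single role."""

    def __init__(self, name, tcodes=(), auth_data=None, org_levels=None):
        self.name = name
        self.tcodes = set(tcodes)                  # menu content / S_TCODE values
        self.auth_data = deepcopy(auth_data or {})  # object -> field -> values (non-org fields)
        self.org_levels = deepcopy(org_levels or {})  # e.g. {"BUKRS": {"1000"}}
        self.parent = None                         # set only for derived roles
        self.derived = []                          # children, set only on a master role

    def derive(self, name, org_levels):
        """Derived role: inherits everything except the org level values."""
        child = Role(name, org_levels=org_levels)
        child.parent = self
        self.derived.append(child)
        child._inherit()
        return child

    def copy(self, name):
        """Copy role: same content, no link to the source.

        Copying a derived role produces a role derived from the same master (question 17).
        """
        if self.parent is not None:
            return self.parent.derive(name, self.org_levels)
        return Role(name, self.tcodes, self.auth_data, self.org_levels)

    def _inherit(self):
        """Take menu and authorization data from the master; org levels stay untouched."""
        self.tcodes = set(self.parent.tcodes)
        self.auth_data = deepcopy(self.parent.auth_data)

    def add_tcode(self, tcode):
        """T-codes can be added only in single/master roles, never in a derived role."""
        if self.parent is not None:
            raise PermissionError(
                f"{self.name} is derived; add T-codes in master role {self.parent.name}")
        self.tcodes.add(tcode)

    def maintain_org_level(self, field, values):
        """Org levels are maintained per role and are never overwritten by the master."""
        self.org_levels[field] = set(values)

    def generate_derived_roles(self):
        """'Adjust/generate derived roles' in the master: push data down to all children."""
        for child in self.derived:
            child._inherit()
        return [child.name for child in self.derived]
```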
29. What is the main purpose of the Parameters, Groups and Personalization tabs?
Parameters: whenever a user wants default values when executing a T-code, we can
maintain parameter IDs (PIDs) with the help of ABAPers.
Groups: based on the user's roles and responsibilities, the security admin can assign the user
to a particular group.
Personalization: this data is provided by SAP itself based on the T-codes maintained in the
Menu tab.
31. What happens to change documents when they are transported to the production
system?
Change documents cannot be displayed in transaction 'SUIM' after they are transported to
the production system because we do not have the 'before input' method for the transport.
This means that if changes are made, the 'USR10' table is filled with the current values and
writes the old values to the 'USH10' table beforehand.
The difference between both tables is then calculated and the value for the change
documents is determined as a result. However, this does not work when change documents
are transported to the production system. The 'USR10' table is automatically filled with the
current values for the transport and there is no option for filling the 'USH10' table in
advance (for the history) because we do not have a 'before input' method to fill the 'USH10'
table in advance for the transport.
SU22: maintains standard T-codes and their standard authorization objects (USOBX and
USOBT).
SU24: here we maintain customer-related T-codes and their authorization objects
(USOBX_C and USOBT_C).
35. What is the landscape of GRC?
36. What is the difference between Template role & Derive role?
SE16: SE16 is a data browser used to view the contents of a table. We cannot change or
append new fields to the existing structure of the table, as SE16 does not provide a
structure-level display.
SE16N: The transaction code SE16N (general table display) is an improved version of the old
data browser (SE16). It has been around for some time, but is not widely known amongst
Consultants and end users of SAP. It looks a bit different to the old “data browser”
functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" without the quotation marks
into the transaction code. This enables editing functionality on SE16N and allows you to
make table changes. This allows you to access both configuration and data tables which
may be otherwise locked in a production environment.
** Whilst this may appear to be a short cut and allow you to access a back door which is
normally shut, this hidden feature should be used with caution in any SAP client - especially
a live or production system.
Limitations of SE16N:
**You can only output one table at a time. If you wish to output more than one table you
can use the available reporting tools or the QuickViewer (transaction code SQVI)
functionality within SAP.
38. Is it possible to assign two roles with different validity periods to a user in one shot
through GRC? If yes, how?
If you are talking about the GRC Access Enforcer tool, there is an option to set a validity
period per role while creating an Access Enforcer request. When you click the "Select roles"
button, search for a role and add it in the Roles tab, you can see a Validity Period column
which you can change. You can add multiple roles to one user by simply repeating the "Add"
role activity. I hope this is what you are asking for.
39. How do you get the e-mail addresses of 100 users at a time?
With a SECATT script, or: to get the e-mail addresses of a number of users, go to SE16, table
ADR6, and enter the person numbers or address numbers.
To get the address numbers or person numbers, extract the users' data from table USR21.
40. While Creating BW roles what are the Authorization Objects we will use?
41. While creating a single role, what happens on the functional side when the template
role is entered in the Derived Role field?
Don't know.
42. When we change the password for many users (for example, 100 users):
43. (A) Where is the password stored? (B) From where can you recollect the password?
(C) How will you communicate the password to all users at once?
44. What is Virsa? Once you enter the screen, what does it do?
Before GRC came into the picture there were other tools on the market for this kind of
analysis: VIRSA and APPROVA. Both are Indian companies. VIRSA developed tools such as
Firefighter, Compliance Calibrator, Access Enforcer and Role Expert for risk analysis, but in
2006 VIRSA was taken over by SAP and the tools were renamed Superuser Privilege
Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning
(CUP) and Enterprise Role Management (ERM) respectively.
Virsa FireFighter for SAP: enables super-users to perform emergency activities outside the
parameters of their normal role, but within a controlled, fully auditable environment. The
application assigns a temporary ID that grants the super-user broad yet regulated access,
and tracks and logs every activity the super-user performs using that temporary ID.
There is no SM24 T-code in SAP. Coming to SU24: here we maintain the assignment of
authorization objects to a particular T-code, check the relation between the T-code and the
relevant authorization objects, and make changes according to business needs. In other
words, we maintain authorization objects, their fields and field values.
46. While creating a single role, what happens on the functional side when you enter the
template role in the Derived Role field?
47. What are Dialog users, Batch users and Communication users? What is the use of a
Communication user?
A Dialog user is used by an individual for all kinds of interactive logon. A Batch (system) user
is used for background processing and communication within the system. A Communication
user is used for external RFC calls (connections across systems).
48. Can we add one composite role into another composite role, whether for urgent user
requests or normal user requests?
We cannot add a composite role into another composite role, but we can add multiple
single/derived roles into one composite role.
49. In transports, which type of request do we use? Why don't we use a workbench request
for transport?
Most of the time we transport both workbench and customizing requests. About 95% of our
transports are customizing transports, since we do settings, configuration, creation etc. in
the DEV system and transport them to the QUA or PRD systems.
Settings, configuration etc. done by Basis, Security and functional consultants are treated as
customizing, whereas programs, packages etc. developed and transported by ABAPers are
treated as workbench.
50. When we add an authorization object to a template role, what happens in the derived
role at the same time?
51. How do you check profile parameters? And how do you find out whether a transport has
ended with errors, and where can you check?
T-code RZ10 to check profile parameters. In T-code STMS we can check the transport error
logs: click Import Overview (truck icon) on the STMS screen, and on the next screen we have
options such as Import Monitor, Import Tracking and Import History; these show the
transport issues.
52. How do you extract the list of users who have not logged on for 3 months? And for
90-day user locking, which table do we use?
T-code SUIM: Users -> By Logon Date and Password Change -> enter * in User, enter 90 in
"Days since last logon", tick Locked users and execute. Or run report RSUSR200 to get the
information.
53. What are an OSS connection and system opening, and why do we have to open them?
OSS means Online Service System, through which SAP provides service to R/3 users.
54. What does one single role contain, and how many profiles can there be in one SAP CUA
system?
A single role contains T-codes, reports and URLs, profiles and users. The maximum is 312
profiles.
55. What is the difference between a Template role and a Derived role?
A template role is nothing but a default role provided by SAP. A template role may be a
single, composite or derived role. Template roles have no generated profiles or
authorizations, are not assigned to users, and have no org levels maintained.
A derived role is nothing but a single role that is derived from a master role; it can restrict
org levels and can be assigned to users.
SOX is an ad hoc standard for financial transparency, trust, and corporate accountability.
It is mandatory for all public owned companies.
There are two main sections 302 and 404.
302 for financial transparency and disclosure and 404 for internal controls.
GxP is a general term for Good (Anything...) Practice quality guidelines and regulations.
These guidelines are used in many fields, including the pharmaceutical and food industries.
The purpose of the GxP quality guidelines is to ensure a product is safe and meets its
intended use. GxP guides quality manufacture in regulated industries including food, drugs,
medical devices and cosmetics.
The most central aspects of GxP are:
Traceability: the ability to reconstruct the development history of a drug or medical device.
Accountability: the ability to resolve who has contributed what to the development and
when.
57. What is the difference between the VIRSA tool and GRC, and does the VIRSA tool
support ECC 6.0? What is GRC? What is the SAP VIRSA tool?
Governance, Risk, and Compliance (GRC). The goal of GRC is to help a company efficiently
put policies and controls in place to address all its compliance obligations while at the same
time gathering information that helps to run the business proactively. This means that
business processes should comply with effective process controls in line with the relevant
industry business processes, accounting processes and government policy. In conclusion,
government organizations and public companies listed on local stock markets are
accountable for having effective governance and process controls to protect shareholder
rights and prevent organized corporate fraud and scams.
GRC tools and IT applications: there are many GRC audit tools on the market to facilitate
internal and external audits of companies.
Yes: add that role to a transport request first and then delete it from the DEV system. After
the deletion, transport the request to the QA and PRD systems.
62. When creating a role, what should we write in the description, and what does your
company follow?
The description of a role briefly defines the activity the role is related to. Just by reading the
description, one can easily know the role details, such as which SAP module the role belongs
to (MM/PP/FICO), the company code or other org level values it is restricted to, and the
activity that can be performed after assigning that role.
66. What are the types of requests? And which do we create for transport?
Generally there are two types of transport request.
1) Workbench request: client independent; used generally in CUA, where the changes made
are transported to cross-client tables.
2) Customizing request: client dependent.
67. I want to reset the passwords of 100 users. How do you do it?
Mass password resetting is an easy task. Log on to the LSMW T-code, create a project (which
is very easy), record a batch input session and run it. It hardly takes 2 minutes. Alternatively,
use a SECATT script.
If you have implemented VIRSA/GRC, a FireFighter ID is also a normal user ID, but with some
specific access (say SU01 or SAP_ALL) as per the needs. Its user type is kept as "Service".
Example: in your project you are a security administrator who does not have direct access
to SU01, but you need that access urgently.
The FFID owner/administrator then assigns you an FFID for a limited period, so that you can
perform the task from your own login ID and password by running T-code /n/VIRSA/VFAT
and logging on with that FFID.
While logging on you are prompted to give a business reason for the access. Everything you
perform in that period using the FFID is recorded for auditing.
A role is a set of functions/activities assigned to a user based on his business role.
Assigning a role to the user does not by itself mean that the user can execute those
functions; this is governed by profiles. Profiles are required to give the necessary
authorizations to the users through their respective roles.
70. What is the difference between SoX and SoD? What kind of work do SoX and SoD do?
What is VIRSA? And what are VRAT and VFAT, and how do they work in security?
SoX refers to the Sarbanes-Oxley Act of the early 2000s. It affects all US companies,
whether they operate in the US or in other countries. Some people consider this act
significant because it followed the collapse of big companies such as Enron.
SoD refers to Segregation of Duties. Basically, one person cannot have access to the whole
process; the tasks need to be segregated so that there are checks and balances.
VIRSA is one of the third-party tools used to check a company's SoX compliance. Apart from
it there are other products such as APPROVA and SecurInfo. VIRSA has since been bought by
SAP and rebranded as GRC (Governance, Risk and Control).
71. What troubleshooting do we do with the transactions SU53, ST01, SUIM and ST22?
SU53: gives a screenshot of the details of the last missing authorization for the user ID.
ST01: sometimes SU53 is wrong; with ST01 we run a trace that records the authorization
checks performed for the user ID.
SUIM: used to pull authorization reports; usually we analyse the output of SU53 and ST01
and use the results as input for SUIM to pull the authorization reports.
72. What is the use of a Detour path? How does a Fork path differ from a Detour path?
If a workflow fulfils a certain condition, e.g. an SoD violation, the original workflow ends and
takes a predefined alternative route (the detour). This alternative path can contain other
stages and additional approvers.
A fork is a way to split up a workflow from a single initiator between SAP and non-SAP
systems.
73. I have deleted a single role from a composite role and now want to find the changes in
the composite role without using SUIM. Is there any other way to get them?
74. What is the name of background job in FF that is responsible for sending notification
and logs to FF id controller?
/VIRSA/ZVFATBAK or /n/VIRSA/VFATBAK
Scheduling and administrating of background jobs can be done by using T-codes SM36 and
SM37
76. How to get ticket from end user? Which ticketing tool you are using?
Collection of rules is nothing but Rule Set. There is a default Rule Set in GRC called Global
Rule Set.
78. How can you reassign FireFighter IDs from one FireFighter Admin to another if the
current Admin leaves the organization without telling anybody?
Take the user ID of the person who left the company, go to T-code SE16, enter table name
/VIRSA/zffusers and execute.
In the second column enter the user ID of the person who left and execute; this gives the
list of FF IDs assigned to that user. Note those FF IDs, run T-code /n/VIRSA/VFAT, go to the
Maintain FF IDs table and replace the user ID with the new person's user ID.
79. What is the difference between ECC 4.7, ECC 5 and ECC 6 from an SAP Security point of
view?
SAP ECC 4.7 is an ABAP-based system; here we deal only with R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means the
Enterprise Portal is also included. Here we have both R/3 security for the ABAP stack and
Java stack security, which includes the portal concept (Enterprise Portal security).
SAP GRC, which is a security tool, can be implemented only with ECC 5.0 and ECC 6.0, not
with ECC 4.7.
1. Log on to the SAP system and execute transaction code SU01. (Path to SU01 via the user
menu: Tools -> Administration -> User Maintenance -> Users.)
2. Enter a username in the "User" field and click Create. On the next screen there are
various tabs such as Address, Defaults, Parameters, Roles, Profiles etc.
3. In the "Address" tab, fill in the necessary fields (Last Name is mandatory).
4. In the "Logon data" tab, select the "User Type" and fill in the "Initial Password" (the initial
password is mandatory in all cases except when the "User Type" selected is "Reference").
5. Similarly, fill in the other information in the remaining tabs, viz. "Defaults", "Parameters",
"Systems", "Roles", "Profiles" etc.
6. Now click Save. The user is created.
83. What mandatory fields need to be filled while creating a user in SAP?
Last name is mandatory for creating any user type. Initial password needs to be given
for all user types except “Reference users“.
84. Which table contains the list of developers (development users) including registered
Developer access keys?
DEVACCESS table contains the list of developers and their developer access keys.
86. What is the difference between authorization user group and logon group?
Authorization user group is used for user management purpose. Each user group is
managed by certain security administrators. Authorization
object S_USER_GRP determines users of which user group can be administered by a
certain user admin. Those users who are not assigned to any user group can be
administered by all the security user admins.
Logon groups are generally created by SAP Basis Administrators and used for logon load
balancing. These are logical groups of users. These users can be assigned to one or more
SAP instances. When a Logon group is assigned to an SAP instance, all users belonging to
that logon group would by default logon to that particular instance. Hence logon group
helps in load balancing.
87. What steps are checked by the system when an interactive user executes a transaction
code?
1. First it is checked whether the transaction is a valid transaction code. This is checked
in table TSTC. If the tcode does not exist, the system gives the message that the
transaction does not exist.
2. If the tcode is valid, the system checks whether the tcode is locked or unlocked.
Field CINFO in TSTC is used to determine whether the transaction is locked or
unlocked.
3. The system then checks whether the user has the necessary tcode value maintained
in authorization object S_TCODE in his/her user buffer. If the authorization object
S_TCODE contains the required tcode, the system checks whether any additional
authorization check is assigned to the tcode via SE93. This value can be found on the
initial screen of SE93 for that tcode, or in table TSTCA.
4. Further authorization checks take place based on the values present in the source
code under the AUTHORITY-CHECK statements and on the activity performed by the user.
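The four-step sequence above, as an added simulation (this is illustration code, not SAP code): TSTC, TSTCA and the user buffer are modelled as dictionaries with constructed content, a boolean stands in for the lock bit of TSTC-CINFO, and the program names and user names are made up.

```python
"""Simulation of the checks performed when a dialog user starts a transaction code."""

# Constructed TSTC: transaction code -> program and lock status (stands in for CINFO).
TSTC = {
    "SU01": {"program": "Z_PROGRAM_SU01", "locked": False},
    "SE16": {"program": "Z_PROGRAM_SE16", "locked": False},
    "SCC4": {"program": "Z_PROGRAM_SCC4", "locked": True},
}

# Constructed TSTCA: additional authorization check maintained in SE93 for a tcode.
TSTCA = {
    "SU01": ("S_USER_GRP", {"ACTVT": "03"}),
}

# Constructed user buffers: object -> list of authorizations (field -> allowed values).
USER_BUFFER = {
    "JSMITH": {
        "S_TCODE": [{"TCD": ["SU01", "SE1*"]}],
        "S_USER_GRP": [{"CLASS": ["SUPER"], "ACTVT": ["03"]}],
    },
    "AJONES": {
        "S_TCODE": [{"TCD": ["SE16"]}],
    },
    "BKUMAR": {
        "S_TCODE": [{"TCD": ["SU01"]}],     # start authorization, but no S_USER_GRP
    },
}


def value_matches(pattern, value):
    """Authorization value matching: exact value, '*' for any, or a trailing '*' wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user, auth_object, required):
    """Equivalent of an AUTHORITY-CHECK: one authorization must satisfy every required field."""
    for authorization in USER_BUFFER.get(user, {}).get(auth_object, []):
        satisfied = all(
            any(value_matches(p, value) for p in authorization.get(field, []))
            for field, value in required.items()
        )
        if satisfied:
            return True
    return False


def start_transaction(user, tcode, program_checks=()):
    """Run the four steps. program_checks lists (object, required fields) pairs that
    model the AUTHORITY-CHECK statements the program would execute. Returns (ok, message)."""
    # 1. Does the transaction exist in TSTC?
    entry = TSTC.get(tcode)
    if entry is None:
        return False, f"Transaction {tcode} does not exist"
    # 2. Is it locked (TSTC-CINFO)?
    if entry["locked"]:
        return False, f"Transaction {tcode} is locked"
    # 3a. Start authorization: S_TCODE with TCD = tcode from the user buffer.
    if not authority_check(user, "S_TCODE", {"TCD": tcode}):
        return False, f"You are not authorized to use transaction {tcode}"
    # 3b. Additional check maintained in SE93 / TSTCA.
    extra = TSTCA.get(tcode)
    if extra and not authority_check(user, extra[0], extra[1]):
        return False, f"No authorization for {extra[0]} required by {tcode}"
    # 4. Checks in the program code, driven by what the user actually does.
    for auth_object, required in program_checks:
        if not authority_check(user, auth_object, required):
            return False, f"Program check failed: {auth_object} {required}"
    return True, f"Transaction {tcode} started ({entry['program']})"
```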
86. How do we know who made changes to Table data and when?
If checkbox for table Log Changes is enabled, table DBTABLOG keeps all the log data for
the related table.
USOBX_C and USOBT_C are tables which are used for SU24 transaction code.
The table USOBX_C defines the status of authorization checks for authorization objects,
i.e. whether the “check indicator” is set to yes or no. It also defines the proposal status,
i.e. whether the authorization check values are being maintained in SU24 or not.
The table USOBT_C defines the “values” which are maintained for check-maintained
authorization objects.
89. What does the different color light denote in profile generator?
Red – It means that some organizational value has not been maintained in org field in
profile generator.
Yellow – It means that there are some or all fields in certain authorization instances
which are blank (not maintained)
Green – It means that all the authorization fields are maintained (values are assigned).
There is a bit of caution involved here. Make sure that whatever change related to this
conversion is made is done in the initial stage of security role design/system setup. In case
this task is performed at a later stage, there is a risk that this will impact lots of existing
roles. All those roles would require analysis and authorization data will have to be adjusted.
NOTE : Authorization fields TCD (Tcode) and ACTVT (Activity) cannot be converted to org
level fields.
All Activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ.
The tables can be accessed via SE16 tcode.
92. What important authorization objects are required to create and maintain user
master records?
Following are some important authorization objects which are required to create and
maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations
Table USR40 is used to store illegal passwords. It can be used to store patterns of words
which cannot be used as passwords.
94. Explain the concept of “Status Text for Authorizations” – Standard, Changed,
Maintained and Manual.
A Role is like a container which contains authorization objects, transaction codes etc. A
profile contains authorizations. When a role is generated using PFCG, a profile is
generated which contains authorizations (instances of authorization objects).
Description - We define the role name and role text. We also have a text
description option at the bottom where we can provide other details related to
the role. Those details can be the ticket no through which the role was created,
the various changes (addition/removal of tcodes, authorization objects etc) and
the date when those changes took place and the user who performed that task
etc. It is a good practice to make use of this space as it helps in identifying the
reasons for changes.
Menu - For designing user menus like for addition of tcodes etc.
Authorizations - For maintenance of Authorization data. Also for
generating authorization profile.
User – For assigning users to role and for adjusting user master Records.
When a role is used for generating authorization profile, then the user master
record needs to be compared so that the generated authorization profile can be entered
in the user master record. This comparison is done using tcode PFUD or by scheduling
the report PFCG_TIME_DEPENDENCY.
Maximum number of profiles that can be assigned to any user master record is 312.
Table USR04 contains the profiles assigned to users. The field PROFS in USR04 table is
used for saving the change flag and the name of the profiles assigned to the user. The
change flags are – C which means “User was created” and M which means “User was
changed”. The field PROFS is defined with a length of 3750 characters. Since the first
two characters are intended for the change flag, 3748 characters remain for the list of
the profile names per user. Because of the maximum length of 12 characters per profile
name, this results in a maximum number of 312 profiles per user.
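The PROFS packing described above, as an added model that derives the 312 limit from the field layout rather than stating it (illustration code, not SAP code; the exact internal encoding of USR04-PROFS is simplified to the fixed-width layout the text describes, and the profile names are constructed).

```python
# Field layout as described for USR04-PROFS (constructed simplified model).
PROFS_LENGTH = 3750         # total length of the PROFS field
FLAG_LENGTH = 2             # leading change flag: 'C' created, 'M' changed
PROFILE_NAME_LENGTH = 12    # fixed width of one profile name
MAX_PROFILES = (PROFS_LENGTH - FLAG_LENGTH) // PROFILE_NAME_LENGTH   # 312


def pack_profs(change_flag, profiles):
    """Build the PROFS value for a user; raises ValueError when it would not fit."""
    if change_flag not in ("C", "M"):
        raise ValueError(f"unknown change flag {change_flag!r}")
    if len(profiles) > MAX_PROFILES:
        raise ValueError(f"{len(profiles)} profiles exceed the limit of {MAX_PROFILES}")
    for name in profiles:
        if not name or len(name) > PROFILE_NAME_LENGTH:
            raise ValueError(f"invalid profile name {name!r}")
    body = "".join(name.ljust(PROFILE_NAME_LENGTH) for name in profiles)
    return (change_flag.ljust(FLAG_LENGTH) + body).ljust(PROFS_LENGTH)


def unpack_profs(profs):
    """Split a PROFS value back into the change flag and the list of profile names."""
    flag = profs[:FLAG_LENGTH].strip()
    names = [profs[i:i + PROFILE_NAME_LENGTH].strip()
             for i in range(FLAG_LENGTH, PROFS_LENGTH, PROFILE_NAME_LENGTH)]
    return flag, [name for name in names if name]


def profiles_left(profs):
    """How many more generated profiles still fit into this user master record."""
    return MAX_PROFILES - len(unpack_profs(profs)[1])
```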
No. A composite role cannot be assigned to another composite role. Single roles are
assigned to composite roles.
The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does
not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be
used for this purpose.
All possible activities (ACTVT) are stored in table TACT , and the valid activities for
each authorization object can be found in table TACTZ.
How to remove duplicate roles with different start and end date from user master?