
SAP ECC

By Raghu Boddu for SAPSecurityExpert.com

The FAQs in this document are collected, organized, (some are created) by Raghu Boddu for the SAP Security Experts
(SAPSecurityExpert.com) from various sources such as SAP SCN, and other SAP Security forums and websites.

My sincere thanks to those who spent time in addressing the users with suitable and fantastic answers in the forums.

Regards,
Raghu Boddu

Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
1. What is SAP?

SAP stands for "Systems, Applications and Products in Data Processing." It was founded in 1972
by five former IBM employees in Germany.

The great advantage of SAP is that it provides a common, centralized database for all the applications
running in an organization. The application is assembled in such a versatile way that it covers every
functional department within an organization. Today major companies, including Microsoft and IBM,
use SAP's products to run their own businesses.

R/2, which ran on a mainframe architecture, was the first SAP version. SAP's products are generally
focused on Enterprise Resource Planning (ERP). SAP's applications are built around the R/3 system, which
provides the functionality to manage product operations, cost accounting, assets, materials and
personnel. The R/3 system runs on most platforms, including Windows, and it uses the
client/server model.

2. What is ERP?

ERP is a software package built on techniques and concepts for the integrated management of the business as a
whole, aimed at the effective use of management resources and at improving the efficiency of an enterprise.

Initially, ERP was targeted at the manufacturing industry, mainly for planning and managing core
business areas such as production and finance. As ERP packages grew and proved their merits, ERP software
came to be designed for the basic processes of any company, from manufacturing to small shops, with the goal of
integrating information across the company.

Source – Tech interviews

3. What is IDES?

IDES stands for International Demonstration and Education System. It is a sample SAP system provided
by SAP for faster learning and implementation. This version is used only for training purposes. IDES
comes with sample (dummy) business data so that you can quickly learn SAP.

4. How to create users?

User IDs in SAP can be created in the following ways:

• Using transaction code SU01 (single user maintenance)
• Using transaction code SU10 (mass user maintenance)
• Using CATT/eCATT scripts

Refer to the "Learnbasis - User Management Activities in SAP.PDF" document for detailed procedures.

5. What is PFCG?

PFCG is the transaction code used to start the Profile Generator. The SAP Profile Generator is a tool
that automatically generates authorization profiles for roles and assigns them to the role.

The Profile Generator reduces the time needed for an authorization implementation. It
automatically selects the authorization objects that are relevant for the transaction codes added
to the role menu (based on the SU24 defaults). An administrator then only needs to maintain the customer-specific field values.
Profile Generator was released with the 3.1G version of SAP and has really changed the way
authorizations were implemented in SAP.

6. What is the difference between USOBX_C and USOBT_C?

USOBX_C and USOBT_C are the customer tables (the customer copies of the SAP default tables USOBX and
USOBT). They are filled using transaction code SU25 in a fresh implementation or after an upgrade.

The table USOBX_C defines which authorization checks are to be performed within a transaction and
also determines which authorization checks are maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which default
values an authorization created from the authorization object should have in the Profile Generator.

7. What authorization are required to create and maintain user master records?

To create and maintain users, the following authorization objects are the minimum required:

S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

To assign roles to users, S_USER_AGR (Authorizations: Role check) is required in addition.

8. What is a role?

A role is a grouping of privileges, which can be assigned to the users. In the other words, a role is a
collection of transaction codes, reports, and authorization objects which are further restricted based
on the function of the user.

9. What is a derived role?

A derived role is a role which inherits the menu structure and the functions included (transactions,
reports, Web links, and so on) from a reference role.

A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values which can be
changed afterwards.

However, the organizational level values are not inherited by the derived role; they
must be maintained individually in each derived role.

10. What is a composite role?

A composite role is a container that can collect several different roles. It is also called a collective
role.

Composite roles do not contain authorization data. If you want to change the authorizations (that are
represented by a composite role), you must maintain the data for each role of the composite role.

Creating composite roles makes sense if some of your employees need authorizations from several
roles. Instead of adding each user separately to each role required, you can set up a composite role
and assign the users to that group.

Note that a composite role can’t contain another composite role.

11. What is user comparison?

User comparison reconciles the profiles in a user's master record with the roles assigned to the user
and makes the necessary changes. This matters in particular when roles have been assigned with a
Valid-To date: once the Valid-To (expiry) date of a role assignment has passed, the user comparison
removes the profile of that role from the user master record.

A red status light on the User tab in PFCG means that a user comparison should be executed to
reconcile the profiles of the assigned users. The same indication is visible in SU01 when a role
assignment shows a red light.

SAP recommends scheduling the report PFCG_TIME_DEPENDENCY as a daily background job to perform the
user comparison and keep the user master records of the system clean.

You can also run the comparison manually using transaction code PFUD.

http://help.sap.com/saphelp_bw21c/helpdata/en/52/6711ec439b11d1896f0000e8322d00/content.htm

12. What is Security?

Security is the degree of protection against danger, loss, or a business threat.

Security as a form of protection consists of the structures and processes that provide or improve
security as a condition.

At the application level, it is the condition that prevents unauthorized persons from gaining access to
information that is safeguarded through various security measures.

13. What is Application Security?

Application security encompasses measures taken throughout the application's life cycle to prevent
exceptions in the security policy of an application or the underlying system (vulnerabilities) caused by
flaws in the design, development, deployment, upgrade, or maintenance of the application.

Below are some of the standards and regulations commonly referred to in this context:

• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• IEEE P1074 (software life cycle processes)
• ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character systems

14. What is SAP Security and which security standards and regulations it recommends?

SAP Security applies the same application security approach: measures are taken
throughout the SAP system's life cycle to prevent unauthorized access to the system. For companies
subject to the Sarbanes-Oxley Act (SOX), periodic reviews of users, roles and critical authorizations are
used to identify threats quickly and either fix or mitigate them as they occur.

Maintaining the system with defined processes for user management and role management activities
is also part of these security standards.

15. What is user buffer?

Whenever a user logs on to the SAP system, a user buffer is built containing all authorizations of
that user. Each user has an individual user buffer. It can be viewed using transaction code
SU56.

A user fails an authorization check if:

• The authorization object does not exist in the user buffer
• The values checked by the application are not assigned to the authorization object in the user
buffer
• The user buffer contains too many entries and has overflowed. The maximum number of entries in the
user buffer is controlled by the system profile parameter auth/number_in_userbuffer.

16. How to reset the user buffer? And also the other various buffers?

Normally it is enough to have the user log off and log on again, which rebuilds the user buffer
automatically. If you wish to reset the buffer manually, go to transaction code SU56, open the
Authorization values menu and select the "Reset User Buffer" option.

To reset the buffer of a different user, first switch to that user with the corresponding button.

Please note: resetting the application server buffers affects the performance of the entire system
until the buffers have been filled again.

Below are the OK-code commands to reset the various application server buffers:

/$SYNC - all buffers of the application server
/$CUA - the CUA (menu) buffer of the application server
/$TAB - the table buffers of the application server
/$DYNP - the screen buffer of the application server

17. How many roles/profiles can be assigned to any user?

SAP does not restrict the number of roles assigned to a user. However, the maximum number of profiles
that can be assigned to a user is 312.

Table USR04 holds the profile assignments for users. It contains both the change status of a user and
the list of profile names assigned to the user.

The PROFS field stores the change indicator (C = user created, M = user changed) followed by the
names of the profiles assigned to the user. The field is defined with a length of 3,750 characters. Since
the first two characters are used for the change indicator, 3,748 characters remain for the list of
profile names per user. With a maximum length of 12 characters per profile name, the
maximum number of profiles per user is 312.

SAP Note 841612 delivered a solution that increased the number of usable profiles per user from 300 to
the maximum of 312.

18. How can I find out all field values for ACTVT?

All possible activities (ACTVT) are stored in table TACT. Also, the valid activities for each
authorization object can be found in table TACTZ.

19. How can I check all the Organization value in a role?

Execute transaction code SE16 or SE16N. Enter the table name AGR_1252. Enter the role name in the
AGR_NAME field and execute. The result lists every organizational level field of the role with its values.

20. How to remove duplicate roles with different start and end date from user master?

To remove duplicate role assignments from the user master, perform the following:

1. Go to SE38 (you can also use transaction code SA38).
2. Enter the program name PRGN_COMPRESS_TIMES.
3. Click Execute.
4. Enter the role name (you can also specify a range of roles or a list of users).
5. Click Execute.

NOTE: A list of user IDs can be specified to remove the duplicate/expired role assignments of those
users only.

Simulation Run - performs a simulation for the given roles/user IDs and lists the changes without
making them.
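The following is an added example (not from the original FAQ and not SAP's own code) that models in Python what PRGN_COMPRESS_TIMES does to a user's role assignments: overlapping or back-to-back validity periods of the same role are merged into one assignment, and assignments that had already expired before the reference date are dropped, with a simulation mode that only reports the effect. The user names, role names and dates are constructed sample data.

```python
# Added example, not SAP code: compressing duplicate role assignments the way
# PRGN_COMPRESS_TIMES does. The sample rows below are constructed.
from datetime import date


def compress_times(assignments, today):
    """assignments: list of (user, role, valid_from, valid_to) with date values.
    Returns (compressed, dropped): one row per connected validity period of
    each (user, role), and the number of input rows merged away or expired."""
    by_key = {}
    for user, role, start, end in assignments:
        if end < today:                      # already expired: remove the row
            continue
        by_key.setdefault((user, role), []).append((start, end))

    compressed = []
    for (user, role), periods in sorted(by_key.items()):
        periods.sort()
        merged = [list(periods[0])]
        for start, end in periods[1:]:
            last = merged[-1]
            # overlapping, or starting the day after the previous period ends;
            # the subtraction avoids overflowing on the 9999-12-31 end date
            if (start - last[1]).days <= 1:
                last[1] = max(last[1], end)
            else:
                merged.append([start, end])
        compressed.extend((user, role, s, e) for s, e in merged)
    return compressed, len(assignments) - len(compressed)


def simulate(assignments, today):
    """Simulation run: report what would change without touching the data."""
    compressed, dropped = compress_times(assignments, today)
    return {"before": len(assignments), "after": len(compressed), "dropped": dropped}


# Constructed sample: three overlapping/adjacent/expired assignments for JDOE.
TODAY = date(2011, 6, 1)
SAMPLE = [
    ("JDOE", "Z_FI_DISPLAY", date(2010, 1, 1), date(2010, 12, 31)),   # expired
    ("JDOE", "Z_FI_DISPLAY", date(2011, 1, 1), date(2011, 6, 30)),
    ("JDOE", "Z_FI_DISPLAY", date(2011, 7, 1), date(9999, 12, 31)),   # back-to-back
    ("JDOE", "Z_MM_BUYER", date(2011, 3, 1), date(2011, 9, 30)),
    ("JDOE", "Z_MM_BUYER", date(2011, 5, 1), date(2011, 8, 31)),      # overlapping
    ("ASMITH", "Z_MM_BUYER", date(2011, 1, 1), date(9999, 12, 31)),
]

if __name__ == "__main__":
    print(simulate(SAMPLE, TODAY))
    for row in compress_times(SAMPLE, TODAY)[0]:
        print(row)
```

Run the simulation first, as you would with the report's Simulation Run option, and only apply the compressed list once the dropped count matches what you expect.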

21. How to change the parent role of a derived role?

It is not possible to change the reference (parent) role once a role has inherited its properties from
it.

The only option is to delete the derived role that is no longer required and create a new derived role with
the new relationship.

22. How to find derived roles under master roles?

To get a list of the derived roles under a master role, perform the following:

• Go to transaction code SE16 or SE16N
• Enter the table name AGR_DEFINE
• Enter the master role in the PARENT_AGR (reference role) field, which is the second role field on the
selection screen, and execute

This lists all the derived roles together with their master role.

23. How many authorizations fit into a profile?

A maximum of 150 authorizations fit into a profile. If the number of authorizations in a role exceeds this,
the Profile Generator automatically creates additional profiles for the role.

A profile name consists of twelve (12) characters; the first ten (10) may be changed when the profile is
generated for the first time.
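Questions 17 and 23 together define two limits that interact: 150 authorizations per generated profile, and 312 profile names in USR04-PROFS. The following added example (not from the original FAQ and not SAP's own code) turns that arithmetic into a check that tells you how many profiles a user's role assignments will produce and whether they still fit. The profile naming scheme (a ten-character base plus a two-digit running number) and the fixed twelve-character slots in PROFS are assumptions for the example, as is the sample data.

```python
# Added example, not SAP code: profile limits per role and per user, derived
# from the numbers given in questions 17 and 23. The naming scheme and the
# fixed 12-character PROFS slots are assumptions; sample data is constructed.
import math

PROFS_LENGTH = 3750            # length of USR04-PROFS
CHANGE_FLAG_LENGTH = 2         # change indicator (C/M) at the start of PROFS
PROFILE_NAME_LENGTH = 12       # maximum length of a profile name
AUTHS_PER_PROFILE = 150        # authorizations the Profile Generator packs into one profile


def max_profiles_per_user():
    """3748 usable characters / 12 characters per profile name = 312."""
    return (PROFS_LENGTH - CHANGE_FLAG_LENGTH) // PROFILE_NAME_LENGTH


def profiles_for_role(authorization_count):
    """A generated role needs ceil(n / 150) profiles; an empty role has none."""
    return math.ceil(authorization_count / AUTHS_PER_PROFILE)


def generated_profile_names(base, authorization_count):
    """Assumed naming: a 10-character base the administrator may change, plus
    a 2-digit running number, e.g. T-AB12345600, T-AB12345601, ..."""
    if len(base) != PROFILE_NAME_LENGTH - 2:
        raise ValueError("profile base must be %d characters" % (PROFILE_NAME_LENGTH - 2))
    return ["%s%02d" % (base, i) for i in range(profiles_for_role(authorization_count))]


def profile_budget(roles):
    """roles: {role_name: authorization_count} for one user, with composite
    roles already expanded into their single roles. Returns (needed, fits)."""
    needed = sum(profiles_for_role(n) for n in roles.values())
    return needed, needed <= max_profiles_per_user()


def decode_profs(profs):
    """Split a PROFS value into (change_flag, [profile names]), assuming the
    fixed 12-character slots that the 3748 / 12 arithmetic implies."""
    flag = profs[:CHANGE_FLAG_LENGTH].strip()
    body = profs[CHANGE_FLAG_LENGTH:]
    names = [body[i:i + PROFILE_NAME_LENGTH].strip()
             for i in range(0, len(body), PROFILE_NAME_LENGTH)]
    return flag, [n for n in names if n]


# Constructed sample data.
SAMPLE_ROLES = {"Z_FI_AP_CLERK": 140, "Z_MM_BUYER": 310, "Z_BASIS_DISPLAY": 0}
SAMPLE_PROFS = ("M " + "T-AB12345600".ljust(12) + "T-AB12345601".ljust(12)
                + "T-CD98765400".ljust(12)).ljust(PROFS_LENGTH)

if __name__ == "__main__":
    print(max_profiles_per_user())                          # 312
    print(generated_profile_names("T-AB123456", 310))       # three profiles
    print(profile_budget(SAMPLE_ROLES))                     # (4, True)
    print(decode_profs(SAMPLE_PROFS))
```

A user who collects many large single roles through composite roles can hit the 312 limit long before anyone has assigned 312 roles, which is why the budget is computed on generated profiles rather than on roles.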

24. What is the procedure to convert an Authorization field to Org field ?

An authorization field can be converted into an organizational level field using the ABAP program
PFCG_ORGFIELD_CREATE. The steps are:

1. Go to transaction code SE38 or SA38.
2. Enter the ABAP program name PFCG_ORGFIELD_CREATE.
3. Enter the authorization field.
4. Click Execute.

Use the Test mode option first to obtain the list of roles affected by the change. Also, note that
organizational level fields should be created before you start building your roles. If you
create organizational level fields later, you will have to perform an impact analysis on the existing roles.

25. Can I convert ACTVT and TCD authorization fields to Org fields?

The fields "ACTVT" (activity) and "TCD" (transaction code) cannot be converted into an organizational
level field.

26. How a transaction code works?

When a user executes a transaction code, the following checks are performed:

• Authorization for the transaction code itself
• Authorization objects with the required activities/field values

The authorization for the transaction code is checked against the authorization object S_TCODE (field
TCD). Next, the system checks the minimum authorization values required for the transaction; these are
listed in table TSTCA. Further AUTHORITY-CHECK statements in the program code of the transaction are
evaluated as the user works with it.
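The following is an added example (not from the original FAQ and not SAP's own code): a toy Python model of the user buffer from question 15 and of the two checks run at transaction start described here, S_TCODE first and then the minimum values from TSTCA. The transaction names, the user's authorizations and the TSTCA rows are constructed, the value comparison is simplified to full values, prefixes with a trailing asterisk and inclusive ranges, and the buffer limit stands in for auth/number_in_userbuffer so that the overflow failure mode from question 15 can be reproduced.

```python
# Added example, not SAP code: a toy user buffer and the checks performed at
# transaction start (S_TCODE, then the TSTCA rows). All names, authorizations
# and TSTCA rows below are constructed for illustration.


def value_matches(pattern, value):
    """Simplified SAP value comparison: '*' covers everything, 'ABC*' covers
    any value starting with ABC, a (low, high) tuple is an inclusive range,
    anything else must match exactly."""
    if isinstance(pattern, tuple):
        low, high = pattern
        return low <= value <= high
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def build_user_buffer(authorizations, limit):
    """Load a user's authorizations at logon into a buffer holding at most
    `limit` entries (the role of auth/number_in_userbuffer). Entries beyond the
    limit are dropped, which is why an overflowed buffer fails checks that the
    user master record would actually allow. Returns (buffer, overflowed)."""
    buffer = {}
    for obj, fields in authorizations[:limit]:
        buffer.setdefault(obj, []).append(fields)
    return buffer, len(authorizations) > limit


def authority_check(buffer, obj, **wanted):
    """Like the ABAP AUTHORITY-CHECK statement: succeed if at least one
    authorization for `obj` in the buffer covers every requested field.
    A field the authorization does not carry fails the check."""
    for auth in buffer.get(obj, []):
        if all(any(value_matches(p, v) for p in auth.get(f, []))
               for f, v in wanted.items()):
            return True
    return False


def start_transaction(buffer, tcode, tstca):
    """Transaction start: S_TCODE first, then each TSTCA row of the
    transaction. Returns (True, 'ok') or (False, failed check)."""
    if not authority_check(buffer, "S_TCODE", TCD=tcode):
        return False, "S_TCODE TCD=%s" % tcode
    for obj, field_name, value in tstca.get(tcode, []):
        if not authority_check(buffer, obj, **{field_name: value}):
            return False, "%s %s=%s" % (obj, field_name, value)
    return True, "ok"


# Constructed TSTCA extract: (object, field, value) rows per transaction.
TSTCA = {
    "ZMM_DISP": [("M_MATE_WRK", "ACTVT", "03")],
    "ZFI_POST": [("F_BKPF_BUK", "ACTVT", "01")],
}

# Constructed user: S_TCODE for all ZMM_* transactions and display access to
# material master data in plant 1000 and plants 2000 to 2999.
ALICE = [
    ("S_TCODE", {"TCD": ["ZMM_*"]}),
    ("M_MATE_WRK", {"ACTVT": ["03"], "WERKS": ["1000", ("2000", "2999")]}),
]

if __name__ == "__main__":
    buf, overflowed = build_user_buffer(ALICE, limit=100)
    print(start_transaction(buf, "ZMM_DISP", TSTCA))   # (True, 'ok')
    print(start_transaction(buf, "ZFI_POST", TSTCA))   # fails on S_TCODE
    small, overflowed = build_user_buffer(ALICE, limit=1)
    print(overflowed, start_transaction(small, "ZMM_DISP", TSTCA))
```

The last call shows the overflow case: the user master record contains the M_MATE_WRK authorization, but with a buffer of one entry it never reaches the buffer, so the TSTCA check fails exactly as an SU53 would report it.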

27. What are the different ways to set password limitations/exceptions in SAP?

Password limitations/exceptions in SAP can be set in the following ways:

• Profile parameters (the login/* parameters, for example login/min_password_lng)
• Maintaining the list of forbidden password patterns in table USR40 (transaction SM30)

A complete list of logon parameters with descriptions is available on the SAP help website:

http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm

For maintaining the forbidden password list, refer to the "Learnbasis - Specifying Impermissible Passwords.PDF"
file.
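As an added example (not from the original FAQ and not SAP's own code), the following Python function reproduces the two kinds of checks above so that a proposed password policy can be tried out offline: the composition rules driven by the login/* profile parameters, and the forbidden patterns from USR40, where * stands for any string and ? for a single character. The parameter values and USR40 entries are constructed, and the case-insensitive comparison against USR40 patterns is an assumption of the example.

```python
# Added example, not SAP code: a password policy check built from login/*
# profile parameters and USR40 patterns. Parameter values, USR40 entries and
# the case-insensitive pattern comparison are assumptions of this example.
import re

# Constructed profile parameter values (in a real system read them with RZ11).
PARAMS = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 0,
}

# Constructed USR40 entries: '*' matches any string, '?' exactly one character.
USR40 = ["PASS*", "*SAP*", "WELCOME?", "123456", "SECRET*", "*2011"]


def usr40_to_regex(pattern):
    """Translate a USR40 wildcard pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def forbidden_by_usr40(password, patterns=USR40):
    """Return the USR40 patterns the password violates (empty list = none)."""
    return [p for p in patterns if usr40_to_regex(p).match(password)]


def violated_parameters(password, params=PARAMS):
    """Return the login/* parameters whose minimum the password does not meet."""
    have = {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
    }
    return [name for name, count in have.items() if count < params.get(name, 0)]


def password_acceptable(password, params=PARAMS, patterns=USR40):
    """True only if both the parameter rules and the USR40 list allow it."""
    return (not violated_parameters(password, params)
            and not forbidden_by_usr40(password, patterns))


if __name__ == "__main__":
    for candidate in ["Welcome1", "Tr0ub4dor", "short1", "Pass2011x"]:
        print(candidate, violated_parameters(candidate), forbidden_by_usr40(candidate))
```

A useful way to use this before changing USR40 is to run the current user population's typical initial passwords through it: an entry such as *SAP* blocks far more than the obvious "sap123", which is the point of the wildcard.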

28. Other than SU53, how can you get missing authorization details?

Missing authorizations can also be traced using the system trace in transaction ST01 with the
authorization check trace switched on. For a detailed procedure, refer to the "Learnbasis - Working with
Roles & Profiles.PDF" document.

29. How can we reset the password for mass users?

Using transaction code SECATT, create a test script and a test configuration and use them to reset the
passwords of many users at once. Alternatively, a custom ABAP program that calls the function module
BAPI_USER_CHANGE for each user can be used.

30. Is it possible to derive a role which is not having any t-code but have some manually
entered authorization objects? If yes, how?

Yes. The menu of the reference role (empty in this case) is inherited, and when you generate the derived
role and transfer the authorization data from the reference role (Generate derived roles / Adjust derived
in the Authorizations tab of the reference role), the manually inserted authorization objects are passed on
as default values. Only the organizational levels must be maintained separately in the derived role.

31. Can we reset our self SAP password?

Yes. Every dialog user can change his or her own password. On the SAP logon screen, enter the user
name and the current password and click the New password button.

Note that by default a user can change the password only once a day (profile parameter
login/password_change_waittime).

32. I have 3 clients in my Development system. Client 100 is used for new developments,
and initial tests are carried in client 200. How the changes will be reflected in the other
clients?

Changes to roles and transaction codes made in one client are not automatically reflected in the other
clients. The changes must be captured in a transport request and copied to the other clients of the same
system using transaction code SCC1 (client copy by transport request).

33. Through which transaction code I can do a mass user comparison? What's the daily
background job for the same?

PFUD transaction code is used to perform a mass user comparison. The daily background job that is
scheduled in the system is PFCG_TIME_DEPENDENCY. Below SAP help website provides more
information:

http://help.sap.com/saphelp_46b/helpdata/ru/52/6711ec439b11d1896f0000e8322d00/content.htm

34. Which are the necessary objects for controlling the t-code SU01?

S_USER_GRP (user groups) and S_USER_AGR (role assignment) are the main authorization objects that
control what a user may do in transaction SU01, together with S_TCODE for the transaction itself.

35. From where we can create new Authorization object?

New authorization objects can be created using transaction code SU21. The steps are:

1. Go to transaction code SU21.
2. Click Create, then choose Authorization Object.
3. Enter the object name, text, and object class.
4. Enter the field names that you wish to include in the authorization object, for example ACTVT, BUKRS.

NOTE: Custom authorization fields can be created using transaction code SU20.

5. Click Save.

36. Why the profile should be re-generated after making modifications in the role?

When changes are made in a role, the profile should be re-generated again. This will update the
profile data with the new/modified authorization objects, fields, activities, and values.

If the profile is not re-generated, you will see the Authorizations tab in Red color.

37. How can we find out the roles that got directly generated in the Production system?

Ideally, all roles are modified in the development system and transported to the quality and
production systems.

In critical business situations, roles are sometimes modified directly in the production system. To
normalize the landscape afterwards, the same changes are made in development again and transported across the
landscape.

To identify role changes that were made directly in the production environment, view the change
documents for roles in transaction SUIM (Change Documents -> For Roles) and compare the changing user
and date with the transport history of the role.

38. What are the various ways to re-generated SAP_ALL profile? Why it is required?

There are two ways to regenerate the SAP_ALL profile:

1. Using transaction code SU21 (Utilities -> Regenerate SAP_ALL).
2. Using the ABAP program AGR_REGENERATE_SAP_ALL.

SAP_ALL must be regenerated to include newly delivered authorization objects, fields and values in the
profile, for example after an upgrade or support package import. This also avoids having to assign the
SAP_NEW profile.

The Regenerate SAP_ALL option in SU21 regenerates the profile only in the current client. The ABAP
program AGR_REGENERATE_SAP_ALL regenerates the profile in all existing clients.

39. What are the 5 steps of the authorization concept conception?

Below are the 5 steps:

Preparation: set up a team, define the communication process
Analysis and Conception: analyze the processes and determine the role framework
Implementation: creation of roles
Quality assurance and Tests: positive and negative testing
Cutover: production start

40. What are the different types of users that can be created in SAP?

Below are the different types of users:

Dialog: For interactive, individual users.
System: For background processing and communication within a system. No dialog logon is
possible; the password is not subject to the password change rules and can only be changed by the user
administrator.
Communication: For dialog-free communication between systems (for example external RFC calls). No
dialog logon is possible; the password change rules apply.
Service: A dialog user available to an anonymous, larger group of users.
Reference: For general, non-person-related users; a reference user is used only to assign additional,
identical authorizations to other users.

41. What is the meaning of the traffic lights Icons for the authorization maintenance?

Green: All fields below this level have been filled with values
Yellow: There is at least one field (but no organizational levels) below this level for which no data
has been proposed or entered
Red: There is at least one organizational level field below this level for which no value has been
maintained.

42. What are the 4 status texts about authorizations maintenance?

Status text will quickly help you to identify how the authorization object is added/maintained in any
role. Below are the various texts:

Standard: Unchanged from the SAP defaults. It has the values that are added by PFCG
automatically.
Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and
has been maintained.
Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has
been changed from the SAP default value.
Manual: The authorization object is added manually and maintained.

43. How can you deactivate the special properties of SAP*?

To deactivate the special properties of SAP*, set the system profile parameter
login/no_automatic_user_sapstar to a value greater than zero.

44. What is the use of S_TABU_DIS authorization object?

S_TABU_DIS is the authorization object that controls access to table contents through the standard table
tools (SE16, SM30, SM31 and the like). The activity field ACTVT determines the kind of action a user can
perform on table entries (create, change, delete, display).

Secondly, the field DICBERCLS is checked against the authorization group assigned to the table. You can
look the group up in the table maintenance generator (SE11 -> Utilities). Once you grant access to one
authorization group, the user has the same access to all tables belonging to that group.

45. Which authorization object grants authorization to maintain cross client tables with the
standard table maintenance transaction?

The authorization object S_TABU_CLI protects cross-client tables from unintentional changes. Its field
CLIIDMAINT with the value X grants a user authorization to maintain cross-client tables; with a blank
value, the user's table maintenance authorization is restricted to client-specific tables of the current
client.

46. How to identify the list of roles in which S_TCODE is assigned manually?

ABAP program PFCG_AGRS_WITH_MANUAL_S_TCODE will help you to quickly identify the roles
in which S_TCODE is manually included.

In ECC systems this report is obsolete.

47. How to restrict users from scheduling A class jobs?

Authorization object S_BTCH_ADM with "Y" provides the batch administration access to the users. If
this is restricted to "N" or disabled, the user will be restricted to work with only class C (low priority)
jobs and to only his or her own jobs in the client that he or she is logged on to.

48. How to restrict users from deleting jobs of other users?

Restricting the deletion of other users' jobs is done with the authorization objects S_BTCH_ADM and
S_BTCH_JOB. When S_BTCH_ADM is set to Y, users can manage the jobs of all other users as well. Set it
to N, and in S_BTCH_JOB remove the operation DELE from the field JOBACTION. The user keeps the ability
to delete his or her own jobs, but not those of other users.

49. How to identify the authorization group for a table?

There are 2 ways to identify the authorization group.

Procedure # 1:

1. Go to transaction code SE11.
2. Enter the table or view name.
3. Click Display.
4. Go to the Utilities menu, Table Maintenance Generator option.

You can see the authorization group associated with the table.

Procedure # 2:

1. Go to SE16.
2. Enter TDDAT as the table name.
3. Enter the table for which you wish to know the authorization group.
4. Click Execute.

50. Which table holds the information of all the tables in SAP?

DD02L table holds the information of all the other tables in SAP.

51. What are the different types of tables and how the restrictions are maintained?
The tables can be divided into two groups:

• Cross-client tables and
• Client-dependent (client-specific) tables.

Cross-client tables are valid for the whole system, not only for one client, for example table T000.

Client-dependent tables are always valid for one client. The classification is documented by a technical
setting that can be reviewed by looking up the table in DD02L.

The column "client-specific" (field CLIDEP) is relevant. The entry X means that the table is
client-specific. If the field is empty, the table is cross-client.

In SAP, the table level protection can be done at two different levels:

The first level is the general protection of tables, covered by the authorization object S_TABU_DIS.
A user who wants table access needs a corresponding authorization for S_TABU_DIS. The object consists
of two fields: ACTVT (activity) and DICBERCLS (authorization group).

Valid values for the field ACTVT are:

02 - for create, change, delete
03 - for display
BD - override change lock for customizing distribution

Concerning the values for the field DICBERCLS, the assignment and selection is a bit more complex.
Tables are protected by so-called authorization groups. The defined groups are listed in table TBRG.
The assignment of tables to authorization groups is listed in table TDDAT.

Every table can have only one authorization group, but an authorization group may protect any number
of tables. Tables that are not explicitly assigned to an authorization group are protected by the
authorization group &NC&, where "NC" stands for "Not Classified".

As a rule, maintenance access to a table therefore requires an authorization for the object S_TABU_DIS
with the corresponding ACTVT as well as the matching authorization group.

The second level of table access control is based on the object S_TABU_CLI.

To summarize, accessing client-dependent tables requires an authorization for the object S_TABU_DIS,
and maintaining cross-client tables requires authorizations for both S_TABU_DIS and S_TABU_CLI.

Further, the object S_TABU_LIN was created for finer table access limitation. S_TABU_LIN allows access
to be granted down to the line level of a table. This requires additional customizing: the definition and
activation of so-called organizational criteria. With predefined organizational criteria such as a plant
or a country, access to a table can then be limited to the lines matching those criteria. Because of the
additional complexity of this fine-tuning, S_TABU_LIN is rarely used in companies so far.
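The following is an added example (not from the original FAQ and not SAP's own code) that models in Python the table access decision described in questions 44, 45, 49 and 51: the authorization group is looked up in TDDAT with &NC& as the fallback, the client dependency in DD02L, display needs S_TABU_DIS only, and maintaining a cross-client table additionally needs S_TABU_CLI with CLIIDMAINT = X. It also includes the review check a practitioner usually wants, listing the custom tables that fall back to &NC&. The DD02L and TDDAT extracts and the users' authorizations are constructed, and value comparison is limited to full values and the single asterisk.

```python
# Added example, not SAP code: the S_TABU_DIS / S_TABU_CLI decision for a
# table access, with constructed DD02L and TDDAT extracts and constructed
# user authorizations. Value comparison handles '*' and exact values only.

# DD02L-CLIDEP: 'X' = client-specific, blank = cross-client.
DD02L = {"T000": "", "USR02": "X", "ZCUSTRATE": "X", "ZGLOBAL_CFG": ""}
# TDDAT-CCLASS: table -> authorization group; tables missing here are &NC&.
TDDAT = {"T000": "SS", "USR02": "SC", "ZCUSTRATE": "ZCUS"}
NOT_CLASSIFIED = "&NC&"


def authorization_group(table):
    """Authorization group of a table, &NC& if none is assigned."""
    return TDDAT.get(table) or NOT_CLASSIFIED


def is_client_specific(table):
    return DD02L[table] == "X"


def unclassified_tables():
    """Tables that fall back to &NC&: the first thing to review for Z tables."""
    return sorted(t for t in DD02L if authorization_group(t) == NOT_CLASSIFIED)


def _covers(values, value):
    return any(v == "*" or v == value for v in values)


def can_access_table(user_auths, table, activity):
    """user_auths: {"S_TABU_DIS": [{"ACTVT": [...], "DICBERCLS": [...]}, ...],
                    "S_TABU_CLI": [{"CLIIDMAINT": [...]}, ...]}
    Returns (allowed, reason). Display (03) needs S_TABU_DIS only; maintaining
    a cross-client table additionally needs S_TABU_CLI with CLIIDMAINT = X."""
    group = authorization_group(table)
    dis_ok = any(_covers(a.get("ACTVT", []), activity)
                 and _covers(a.get("DICBERCLS", []), group)
                 for a in user_auths.get("S_TABU_DIS", []))
    if not dis_ok:
        return False, "S_TABU_DIS ACTVT=%s DICBERCLS=%s" % (activity, group)
    if activity != "03" and not is_client_specific(table):
        cli_ok = any(_covers(a.get("CLIIDMAINT", []), "X")
                     for a in user_auths.get("S_TABU_CLI", []))
        if not cli_ok:
            return False, "S_TABU_CLI CLIIDMAINT=X (cross-client table)"
    return True, "ok"


# Constructed users.
DISPLAY_ALL = {"S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["*"]}]}
CUSTOMIZER = {"S_TABU_DIS": [{"ACTVT": ["02", "03"], "DICBERCLS": ["ZCUS", "&NC&"]}]}
BASIS = {"S_TABU_DIS": [{"ACTVT": ["02", "03"], "DICBERCLS": ["*"]}],
         "S_TABU_CLI": [{"CLIIDMAINT": ["X"]}]}

if __name__ == "__main__":
    print(unclassified_tables())                              # ['ZGLOBAL_CFG']
    print(can_access_table(CUSTOMIZER, "ZCUSTRATE", "02"))    # (True, 'ok')
    print(can_access_table(CUSTOMIZER, "ZGLOBAL_CFG", "02"))  # needs S_TABU_CLI
    print(can_access_table(BASIS, "T000", "02"))              # (True, 'ok')
```

The CUSTOMIZER user illustrates the common finding: granting DICBERCLS = &NC& to cover unclassified custom tables also covers every other unclassified table in the system, which is why the unclassified_tables check belongs in the role review.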

52. What is a developer access key? How to get it and which table holds this information?

Any ABAP developer who creates or changes custom programs (objects whose names start with "Y" or "Z")
requires developer access. Assigning the authorizations alone does not provide it; the user must
additionally be registered with a developer access key. The key can be obtained from the website:

https://www.service.sap.com/licensekey

The key is valid only for the installation number for which it was registered with SAP.

Table DEVACCESS holds the developer key information and can be viewed with SE16.

53. What is the use of TCDCOUPLES table?

TCDCOUPLES is a table that lists the transaction codes called internally by another transaction (via
CALL TRANSACTION). It is used to quickly identify the called transactions of custom transaction codes.
It also records whether the S_TCODE check is performed for the called transaction, which makes it a way to
give a user backend access to a transaction without granting S_TCODE for it directly. After a transaction
is called, its own authority checks are performed, which may not be part of the checks in the calling
transaction.

54. What is the use of TACT table?

TACT table contains the various activities in the SAP system. All the authorization objects pull the
activity values from this table.

55. What is PDAG?

PDAG stands for Pre-Delivered Activity Groups ("activity group" is the older name for a role). These are
the roles delivered with the SAP installation; you can find them in the system by searching for roles
starting with SAP_. PDAGs are used as templates when creating the administration and functional roles
during an implementation, or are assigned to users until the custom-built roles are available to carry out
the configuration changes in the system.

56. When a user is not able to download reports from SAP, what authorization you will
check?

To download data from the SAP system to the front end, users need access to authorization object S_GUI
with activity 61 (Export). This authorization is normally included in a common role.

57. What is the use of TSTCA table?

The user calling transaction must have an authorization for the authorization object listed in table
TSTCA in his or her user master record. TSTCA contains the minimum required authorization
objects/values that are required to execute a transaction code. In simple, it makes the transaction
executable.

58. What are variants, and how can they be created?

Variants allow you to save sets of input values for programs that you often start with the same
selections.

There are various methods to create variants. For the standard process, visit the link below:

http://help.sap.com/saphelp_nw04/helpdata/en/c0/980389e58611d194cc00a0c94260a5/content.htm

To quickly create a variant, execute the report using transaction code SA38 or SE38, enter all the
values, then choose Goto -> Variants -> Save as Variant.

The variant can later be loaded using the Get Variant icon on the selection screen.

59. What is user master record and which tables holds the User master record
information?

User Master Record is the record that contains important master data for a user in the SAP system.
The user master record contains the assignment of one or more roles to the user. In this way, a user
menu and the corresponding authorizations for the activities contained in the user menu are assigned
to the user. Only users who have a user master record can log on to the system.

User data resides in the USR* tables (USR01, USR02, USR04 and related tables) and the change history in
the USH* tables. These can be read directly for quick reporting such as user type, last logon, or other
user-related information. The primary header data table is USR02.

60. Which report gives you the information of users with missing address data such as
email ID, phone number etc?

When users are created in the SAP system, their details including address are entered into the
system. For some reasons or the other, it is possible to have users that have incomplete address
data.

Report RSUSR007 is used to generate a list of such users. These users can be reviewed and their
address data completed appropriately.

Please note, it is good practice to have complete address data for all users. It helps with user
organization and management.

61. What is the difference between a dialog and service type user ID?

A user of the type Service is a dialog user that is available to an anonymous, larger group of users.
Generally, this type of user should only be assigned very restricted authorizations.

For example, service users are used for anonymous system access via an ITS service. Once an
individual has been authenticated, a session that started anonymously using a service user can be
continued as a personal session using a dialog user.

During logon, the system does not check for expired or initial passwords. Only the user
administrator can change the password. The best example is Firefighter IDs.

62. What are the maximum number of profiles that can be assigned to a user?

The maximum number of profiles that can be assigned to any user is ~312. See table USR04 (profile
assignments for users). This table contains both information on the change status of a user and the
list of the profile names assigned to the user.

The field PROFS is used for saving the change flag (C = user was created, M = user was changed),
and the name of the profiles assigned to the user. The field is defined with a length of 3750
characters. Since the first two characters are intended for the change flag, 3748 characters remain
for the list of the profile names per user. Because of the maximum length of 12 characters per profile
name, this results in a maximum number of 312 profiles per user.

63. How will you allow the functional teams to perform direct changes in the production
environment?

Direct changes in the production system are not allowed. However, there are a few instances where
changes should be made in the production system directly, such as number range maintenance,
factory calendar maintenance etc.

In such cases, a system modification request should be raised and approved by the system owner or
the system controller who owns the system.

After the changes are made, the client will be set to No changes allowed.

64. How to check the dependency of a role?

The dependency of a role can be checked using the SE03 transaction code. Dependencies of roles should
be checked before making any changes to a role. Below are the step-by-step instructions:

1. Go to the SE03 transaction code.
2. Click the Search for Objects in Requests/Tasks option, which is highlighted below:
3. Enter ACGR and the role name, click the check box and click Execute.

This will display all the transport requests created for the role entered. Pick the last
transport request and check the logs. If the changes have been moved to the production system, the
role has no dependency.

65. What are the various types of transport requests? Explain.

There are four types of transport requests:

• Customizing request
• Workbench request
• Transport of copies
• Relocation

66. How to create a config role?

Config roles are created at the time of a new implementation, when no other roles exist yet.
Following are the steps to create a config role:

Creating a role from IMG:

1. Go to the SPRO_ADMIN transaction code.
2. Click the Create button.
3. Enter the project name and click the Check mark button.
4. Enter the project description and click Save.
5. Go to the Scope tab, select the “Specify project scope by making manual selections in Reference IMG”
check box and click the “Specify Scope” button.
6. Select the IMG nodes for which access should be provided.
7. Click the "Generate Project IMG" button.
8. Click the Generate in the background option when prompted.
9. Click the Save button.

Once the Project is created, we will have to create the role in the Profile Generator:

1. Go to the PFCG transaction code.
2. Enter the new role name and click the Create Role icon.
3. Enter the description for the role.
4. Click Save, and go to the Menu tab.
5. Click Utilities, Customizing auth. option as shown below:
6. Click the Add button.
7. Select the IMG project radio button and click the Check mark button.
8. Select the project from the list.

This will add all the transaction codes. However, note that no further menu changes are possible in
the IMG config role, and you may also not see other buttons in the Menu tab.

67. What is DEBUG access? And how to restrict it?

Debug access is a critical access that should be restricted in the Production system. It is a way to
look behind all screens, inside the running programs. This also may allow users to see data which is
normally hidden from them according to their authorizations.

Debug access can be provided with the authorization object S_DEVELOP and object type DEBUG.

NOTE – In most landscapes, DEBUG access is assigned only to FF (Firefighter) IDs.

68. What is the difference between SU53 and ST01?

SU53 is a quick solution to identify missing authorizations for users. However, it will only
display the last missing authorization.

ST01 is used in two scenarios:

• To quickly identify the list of authorization objects, fields and values that need to be included in a
role when you are creating it for the first time.
• To trace repeated missing authorizations.

Refer to the Learnbasis R/3 Reference document for the complete process of analyzing SU53 and ST01 results.

69. How to give authorization to multiple printers?

Authorization to use specific printers or other output devices can be provided with the
authorization object S_SPO_DEV. The object consists of the field Spool: Output device, where you
can include the SAP names of the output devices for which a user is to be authorized. For example, the
value "LT*" authorizes a user to use all printers whose names begin with "LT" in spool administration.
70. How to revoke “Import All” transport authorization to a user?

To revoke the Import All option (the icon), you need to remove the IMPA value under the
S_CTS_ADMI authorization object.

Also, if you wish to remove the import of individual requests, the IMPS value should be unchecked.

71. What is Secure area? Why it is maintained in the OSS Connection?

OSS (Online Service System) is a service provided by SAP to help with any critical issues in your
SAP instance. When SAP needs to connect to your system to analyze the root cause of an issue,
you will be requested to open an OSS connection. To enable SAP to log on to your system, an OSS ID has
to be created, and the user login information should then be updated in an area called “Secure
area”.

Also note, all the systems will be listed when you log in to service.sap.com, and all that you need to
do is to open the system for SAP, specifying the number of days for which the connection should remain
active, using the secure area information.

72. What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a transaction and
which are not (regardless of the AUTHORITY-CHECK statements programmed). This table also determines
which authorization checks are maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which default
values an authorization created from the authorization object should have in the Profile Generator.

73. How to create a new Authorization object?

To create the authorization object, perform the following:

1. Go to transaction code SU21.
2. Click Create, Authorization object option.
3. Enter all the details as shown in the below screen shot:
4. Click the Save button.
5. Select the relevant package from the drop down list.
6. Save again.

The new authorization object is now created. Further, maintain the default values from the SU24
transaction code.

74. If users were not able to run CATT scripts, what changes do you recommend?

If the user can’t run the CATT script, you need to enable the option in the SCC4 transaction code. Below
are the steps:

1. Go to the SCC4 transaction code.
2. Click the Change button.
3. Double-click the client for which you wish to allow the CATT scripts.
4. Change the “CATT and eCATT Restrictions” option to Allowed as shown below:
5. Click Save.

75. What are the ways to identify the number of users in a client?

Below are the different ways to identify the number of users in a client:

1. Go to SE16, enter USR02, and click the “Number of Entries” button.
2. Go to the SUIM transaction code, Users, Users by Complex Selection Criteria, By User ID, Execute.

Both ways will give you the count of the user IDs in the system.

76. How to get a list of locked users in a client?


Using the report RSUSR200, you can generate a list of locked users. Alternatively, you can use
RSUSR006.

77. How to generate a list of users who haven’t logged in for the last 30 days?

The ABAP report RSUSR200 can be used to generate a list of users who haven’t logged in during the last 30
days. Below is the selection:

78. What is dormant ID review?

Dormant user ID review is the process of identifying users who haven’t logged in to the system for a long
period. These IDs can be identified using the RSUSR200 report or by generating a list of IDs from the USR02
table. The ERDAT field can be used to identify the last logon date.
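As an added example (not part of the original FAQ), the following Python script performs the dormant ID review offline over rows exported from USR02, which also covers the 30-day check of the previous question; the sample rows, the review date and the name of the last-logon column (TRDAT here) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed sample rows (not real system data) in the shape of a USR02 export.
# BNAME = user ID, USTYP = user type (A dialog, B system, C communication,
# S service, L reference), UFLAG = lock status (0 = not locked),
# TRDAT = last logon date as YYYYMMDD ('00000000' = never logged on).
# Assumption: the export's last-logon column is called TRDAT; pass another
# name via logon_field if your extract labels it differently.
SAMPLE_USR02 = [
    {"BNAME": "JSMITH",    "USTYP": "A", "UFLAG": "0",  "TRDAT": "20240105"},
    {"BNAME": "MPATEL",    "USTYP": "A", "UFLAG": "0",  "TRDAT": "20240225"},
    {"BNAME": "ABROWN",    "USTYP": "A", "UFLAG": "64", "TRDAT": "20231110"},
    {"BNAME": "NEWHIRE",   "USTYP": "A", "UFLAG": "0",  "TRDAT": "00000000"},
    {"BNAME": "RFC_BATCH", "USTYP": "B", "UFLAG": "0",  "TRDAT": "20230101"},
]

# Constructed review date for the sample above.
REVIEW_DATE = date(2024, 3, 1)

USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication",
              "S": "Service", "L": "Reference"}


def parse_sap_date(value: Optional[str]) -> Optional[date]:
    """Parse a YYYYMMDD date; blank or '00000000' means no date at all."""
    if not value or value.strip() in ("", "00000000"):
        return None
    return datetime.strptime(value.strip(), "%Y%m%d").date()


@dataclass
class DormantUser:
    bname: str
    user_type: str
    last_logon: Optional[date]   # None = never logged on
    days_idle: Optional[int]     # None = never logged on
    locked: bool                 # already locked (UFLAG != 0)


def find_dormant_users(rows, as_of: date, threshold_days: int = 30,
                       logon_field: str = "TRDAT",
                       only_dialog: bool = True) -> List[DormantUser]:
    """Return users whose last logon is at least threshold_days before as_of.
    Users who never logged on are always included, since no logon date can
    be older than 'never'. By default only dialog users (USTYP = A) are
    reviewed; system and communication users need a separate review."""
    found = []
    for row in rows:
        if only_dialog and row.get("USTYP") != "A":
            continue
        last = parse_sap_date(row.get(logon_field))
        locked = int(row.get("UFLAG") or 0) != 0
        days = None
        if last is not None:
            days = (as_of - last).days
            if days < threshold_days:
                continue  # logged on recently enough
        found.append(DormantUser(row["BNAME"],
                                 USER_TYPES.get(row.get("USTYP"), "Unknown"),
                                 last, days, locked))
    # never-logged-on users first, then longest idle first
    found.sort(key=lambda u: (u.days_idle is not None, -(u.days_idle or 0)))
    return found


def report_lines(users: List[DormantUser]) -> List[str]:
    """Render one line per dormant user, ready for a review list."""
    lines = []
    for u in users:
        idle = "never logged on" if u.days_idle is None else f"{u.days_idle} days idle"
        status = "already locked" if u.locked else "ACTION: lock or confirm owner"
        lines.append(f"{u.bname:<12} {u.user_type:<9} {idle:<16} {status}")
    return lines


if __name__ == "__main__":
    for line in report_lines(find_dormant_users(SAMPLE_USR02, REVIEW_DATE)):
        print(line)
```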

79. Which report shows the status of the standard system users in all the clients?

Report RSUSR003 displays the status of the standard system users (SAP* and DDIC) in all the
available clients in the system.

80. What is the use of PFCG_TIME_DEPENDENCY job?

PFCG_TIME_DEPENDENCY is a program used to do the user comparison. It updates the user
master records with new data.

If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business, the
authorization profiles in the user master will be updated and the users will have only the valid roles.

It uses the program RHAUTUPD_NEW.

81. How to perform a mass generation of profiles?

To perform a mass generation of profiles, use transaction code SUPC.

1. In role maintenance, choose Utilities, Mass Generation (transaction SUPC).
2. Specify the desired selection criteria.

To generate all profiles to be generated automatically (last checkbox), you can further restrict the
role selection in the next screen.

Source – help.sap.com

82. How to run a comparison for a group of roles?

To perform a user comparison, use transaction code PFUD.

83. How to lock/unlock a transaction code? Give some examples of its usage.

A transaction code can be locked using the SM01 transaction code. Below are the steps:

1. Go to the SM01 transaction code.
2. Enter the transaction code in the Search box, which is available at the end of the Tcode box.
3. Once the tcode is listed, select the check box, place the cursor in the transaction code box and
click the Lock/Unlock button.

Alternatively, press the F2 key.

For example, SCC5 is locked to further protect the system against client deletion. Even though a user
has authorization for the SCC5 transaction code, he will not be able to execute the tcode.

84. How a role is deleted in real-time scenarios?

Roles should be deleted in the development system and then transported across the landscape.
You will not be able to delete a role in the production system directly, since the production
environment is frozen for changes.

Below are the steps to delete a role in real-time scenarios:

1. Create a transport request.
2. Add the role to the transport request.
3. Delete the role.
4. Release the transport request.
5. Import the request into the other systems.

For a detailed procedure, refer to the “Learnbasis.com R/3 Working with Roles & Profiles.PDF” document.

85. How to trace a user activity in SAP?

Audit logs for a user can be enabled using the SM19 transaction code. Below are the steps:

1. Go to transaction SM19.
2. Select Filter 1 to activate.
3. Click the checkbox of Filter 1.
4. Enter the client and user names to be traced. (NOTE – A * value can be given to trace in all the
clients/for all the users.)
5. In the Audit classes section, switch on all the auditing functions you need for this profile.
6. In the Events section, click the radio button to the left of the level of auditing you need.
7. Once you have entered all your trace information, click the Save icon.

You will receive an "Audit profile saved" message in the status bar at the bottom of the screen.
Please note that while the user trace has been saved, it is not yet active. To activate the user trace,
see the next section, Activating a User Audit Profile.

For a detailed procedure, refer to the “Learnbasis.com SAP Security Audit Log.PDF” document.

86. How to read the audit logs for a particular user?

Below are the steps to read the audit logs:

1. Log on to any client in the appropriate SAP system.
2. Go to transaction SM20.
3. In the Selection, Audit classes, and Events to select sections of the Security Audit Log: Local
Analysis screen, provide your information to filter the audit information. If you need to trace
the activities of a specific user, be sure to include that user’s ID. Click the Re-read audit log
button.
4. The resulting list is displayed. This list can be printed using the usual methods.

87. What are the various reason codes in ST01?

Below are the various return codes:

Refer the “Learnbasis.com R/3 Working with Roles & Profiles.PDF” document.

88. What are user groups? How to create them?

One of the primary advantages of user groups is to sort the users into logical groups. This allows
users to be categorized based on functional areas/positions.

User groups also allow segregation of user maintenance; this is especially useful in a large
organization, as you can control a specific group of users and give authorization to administer them.

The most important factor identified is that the lack of user groups is an indication that there may be
problems with the user build process. This is very "fuzzy" but is a bit of a warning flag. User groups
can be created using SUGR transaction code.

89. What is the difference between user group in Logon data tab, and Groups tab?

Group for Authorization Check (User group in Logon Data tab):

If you assign a user to a user group for the authorization check on the Logon Data tab, you can
distribute user maintenance tasks among several user administrators. The system administrator can
assign the respective user administrator the right to create and change users in a group. Using the
authorization object User Master Maintenance: User Groups (S_USER_GRP), you can assign user
groups to different administrators.

Users that are not assigned to any of the groups, can be maintained by all administrators.

General User Groups (Groups tab):

You use the division of users into user groups on the Groups tab primarily to group users for mass
maintenance (transaction SU10). No authorization check can be performed on the user groups
assigned to the users under the Groups tab.

90. How to assign parameters and what are they used for?

Parameters can be assigned to users from the SU01 transaction, Parameters tab. A parameter identifies
a field that a user wants to have filled automatically when he opens a transaction code. This field can
be filled with proposed values from SAP memory using a parameter ID.

For example, suppose a user only has authorization for company code AU50 and wants the company
code field to be auto-filled in every transaction. For this, a parameter is defined in the Parameter ID
column. Fields that refer to the data element are then automatically filled with the value 300 in all
subsequent screen templates.

91. How to extract data from tables and what are the minimum authorizations required?

Data from tables can be extracted using SE16 or SE16N transaction code. To download the data, a
user should have authorization to S_GUI with activity 60.

92. How to determine the instance on which user has logged in?

To identify the instance on which user has logged in, go to AL08 transaction code and search for the
user ID.

93. What is an application instance and how different it is from the central instance?

An application instance is a collection of dialog work processes that is maintained for load balancing
for the end users.

However, a central instance is the combination of the database instance, dispatcher, message
server and enqueue server. Note that both instances will be running under the same SID.

94. How to force the logoff of a user from the system?

To force the logoff of a user, perform the following steps:

1. Go to the SM04 transaction code.
2. Select the user from the list.
3. Go to the User menu, and select Log Off.

However, note that the user's current data will not be saved when you force a logoff. You should be
careful when using this option, especially in the production systems.

95. How to convert manually created profiles in to roles?

It is not recommended to convert profiles to roles manually; the best approach is to create the
roles from scratch. However, if you wish to create roles from profiles, use the SU25 transaction code
and select option 6, which is highlighted below:

Once you execute it, you will be prompted with the list of profiles. Select the profile, click the
Optimized option and confirm when prompted to create a role.

The alternative procedure is to create a role and Insert a profile. Below are the steps:

1. Create a role in the PFCG transaction code.
2. Go to the Authorizations tab.
3. Create a profile, and click the Change Authorization data button.
4. Select the “Do not select templates” option.
5. Click Edit, Insert Authorization(s), from Profile option.
6. Select the profile that you want to insert.
7. Click the check mark.

96. How to identify the changes done to a user/role in the system?

The Change Documents node under the SUIM transaction code helps you to quickly identify the various
changes made to users & roles:

You may also execute the reports RSUSR102 for change documents for authorizations, RSUSR100 for
change documents for users and RSUSR101 for change documents for profiles.

97. How to get the user ID list along with the mail IDs?

There is no standard report that gives you this information. You may join tables ADR6 and USR21
by PERSNUMBER. Use SQVI transaction code, if you are allowed to do this, else you may need to use
MS Access to get the report by maintaining the relationship of PERSNUMBER.
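As an added example (not part of the original FAQ), this Python script runs the ADR6/USR21 join described here against an in-memory SQLite copy of the two tables and, through a LEFT JOIN, also lists the users that have no e-mail address at all (the missing address data of question 60); the sample rows, the additional ADDRNUMBER join key and the FLGDEFAULT filter are assumptions.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows (not from any real system), shaped like the two SAP
# tables: USR21 links a user ID (BNAME) to its address person number
# (PERSNUMBER) and address number (ADDRNUMBER); ADR6 stores the e-mail
# addresses (SMTP_ADDR) of that person, FLGDEFAULT = 'X' marking the default.
USR21_ROWS = [
    ("JSMITH",    "0000000101", "0000000001"),
    ("MPATEL",    "0000000102", "0000000001"),
    ("ABROWN",    "0000000103", "0000000001"),  # no ADR6 row: e-mail missing
    ("RFC_BATCH", "",           ""),            # technical user, no address link
]
ADR6_ROWS = [
    ("0000000101", "0000000001", "j.smith@example.com",       "X"),
    ("0000000102", "0000000001", "m.patel@example.com",       "X"),
    ("0000000102", "0000000001", "mpatel.second@example.com", " "),  # non-default
]

SCHEMA = """
CREATE TABLE USR21 (BNAME TEXT, PERSNUMBER TEXT, ADDRNUMBER TEXT);
CREATE TABLE ADR6  (PERSNUMBER TEXT, ADDRNUMBER TEXT, SMTP_ADDR TEXT, FLGDEFAULT TEXT);
"""

# LEFT JOIN keeps users without any e-mail, so the same query serves the
# 'missing address data' review. The FAQ joins on PERSNUMBER; ADDRNUMBER is
# added here because USR21 carries both keys (assumption: both are filled).
EMAIL_QUERY = """
SELECT u.BNAME, a.SMTP_ADDR
  FROM USR21 AS u
  LEFT JOIN ADR6 AS a
    ON a.PERSNUMBER = u.PERSNUMBER
   AND a.ADDRNUMBER = u.ADDRNUMBER
   AND a.FLGDEFAULT = 'X'
 ORDER BY u.BNAME
"""


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory copy of the two tables from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USR21 VALUES (?, ?, ?)", USR21_ROWS)
    conn.executemany("INSERT INTO ADR6 VALUES (?, ?, ?, ?)", ADR6_ROWS)
    conn.commit()
    return conn


def user_email_list(conn: sqlite3.Connection) -> List[Tuple[str, Optional[str]]]:
    """(user ID, default e-mail or None) for every user in USR21."""
    return [(bname, email) for bname, email in conn.execute(EMAIL_QUERY)]


def users_missing_email(conn: sqlite3.Connection) -> List[str]:
    """User IDs with no default e-mail address, i.e. incomplete address data."""
    return [bname for bname, email in user_email_list(conn) if not email]


if __name__ == "__main__":
    db = load_sample_db()
    for bname, email in user_email_list(db):
        print(f"{bname:<12} {email or '<no e-mail>'}")
    print("missing:", users_missing_email(db))
```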

98. How to restrict users to have access to their own spools?

Spool access is controlled with the S_SPO_ACT authorization object. To restrict access to users' own
spools, you may use the special value __USERS__.

99. What transaction codes should be added in the COMMON role?

The common role will have transaction codes which are required for every dialog user in the SAP system.
Below is a list of commonly used transaction codes:

• SU53
• SMX
• SP01
• SP02
• SU3
• SU56
• SBWP

Also, note that it contains commonly required authorization objects such as S_GUI, S_RFC, etc.

100. How to re-generate SAP_ALL profile using SU21? And why it is required?

If you add any new authorization objects, it is recommended to re-generate the SAP_ALL profile.
Below are the steps to re-generate SAP_ALL:

1. Go to the SU21 transaction code.
2. Click the “Regenerate SAP_ALL” button.
3. Select Yes when you are prompted to confirm the re-generation.

This will re-generate the SAP_ALL Profile.

101. How to maintain the company address?

Company address can be maintained in 2 ways:

• Using transaction code SUCOMP
• Go to SU01, Environment, Maintain company address:

Both of the options will display the below screen:

Click Create button to create a new company.

102. Can we assign a multiple company addresses to a single user?

No. It’s not possible. A user can be assigned only with 1 company address.

103. How can I change the existing company address?

To change the existing company address, follow the below steps:

1. Go to the SU01 transaction code.
2. Enter the user name and click Edit.
3. Choose one of the below buttons:

The Assign other company address will prompt a list of existing company addresses from which the
required company can be selected. However, the “Assign new company address…” button will allow
you to create new company address.

104. We are unable to modify the users thru SU01 transaction code, and experiencing
"company address locked" error. How to troubleshoot this issue?

This is an identified issue in SAP R/3 versions 4.5 and 4.6C. SAP has released a source code correction
for this issue. Refer to SAP Note 312714 - Unnecess. lock on company addr. in displ. mode SU01.

105. How to setup a company address as default?

To set up a default company address, perform the following:

1. Go to the SUCOMP transaction code.
2. Select the company address that you wish to set as default.
3. Click Edit.
4. Click Standard Address, Define.

106. Which table contains all the fields currently set as Organizational Levels in PFCG?

Table USORG holds the information of Org fields.

107. How to identify the roles with open authorization objects & organization values?

AGR_WITH_EMPTY_FIELDS report gives you a list of roles with open authorization objects
(unmaintained). You can execute the program from SA38 or SE38.

Similarly, the report AGR_WITH_EMPTY_ORGS lists the roles with unmaintained organization
level fields.

108. When user logs in, instead of SAP easy access screen, he gets into a transaction code
screen. How to disable it?

This issue happens if a transaction code is set as default. To remove this, perform the following:

1. Go to Extras.
2. Select Set Start Transaction (Shift+F7).
3. Remove the transaction code that exists.

109. How should I grant PFCG display access and SU01 maintain access?

Assignment of roles to users in the SU01, SU10, and PFCG transaction codes requires authorization for
S_USER_GRP with the Assign (22) activity and S_USER_AGR with the Change (02) activity.

If the Change activity is assigned, the user will get access to change roles too.

To limit the authorization to PFCG display, you have to set a switch in the PRGN_CUST table. This will
check only S_USER_AGR activity 22 when assigning roles. Below are the steps:

1. Go to transaction code SM30.
2. Enter table name "PRGN_CUST".
3. Click Maintain.
4. Add the new entry 'ASSIGN_ROLE_AUTH' with value 'ASSIGN'.

For further information, check SAP Note 312682 - Checks when assigning users to roles.

110. Can you have more than one set of org-level values in one role?

No, it is not possible to have more than one set of org-levels. You have to create two separate roles
to achieve this.

111. User has SAP_ALL, and SAP_NEW assigned, but still experiencing Missing
authorizations. What is the issue?

The issue might be due to the following:

• Older version of the user buffer
• Generation of SAP_ALL not carried out.
• Authorization object doesn’t exist in the SAP_ALL composite profile.

In most cases the issue occurs due to an old version of the user buffer for authorizations. To resolve
this issue, set the profile parameter auth/new_buffering to switch to the newest version of the
user buffer.

Also, re-generate the SAP_ALL profile from the SU21 transaction code to update it with the authorization
objects that were added recently.

Further, note that a small set of authorization objects are not part of SAP_ALL, e.g. the
authorization object S_RFCACL. In such cases, you have to add them manually through separate
roles.

112. How to transport user groups that are created in transaction code SUGR?

User Groups cannot be transported. They have to be created locally in each client.

113. What are the tables in which customizing settings for the security administration can
be made?

Most of the customizations are carried out in the tables PRGN_CUST and SSM_CUST.

114. What is the difference between SU24 and SU22? What is "original data" in the SU22
context?

SU22 is used by SAP to create authorization proposals. SU24 is used by customers to adjust these
authorization proposals from SAP.

115. How do you remove a developer's access and developer keys from a system?

Delete the developer's entry in the table DEVACCESS.

116. We have removed SU01/SU10/SECATT authorization from the all the roles. However,
some of the users were able to maintain users. How it is possible?

This happens if the users have access to a range of tcodes under S_TCODE together with S_USER*
authorization object access.

The tcodes OMDL, OMEH, OMWF, OPF0, OTZ1, OY27, OY28, OY29 and OY30 give access similar to the
SU01 transaction code.

Ensure that these tcodes are removed from the assigned list.
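As an added example (not part of the original FAQ), this Python script scans role authorization data exported from AGR_1251 for exactly this pattern: an S_TCODE range or generic value that reaches one of the tcodes above, combined with an S_USER* object in the same role. The same value matching applies to generic values such as the S_SPO_DEV value "LT*" from question 69; the sample roles and the treatment of wildcards inside ranges are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# SU01-equivalent transaction codes named in the FAQ above, together with the
# user-maintenance transactions themselves.
SU01_EQUIVALENT_TCODES = ["SU01", "SU10", "OMDL", "OMEH", "OMWF", "OPF0",
                          "OTZ1", "OY27", "OY28", "OY29", "OY30"]

# Constructed sample rows (not from any real system) in the shape of an
# AGR_1251 export: one row per role / object / field value.
SAMPLE_AGR_1251 = [
    {"AGR_NAME": "Z_MM_CONFIG", "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "OM*",  "HIGH": ""},
    {"AGR_NAME": "Z_MM_CONFIG", "OBJECT": "S_USER_GRP", "FIELD": "ACTVT", "LOW": "02",   "HIGH": ""},
    {"AGR_NAME": "Z_MM_CONFIG", "OBJECT": "S_USER_GRP", "FIELD": "CLASS", "LOW": "*",    "HIGH": ""},
    {"AGR_NAME": "Z_FI_PERIOD", "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "OB52", "HIGH": "OY30"},
    {"AGR_NAME": "Z_DISPLAY",   "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "SU53", "HIGH": ""},
    {"AGR_NAME": "Z_DISPLAY",   "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "SP01", "HIGH": ""},
    {"AGR_NAME": "Z_BASIS_ALL", "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "*",    "HIGH": ""},
    {"AGR_NAME": "Z_BASIS_ALL", "OBJECT": "S_USER_AGR", "FIELD": "ACTVT", "LOW": "*",    "HIGH": ""},
]


def auth_value_matches(low: str, high: str, value: str) -> bool:
    """Authorization field value semantics: '*' alone matches everything; a
    FROM/TO pair is an inclusive range compared as strings; a trailing '*'
    is a generic (prefix) value; anything else is a single exact value.
    Assumption: wildcards inside a FROM/TO range are not used."""
    low, high = (low or "").strip(), (high or "").strip()
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


@dataclass
class RoleFinding:
    role: str
    covered_tcodes: List[str] = field(default_factory=list)
    user_admin_objects: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # The combination the FAQ warns about: an S_TCODE value that reaches a
        # SU01-equivalent tcode plus at least one S_USER* object in the same role.
        return bool(self.covered_tcodes) and bool(self.user_admin_objects)


def scan_roles(auth_rows, watch_tcodes=SU01_EQUIVALENT_TCODES) -> List[RoleFinding]:
    """Collect, per role, which watched tcodes its S_TCODE values reach and
    which S_USER* objects it carries; the result is sorted by role name."""
    findings: Dict[str, RoleFinding] = {}
    for row in auth_rows:
        f = findings.setdefault(row["AGR_NAME"], RoleFinding(row["AGR_NAME"]))
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            for tcd in watch_tcodes:
                if tcd not in f.covered_tcodes and auth_value_matches(row["LOW"], row["HIGH"], tcd):
                    f.covered_tcodes.append(tcd)
        elif row["OBJECT"].startswith("S_USER") and row["OBJECT"] not in f.user_admin_objects:
            f.user_admin_objects.append(row["OBJECT"])
    return [findings[name] for name in sorted(findings)]


if __name__ == "__main__":
    for f in scan_roles(SAMPLE_AGR_1251):
        tag = "FLAGGED" if f.flagged else "ok     "
        print(f"{tag} {f.role:<12} tcodes={f.covered_tcodes} objects={f.user_admin_objects}")
```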

117. How to restrict a user's access to a particular table?

You can define a new authorization group for the specific table using transaction code SE54. Further,
you can create a role with S_TABU_DIS for the specific authorization group.

Read and implement SAP Note 1481950 (New authorization check for generic table access using new
auth object S_TABU_NAM), which defines a concept for securing tables. A new authorization object,
S_TABU_NAM, which has the two fields Activity and TABNAME, was added by SAP to the existing objects.
However, this object is valid for SAP_BASIS 700 only.

118. What is the difference between Standard & Manual objects in PFCG?

Standard authorization objects are those which are added automatically by PFCG. Manual objects are
the ones that are added manually by the Security folks. It is always recommended to tag the related
authorization objects to the transaction codes from SU24, instead of adding them manually.

119. There are few forbidden password strings added in USR40 table, but still they are
allowed while resetting the password through SU01? What is the issue?

This is not an issue and is by design. Administrators are allowed to set password combinations
which are added in USR40. However, when a user tries to change the password, the system checks the
USR40 table for the exception list. There is no way to restrict administrators from setting a password
from this list.

Refer to SAP Note 2467 for more information about the password policy.

120. The “Assign new password” dialog box remains in the screen (both in SU01, and
while user tries to change his password). It doesn’t allow going further. How to resolve
this?

To resolve the issue perform the following:

1. Call transaction SE80.
2. Display function group "SUU5".
3. Open "GUI Status" and double click on "PASSWORD".
4. Press the "Activate" button (CTRL+F3).

Refer SAP Note 1487237 - User password cannot be changed in SU01 after upgrade.

121. How to identify the list of ECATT scripts?

To identify the list of ECATT scripts, perform the following:

1. Go to SE16.
2. Enter TADIR.
3. Enter ECAT as OBJECT.
4. Enter Z* in OBJ_NAME.
5. Click Execute.
