Professional Documents
Culture Documents
The FAQs in this document are collected, organized, (some are created) by Raghu Boddu for the SAP Security Experts
(SAPSecurityExpert.com) from various sources such as SAP SCN, and other SAP Security forums and websites.
My sincere thanks to those who spent time in addressing the users with suitable and fantastic answers in the forums.
Regards,
Raghu Boddu
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
1. What is SAP?
SAP stands for "Systems Applications and Products in Data Processing." It was founded in 1972
by five former IBM employees in Germany.
The great advantage of SAP is, it creates a common centralized database for all the applications
running in an organization. The application has been assembled in such a versatile way that it
handles the entire functional department within an organization. Today major companies including
Microsoft and IBM are using SAP's Products to run their own businesses.
R/2, which ran on Mainframe architecture, was the first SAP version. Sap's products are generally
focused on Enterprise Resource Planning (ERP). Sap's applications are built around R/3 system which
provides the functionality to manage product operations, cost accounting, assets, materials and
personnel. The R/3 system of SAP runs on majority of platforms including windows 2000 and it uses
the client/sever model.
2. What is ERP?
ERP is a package with the techniques and concepts for the integrated management of business as a
whole, for effective use of management resources, to improve the efficiency of an enterprise.
Initially, ERP was targeted for manufacturing industry mainly for planning and managing core
business like production and financial market. As the growth and merits of ERP package ERP software
is designed for basic process of a company from manufacturing to small shops with a target of
integrating information across the company.
3. What is IDES?
IDES stands for International Demonstration and Education System. A sample application provided
for faster learning and implementation by SAP. This version is only used for training purpose. IDES
comes with some dummy data, to enable you to quickly learn SAP.
Refer the “Learnbasis - User Management Activities in SAP.PDF” document for detailed procedures.
5. What is PFCG?
PFCG is the transaction code used to invoke profile generator tool. SAP Profile Generator is a tool
which can be used to automatically generate and assign authorization profiles.
SAP profile generator reduces the time for authorization implementation. The profile generator
automatically selects authorization objects which are relevant based on the transaction codes added
in the role. An administrator only needs to configure the customer specific settings.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
Profile Generator was released with the 3.1G version of SAP and has really changed the way
authorizations were implemented in SAP.
The USOBX_C, and USOBT_C tables are called as Customer tables, which should be created using
SU25 transaction code in a fresh implementation or an upgrade.
The table USOBX_C defines which authorization checks are to be performed within a transaction and
also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default
values an authorization created from the authorization object should have in the Profile Generator.
7. What authorization are required to create and maintain user master records?
To create/maintain users, the following are the minimum authorization objects which are required:
8. What is a role?
A role is a grouping of privileges, which can be assigned to the users. In the other words, a role is a
collection of transaction codes, reports, and authorization objects which are further restricted based
on the function of the user.
A derived role is a role which inherits the menu structure and the functions included (transactions,
reports, Web links, and so on) from a reference role.
A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values which can be
changed afterwards.
However, the Organizational level definitions are not inherited to the derived role, which means they
should be maintained individually.
A composite role is a container which can collect several different roles. It is also called as a collective
role.
Composite roles do not contain authorization data. If you want to change the authorizations (that are
represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several
roles. Instead of adding each user separately to each role required, you can set up a composite role
and assign the users to that group.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
Note that a composite role can’t contain another composite role.
User Comparison will reconcile the PROFILES within a user's account and make the necessary
changes. This is especially true when you've assigned specific Valid-To dates for the roles on an
account. If the Valid-To (expiry) date of a role has passed, the User Comparison will REMOVE the
profile/role from that account.
As mentioned above, if you see a red button in PFCG this means that a User Comparison should be
executed to help reconcile the profiles for the users. You can also see this in SU01 if a specific role
has a red button.
http://help.sap.com/saphelp_bw21c/helpdata/en/52/6711ec439b11d1896f0000e8322d00/content.ht
m
Security as a form of protection are structures and processes that provide or improve security as a
condition.
In an application level, it is the condition that prevents unauthorized persons from having access to
official information that is safeguarded through various security measures.
Application security encompasses measures taken throughout the application's life-cycle to prevent
exceptions in the security policy of an application or the underlying system (vulnerabilities) through
flaws in the design, development, deployment, upgrade, or maintenance of the application, .
14. What is SAP Security and which security standards and regulations it recommends?
SAP Security also follows the Application Security methods, where in the measures are taken
throughout the SAP's life-cycle to prevent un authorized access to the SAP system. It follows the
Sarbanes-Oxley Act (SOX), which helps the companies to quickly identify any threats and either to fix
them or mitigate them as and when they occur with a periodic review.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
Maintaining the system with defined processes in the User Management, Role Management activities
are also a part of these Security standards.
Whenever a user logs on to the SAP System, a user buffer is built containing all authorizations for
that user. Each user has their own individual user buffer. This can be viewed using transaction code
SU56
16. How to reset the user buffer? And also the other various buffers?
It is always recommended to make the user logoff and login again to the SAP system, which will
automatically reset the user buffer. However, if you wish to manually reset the buffer for any user, go
to SU53 or SU56 transaction codes, click authorization values, select “Reset User Buffer” option.
However, if you wish to reset the buffer for a different user, select the other user using button.
Please note: resetting of the buffers could change the performance of the entire system.
SAP doesn't restrict on the number of roles assigned. However, the maximum Profiles that can be
assigned to any user is ~ 312.
Table USR04 holds the Profile assignments for users. This table contains both information about the
change status of a user as well as the list of profile names that were assigned to the user.
The PROFS field is used to save the change indicator (C = User created, M = User changed) and the
name of the profiles assigned to the user. The field is defined with a length of 3,750 characters. Since
the first two characters are for the change indicator, 3,748 characters are still available for the list of
profile names per user. Since the maximum length for each profile name is 12 characters, the
maximum number of profiles per user is 312.
Note 841612 delivered a solution for increasing the number of usable profiles per user from 300 to
the maximum value of 312.
18. How can I find out all field values for ACTVT?
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
All possible activities (ACTVT) are stored in table TACT. Also, the valid activities for each
authorization object can be found in table TACTZ.
Execute SE16 or SE16N transaction code. Enter the table name “AGR_1252”. Enter the Role name in
the role field and hit execute.
20. How to remove duplicate roles with different start and end date from user master?
To remove duplicate roles from the user master, perform the following:
NOTE: A list of user IDs can be specified to remove the duplicate/expired roles.
5. Click Execute.
It is not possible to change the parent role, once a role has inherited the properties from a different
role.
The only option is to delete the derived role which is not required, and create a new derived role with
the new relation ship.
To get a list of derived roles under master roles, perform the following:
This will list out all the master & derived roles.
A maximum of 150 authorization objects fit into a profile. If the number of authorizations exceed, the
Profile Generator will automatically create more profiles for the role.
A profile name consists of twelve (12) characters and the first ten (10) may be changed when
generated for the first time.
Authorization field can be changed to Organization field using the ABAP program
PFCG_ORGFIELD_CREATE. Below are the steps to do the same:
Use the Test mode option to identify a list of roles which are affected with this change. Also, note that
organizational level fields should only be created before you start setting up your system. If you
create organizational level fields later, you might have to do an impact analysis.
25. Can I convert ACTVT and TCD authorization fields to Org fields?
The fields "ACTVT" (activity) and "TCD" (transaction code) cannot be converted into an organizational
level field.
When user executes a transaction code, the below checks will be done:
The authorization for a transaction code is identified with S_TCODE authorization object. Further, the
system will check for the minimum authorization activities/values that are required. Table TSTCA will
list these minimum activities/values that are required.
27. What are the different ways to set password limitations/exceptions in SAP?
• Profile parameters
• Maintaining forbidden password list in USR40 table.
A complete list of logon parameters with complete description is available in the SAP help website:
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.h
tm
For maintaining forbidden password list, refer “Learnbasis - Specifying Impermissible Passwords.PDF”
file.
28. Other than SU53, how can you get missing authorization details?
Missing authorization can be traced out using ST01 trace analysis also. For a detailed procedure, refer
“Learnbasis - Working with Roles & Profiles.PDF” document.
Using SECATT transaction code, create a test script/configuration and use it to reset the password for
mass users. There is no other possibility.
30. Is it possible to derive a role which is not having any t-code but have some manually
entered authorization objects? If yes, how?
No. The imparting role will only inherit the menu structures. The authorization objects that are
manually inserted will not be inherited.
Yes. Every user will have the option to reset his/her own password. In the SAP logon screen enter the
user name and click the New password button.
Note that user will be able to change his/her password only once in a day.
32. I have 3 clients in my Development system. Client 100 is used for new developments,
and initial tests are carried in client 200. How the changes will be reflected in the other
clients?
No. The role/transaction code changes made in 1 client doesn’t reflect in the other clients. The
changes made should be captured in a transport request and should be imported in the other clients
using SCC1 transaction code.
33. Through which transaction code I can do a mass user comparison? What's the daily
background job for the same?
PFUD transaction code is used to perform a mass user comparison. The daily background job that is
scheduled in the system is PFCG_TIME_DEPENDENCY. Below SAP help website provides more
information:
http://help.sap.com/saphelp_46b/helpdata/ru/52/6711ec439b11d1896f0000e8322d00/content.htm
34. Which are the necessary objects for controlling the t-code SU01?
S_USR_GRP and S_USR_AGR are the main authorization objects that control SU01 transaction
code access.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
New authorization objects can be created using transaction code SU21. Below are the steps:
NOTE: Custom field names can be created using SU20 transaction code.
36. Why the profile should be re-generated after making modifications in the role?
When changes are made in a role, the profile should be re-generated again. This will update the
profile data with the new/modified authorization objects, fields, activities, and values.
If the profile is not re-generated, you will see the Authorizations tab in Red color.
37. How can we find out the roles that got directly generated in the Production system?
Ideally, all the roles should be modified in the Development system, and imported in the Quality and
Production systems.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
In critical business situations, the roles are directly modified in the production system. Further, to
normalize the same changes will be carried out in Development again and transported across the
landscape.
To identify the role changes that are made directly in the production environment, you can view the
Role changes under change documents in SUIM transaction code.
38. What are the various ways to re-generated SAP_ALL profile? Why it is required?
SAP_ALL profile should be re-generated to update the profile with the new authorization objects,
values, and fields. This will also avoid the assignment of SAP_NEW profile.
Regenerate SAP_ALL option in SU21 will regenerate the profile only in the current client. The ABAP
program AGR_REGENERATE_SAP_ALL will regenerate the profile in all the existing clients.
40. What are the different types of users that can be created in SAP?
41. What is the meaning of the traffic lights Icons for the authorization maintenance?
Green: All fields below this level have been filled with values
Yellow: There is at least one field (but no organizational levels) below this level for which no data
has been proposed or entered
Red: There is at least one organizational level field below this level for which no value has been
maintained.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
Status text will quickly help you to identify how the authorization object is added/maintained in any
role. Below are the various texts:
Standard: Unchanged from the SAP defaults. It has the values that are added by PFCG
automatically.
Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and
has been maintained.
Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has
been changed from the SAP default value.
Manual: The authorization object is added manually and maintained.
To deactivate the special properties of SAP*, set the system profile parameter
login/no_automatic_user_sapstar to a value greater than zero.
S_TABU_DIS is the authorization object which allows access for table entries. The activity filed
determines the kind of action a user can make on table entries (create, display, change etc.,)
Secondly the field DICBERCLS makes use of the authorization group assigned to the table. You can
check for it in table maintenance generator. Once you give access for one authorization group then
the user will have same access for all tables belonging to that group.
45. Which authorization object grants authorization to maintain cross client tables with the
standard table maintenance transaction?
S_TABU_CLI authorization object enables you to protect cross-client tables from unintentional
accesses. It has the field CLIIDMAINT, in which the value X can be added to grant a user
authorization to maintain cross-client tables. Value ‘ ‘ will retain the authorization to the current client
only.
46. How to identify the list of roles in which S_TCODE is assigned manually?
ABAP program PFCG_AGRS_WITH_MANUAL_S_TCODE will help you to quickly identify the roles
in which S_TCODE is manually included.
Authorization object S_BTCH_ADM with "Y" provides the batch administration access to the users. If
this is restricted to "N" or disabled, the user will be restricted to work with only class C (low priority)
jobs and to only his or her own jobs in the client that he or she is logged on to.
Restriction of deleting the jobs of other users can be maintained using S_BTCH_ADM and
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
S_BTCH_JOB authorization objects. When the S_BTCH_ADM value is set to Y, users will be able to
manage the jobs of other users also. The value should be set to N, and also for the S_BTCH_JOB, the
operation DELE should be revoked. This will retain access of deleting users own jobs, but not for the
other users.
Procedure # 1:
You can see the Authorization group associated with the table.
Procedure # 2:
1. Go to SE16
2. Enter TDDAT as the table name
3. Enter the table for which you wish to know the authorization group
4. Click Execute
50. Which table holds the information of all the tables in SAP?
DD02L table holds the information of all the other tables in SAP.
51. What are the different types of tables and how the restrictions are maintained?
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
The tables can be divided into two groups:
Cross-client tables are the tables that are valid for the whole system, and not only for one client. For
eg: T000 table.
Client-dependent tables are always valid for one client. The classification documented by a technical
setting that can be reviewed by looking up the table DD02L.
The column “client-specific” is relevant. The entry X means, that this is a client-specific table. If the
field is empty, the table is a cross-client table. See below:
In SAP, the table level protection can be done at two different levels:
The first level is the general protection of tables that is covered by the authorization object
S_TABU_DIS. Users who wants to have a table access needs a corresponding authorization on
S_TABU_DIS. The object S_TABU_DIS consists of two fields. The field ACTVT [activity], and the
field DICBERCLS [authorization group].
Concerning the values for the field DICBERCLS the assignment and selection is a bit more complex.
Tables are protected by so-called authorization groups. The defined groups are listed in the table
TBRG. The assignment of tables to authorization groups is listed in the table TDDAT.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
Every table can only have one authorization group. But every authorization group may protect a
number of tables. Tables that are not especially protected by an explicitly defined authorization group
are protected by the authorization group &NC&. “NC” stands for “Non Classified”.
So that we can conclude as a rule that for maintenance access to tables an authorization on the
object S_TABU_DIS with a corresponding ACTVT as well as a matching authorization group is
required.
The second step in the table access control is based on the object S_TABU_CLI.
To summarize, for accessing client dependent tables an authorization on the object S_TABU_DIS is
required and for accessing cross-client tables for maintenance an authorization on the objects
S_TABU_DIS and S_TABU_CLI is required.
Further, the object S_TABU_LIN was created for further table access limitation.
S_TABU_LIN allows an access granularity down to the line level of the tables.
This is connected to special customizing adjustments, the definition and activation of so-called
organizational criteria.
52. What is a developer access key? How to get it and which table holds this information?
Any ABAP developer can create/work on custom programs (program that start with a "Y" or "Z")
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
requires a developer access. Assigning the authorizations itself will not provide the access, and the
user should be registered with the developer access key. The same can be obtained from the below
website:
https://www.service.sap.com/licensekey
The key will be valid for only the installation number for which it is registered with SAP.
Table DEVACCESS holds the Developer key information, which can be viewed with SE16.
TCDCOUPLES is a table which provides you the information of the transaction codes that are called
by a transaction internally. It is used quickly to identify the “CALL TRANSACTIONS” for custom
transaction codes. Also, it is a good method to give backend access to a tcode if we do not want to
enable S_TCODE access for it. After a transaction is called, all those authority checks are performed,
which may not be part of the check in the calling tcode.
TACT table contains the various activities in the SAP system. All the authorization objects pull the
activity values from this table.
PDAG stands for Pre Delivered Activity Groups. There are the roles that come along with the SAP
installation. You may quickly see in the system for SAP* roles. The PDAGs are used as templates in
creating the administration and functional roles during the implementations or assigned to the users,
till the custom build roles are available to carry out the configuration changes in the system.
56. When a user is not able to download reports from SAP, what authorization you will
check?
To download various data from SAP system, users should have access to S_GUI authorization object
with activity 60. This authorization is normally added in the common role.
The user calling transaction must have an authorization for the authorization object listed in table
TSTCA in his or her user master record. TSTCA contains the minimum required authorization
objects/values that are required to execute a transaction code. In simple, it makes the transaction
executable.
Variants allow you to save sets of input values for programs that you often start with the same
selections.
There are various methods to create variants. To know the standard process, visit the below link:
http://help.sap.com/saphelp_nw04/helpdata/en/c0/980389e58611d194cc00a0c94260a5/content.htm
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
To quickly create a variant, execute the report using SA38 or SE38 transaction code, enter all the
values, click Goto menu, Variants, Save as variant option.
The variant can be further loaded using the Get variant icon on any execution screen.
59. What is user master record and which tables holds the User master record
information?
User Master Record is the record that contains important master data for a user in the SAP system.
The user master record contains the assignment of one or more roles to the user. In this way, a user
menu and the corresponding authorizations for the activities contained in the user menu are assigned
to the user. Only users who have a user master record can log on to the system.
User data resides in table USR01-USR31 and USH*. This can be used as a quick way to obtain user
data for any quick reporting such as user type, last logon, or any other information related to users.
The primary header data table is USR02.
60. Which report gives you the information of users with missing address data such as
email ID, phone number etc?
When users are created in the SAP system, their details including address are entered into the
system. For some reasons or the other, it is possible to have users that have incomplete address
data.
Report RSUSR007 is used to generate a list of such users. These users can be reviewed and their
address data completed appropriately.
Please note, it is good practice to have complete address for all users. It helps user organization and
management.
61. What is the difference between a dialog and service type user ID?
A user of the type Service is a dialog user that is available to an anonymous, larger group of users.
Generally, this type of user should only be assigned very restricted authorizations.
For example, service users are used for anonymous system access via an ITS service. Once an
individual has been authenticated, a session that started anonymously using a service user can be
continued as a personal session using a dialog user.
During logon, the system does not check for expired and initial passwords. Only the user
administrator can change the password. Best example is Fire Fighter IDs.
62. What are the maximum number of profiles that can be assigned to a user?
Maximum Profiles that can be assigned to any user is ~ 312. Table USR04 (Profile assignments for
users). This table contains both information on the change status of a user and also the list of the
profile names that were assigned to the user.
The field PROFS is used for saving the change flag (C = user was created, M = user was changed),
and the name of the profiles assigned to the user. The field is defined with a length of 3750
characters. Since the first two characters are intended for the change flag, 3748 characters remain
for the list of the profile names per user. Because of the maximum length of 12 characters per profile
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
name, this results in a maximum number of 312 profiles per user.
63. How you will allow the functional teams to perform direct changes in the production
environment?
Direct changes in the production system are not allowed. However, there are a few instances where
changes should be made in the production system directly such as number range maintenance,
factory calendar maintenance etc.,
In such cases, a System modification required should be raised and approved by the system owner or
the system controller who owns the system.
After the changes are made, the client will be set to No changes allowed.
Dependency of the role can be checked using SE03 transaction code. Dependency of the roles should
be checked before making any changes to the role. Below are the step by step instructions:
3. Enter ACGR and the role name, click the check box and click Execute.
This will display all the transport requests that are created for the role entered. Pick the last
Transport request and check the Logs. If the changes are moved to production system, it means the
role has no dependency.
65. What are the various types of transport requests, and explain?
• Customizing request
• Workbench request
• Transport of copies
• Relocation
Config roles are created during the time of a new implementation and when no other roles are
existed. Following are the steps to create a Config role:
Once the Project is created, we will have to create the role in the Profile Generator:
This will add all the transaction codes. However, note that no menu changes are further possible in
the IMG config role and you may not see other buttons also in the Menu tab.
Debug access is a critical access that should be restricted in the Production system. It is a way to
look behind all screens, inside the running programs. This also may allow users to see data which is
normally hidden from them according to their authorizations.
Debug access can be provided with the authorization object S_DEVELOP and object type DEBUG.
NOTE – In most of the landscapes the DEBUG access is only assigned to FF IDs.
SU53 is a quick solution to identify any missing authorizations for the users. However, it will only
display the last missing authorization.
• To quickly identify the list of authorization objects, fields, values that needs to be included in a
role when you are creating it for the first time.
• To trace for the repetitive missing authorizations
Refer the Learnbasis R/3 Reference document for the complete process on analyzing SU53 and ST01 results.
Authorization to use a specific printer(s) or other output device(s) can be provided with the
authorization object S_SPO_DEV. The object consists of the field Spool: Output device, where you
can include the SAP names of the output devices for which a user is to be authorized. Example The
value "LT*" authorizes a user to use all printers with beginning with "LT" in spool administration.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
70. How to revoke “Import All” transport authorization to a user?
To revoke the Import All requests (The icon), you need to remove the IMPA authorization under
S_CTS_ADMI authorization object.
Also, if you wish to remove individual requests also, the IMPS authorization should be unchecked.
OSS – Online service system, which is a service provided by SAP to help on any critical issues in your
SAP instance. When SAP needs to connect to your system to analyze the root cause of the issues,
you will be requested to open an OSS connection. To enable SAP login to your system, an OSS IDhas
to be created and further the user login information should be updated in an area called “Secure
area”.
Also note, all the systems will be listed when you login to service.sap.com and all that you need to
do is to open the system for SAP specifying the number of days till which the connection should be
active using the secure area information.
The table USOBX_C defines which authorization checks are to be performed within a transaction and
which not (despite authority-check command programmed). This table also determines which
authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default
values an authorization created from the authorization object should have in the Profile Generator.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
4. Click Save button.
5. select the relevant package from the drop down list
6. Save again.
The New authorization objected is created now. Further maintain the default values from SU24
transaction code.
74. If users were not able to run CATT scripts, what changes do you recommend?
If the user can’t run the CATT script, you need to enable the option in SCC4 transaction code. Below
are the steps:
5. Click Save.
75. What are the ways to identify the number of users in a client?
77. How to generate a list of users who haven’t logged in for the last 30 days?
ABAP Report RSUSR200 can be used to generate a list of users who haven’t logged in the last 30
days. Below is the selection:
Dormant user ID review is identifying the users who haven’t logged in to the system from a long
period. These IDs will be identified using RSUSR200 report or generating a list of IDs from USR02
table. The ERDAT field can be used to identify the last logon date.
79. Which report shows the status of standard system users status in all the clients?
Report RSUSR003 displays the status of the standard system users (SAP* and DDIC) in all the
available clients in the system.
PFCG_TIME_DEPENDENCY is a program used to do the user comparison. It will update the user
master records with new data.
If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business, the
authorization profiles in the user master will be updated and the users will have only the valid roles.
1. In role maintenance (transaction SUPC), choose Utilities, Mass Generation in the role maintenance
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
(transaction SUPC).
2. Specify the desired selection criteria.
To generate all profiles to be generated automatically (last checkbox), you can further restrict the
role selection in the next screen.
Source – help.sap.com
83. How to lock/unlock a transaction code. Give some examples on the usage?
A transaction code can be locked using SM01 transaction code. Below are the steps:
For eg: SCC5 is locked to further protect the system with Deleting the clients. Even though a user
has authorization to SCC5 transaction code, he will not be able to execute the tcode.
A role(s) should be deleted in Development system, and further transported across the landscape.
You will not be able to delete the role in a production system directly, since the production
environment is freezed for changes.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
For a detailed procedure, refer the “Learnbasis.com R/3 Working with Roles & Profiles.PDF” document.
Audit logs for a user can be enabled using SM19 transaction code. Below are the steps:
1. Go to transaction SM19.
2. Select the Filter1 to activate.
3. Click checkbox of Filter 1.
4. Enter the Client and User names to be traced. (NOTE – A * value can be given to trace in all the
clients/for all the users.)
5. In the Audit classes section, click “on” all the auditing functions you need for this profile.
6. In the Events section, click the radio button to the left of the level of auditing you need.
7. Once you have entered all your trace information, click the Save picture-icon.
You will receive an Audit profile saved in the status bar at the bottom of the screen.
Please note that while the user trace has been saved, it is not yet active. To activate the user trace,
see the next sectionActivating a User Audit Profile.
For a detailed procedure, refer the “Learnbasis.com SAP Security Audit Log.PDF” document.
Refer the “Learnbasis.com R/3 Working with Roles & Profiles.PDF” document.
One of the primary advantages of user groups is to sort the users into logical groups. This allows
users to be categorized based on functional areas/positions.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
User Groups also allow segregation of user maintenance, this is especially useful in a large
organization as you can control a specific group of users and give authorization to administer them.
The most important factor identified is that the lack of user groups is an indication that there may be
problems with the user build process. This is very "fuzzy" but is a bit of a warning flag. User groups
can be created using SUGR transaction code.
89. What is the difference between user group in Logon data tab, and Groups tab?
If you assign a user to a user group for the authorization check on the Logon Data tab, you can
distribute user maintenance tasks among several user administrators. The system administrator can
assign the respective user administrator the right to create and change users in a group. Using the
authorization object User Master Maintenance:User Groups ( S_USER_GRP), you can assign user
groups to different administrators.
Users that are not assigned to any of the groups, can be maintained by all administrators.
You use the division of users into user groups on the Groups tab primarily to group users for mass
maintenance (transaction SU10). No authorization check can be performed on the user groups
assigned to the users under the Groups tab.
90. How to assign parameters and what are they used for?
Parameters can be assigned to the users from SU01 transaction, Parameters tab. Parameter has
fields that a user wants to get auto filled when he open some transaction code. This field can be filled
with proposed values from SAP memory using a parameter ID.
For example, if a user only has authorization for company code AU50 and he wants the company
code field to be auto-filled in every transaction. For this, a parameter is defined in the parameter ID
column. Fields that refer to the data element are automatically filled with the value 300 in all
subsequent screen templates.
91. How to extract data from tables and what are the minimum authorizations required?
Data from tables can be extracted using SE16 or SE16N transaction code. To download the data, a
user should have authorization to S_GUI with activity 60.
92. How to determine the instance on which user has logged in?
To identify the instance on which user has logged in, go to AL08 transaction code and search for the
user ID.
93. What is an application instance and how different it is from the central instance?
Application instance is a collection of Dialog Work process which is maintain for the load balancing for
the End users.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
However, a Central Instance is the combination of Database instance and Dispatcher and Message
Server, Enqeue Server. Note that both the instances will be running under the same SID.
However, make note that the user current data will not be saved,
when you force log off. You should be careful when using this
option, especially in the production systems.
It is not recommended to convert profiles to roles manually and the best approach is to create the
roles from the scratch. However, if you wish to create roles from profiles, use SU25 transaction code
and select the option 6, which is highlighted below:
Once you execute, you will be prompted with the list of profiles and you can select the role and click
Optimized option and click when prompted to create a role.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
The alternative procedure is to create a role and Insert a profile. Below are the steps:
97. How to get the user ID list along with the mail IDs?
There is no standard report that gives you this information. You may join tables ADR6 and USR21
by PERSNUMBER. Use SQVI transaction code, if you are allowed to do this, else you may need to use
MS Access to get the report by maintaining the relationship of PERSNUMBER.
Spool access is controlled with S_SPO_ACT authorization object. To restrict the access to users own
spools, you may use the special characters __USERS__
Common Role will have transaction codes which are required for every Dialog user in the SAP system.
Below are the list of commonly used transaction codes:
• SU53
• SMX
• SP01
• SP02
• SU3
• SU56
• SBWP
Also, note that it contains commonly required authorization objects such as S_GUI, S_RFC, etc.,
100. How to re-generate SAP_ALL profile using SU21? And why it is required?
If you add any new authorization objects, it is recommended to re-generate the SAP_ALL profile.
Below are the steps to re-generate SAP_ALL:
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
2. Click “Regenerate SAP_ALL” button.
3. Select Yes when you are prompted to confirm the re-generation.
No. It’s not possible. A user can be assigned only with 1 company address.
The Assign other company address will prompt a list of existing company addresses from which the
required company can be selected. However, the “Assign new company address…” button will allow
you to create new company address.
104. We are unable to modify the users thru SU01 transaction code, and experiencing
"company address locked" error. How to troubleshoot this issue?
This is an identified issue is SAP R/3 version 4.5 and 4.6C. SAP has released a source code correction
for this issue. Refer SAP note: 312714 - Unnecess. lock on company addr. in displ. mode SU01
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
105. How to setup a company address as default?
106. Which table contains all the fields currently set as Organizational Levels in PFCG?
107. How to identify the roles with open authorization objects & organization values?
AGR_WITH_EMPTY_FIELDS report gives you a list of roles with open authorization objects
(unmaintained). You can execute the program from SA38 or SE38.
Similarly the report AGR_WITH_EMPTY_ORGS to list out the Roles with Unmaintained Organization
level fields.
108. When user logs in, instead of SAP easy access screen, he gets into a transaction code
screen. How to disable it?
This issue happens if a transaction code is set as default. To remove this, perform the following:
1. Go to Extras.
2. Select Set Start Transaction (Shift+F7).
3. Remove the transaction code that exists.
109. How should I grant PFCG display access and SU01 maintain access?
Assignment of roles to users in SU01, SU10, and PFCG transaction codes require authorization to
S_USER_GRP with Assign (22) activity and S_USER_AGR with Change (02) activity.
If Change activity is assigned, the user will get access to change roles too.
To limit the authorization to PFCG display, you have to set a switch in PRGN_CUST table. This will
check only S_USER_AGR activity 22 while assigning roles. Below are the steps:
For further information, check SAP Note 312682 - Checks when assigning users to roles.
110. Can you have more than one set of org-level values in one role?
No, it is not possible to have more than one set of org-levels. You have to create two separate roles
to achieve this.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
111. User has SAP_ALL, and SAP_NEW assigned, but still experiencing Missing
authorizations. What is the issue?
In most cases the issue occurs due to an old version of the user buffer for authorizations. To resolve
this issue, set the profile parameter auth/new_buffering to switch to the newest version of the
user buffer.
Also, re-generate SAP_ALL profile from SU21 transaction code to update it with the authorization
objects that are added recently.
Further note that a small set of authorizations objects are not a part of SAP_ALL , for e.g. the
authorization object for S_RFCACL. In such case, you have to manually add them through separate
roles.
112. How to transport user groups that are created in transaction code SUGR?
User Groups cannot be transported. They have to be created locally in each client.
113. What are the tables in which customizing settings for the security administration can
be made?
Most of the customizations are carried out in the tables PRGN_CUST and SSM_CUST.
114. What is the difference between SU24 and SU22? What is "orginal data" in SU22
context?
SU22 is used by SAP to create authorization proposals. SU24 is used by customers to adjust these
authorization proposals from SAP.
115. How do you remove a developer's access and developer keys from a system?
116. We have removed SU01/SU10/SECATT authorization from the all the roles. However,
some of the users were able to maintain users. How it is possible?
This happens, if the users have a range of tcodes access under S_TCODE with S_USER* authorization
object access.
The tcodes OMDL, OMEH, OMWF, OPF0, OTZ1, OY27, OY28, OY29, OY30 gives access similar to
SU01 transaction code.
Ensure that these tcodes are removed from the assigned list.
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com
117. How to Restrict a user to a access a particular table?
You can define a new authorization group for the specific table using transaction code SE54. Further
you can create a role with S_TABU_DIS, with the specific authorization group.
Read & implement SAP Note 1481950 which defines a concept of securing tables. A new
authorization object S_TABU_NAM which has two fields Activity and TABNAME is added to the
existing objects by SAP. However, this object is valid for SAP_BASIS 700 only.
Some thing to look for is Note 1481950 - New authorization check for generic table access using new
auth object S_TABU_NAM. Remember Bernhard talking about it.
118. What is the difference between Standard & Manual objects in PFCG?
Standard authorization objects are those which are added automatically by PFCG. Manual objects are
the ones that are added manually by the Security folks. It is always recommended to tag the related
authorization objects to the transaction codes from SU24, instead of adding them manually.
119. There are few forbidden password strings added in USR40 table, but still they are
allowed while resetting the password through SU01? What is the issue?
This is not an issue and is by design. The administrators are allowed to set password combinations
which are added in USR40. However, when user tries to change the password, it will check USR40
table for the exception list. There is no way to restrict the administrators from setting up a password
from this list.
Refer Check note 2467 for more info about password policy.
120. The “Assign new password” dialog box remains in the screen (both in SU01, and
while user tries to change his password). It doesn’t allow going further. How to resolve
this?
Refer SAP Note 1487237 - User password cannot be changed in SU01 after upgrade.
1. Goto SE16.
2. Enter TADIR
3. Enter ECAT as OBJECT.
4. Enter Z* in the OBJ_NAME
5. Click Execute
Copyrighted article under Creative commons. Attribution-Noncommercial-No Derivative Works 2.5 India.
All rights reserved with the author & SAPSecurityExpert.com