Saturday, 15 November 2014

SAP Security Interview Questions And Answers Part -2

1. How do you identify SAP standard roles?
SAP standard roles will start with “SAP*”

2. How do you assign SAP standard role to user or what is the procedure to assign SAP standard role?
It’s good to avoid direct assignment of SAP standard roles and copy SAP standard role to a new role and assign it to the users.

3. There is no authorization profile assigned to a role whether its considered as composite role?
No its not considered as composite role and it’s a incomplete single role

4. What are the role types available?
  • Single role
  • Composite role
  • Derived role
  • Master role
  • Copy role

5. What is the relationship between parent role and derived role?
Parent role is the place where we maintain list of tcodes and derived role will inherit all the authorizations from parent role except Org values.

6. What are the values for user lock?
  • 00 - not locked
  • 32 – Locked Globally by administrator
  • 64 – Locked by administrator
  • 128 – Locked due to incorrect logon attempt

7. How do you deactivate a authorization object globally?
Goto tcode SU25 and select step 5. Deactivate authorization object globally

8. If all users are locked mistakenly and how do you login to sap system
Check link how to unlock SAP* at OS level

9. Which authorization object used to check transaction codes?
S_tcode

10. Which authorization object is used to check HR transaction codes?
P_tcode

11. Why do we need to create a TR for a role?
Roles are developed in development system and tested in quality system and moved to production system, so that’s why we need to create a transport request for a role when its created/changed

12. List out important security tcodes
PFCG                 Role Maintenance
SM19                 Security Audit Configuration
SM20                 Security Audit Log Assessment
ST01                 System Trace
SU01                 User Maintenance
SU02                 Maintain Authorization Profiles
SU03                 Maintain Authorizations
SU10                 User Mass Maintenance
SU21                 Maintain Authorization Objects
SU24                 Auth. Obj. Check Under Transactions
SU25                 Upgrade Tool for Profile Generator
SU53                 Display Check Values
SUIM                 User Information System

13. What are the mandatory fields while creating a username?
Password and lastname

14. What is the difference between USOBX_C and USOBT_C?
Table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ) when its executed. This table also determines which authorization checks are maintained in the Profile Generator.
Table USOBT_C  defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

15. How do you create usernames in SAP?
Goto transaction SU01 and creating a new username, you must enter an initial password for that user on the Logon data tab and last name in address tab


16. What are the authorization objects are required to create and maintain user master records?
  • S_USER_GRP: User Master Maintenance: Assign user groups
  • S_USER_PRO: User Master Maintenance: Assign authorization profile
  • S_USER_AUT: User Master Maintenance: Create and maintain authorizations

17. List R/3 User Types
  • Dialog - users are used for individual user. Check for expired/initial passwords Possible to change your own password. Check for multiple dialog logon
  • Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted
  • System - users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
  • Reference - user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.
  • Communication data – GUI logon not possible and and check for expired/initial passwords and its used for RFC connections

18. What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on.

19. What is the difference between the table buffer and the user buffer?
The table buffers are in the shared memory. Buffering the tables increases performance when accessing the data records contained in the table. Table buffers and table entries are ignored during startup. A user buffer is a buffer from which the data of a user master record is loaded when the user logs on. The user buffer has different setting options with regard to the 'auth/new_buffering' parameter.


20. How do you find out who has deleted a user from your system, Is there a table where this is logged?
Debug or use RSUSR100 to find the info's.
Run transaction SUIM and down its Change documents.

21. What is the difference between role and a profile?
Role and profile go hand in hand, Profile is bought in by a role.
Role is used as a template, where you can add T-codes, reports. Profile is one which gives the user authorization.  When you create a role, a profile is automatically created.

22. What is system profile version?
Profile versions are nothing but when you modify a profile parameter in RZ10 and generates a new profile is created with a different version and it is stored in the database and physical backup file is created as .bak.

23. What is the use of role templates?
User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

24. What is the different between single role & composite role?
A role is a container that collects the transaction and generates the associated profile.  A composite roles is a container which can collect several different roles

25. Is it possible to change role template? How?
Yes, we can change a user role template. 
  • we can use it as they are delivered in sap
  • we can modify them as per our needs through PFCG
  • we can create them from scratch
SAP Security Interview Questions And Answers Part -1
SAP Security Interview Questions And Answers Part - 3


Please do share if you like this post:)

No comments:

Post a Comment

Note: only a member of this blog may post a comment.