Thursday, 23 July 2015
Sunday, 19 July 2015
SUIM Reports/ABAP Reports Required for SAP Security Team
RSUSR000 Currently Active Users
RSUSR002 Users by Complex Selection Criteria
RSUSR002_ADDRESS Select users by address data
RSUSR003 Check the Passwords status of Users SAP* and DDIC in All Clients
RSUSR004 Restrict User Values to the Following Simple Profiles and Auth. Objects
RSUSR005 List of Users with Critical Authorizations
RSUSR006 Locked Users and Users with Incorrect Logons
RSUSR007 Display Users with Incomplete Address Data
RSUSR008 Critical Combinations of Authorizations at Transaction Start
RSUSR008_009_NEW List of Users with Critical Authorizations
RSUSR009 List of Users With Critical Authorizations
RSUSR010 Transactions for User, with Profile or Authorization
RSUSR011 Lists of transactions after selection by user, profile or objects
RSUSR012 Search authorizations, profiles and users with specified object values
RSUSR020 Profiles by Complex Selection Criteria
RSUSR030 Authorizations by Complex Selection Criteria
RSUSR040 Authorization Objects by Complex Selection Criteria
RSUSR050 Comparisons
RSUSR060 Where-used lists
RSUSR061 Enter Authorization Fields
RSUSR070 Roles by Complex Selection Criteria
RSUSR080 Users by License Data
RSUSR100 Change Documents for Users
RSUSR101 Change Documents for Profiles
RSUSR102 Change Documents for Authorizations
RSUSR200 List of Users According to Logon Date and Password Change
RSUSR300 Set External Security Name for All Users
RSUSR301 Fill non-checking transactions with auth.object S_TCODE
RSUSR302 Delete authorization check on object S_TCODE from table TSTCA
RSUSR304 Reload Table TSTCA From Table TSTCA_C
RSUSR400 Test Environment Authorization Checks (SAP Systems Only)
RSUSR401 Report to give all SAPCPIC users profile S_A.CPIC
RSUSR402 Download user data for CA manager from Secude
RSUSR403 Assign Profile S_A.CPIC to User SAPCPIC in Current Client
RSUSR404 Conversion Program for Authorizations of Basis Development Environment
RSUSR405 Reset all user buffers in all clients (uncritical)
RSUSR406 Automatically Generate Profile SAP_ALL
RSUSR406_OLD Automatically Generate Profile SAP_ALL
RSUSR408 XPRA: Conversion of USOBX-OKFLAG, USOBX-MODIFIED for upgrade tool
RSUSR409 Transfer all translated titles to generated transaction codes
RSUSR421 Clean-up report: TSTC-CINFO if no check in TSTCA
RSUSR500 User Administration: Compare Users in Central System
RSUSR500D Report RSUSR500D
RSUSR998 Call Reporting Tree Info System
RSUSREXT Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)
RSUSREXTID Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)
RSUSRLOG Log Display for Central User Administration
RSUSRSCUC CUA: Synchronization of the Company Addresses
RSUSRSUIM User Information System
RSUSR_S_USER_SAS Activate Authorization Object S_USER_SAS
RSUSR_S_USER_SAS_01 Complete Authorization Data for S_USER_SAS in Roles
RSUSR_S_USER_SAS_02 Convert Authorization Defaults
RSUSR_SYSINFO_PROFILE Report cross-system information/profile
RSUSR_SYSINFO_ROLE Report cross-system information/role
RSUSR_SYSINFO_ZBV Report cross-system information/CUM
Wednesday, 15 July 2015
Critical Authorization Objects
| S.No | Auth.Object | Description |
|---|---|---|
| 1 | S_TABU_DIS | Used to protect tables using authorization groups with activity |
| 2 | S_TABU_CLI | Auth object used to protect cross-client tables |
| 3 | S_TABU_LIN | Auth object used to protect tables based on line items |
| 4 | S_TABU_NAM | New auth object for table access based on names |
| 5 | S_PROGRAM | Used to run ABAP reports/programs via SA38 |
| 6 | S_DEVELOP | Auth object used to control ABAP objects or debug access |
| 7 | S_USER_AGR | Used to control roles |
| 8 | S_USER_AUT | Checked during authorization maintenance |
| 9 | S_USER_GRP | Used to control user groups |
| 10 | S_USER_PRO | Used for profile maintenance |
| 11 | S_BDC_MONI | Used to protect batch input monitoring |
| 12 | S_BTCH_JOB | Used for background job monitoring and administration |
| 13 | S_BTCH_ADM | Used for background job administration |
| 14 | S_BTCH_NAM | User-level control for background job scheduling |
| 15 | S_SPO_ACT | Used for spool administration which controls S_ADMI_FCD |
| 16 | S_ADMI_FCD | Basis administration like spool and monitoring |
| 17 | S_SPO_PAGE | Used to control the name of the output device and the number of pages |
Monday, 13 July 2015
SAP BI/BW Security with Step by Step Procedure
Here is a very good SCN blog post for SAP BW/BI Security with Step by Step procedure by Kamaljeet Kharbanda
Saturday, 11 July 2015
SAP Security Interview Questions And Answers Part - 3
1. What is reference user type?
A reference user is used to assign delegated/temporary access to a user.
For example, when a user goes on holiday, another employee must take over responsibility during that time to avoid business impact. This can be achieved using the reference user type. You can assign a reference user in the Roles tab.
2. How do you create an authorization object?
Go to SU21, select an authorization class, create an authorization object, maintain its authorization fields, and maintain an authority check for it.
3. Is it possible to convert authorization fields into organization fields and what are the exception/restrictions for it?
ABAP report PFCG_ORGFIELD_CREATE is used to convert authorization fields into org level fields; similarly, report PFCG_ORGFIELD_DELETE is used to convert org level fields into non-org fields.
a. Only create Organizational level fields before you start setting up your system. If you create organizational level fields later, the authorization data for roles may have to be post processed.
b. The fields "Activity", "ACTVT" and "Transaction code", "TCD" cannot be converted into an organizational level field.
Refer: OSS note 323817
4. How do you extract user email address?
USR21 and ADR6 tables are used to get user email address in SAP.
Enter the username in table USR21 and execute it. You will get the “person number”; copy it for each user whose email address is required, enter those person numbers in table ADR6 and execute it, and you will get the email address.
5. How to extract parent and derived role relation?
Table AGR_DEFINE is used to check the parent and derived role relationship.
6. How do you create authorization groups?
The SE54 tcode is used to create authorization groups for tables and programs.
7. How do you restrict a table to particular person or team?
Create an authorization group for the table which needs to be protected, add the auth group to the S_TABU_DIS auth object field value, and give it activities like create, delete, display, etc.
8. In which table will you check the authorization group created for a particular table?
Table TBRG is used to check the available authorization groups, and TBRGT holds the auth groups with descriptions.
9. What are the ORG fields in sap?
1. Company code
2. Controlling area
3. Division
4. Sales organization
5. Plant
6. Business area
7. Purchasing organization
8. Credit control area
9. Account type
10. What are the status lights on the authorization page for authorization fields in PFCG?
1. Red – Org level not maintained
2. Yellow – at least one field left open
3. Green – all fields are maintained
11. What is the difference between R/3 security and BW security?
R/3 security is mainly based on transactions and is controlled via authorization objects using profiles and roles.
BW security is mainly based on analysis authorizations using the RSECADMIN tcode, with very few tcodes compared to R/3, and we should secure Info objects, info cubes, ODS and queries.
BW authorizations are primarily focused on data, not on transaction codes, and are divided into two main areas: authorization for the administrator workbench and authorization for the business explorer.
Authorization objects for field level security in reporting are created as and when needed.
12. Which authorization object gives end user to execute/view a query in BW?
- S_RS_COMP
- S_RS_COMP1
- S_RS_FOLD
13. What is the use of SU24 tcode?
SU24 (check indicator) holds the relationship between tcodes and authorization objects in the customer tables USOBX_C and USOBT_C, from which values are pulled during role creation.
SU24 is used to maintain all the objects that are checked during tcode execution.
14. How do you check authorization check for a tcode?
Check SU24 for the authorization object and its proposal; we can also check the ABAP report.
15. What is the authorization object which gives developer debug authorization?
S_DEVELOP with activity 01, 02 or 03
16. How do you secure/give access to a custom report to users without giving SE38 tcode access?
Create an authorization group for that report to secure it and give SA38 tcode authorization for execution of the custom report, or create a custom transaction code, maintain an authority check, and assign it to users via a role.
17. How do you create a custom tcode?
SE93 is the tcode used to create a custom tcode
18. How do you create a transport request?
The SE01, SE09 and SE10 tcodes are used to create a transport request; we can also create one during customization, e.g. in PFCG, SE38, BD54, etc.
19. What are the types of transport requests?
- Custom transport request
- Workbench transport request
- Transport of copies
- Relocation
20. What is the difference between custom and workbench transport requests?
- Workbench requests are those that involve changes to cross-client customizing and repository objects. These objects are independent of the client, and the requests are used to transport changed repository objects and changed system settings from cross-client tables.
- Customizing requests involve changes to client-dependent objects, so a custom transport request is used to copy and transport requests that are client specific.
21. How do you schedule a background job?
SM36 is used to schedule background jobs.
22. Have you worked on upgrade and steps involved?
Yes
2A. Compare with SAP values
2B. Compare affected transaction codes
2C. Roles to be checked
2D. Display changed transaction codes
23. What is expert mode in PFCG?
Expert mode in PFCG is used to maintain existing roles. It has the following options:
- Delete and recreate authorization and profiles
- Edit old status
- Read old status and merge with new data
24. In which table can you check the relation between composite roles and child roles?
AGR_AGRS
25. What are the license types you assign to end users while creating it?
- Application professional users
- Application limited professional users
- Application ESS user
26. You are not allowed to assign any further roles to a user profile. What would be the reason for it?
The user must have exceeded the limit for profile assignments, i.e. 312.
27. Have you worked with auditors?
Yes with internal auditors and explain it
28. Which table is used to view roles and org level values?
Table AGR_1252 maintains the relationship between roles and org field values.
29. Which table is used to view roles, authorization objects and their values?
Table AGR_1251 maintains the relationship between roles, authorization objects and their field values.
30. Where do you delete old audit logs?
SM18
31. Where do you look at lock entries?
SM12
32. Which authorization object gives you SM12 authorization other than S_TCODE?
S_ENQUE
33. Where do you reset user buffer?
SU56
34. What is the mandatory field in address tab in SU01?
Last Name
35. How do you lock a tcode?
SM01 tcode used to lock a tcode
36. Which table stores all ABAP reports?
TRDIR
37. How do you lock users who didn’t log in to SAP for more than 90 days?
From table USR02 we can get the last login date and time.
38. Which table holds all valid activity fields?
TACTZ
39. ABAP report which is used for user reconciliation?
PFCG_TIME_DEPENDENCY
40. Table which holds all possible authorization fields as variables
USVAR
Part -1
Part - 2