SAP Security Interview Questions And Answers Part - 3

1. What is reference user type?

Reference username used to assign delegation/temp access to a user
i.e example a user is going for a holiday during that time we need to assign another employee to take responsibility to avoid business impact, so that can be achieved using reference user type, You can assign a ref user in roles tab

2. How do you create an authorization object?

Go to SU21 and select authorization class and create an authorization object and maintain authorization fields and maintain authority check for it

3. Is it possible to convert authorization fields into organization fields and what are the exception/restrictions for it?
ABAP report PFCG_ORGFIELD_CREATE used to convert authorization fields into ORG level, similarly report PFCG_ORGFIELD_DELETE used to convert org level field into non org fields

a.    Only create Organizational level fields before you start setting up your system. If you create organizational level fields later, the authorization data for roles may have to be post processed.

b.    The fields "Activity", "ACTVT" and "Transaction code", "TCD" cannot be converted into an organizational level field.
Refer: OSS note 323817

4. How do you extract user email address?
USR21 and ADR6 tables are used to get user email address in SAP.

Enter the username in USR21 tcode and execute it, now you will get “person number” and copy it which users email address required and enter those person numbers to ADR6 table and execute it and you will get the email address

5. How to extract parent and derived role relation?
Table AGR_DEFINE used to check parent and derived role relationship

6. How do you create authorization groups?
SE54 tcode used to create authorization groups for tables and programs

7. How do you restrict a table to particular person or team?
Create an authorization group for the table which needs to be protected and add the auth group to S_TABU_DIS auth object filed value and give it activities like, create, delete, display, etc..

8. In which table you will check authorization group created for a particular table?
TBRG table used to check available authorization groups and TBRGT holds auth group with description

9. What are the ORG fields in sap?
1.    Company code
2.    Controlling area
3.    Division
4.    Sales organization
5.    Plant
6.    Business area
7.    Purchasing organization
8.    Credit control area
9.    Account type

10. What are status light in authorization page for authorization fields in PFCG?
1.    Red – Org level not maintained
2.    Yellow – atleast one filed left open
3.    Green – all fields are maintained

11. What is the difference between R/3 security and BW security?
R/3 security mainly based on transaction and controlled via authorization objects using profiles and roles
BW security is mainly based on analysis authorization using RSECADMIN tcode and very few tcodes compare to R/3 and we should secure Info objects, info cubes, ODS and quires

BW authorizations are primarily focused on data not on transaction codes and divided into two main areas authorization for administrator workbench and authorization for business explorer
Authorization objects for field level security in reporting are created as and when needed.

12. Which authorization object gives end user to execute/view a query in BW?
-    S_RS_COMP
-    S_RS_COMP1
-    S_RS_FOLD

13. What is the use of SU24 tcode?
SU24(check indicator) holds the relationship between tcode and authorization objects in customer tables USOBX_C and USOBT_C tables which values are pulled during role creation
SU24 used to maintain all the objects that are checked during tcode execution

14. How do you check authorization check for a tcode?
Check SU24 for authorization object and its proposal also we can check the ABAP report as well

15. What is the authorization object which gives developer debug authorization?
S_DEVELOP with activity 01, 02 or 03

16. How do you secure/give access to a custom report to users without  giving SE38 tcode access?
Create an authorization group for that report to secure it and give SA38 tcode authorization for execution of the custom report or create a custom transaction code and maintain authority check and assign to users via role.

17. How do you create a custom tcode?
SE93 is the tcode used to create a custom tcode

18. How do you create a transport request?
SE01, SE09, SE10 tcodes are used to create a transport request and also we can create during customization time like, PFCG, SE38, BD54, etc..

19. What are the types of transport requests?
-    Custom transport request
-    Workbench transport request
-    Transport of copies
-    Relocation

20. What is the difference between custom and workbench transport requests?
-    Workbench requests are those involve changes to cross client customizing and repository objects, those objects are independent of the client and the requests are used to transport changed repository objects and changed system settings from cross client tables
-    Customizing requests involve changes to client dependent objects, so custom transport request used to copy and transport requests that are client specific


21. How do you schedule a background job
SM36 used to schedule background jobs

22. Have you worked on upgrade and steps involved?
Yes
2A. Compare with SAP values
2B. Compare affected transaction codes
2C. Roles to be checked
2D. Display changed transaction codes

23. What is expert mode in PFCG?
Expert mode in PFCG used to maintain existing roles it has following options
-    Delete and recreate authorization and profiles
-    Edit old status
-    Read old status and merge with new data

24. Which table you can check the relation between composite roles and child roles?
AGR_AGRS

25. What are the license types you assign to end users while creating it?
-    Application professional users
-    Application limited professional users
-    Application ESS user

26. You are not allowed to assign any roles to user profile further what would be the reason for it?
User must have exceeded the limitation for profiles assignment i.e 312

27. Have you worked with auditors?
Yes with internal auditors and explain it

28. Which table used to view roles and org level values?
Table AGR_1252 maintains relationship between roles and org field values

29. Which table used to view roles and authorization objects and its values?
Table AGR_1251 maintains relationship between roles, authorization objects and its field values

30. Where do you delete old audit logs?
SM18

31. Where do you look lock entries?
SM12

32. Which authorization object gives you SM12 authorization other than S_tcode?
S_ENQUE

33. Where do you reset user buffer?
SU56

34. What is the mandatory field in address tab in SU01?
Last Name

35. How do you lock a tcode?
SM01 tcode used to lock a tcode

36. Which table stores all ABAP reports?
TRDIR

37. How do you lock users who didn’t log in to SAP more than 90 days?
USR02 tables we can get last login date and time

38. Which table holds all valid activity fields?
TACTZ

39. ABAP report which is used for user reconciliation?
PFCG_TIME_DEPENDENCY

40. Table which holds all possible authorization fields as variables
USVAR

Part -1
Part - 2