SAP Security Interview Questions and Answers
Question: 1
Explain what SAP security is.
Answer:
SAP security means giving business users the correct access according to their authority or
responsibility, and granting permissions according to their roles.
Question: 2
What is the rule set in GRC?
Answer:
A rule set is simply a collection of rules. GRC ships with a default rule set called the
Global Rule Set.
Question: 3
Explain what roles are in SAP security.
Answer:
A role is a group of t-codes assigned in order to execute a particular business task.
Each role in SAP requires particular privileges to execute a function in SAP; these are called
AUTHORIZATIONS.
Question: 4
What is the use of SU56?
Answer:
It displays the authorization profiles currently available to the user ID. It can also be
used to reset the user's buffer so that it picks up new roles and authorizations.
Question: 5
Explain how you can lock all the users at once in SAP.
Answer:
By executing t-code EWZ5 in SAP, all users can be locked at the same time.
Question: 6
How can you find out whether CUA (Central User Administration) is configured on your SAP system?
Answer:
Execute SU01 and look for a tab called System.
If the System tab is not displayed on the SU01 screen, no CUA is configured.
Question: 7
Mention the pre-requisites that should be taken care of before assigning SAP_ALL to a user, even
when there is an approval from the authorization controllers.
Answer:
The pre-requisites are as follows:
Enabling the audit log, using t-code SM19
Retrieving the audit log, using t-code SM20
Question: 8
How do we test security systems? What is the use of SU56?
Answer:
Through t-code SU56, we check the user's buffer.
Question: 9
Explain what an authorization object and an authorization object class are.
Answer:
Authorization object: Authorization objects are groups of authorization fields that
regulate a particular activity. An authorization relates to a particular action, while an
authorization field lets security administrators configure specific values for that
particular action.
Authorization object class: Authorization objects fall under authorization object classes,
which are grouped by functional area such as HR, finance, accounting, etc.
Question: 10
What is the landscape of GRC?
Answer:
The GRC landscape is a 2-system landscape:
1. SAP GRC DEV
2. SAP GRC PRD
Question: 11
Explain how you can delete multiple roles from the QA, DEV and Production systems.
Answer:
To delete multiple roles from the QA, DEV and Production systems, follow these steps:
1. Place the roles to be deleted in a transport (in DEV).
2. Delete the roles.
3. Push the transport through to QA and Production.
Question: 12
How do we check whether PFCG_TIME_DEPENDENCY is running for user master reconciliations?
Answer:
Execute SM37 and search for PFCG_TIME_DEPENDENCY.
Question: 13
Explain what you have to take care of before executing Run System Trace.
Answer:
If you are tracing a batch user ID or CPIC, then before executing Run System Trace you have
to ensure that the ID has been assigned SAP_ALL and SAP_NEW. This enables the user
to execute the job without any authorization check failure.
Question: 14
How do we schedule and administer background jobs?
Answer:
Scheduling and administration of background jobs can be done using t-codes SM36 and SM37.
Question: 15
Mention the difference between USOBT_C and USOBX_C.
Answer:
USOBT_C: This table contains the authorization proposal data, i.e. the authorization data
that is relevant for a transaction.
USOBX_C: It tells which authorization checks are to be executed within a transaction and
which must not.
Question: 16
How do we restrict the authorization groups for table maintenance, creating an authorization
group using SE54 to build new authorization groups that restrict tables via auth object S_TABU_DIS?
Answer:
We can restrict authorization groups via the object S_TABU_DIS. First create an
authorization group in SE54, then assign this authorization group in a role using the
object S_TABU_DIS.
Question: 17
Mention the maximum number of profiles in a role and the maximum number of objects in a
role.
Answer:
The maximum number of profiles in a role is 312, and the maximum number of objects in a role is
150.
Question: 18
What are the critical t-codes and authorization objects in R/3?
Answer:
In general, all t-codes that can affect roles and user master records are critical ones.
SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical t-codes.
Below are the critical objects:
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP
Question: 19
Which t-code is used for locking a transaction from execution?
Answer:
T-code SM01 is used to lock a transaction from execution.
Question: 20
If you are using 10 firefighter IDs at a time, how will the log reports go to the controller?
Answer:
This is done whenever a role is already assigned to users and changes are made to that role. In
order to get the changes adjusted in the roles, a user comparison is done.
Question: 21
Mention the main difference between a derived role and a single role.
Answer:
For a single role, we can add or delete t-codes, while for a derived role you cannot do
that.
Question: 22
What is a rule set, and how do you update a risk ID in the rule set?
Answer:
Also, during indirect assignment of roles to users using t-codes PO13 and PO10, we have to
do a user comparison so that the roles get reflected in the user's SU01 record.
Question: 23
Explain what SOD is in SAP security.
Answer:
SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent
errors or fraud during business transactions. For example, if a user or employee has the
privilege to access both bank account details and the payment run, it might be possible for
them to divert vendor payments to their own account.
Question: 24
What is the procedure for role modifications? Explain with an example.
Answer:
Generally this task is done by the PFCG_TIME_DEPENDENCY background job, which
runs once daily, so that roles are adjusted after this report has run.
Question: 25
Explain what the user buffer is.
Answer:
A user buffer consists of all authorizations of a user. The user buffer can be viewed with t-code
SU56, and each user has their own user buffer. When the user does not have the necessary
authorization, or has too many entries in their user buffer, the authorization check fails.
Question: 26
Who will do the user comparison?
Answer:
If changes are to be reflected immediately, a user comparison is recommended.
Question: 27
Which parameter controls the number of entries in the user buffer?
Answer:
The number of entries in the user buffer is controlled by the profile parameter
auth/auth_number_in_userbuffer.
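The two answers above (Questions 25 and 27) describe the user buffer and the parameter that caps its size. The following is an added example, not SAP code: a toy Python model of a user buffer filled from a user's profile authorizations, with an AUTHORITY-CHECK style lookup against it. The authorization objects and field names are real SAP ones, but the authorization values, the user's profile contents and the buffer limit of 3 are constructed so that the truncation is visible; the real parameter default is far larger.

```python
"""Toy model of the SAP user buffer and of an authority check against it
(added example; not SAP code). Authorization values support '*' (any value)
and a trailing '*' (prefix match). The limit plays the role of the profile
parameter auth/auth_number_in_userbuffer; 3 is a constructed value."""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. S_TCODE
    fields: dict  # field name -> tuple of permitted value patterns


# Constructed authorizations, as they might come from a user's generated profiles.
SAMPLE_PROFILE_AUTHS = [
    Authorization("S_TCODE", {"TCD": ("SU01", "SU56", "PFCG")}),
    Authorization("S_USER_GRP", {"CLASS": ("*",), "ACTVT": ("03",)}),
    Authorization("S_USER_AGR", {"ACT_GROUP": ("Z*",), "ACTVT": ("03",)}),
    Authorization("S_TABU_DIS", {"DICBERCLS": ("ZCUST",), "ACTVT": ("02", "03")}),
]


def value_matches(pattern, value):
    """'*' permits anything, 'Z*' permits values starting with Z, else exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def build_user_buffer(profile_auths, limit):
    """Load authorizations into the buffer; entries beyond the limit are not loaded."""
    return list(profile_auths[:limit])


def dropped_from_buffer(profile_auths, limit):
    """Objects whose authorizations never reached the buffer because of the limit."""
    return sorted({a.obj for a in profile_auths[limit:]})


def authority_check(buffer, obj, **checked_fields):
    """Succeed if one buffered authorization for obj permits every checked field value.
    Fields that are not checked are ignored, as in AUTHORITY-CHECK."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        if all(any(value_matches(p, val) for p in auth.fields.get(fld, ()))
               for fld, val in checked_fields.items()):
            return True
    return False


if __name__ == "__main__":
    for limit in (10, 3):
        buf = build_user_buffer(SAMPLE_PROFILE_AUTHS, limit)
        ok = authority_check(buf, "S_TABU_DIS", DICBERCLS="ZCUST", ACTVT="02")
        print(f"limit={limit}: S_TABU_DIS check passed={ok}, "
              f"dropped={dropped_from_buffer(SAMPLE_PROFILE_AUTHS, limit)}")
```

With the limit at 10 every check that the profile grants succeeds; with the limit at 3 the S_TABU_DIS authorization is never loaded and the same check fails even though the profile contains it, which is the "too many entries in the user buffer" failure mode the answer above refers to.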
Question: 28
What is the maximum number of authorization objects in a role?
Answer:
150 authorization objects.
Question: 29
How many transaction codes can be assigned to a role?
Answer:
A maximum of 14000 transaction codes can be assigned to a role.
Question: 30
What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?
Answer:
PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is the background job version of PFUD.
PFUD is used for mass user comparison; the difference is that if you schedule the
background job on a daily basis, it will do the mass user comparison automatically.
Question: 31
Mention which table is used to store illegal passwords.
Answer:
Table USR40 is used to store illegal passwords; it holds patterns of words that cannot
be used as a password.
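As an added illustration of the answer above (not SAP code), the following Python checks a candidate password against a list of USR40-style patterns. The USR40 entries here are constructed; the assumptions are that '*' stands for any sequence of characters, '?' for exactly one character, and that the comparison is case-insensitive, since the table is meant to block whole families of weak passwords rather than one spelling.

```python
"""Check candidate passwords against USR40-style illegal password patterns
(added example; not SAP code). Pattern semantics assumed: '*' = any run of
characters, '?' = exactly one character, comparison is case-insensitive."""
import re

# Constructed USR40 entries for this example.
USR40_SAMPLE = ["SAP*", "*PASS*", "WELCOME?", "123456"]


def pattern_to_regex(pattern):
    """Translate a USR40 pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def illegal_pattern(password, patterns=USR40_SAMPLE):
    """Return the first pattern the password violates, or None if it is allowed."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(password):
            return pattern
    return None


def check_candidates(candidates, patterns=USR40_SAMPLE):
    """Map each candidate password to the pattern that blocks it (None = allowed)."""
    return {pw: illegal_pattern(pw, patterns) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates for this example.
    for pw, hit in check_candidates(["sap2024", "MyPassword1", "Welcome1",
                                     "Welcome12", "123456", "Tr0ub4dor&3"]).items():
        print(f"{pw!r}: {'blocked by ' + hit if hit else 'allowed'}")
```

Note that 'Welcome12' is allowed by the pattern 'WELCOME?' because '?' matches exactly one character; a pattern of 'WELCOME*' would be needed to block every password that starts with that word.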
Question: 32
What does the Profile Generator do?
Answer:
We can create, transport, copy, download and modify roles; all of these things are done
from t-code PFCG.
Question: 33
Explain what PFCG_TIME_DEPENDENCY is.
Answer:
PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears
expired profiles from the user master record. The PFUD transaction code can also be used to
execute this report directly.
Question: 34
What is the main purpose of the Parameters, Groups and Personalization tabs?
Answer:
Parameters: whenever a user wants some default values to be filled in when executing a
t-code, we can maintain some parameter IDs (PIDs) with the help of the ABAPers.
Question: 35
Explain what USER COMPARE does in SAP security.
Answer:
In SAP security, the USER COMPARE option compares the user master record so that the
generated authorization profile can be entered into the user master record.
Question: 36
Tell me about derived roles.
Answer:
Derived roles are used to restrict user access based on organizational level values.
A derived role inherits from a master role: it inherits all of the master role's
properties except the org level values.
Question: 37
Mention the different tabs available in PFCG.
Answer:
Some of the important tabs available in PFCG include:
Description: This tab is used to describe the changes made, such as details related to the role,
addition or removal of t-codes, the authorization objects, etc.
Menu: It is used for designing user menus, e.g. addition of t-codes.
Authorization: Used for maintaining authorization data and the authorization profile.
User: It is used for adjusting user master records and for assigning users to the role.
Question: 38
Which t-code can be used to delete old security audit logs?
Answer:
T-code SM18 is used to delete old security audit logs.
Question: 39
Do S_TABU_DIS org level values in a master role get reflected in the child role?
Answer:
If we adjust the derived roles from the master role while updating the values in the
master role, then the values will be reflected in the child roles.
Question: 40
Explain which reports or programs can be used to regenerate the SAP_ALL profile.
Answer:
To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
Question: 41
What is the T-code to get into RAR from R/3?
Answer:
/virsar/ZVRAT
Question: 42
Using which table can the transaction code text be displayed?
Answer:
Table TSTCT can be used to display the transaction code text.
Question: 43
Explain SPM.
Answer:
SPM can be used to maintain and monitor super user access in an SAP system. This enables
super users to perform emergency activities and critical transactions within a completely
auditable environment. The logs of the SPM user IDs help auditors easily trace the critical
transactions that have been performed by the business users.
Question: 44
Which transaction code is used to display the user buffer?
Answer:
The user buffer can be displayed by using transaction code AL08.
Question: 45
What is offline risk analysis?
Answer:
Offline mode risk analysis is performed with the help of the Risk Identification and
Remediation module in the SAP GRC Access Control suite. Offline mode analysis helps in
identifying SOD violations in an ERP system remotely. The data from the system is exported to flat
files, which can then be imported into the CC instance with the help of the data extractor utility.
It can also be used to remotely analyze an ERP system that may be present in a different ERP
landscape.
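Questions 2 and 22 (rule sets), 23 (the SOD example of vendor bank data plus payment run) and 45 (offline analysis over exported flat files) all describe pieces of one workflow. The following added example, which is not SAP GRC code, pulls them together: it reads constructed flat-file exports of user-to-role assignments, composite-to-single role mappings (the relationship Question 46 attributes to table AGR_AGRS) and role-to-t-code mappings, loads a constructed rule set in which a risk is a conflict between two or more functions, and reports every user who holds at least one t-code from each function of a risk. All file layouts, column names, user, role and t-code values and the risk ID P001 are constructed for this example; the analysis generalizes the page's two-function case to risks with any number of functions.

```python
"""Offline SoD risk analysis over flat-file exports (added example; not SAP GRC
code). Layouts, column names, users, roles, t-code assignments and the risk
P001 are all constructed for this example."""
import csv
import io
from collections import defaultdict

# Constructed export of user-to-role assignments.
USER_ROLES_CSV = """USER,ROLE
JSMITH,Z_FI_AP_ALL
AKHAN,Z_FI_AP_CLERK
AKHAN,Z_MM_DISPLAY
"""
# Constructed composite-to-single role mapping (the AGR_AGRS relationship).
COMPOSITE_ROLES_CSV = """COMPOSITE,SINGLE
Z_FI_AP_ALL,Z_FI_AP_CLERK
Z_FI_AP_ALL,Z_FI_VENDOR_MASTER
"""
# Constructed role-to-transaction mapping.
ROLE_TCODES_CSV = """ROLE,TCODE
Z_FI_AP_CLERK,F110
Z_FI_AP_CLERK,FB60
Z_FI_VENDOR_MASTER,FK02
Z_FI_VENDOR_MASTER,XK02
Z_MM_DISPLAY,MM03
"""
# Constructed rule set: one row per (risk, function, t-code). A risk is a
# conflict between all of its functions, each function being a set of t-codes.
RULESET_CSV = """RISK_ID,DESCRIPTION,FUNCTION,TCODE
P001,Maintain vendor bank data and execute payment run,VENDOR_MASTER,FK02
P001,Maintain vendor bank data and execute payment run,VENDOR_MASTER,XK02
P001,Maintain vendor bank data and execute payment run,PAYMENT_RUN,F110
"""


def read_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def resolve_user_tcodes(user_roles, composites, role_tcodes):
    """Expand composite roles into single roles, then single roles into t-codes."""
    singles_of = defaultdict(set)
    for row in composites:
        singles_of[row["COMPOSITE"]].add(row["SINGLE"])
    tcodes_of = defaultdict(set)
    for row in role_tcodes:
        tcodes_of[row["ROLE"]].add(row["TCODE"])
    user_tcodes = defaultdict(set)
    for row in user_roles:
        # A role that is not a composite is treated as a single role.
        for single in singles_of.get(row["ROLE"], {row["ROLE"]}):
            user_tcodes[row["USER"]] |= tcodes_of.get(single, set())
    return dict(user_tcodes)


def load_ruleset(rows):
    """Group rule-set rows into {risk_id: {description, functions: {name: set(tcodes)}}}."""
    risks = {}
    for row in rows:
        risk = risks.setdefault(row["RISK_ID"], {"description": row["DESCRIPTION"],
                                                 "functions": defaultdict(set)})
        risk["functions"][row["FUNCTION"]].add(row["TCODE"])
    return risks


def analyze(user_tcodes, risks):
    """A user violates a risk when they hold at least one t-code of every function in it."""
    violations = []
    for user, tcodes in sorted(user_tcodes.items()):
        for risk_id, risk in sorted(risks.items()):
            evidence = {fn: sorted(tcodes & fn_tcodes)
                        for fn, fn_tcodes in risk["functions"].items()}
            if all(evidence.values()):
                violations.append({"user": user, "risk_id": risk_id,
                                   "description": risk["description"],
                                   "evidence": evidence})
    return violations


def run_offline_analysis():
    """Full offline pass over the constructed exports; returns the violation list."""
    user_tcodes = resolve_user_tcodes(read_rows(USER_ROLES_CSV),
                                      read_rows(COMPOSITE_ROLES_CSV),
                                      read_rows(ROLE_TCODES_CSV))
    return analyze(user_tcodes, load_ruleset(read_rows(RULESET_CSV)))


if __name__ == "__main__":
    for v in run_offline_analysis():
        print(f"{v['user']}: {v['risk_id']} ({v['description']}) via {v['evidence']}")
```

JSMITH is flagged for P001 only because the composite role is expanded first: the vendor master t-codes and the payment run t-code arrive through two different single roles inside it. AKHAN holds the payment run t-code but nothing from the vendor master function, so no violation is reported, which is the distinction a rule-set based analysis is meant to make.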
Question: 46
Mention which SAP table can be helpful in determining the single roles that are assigned to a given
composite role.
Answer:
Table AGR_AGRS is helpful in determining the single roles that are assigned to a given
composite role.
Question: 47
What is the use of RSECADMIN?
Answer:
In SAP BI, analysis authorizations for reporting users are maintained using transaction
RSECADMIN. RSECADMIN is used to maintain analysis authorizations and their assignment
to users.
Question: 48
Which parameter of the Security Audit Log (SM19) decides the number of filters?
Answer:
Parameter rsau/no_of_filters is used to decide the number of filters.