SAP Security Interview Questions and Answers

SAP Security Interview Questions

Q1) What is meant by SAP Security?

Ans: Security is one of the prominent modules in SAP. It provides right access to the business users/clients with respective authorities and responsibilities that they hold. Permissions are given according to their roles in any department of the firms. 

Q2) Elaborate on the term “Roles” in SAP Security.

Ans: In SAP Security, the term roles are referred to as a transactional code nothing but T-codes. These transactional codes are assigned to carry out the primary business tasks. Each role or t-code in SAP requires specific privileges to carry out the function in SAP, which is known as Authorizations. 

Q3) What is the difference between USOBX_C and USOBT_C?

Ans: Following are the key differences between USOBX_C and USOBT_C: 

Q4) Elaborate on how users can be locked at a time in SAP Security?

Ans: By executing transaction code EWZ5 in SAP Security module, all users can lock at a time while doing a specific task. 

Q5) Tell what are the Prerequisites That Should Be Taken Before Assigning Sap_all To A User Even There Is An Approval From Authorization Controllers?

Ans: Following are the prerequisites that should consider everyone before assigning SAP_all to the user even they have authorization controllers approval: 

• Enabling the audit log- using sm 19 t-code
• Retrieving the audit log- using sm 20 t-code 

Q6) Explain about the Authorization Object and Authorization object class?

Ans: First and foremost, you need to understand the importance of the Authorization object and Authorization object class.  

The Authorization object is only the gatherings of the field of approval which takes care of the capacity of a particular action. Authorization is correlated with a particular activity just while the field of authorization takes care of security management. It helps in the design of the specific qualities in any activity which is required. 

It is an umbrella term under which the authorization object is contemplated. These are placed into bunches by certain departments which includes HR, accounting, finance and many more.

Q7) Explain how you can delete the numerous roles from production systems, QA, and DEV?

Ans:  Following are the certain steps which are possible to delete the numerous role from the production systems, QA, DEV:

• Place the roles to be deleted in transport (in dev)
• Delete the roles
• Push the transport through to QA and production
• This will delete all the all roles

Want to acquire industry skills and gain complete knowledge of SAP BASIS? Enrol in Instructor-Led live SAP BASIS Training to get Job Ready!

Q8) Tell what the maximum number of profiles and objects in the roles is?

Ans: In SAP Security module, a role can have 312 maximum number of profiles and 150 maximum number of objects. 

Q9) Elaborate on the steps that need to be taken before executing the run system trace?

Ans: There are a couple of things that should be done before executing the Run framework. You need to follow the CPIC or the client id, at that point preceding executing the Run framework, then one needs to ensure that they said ID is given to somebody that is either SAP_new or SAP_all. This must be done on the grounds that they ensure one can execute the work without checking the failure by the authorization. 

Q10) Differentiate the differences between a single and derived role?

Ans: The key difference between Single role and Derived role is the transactional code. 

In Single role, users can add or delete the transactional code easily. But in the Derived role, users cannot add or delete the transactional code. 

Q11) Mention the transactional codes that go through the summary of the Authorization profile and object details?

Ans: Following are the two transactional codes that go through the summary of the authorization profile and object details.

• Users can use SU03 transaction code to go through the summary of authorization objects. 
• Users can use SU02 transaction code to go through the summary of authorization profiles. 

 Q12) Mention the transaction code that is used for locking the transaction from execution? 

Ans: SM01 transaction code is used for locking the transaction from execution.

Q13) Elaborate SOD in the SAP Security module?

Ans: In SAP Security, SOD stands for Segregation of Duties which is implemented to prevent and detect the business transaction errors. 

Q14) Tell me which parameter is used in the user buffer to control the excess of entries?

Ans: In the Sap Security module, the Profile parameter is used to control the excess of entries in the user buffer. Following the path is used auth/auth_number_in_userbuffer. 

Q15) Explain about User Buffer in SAP Security.

Ans: A user buffer contains all authorizations of a user, which means whenever a user login to the SAP R/3 system, it builts user buffer where it is associated with the user authorizations. So each user will have their own use buffer. 

Let us consider an instance:

If user X login to the SAP R/3 system, then it built a user buffer that would have all user authorization with the name of USER_X_ROLE. If in case, user X may fail to log in to the system due to the following scenarios: 

• User authorization data may not exist in the user buffer 
• And the user buffer may have more number of entries which means the authorization data may flood away. 

Q16) Which SAP table can determine the single role which is assigned to the composite role in SAP Security module?

Ans: AGR_AGRS SAP table can determine the single role that is assigned to the composite role in SAP Security module.  

Q17) Tell which transactional code is used to display the user buffer in SAP?

Ans: AL08 transaction code is used to display the user buffer in SAP

Q18) Mention which table is used to display the transaction code text in SAP Security?

Ans: To display the transaction code text, users can use the TSTCT table. 

Q19) How to delete all old security audit logs in Sap Security?

Ans: Using the SM-18 transaction code, a user can delete all old security audit logs in SAP.  

Q20) Explain about reports or programs that can be used to regenerate all SAP profiles?

Ans: To regenerate all SAP profiles users should follow the path: AGR_REGENERATE_SAP_ALL.

Checkout our Blog on SAP Security Tutorial

SAP Security Certification Questions

Q21) Explain about different tabs that are available in PFCG?

Ans: Following are various tabs which play a key role in PFCG: 

1. Description Tab:

This is the basic and important tab in PFCG which helps to describe the changes that are made in such as authorization objects, the details that are related to roles, and removing or deleting the transaction codes. 

2. Menu Tab:

This tab is used to design the user menus such as the addition of transaction codes.  

3. Authorization Tab:

This tab is used for maintaining the authorized data and authorized profiles. 

4. User Tab:

This tab is used for regulating the user records and assigning users to their particular roles.

Q22) Explain about PFCG time dependency in SAP.

Ans: The PFCG time dependency is the only report which is ordinarily utilized for comparing the client report. The PFCG Time dependency likewise makes a point to wipe away any profiles from the principle record which appear to have lapsed and are of no utilization. There is additionally a transactional code that can be utilized so as to execute this specific activity. The transactional code, which is utilized to do this is PFUD.

Q23) Explain the role of the user compared to SAP Security.

Ans: The role of user comparison in SAP is to help the comparison of the master records of the client and which helps to create authorized profiles by using the master records.  

Q24) Tell how many transaction codes can be assigned to a role in SAP.

Ans: A maximum of 14000 transaction codes can be assigned to a role in SAP.

Q25) Which table is used to store illegal passwords?

Ans: USR40 table is used to accumulate illegal passwords and stores them in various arrangements and patterns of words that cannot be implemented while creating the passwords. 

Q26) What is the use of the SU25 transaction code in SAP?

Ans: SU25 transaction code is used to copy the information from USBOT, USBOX to USOBT_C, USOBX_C tables. 

Q27) Which transaction code is used to find the user-defined and security parameters for system default values?

Ans: The RSPFPAR transaction code is used to find the user-defined and security parameters for system default values. 

Q28) Which transaction is used to check the transport requests that are created by the users?

Ans: SE10 Transaction code is used to check the transport requests that are created by the users. 

Q29) What is the process for creating the user group in SAP Security?

Ans: Following are the steps that are involved in the process of creating the user group in SAP Security: 

• SUGR transaction code is used and executed. 
• Give a name to the user group in the text box. 
• Now click on the create button to provide a name to the user group. 
• Describe the key and save the button. 
• These are steps to make the user group in the SAP System. 

Q30) Explain the process to assign a logical system for a user?

Ans: Using the SCC4 transaction code, a logical system is assigned to the user and checked before transferring to the user because it might alter the configurations in CUA. 

Checkout our Blog on SAP BASIS Tutorial

Q31) What is meant by Derived Role in SAP?

Ans: This role acquires menu structure and functions that are available in the reference role. They are acquiring the function by the roles which are just conceivable when no type of transaction code is allocated earlier. The functions at the most elevated level will give the approvals as a default to determining roles and can change this later on. Certain levels are not passed to the inferred roles, and should make them recently; this incorporates the authoritative definitions just as tasks of the client. Determined jobs are very much planned and have fixed usefulness which implies it has similar menus and exchanges. Be that as it may, the attributes are distinctive, taking everything into account.

Q32) Which security audit lo and parameter is used to see the number of filters in SM19?

Ans: rsau/no_of_filters is used to check the audit and maximum amount of filters in SM19.  

Q33) Explain the working of a composite role.

Ans: A composite-level role resembles a major holder which can gather various composite roles. These sorts of roles don't have any information about approval. If there should arise an occurrence of any adjustments in the approval since composite roles are present in it, should keep the information concerning each part of each composite role. Formation of the composite roles is just valuable when a portion of the representatives in the association requires approval from different jobs. Thus, it can set the composite role and can appoint the client to that gathering. This is efficient instead of independently relegating each client to each unique role. At the point when a client is allocated to one composite role, at that point during the examination, they are precipitously doled out to other rudimentary roles.

Q34) Explain about the role templates.

Ans: The role templates are also known as activity clusters which are nothing predetermined. These activity clusters consist of transactions, web addresses, and reports. 

Q35) Mention the most commonly used transaction codes in SAP Security.

Ans: Following are the most commonly used transaction codes in SAP Security:

• SU53 transaction code is used for authorization and analysis. 
• ST01 is used to trace the information. 
• SUIM is used for reports.
• SU01D is used for displaying the users.
• SU10 is used for modifying the information. 
• PFCG is used to maintain the roles.
• SU01 is used to create or change users. 

Q36) List out different types of users in SAP System?

Ans: Following are the various types of users in the SAP System: 

• Service User
• Communication User
• Dialogue User
• Reference User
• System user

Q37) How many user types are there for background jobs?

Ans: Following are two types of users for background jobs: 

• Communication user
• System user

Q38) Which transaction code is used to troubleshoot the problem for background jobs?

Ans: The ST01 transaction code is used to troubleshoot the problem for background jobs.

Q39) What is meant by T-codes?

Ans: T-code means transaction code that is used for running a program in an SAP application. 

Q40) Explain the use of the SU25 T-Code in SAP?

Ans: The SU25 transaction code is used to copy the information from one table to another table. For instance, the data is copied from USOBX and USOBT to USOBT_C and USOBX_C. 

SAP Security Interview Questions for Experienced

 Q41) Explain the use of authorization objects S_TABU_LIN.

Ans: The authorization object is used to provide access to all row-level tables in SAP. 

Q42) How to check the table logs and what transaction codes are used to check the table logs?

Ans: Users need to check if the logging function is active or not for a specific table, and this can be done by using SE13 transaction code. If the table log is already enabled for a specific table, then use SCU3 transaction code to check the table logs in SAP.

Q43) Do you know which transaction code is used to lock the transaction execution?

Ans: SM01 transaction code is used to lock the transaction execution in SAP System.

Q44) Explain the procedure to check the transport checks that are created by another user.

Ans: SE10 transaction code is used to check the transport checks in the SAP System. It will provide you with a text box to enter the user name information, and then it validates the information to check the transport requests that are created by other users. 

Q45) How is a password rule enforced?

Ans: The password rule is enforced if the user has a profile parameter for the same. If the user uses the parameter, then password rules are automatically applied. 

Q46) Which transaction code is used to manage the lock entities in the SAP System?

Ans: SM12 transaction code is used to manage the lock entities in the SAP System. 

Q47) Which transaction code is used to check the background jobs?

Ans: The SM37 transaction code is used to check the background jobs.

Q48) Which transaction code is used to get the user list in the SAP Security System?

Ans: SM04/AL08 transaction codes are used to get the user list in the SAP Security System.

Q49) Explain different layers of SAP Security System?

Ans: Following are various layers that support security system in SAP: 

• Authentication
• Authorization
• Integrity
• Privacy
• Obligation

Q50) How many roles can be assigned to the user in the SAP System?

Ans: Maximum 312 role can be assigned to the user in the SAP System. 

Q51) How do you lock multiple users at a time in the SAP System?

Ans: Use SU01 transaction code to lock multiple users at a time in the SAP System. 

Q52) Which transaction code is used to create authorization groups in the SAP System?

Ans: Use SE54 transaction code to create authorization groups in the SAP System.

Q53) What is the use of SU56 transaction code in the SAP System?

Ans: SU56 transaction code is used to display the current user buffer, which all authorizations are assigned in the user master record. 

Q54) What is the use of ST01 transaction code in the SAP System?

Ans: ST01 transaction code is used to trace the user authorizations in the SAP System. 

Q55) Explain the difference between role and profile in SAP.

Ans: There is a slight difference in role and profile. A role is used as a template where you can insert reports, transaction code and more. In comparison, profiles permit user authorization. In Sap, when you create a role, a profile is created automatically. 

Q56) What is meant by profile version in SAP System?

Ans: When you amend the existing parameter with the RZ10 transaction code, the existing parameter will update the version of the same profile automatically. This process is repeated whenever there are amends in the profile. And all these profiles are stored in the database.

Q57) Explain the differences between a single role and a composite role in the SAP System.

Ans: Single role is also known as a container that stores all the information which are related to the business transactions, and with this information, it generates or maintains the profiles. 

A composite role is also known as a container that contains information about different roles in the SAP System. 

Q58) List out some of the SAP Security transaction codes in the SAP System?

Ans: Following are some of the SAP Security transaction codes in the SAP System: 

• PFGC - This T-code is used for maintaining roles.
• SU10 - This T-code is used for handling users.
• SU01-This T-code is used for creating the user or changing the user.
• ST01 - This T-code is used for tracing the system.
• SU53- This T-code is used for analysing authorisation

Q59) What authorizations are required to maintain and create the user master records in the SAP System?

Ans: Following authorizations are required to create and maintain the user master records in the SAP System:

• S_USER_GRP: Assign user group.
• S_USER_AUT: Maintain and create authorization.
• S_USER_PRO: Assign authorization profile.

Q60) How to insert Missing authorization in SAP System?

Ans: The SU53 transaction code helps the user to find the missing authorization and the PFCG transaction helps the user to insert the code into the profile. 

Q61) How can I do a mass delete of the roles without deleting the new role in the SAP System?

Ans: Using AGR_DELETE_ALL_ACTIVITY_GROUPS to delete the mass roles without deleting the new roles in the SAP. 

Q62) Someone Has Deleted Users In Our System, And I Am Eager To Find Out Who. Is There A Table Where This Is Logged?

Ans: You can find this by debugging the system or using the RSUSR100 transaction code to find information. 

Q63) Is There A Table For Authorizations Where I Can Quickly See The Values Entered In A Group Of Fields?

Ans: Using the P_ORIGIN transaction code, you can see the values that are entered in a group of fields.