100 Top SAP Security Job Interview Questions and Answers

SAP Security Interview Questions and Answers:-

1. What is SAP security?

SAP security is providing correct access to business users with respect to their authority or responsibility and giving permission according to their roles.

2. What is “roles” in SAP security?

“Roles” is referred to a group of t-codes, which is assigned to execute a particular business task. Each role in SAP requires particular privileges to execute a function in SAP that is called AUTHORIZATIONS.

3. Explain how you can lock all the users at a time in SAP?

By executing EWZ5 t-code in SAP, all the user can be locked at the same time in SAP.

4. Mention what are the pre-requisites that should be taken before assigning Sap_all to a user even there is an approval from authorization controllers?

Pre-requisites follows like

  • Enabling the audit log- using sm 19 code
  • Retrieving the audit log- using sm 20 code

5. What is the authorization object and authorization object class?

Authorization Object: Authorization objects are groups of authorization field that regulates the particular activity. Authorization relates to a particular action while the Authorization field relates for security administrators to configure specific values in that particular action.

Authorization object class: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.

6. Explain how you can delete multiple roles from QA, DEV and Production System?

To delete multiple roles from QA, DEV and Production System, you have to follow below steps

Place the roles to be deleted in a transport (in dev)
Delete the roles
Push the transport through to QA and production
This will delete all the all roles

7. What things you have to take care before executing Run System Trace?

If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to execute the job without any authorization check failure.

8. Mention what is the difference between USOBT_C and USOBX_C?

USOBT_C: This table consists of the authorization proposal data which contains the authorization data which are relevant for a transaction
USOBX_C: It tells which authorization check is to be executed within a transaction and which must not

9. Mention what is the maximum number of profiles in a role and a maximum number of object in a role?

A maximum number of profiles in a role is 312, and the maximum number of object in a role is 150.

10. What is the t-code used for locking the transaction from execution?

For locking the transaction from execution t-code SM01, is used.

11. Mention what is the main difference between the derived role and a single role?

For the single role, we can add or delete the t-codes while for a derived role you cannot do that.

12. What is SOD in SAP Security?

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or fraud during the business transaction. For example, if a user or employee has the privilege to access bank account detail and payment run, it might be possible that it can divert vendor payments to his own account.

13. Mention which t-codes are used to see the summary of the Authorization Object and Profile details?

SU03: It gives an overview of an authorization object
SU02: It gives an overview of the profile details

14. What is User Buffer?

A user buffer consists of all authorizations of a user. User buffer can be executed by t-code SU56 and the user has its own user buffer. When the user does not have the necessary authorization or contains too many entries in his user buffer, authorization check fails.

15. By which parameter number of entries is controlled in the user buffer?

In user buffer number of entries are controlled by the profile parameter “Auth/auth_number_in_userbuffer”.

16. How many transactions codes can be assigned to a role?

To a role maximum of 14000, transaction codes can be assigned.

17. Mention which table is used to store illegal passwords?

To store illegal passwords, table USR40 is used, it is used to store a pattern of words which cannot be used as a password.

18. What is PFCG_Time_Dependency?

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears up the expired profiles from user master record. To directly execute this report PFUD transaction code can also be used.

19. What does USER COMPARE do in SAP security?

In SAP security, USER COMPARE option will compare the user master record so that the produced authorization profile can be entered into the user master record.

20. Are mention different tabs available in PFCG?

Some of the important tab available in PFCG includes

Description: The tab is used to describe the changes made like details related to the role, addition or removal of t-codes, the authorization object, etc.
Menu: It is used for designing user menus like the addition of t-codes
Authorization: Used for maintaining authorization data and authorization profile
User: It is used for adjusting user master records and for assigning users to the role

21. Which t-code can be used to delete old security audit logs?

SM-18 t-code is used to delete the old security audit logs.

22. What reports or programs can be used to regenerate the SAP_ALL profile?

To regenerate the SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

23. Using which table transaction code text can be displayed?

Table TSTCT can be used to display transaction code text.

24. Which transaction code is used to display the user buffer?

User buffer can be displayed by using transaction code AL08

25. Mention what SAP table can be helpful in determining the single role that is assigned to a given composite role?

Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.

26. What is the parameter in the Security Audit Log (SM19? Does that decide the number of filters?

Parameter Esau/no_of_filters are used to decide the number of filters.

27. What is the rule set in GRC?
Collection of rules is nothing but rule set. There is a default rule set in GRC called Global Rule Set.

28. What is the use of su56?
Displays the current user’s Authorization Profiles available to the ID. Can also be used to reset their User buffer to pick up new roles and authorizations.

29. What is the use of derived roles and where it is used?
Derived roles are also called as Child Roles and Master Roles are called as Parent Roles.

Derived Roles refers to the roles that already exist. As the name indicates Derived roles are derived from another role (Master Role).

Derived ROles inherits the menu structure and functions included (transactions, reports, Weblinks and so on) from the role referenced. The default authorization values of the derived role are that of the inherited role. The Org Levels are to be maintained in the derived Role

30. How to lock all the users at a time?
This is one way to lock the users by executing Tcode EWZ5.

another way is by executing su10… authorization tab….
evaluate the user’s list……… transfer…… execute

SAP SECURITY Questions pdf free download::

31. How can find out whether CUA(Central User Administration) is configured on your sap system?
Execute su01
You can find out a tab called system tab….
If the system tab is not displayed therein su01 screen there is no CUA is configured.

32. One of the users logged into Production System changed a table and then logged out. How will you track him?
We need to login to the system the change has taken, Go to
SM20 you need to select the date and time or range in time
tab, select * in the user tab once you key in all the
inputs are sure to select the servers or instance on left
hand side and then execute.
you need to select the user master record.

You will get a report for user master record, find the user
id in the list

33. How do we test security systems? What is the use of SU56?
Through Tcode SU56, We will check the user’s buffer

34. What is the landscape of GRC?
GRC Landscape is 2 system landscape,

in GRC there is no Quality system.

35. How we Check if the PFCG_TIME_DEPENDENCY is running for user master reconciliations?
Execute SM37 and search for PFCG_TIME_DEPENDENCY

36. How we Schedule and administering Background jobs?
scheduling and administrating of background jobs can be done
by using codes sm36 and sm37

37. How we Restrict the auth groups for table maintain, creating Auth group using SE54 to built new Auth groups to restrict tables via auth object S_TABU_DIS?
We can restrict author groups via object S_TABU_DIS, first,
we need to create an author group in SE54 then assign this
author group in a role by using the object: S_TABU_DIS.

38. What are the prerequisites we should take before assigning sap_all to a user even we have approval from authorization controllers?
prerequisites are followed before assigning sap_all to any

1.enabling the audit log —- using sm19 code.
2.retreving the audit log—–using sm20 code.

this process follows when your not implementing grc in your system.

39. What are the Critical Tcodes and Authorization Objects in R/3?
Just to say all the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03, Sm37 are some of the critical t-codes.
Below are critical objects

40. If ur using 10 firefighter is at a time? How will the log reports go to the controller?
This is done whenever a role is already assigned to users and changes are done in that role. In order to get the changes adjusted in the roles, user comparison is done.

41. What is ruleset? and how to update risk id in rule set?
Also during the indirect assignment of roles to the user using t codes Po13 and po10, we have to to do user comparison, so that the roles get reflected in the SU01 record of the user.

42. What is the procedure for Role modifications? explain with example?
Generally, this task is done PFCG_TIME_DEPENDENCY background job which runs once daily so that roles are adjusted after running this report.

43. Who will do user comparison?
If changes are to be reflected immediately, user comparison is recommended.

44. What is the maximum number of profiles in a role?
312 profiles in a role,

45. What is the maximum number of authorization objects in a role?
150 authorization objects,

46. What is the maximum number of authorization in an object?
not more than 10 authorization fields in the object,

47. What is the difference between PFCG, PFCG_TIME_DEPENDENCY&PFUD?
PFCG is used to create maintain and modify the roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison but the difference is
if you set the background job daily basis it will do mass
user comparison automatically

48. What does the Profile Generator do?
we can create roles, transport, copy, download, modifications, all these things done from pfcg t-code.

49. What is the main purpose of Parameters, Groups & Personalization tabs?
parameters: whenever user want some defaults values
whenever he/she execute the t-code we can maintain some
pids by taking help of adapters.

50. Tell me about the derived role?
Derived roles. To restrict user access based on organizational level values.
The derived role will be inherited by master role and inherit all the properties except org level values.

51. What is the main difference between a single role and a derived role?
Main difference–we can add/delete the codes for the single roles but we can’t do it for the derived roles.

52. Does s_tabu_dis org level values in a master role gets reflected in the child role?
If we do the adjusted derived role in the master role while updating the values in the master role the values will be reflected in the child roles.

53. What is the T-code to get into RAR from R/3?

54. Explain about SPM?
SPM can be used to maintain and monitor the superuser access in an SAP system. This enables the super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs helps auditors in easily tracing the critical transactions that have been performed by the Business users

55. What is the use of RSECADMIN?
Reporting Users Analysis Authorization using transaction
RSECADMIN, to maintain authorizations for reporting users.

RSECADMIN To maintain analysis authorization and role
assignment to a user.