Header Ads Widget

Responsive Advertisement

SAP Security Interview Questions



Q. How many profiles can be assigned to any user master record? 

Maximum number of profiles that can be assigned to any user master record is 312. Table USR04 contains the profiles assigned to users. The field PROFS in USR04 table is used for saving the change flag and the name of the profiles assigned to the user. The change flags are – C which means “User was created” and M which means “User was changed”. The field PROFS is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.     

 Q. Can a composite role be assigned to another composite role? 
No. A composite role cannot be assigned to another composite role. Single roles are assigned to composite roles.

 Q. What does the PFCG_TIME_DEPENDENCY clean up?
The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be used for this purpose.

 Q. How to prevent custom objects from getting added to SAP_ALL profile? 
Go to table PRGN_CUST and set the following parameter: ADD_ALL_CUST_OBJECTS with value N. 
Regenerate the SAP_ALL profile with report RSUSR406 to have the customer object to be removed from SAP_ALL. See SAP Note 410424 for more info.
 Q. How to find out all actvt in sap? 
All possible activities (ACTVT) are stored in table TACT , and the valid activities for each authorization object can be found in table TACTZ

 Q. How to remove duplicate roles with different start and end date from user master? 
Duplicate roles assigned to a user can be removed using PRGN_COMPRESS_TIMES.




Q. What important authorization objects are required to create and maintain user master records?

Following are some important authorization objects which are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. Which table is used to store illegal passwords?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.


  Q. Explain the concept of “Status Text for Authorizations” – Standard, Changed, Maintained and Manual.
  • StandardIt means that all values in authorization field of an authorization instance is unchanged from the SAP default value (i.e. the values which are getting pulled from SU24)
  • Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value. Other fields already having some value have not been touched.
  • Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
  • Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.

Q. What is the difference between Role and Profile?

A Role is like a container which contains authorization objects, transaction codes etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated which contains authorizations (instances of authorization objects).

Q. What is PFCG_TIME_DEPENDENCY ?


PFCG_TIME_DEPENDENCY is a report which is used for user master comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up the expired profiles from user-master record. Role name still remains in the SU01 tab of the user. Transaction code PFUD can also be used to directly execute this report.
 

What is the difference between authorization user group and logon group?

Authorization user group is used for user management purpose. Each user group is managed by certain security administrators. Authorization object S_USER_GRP determines users of which user group can be administered by a certain user admin. Those users who are not assigned to any user group can be administered by all the security user admins.


Logon groups are generally created by SAP Basis Administrators and used for logon load balancing. These are logical groups of users. These users can be assigned to one or more SAP instances. When a Logon group is assigned to an SAP instance, all users belonging to that logon group would by default logon to that particular instance. Hence logon group helps in load balancing.


What steps are checked by the system when an interactive user executes a transaction code?

Various steps are checked when a user executes a transaction code:

(1) First it is checked whether the transaction is a valid transaction code. This is checked in TSTC table. If the tcode does not exists, the system gives the message that the transaction does not exist.

(2) If the tcode is a valid tcode, then the system checks whether the tcode is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked or unlocked.

(3) The system then checks if the user has necessary tcode value maintained in authorization object S_TCODE in his/her user buffer. If the authorization object S_TCODE contains the required tcode, then the system checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in TSTCA table.

(4) Further authorization check takes place based on the values present in the source code under “Authority-check” statement and the activity performed by the user.

How do we know who made changes to Table data and when?

If checkbox for table Log Changes is enabled, table DBTABLOG keeps all the log data for the related table.

What is a composite role?

A composite role is like a container which contains several single roles. They do not contain authorization data and the authorization needs to be maintained in each role of the composite role. A composite role cannot be added to a composite role. The users assigned to a composite role are automatically assigned the corresponding single roles.



Q What is the difference between USOBX_C and USOBT_C?

USOBX_C and USOBT_C are tables which are used for SU24 transaction code.

The table USOBX_C defines the status of authorization checks for authorization objects, i.e. whether the “check indicator” is set to yes or no. It also defines the proposal status, i.e. whether the authorization check values are being maintained in SU24 or not.


The table USOBT_C defines the “values” which are maintained for check-maintained authorization objects.

 Q. What does the different color light denote in profile generator?

There are three colors (like traffic lights) in profile generator:

Red – It means that some organizational value has not been maintained in org field in profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained)
Green – It means that all the authorization fields are maintained (values are assigned).


Q. How can we convert Authorization Field to Org Field?


The report PFCG_ORGFIELD_CREATE is used for converting an Authorization Field to Org Level Field. It can be executed using SA38/SE38 tcode.

There is a bit of caution involved here. Make sure that whatever change related to this conversion is made is done in the initial stage of security role design/system setup. In case this task is performed at a later stage, there is a risk that this will impact lots of existing roles. All those roles would require analysis and authorization data will have to be adjusted.


NOTE : Authorization fields TCD (Tcode) and ACTVT (Activity) cannot be converted to org level fields.


 Q. How do we find all activities in SAP?

All Activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16 tcode.



Post a Comment

0 Comments

SPAM/SAINT Support Package and Stack Upgrade in SAP