SAP Security interview questions and answers

1. 1. What isreference user type?
Reference usernameused to assigndelegation/tempaccesstoa user
i.e examplea user is going for a holiday during that timeweneed to assign
another employee to take responsibilitytoavoid business impact, sothat
canbe achieved using referenceuser type, You canassigna ref user in roles
tab
2. How do you createan authorizationobject?
Go to SU21 and select authorizationclassand createanauthorizationobject
and maintainauthorizationfieldsand maintainauthoritycheckfor it
3. Is it possible to convert authorizationfieldsintoorganizationfieldsand
what are theexception/restrictionsfor it?
ABAP report PFCG_ORGFIELD_CREATE used to convert authorization
fields into ORG level, similarlyreport PFCG_ORGFIELD_DELETE used to
convert org level field intonon org fields
a. Only createOrganizationallevel fields beforeyou start setting up your
system. If you createorganizationallevel fields later, the authorizationdata
for roles may have to be post processed.
b. Thefields "Activity", "ACTVT"and "Transactioncode", "TCD" cannot
be converted into an organizationallevel field.
Refer: OSS note 323817
4. How do you extract user emailaddress?
USR21 and ADR6 tablesare used to get user email addressin SAP.
Enter the usernamein USR21tcode and executeit, now you will get
“person number” and copy it which users emailaddress required and enter
those person numbersto ADR6 tableand executeit and you will get the
emailaddress
5. How to extract parent and derived role relation?
TableAGR_DEFINE used to check parent and derived role relationship
6. How do you createauthorizationgroups?
SE54 tcodeused to createauthorizationgroupsfor tablesand programs
7. How do you restrict a tableto particularpersonor team?

2. Createan authorizationgroup for the tablewhich needs to be protected and
add the auth group to S_TABU_DIS auth object filed value and give it
activitieslike, create, delete, display, etc..
8. In which table you will checkauthorizationgroup created for a particular
table?
TBRG tableused to check availableauthorizationgroupsand TBRGT holds
auth group with description
9. What arethe ORG fields in sap?
1. Companycode
2. Controlling area
3. Division
4. Salesorganization
5. Plant
6. Business area
7. Purchasingorganization
8. Credit control area
9. Account type
10. What arestatuslight in authorizationpagefor authorizationfieldsin
PFCG?
1. Red – Org level not maintained
2. Yellow – atleast one filed left open
3. Green – all fields are maintained
11. What isthe differencebetweenR/3 securityand BW security?
R/3 securitymainlybased on transactionand controlled via authorization

3. objectsusing profiles and roles
BW securityis mainlybased on analysisauthorizationusing RSECADMIN
tcodeand very few tcodescompareto R/3 and we should secureInfo
objects, info cubes, ODS and quires
BW authorizationsareprimarilyfocused on data not on transactioncodes
and divided intotwo mainareasauthorizationfor administratorworkbench
and authorizationfor businessexplorer
Authorizationobjectsfor field level securityin reporting arecreated asand
when needed.
12. Which authorizationobjectgivesend user to execute/view a queryin
BW?
- S_RS_COMP
- S_RS_COMP1
- S_RS_FOLD
13. What isthe use of SU24 tcode?
SU24(checkindicator) holdsthe relationship betweentcodeand
authorizationobjectsincustomer tablesUSOBX_Cand USOBT_C tables
which values are pulled during role creation
SU24 used to maintainallthe objectsthat arechecked during tcode
execution
14. How do you check authorizationcheckfor a tcode?
Check SU24 for authorizationobjectand itsproposalalso we cancheck the
ABAP report as well
15. What is the authorizationobject which givesdeveloper debug
authorization?
S_DEVELOP with activity01, 02 or 03
16. How do you secure/giveaccessto a custom report to users
without giving SE38tcodeaccess?
Createan authorizationgroup for that report to secure it and giveSA38
tcodeauthorizationfor executionofthe custom report or createa custom
transactioncodeand maintainauthoritycheckand assignto users via role.
17. How do you createa custom tcode?
SE93 is the tcodeused to createa custom tcode

4. 18. How do you createa transport request?
SE01, SE09, SE10 tcodesare used to createa transport request and also we
cancreateduring customizationtimelike, PFCG, SE38, BD54, etc..
19. What arethe types of transport requests?
- Custom transport request
- Workbench transport request
- Transport of copies
- Relocation
20. What is the differencebetweencustom and workbench transport
requests?
- Workbench requestsarethose involve changesto cross client
customizing and repositoryobjects, thoseobjectsareindependent of the
client and the requestsareused to transport changed repositoryobjectsand
changed system settingsfrom cross client tables
- Customizing requestsinvolve changesto client dependent objects, so
custom transport request used to copy and transport requeststhat are
client specific
21. How do you schedule a background job
SM36 used to schedule background jobs
22. Have you worked on upgradeand stepsinvolved?
Yes
2A. Comparewith SAP values
2B. Compareaffected transactioncodes
2C. Roles to be checked
2D. Display changed transactioncodes
23. What is expert modein PFCG?
Expert mode in PFCG used to maintainexistingrolesit has following
options
- Delete and recreateauthorizationand profiles
- Edit old status
- Read old statusand mergewith new data
24. Which tableyou cancheckthe relationbetween compositerolesand

5. child roles?
AGR_AGRS
25. What arethe license types you assignto end users while creating it?
- Applicationprofessionalusers
- Applicationlimited professionalusers
- ApplicationESS user
26. You are not allowed to assignany roles to user profile further what
would be the reason for it?
User must have exceeded the limitationfor profiles assignment i.e312
27. Have you worked with auditors?
Yes with internalauditorsand explainit
28. Which tableused to view roles and org level values?
TableAGR_1252 maintainsrelationship betweenrolesand org field values
29. Which tableused to view roles and authorizationobjectsand itsvalues?
TableAGR_1251maintainsrelationshipbetweenroles, authorization
objectsand its field values
30. Where do you delete old audit logs?
SM18
31. Wheredo you look lock entries?
SM12
32. Which authorizationobject givesyou SM12 authorizationother than
S_tcode?
S_ENQUE
33. Wheredo you reset user buffer?
SU56
34. What is the mandatory field in addresstab in SU01?
Last Name
35. How do you lock a tcode?
SM01tcodeused to lock a tcode

6. 36. Which tablestores all ABAP reports?
TRDIR
37. How do you lock users who didn’t log in to SAP morethan 90 days?
USR02 tableswe canget last login dateand time
38. Which tableholds all valid activityfields?
TACTZ
39. ABAP report which is used for user reconciliation?
PFCG_TIME_DEPENDENCY
40. Tablewhich holds all possible authorizationfieldsas variables
USVAR