SAP BASIS Security Interview Questions

Creating a User Role

The easiest way to create a new user role is to copy an already existing user role, either one of
your own or one of the ones provided to you in the installation of SAP. So lets assume that you
have none of your own and use one
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
of the SAP role templates provided. It might assist you with picking one of these roles if you
have someone dump the appropriate information into a spreadsheet containing the Role Name,
Role Description, Transactions contained in the Role, and the Transaction description. The SQL
query would be something like this:
SELECT AGR_TEXTS.AGR_NAME, AGR_TEXTS.TEXT, AGR_TCODES.TCODE,
TSTCT.TTEXT FROM AGR_TEXTS, AGR_TCODES, TSTCT WHERE
AGR_TEXTS.MANDT = '000' AND AGR_TEXTS.SPRAS = 'E' AND AGR_TEXTS.LINE = 0
AND AGR_TCODES.MANDT = '000' AND AGR_TCODES.AGR_NAME =
AGR_TEXTS.AGR_NAME AND TSTCT.SPRSL = 'E' AND TSTCT.TCODE =
AGR_TCODES.TCODE ORDER BY AGR_TEXTS.AGR_NAME, AGR_TCODES.TCODE;
This query should be changed based on the details of your SAP instance. Identify the roles(s) to
be used as the source for your role copy.
1. Log on to client needing the role.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be copied or select it from a
dropdown. Press Enter to confirm that the role exists.
4. Click the Copy role button or press Shift+F11.
5. One the Query popup box, fill in the to role field with the name to be given the new role.
Come up with a standard that everyone follows so the base original role is designated in some
way so you dont forget where you got the original. The name must begin with Z or Y. Most
people will add a Z- in the first two characters of the role name. If you want to only select
specific roles from a Composite role, you would click the Copy selectively button, otherwise
click the Copy all button.
6. Once the role has been copied, you will be taken back to the original PFCG screen where you
will see the name of your new role. Change you Role description and save the new role before
working with it any further
Return to Index...
Modifying a User Role
1. Log on to client needing the role change.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be changed or select it from a
dropdown. Press Enter to confirm that the role is found.
4. Click the Change Role little yellow pencil button role button or press F6.
5. Click the Authorizations tab and then the Change Authorization Data button.
6. On the Change Role: Authorizations screen, expand and change the authorizations you need to
adjust. When finished click first the Save button and then the Generate button looks like a little
red and white beachball.
7. Back out to the Change Roles screen and click the User tab. Click on User Comparison and
then Complete Comparison. Once the comparision is done, click Save one more time and you are

done!
Return to Index...
Deleting a User Role
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
1. Log on to client needing the role deletion.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be changed or select it from a
dropdown. Press Enter to confirm that the role is found.
4. Click the Role Delete button or Shift+F2.
5. On the Delete Role popup, confirm that you wish to delete the deletion. If you get an
Information popup, confirm it also.
6. Your deletion will return a successful message in the bottom status bar.
Return to Index...
Transporting User Roles between Clients (Transport System Method)
When a modification is made to a role in the 100 client, the roles must be transported to the 800
client. One role, several roles, or all roles can be done if needed. They can all be added to the
same transport change request. After the roles have been moved to other clients, you will need to
log on to each of those clients and do a user comparison. You will also need to do a text
comparison in client 100 of the appropriate SAP system.
1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported.
Click the Truck picture-icon.
4. You will see an Information popup. Click the green picture-icon.
5. In the Choose objects popup, unclick the s beside User assignment and Personalization. If
you want to transport the users along with the role, profiles, and authorizations, you can the
to the left of User assignment. Click the green picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a
new change request. On the Create Request popup, fill in the Short description and click the Save
picture-icon. You will be returned to the Prompt for Customizing request popup which contains
the generated change request number for this system change. Click the green to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the
screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green picture-icon.
9. In the Choose objects popup, unclick the s beside User assignment and Personalization. If
you want to transport the users along with the role, profiles, and authorizations, you can the
to the left of User assignment. Click the green picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you
created in step 6. Click the green to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been
attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the
modified roles.
13. You may now leave the PFCG transaction.
Return to Index...

Transporting User Roles between Clients (Upload/Download Method)

Central User Administration distributes clients and their information to the other clients
connected to the Distribution Model. It does not, however, do the
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
same for roles and role authorizations. So when a modification is made to a role in the 100 client,
the roles must be transported to the 800 client. One role, several roles, or all roles can be done if
needed. They can all be added to the same transport change request. After the roles have been
moved to other clients, you will need to log on to each of those clients and do a user comparison.
You will also need to do a text comparison in client 100 of the appropriate SAP system.
1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported.
Click the Truck picture-icon.
4. You will see an Information popup. Click the green picture-icon.
5. In the Choose objects popup, unclick the s beside User assignment and Personalization. If
you want to transport the users along with the role, profiles, and authorizations, you can the
to the left of User assignment. Click the green picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a
new change request. On the Create Request popup, fill in the Short description and click the Save
picture-icon. You will be returned to the Prompt for Customizing request popup which contains
the generated change request number for this system change. Click the green to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the
screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green picture-icon.
9. In the Choose objects popup, unclick the s beside User assignment and Personalization. If
you want to transport the users along with the role, profiles, and authorizations, you can the
to the left of User assignment. Click the green picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you
created in step 6. Click the green to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been
attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the
modified roles.
13. You may now leave the PFCG transaction.
Return to Index...
Performing a User Comparison on the Modified Roles
1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported.
Click the Change button.
4. On the Change Roles screen, click the User tab.
5. On the User tab, click the User compare button.
6. On the Compare Role User Master Record popup, click the Complete compare button.
7. You will receive a User master record for role was adjusted message in the status bar at the
bottom of the screen. You may now leave the PFCG transaction.

Return to Index...
Performing a Text Comparison to Refresh Role Selection Lists
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user model_user. Click the
pencil picture-icon.
4. On the Maintain User screen, click the Text comparison from child Syst. button.
5. On the CUA: Text comparison from Child Systems screen, type LSDEV100 for the
Receiving system and LSQAS800 for the to system. This is a range, and since LSPRD300 falls
alphabetically between LSDEV100 and LSQAS800, all three systems will have the text
comparison performed. Click the clock picture-icon.
6. On the CUA: Text comparison from Child Systems results screen, you will see a list of the
systems compared and the compare results. Click the white arrow on green picture-icon 3 times,
or until you have left the SU01 transaction.
Return to Index...
Users, Roles, and Authorizations
SAP security is based on authorization objects and authorizations. An authorization object is
used to indicate that a user can perform a certain activity. An authorization is used to limit the
scope of that activity.
For example, a profile contains the S_DEVELOP authorization object. This authorization object
allows a user to perform ABAP workbench activities. Some users will need to do all ABAP
activites while others will only need to perform a few. So S_DEVELOP has a selection of
authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The
authorizations are set to the appropriate values as needed. A tree view of the S_DEVELOP
authorization object can be seen below:
S_DEVELOP
ACTVT
Create or generate
Change
Display
Delete
Activate, generate
Execute
Create in DB
Delete in DB
Convert to DB
Administer
Copy
All Functions
Deactivate Mod. assistant
DEVCLASS
Single Value or Value Range
OBJNAME
Single Value or Value Range

OBJTYPE
Single Value or Value Range
P_GROUP
Single Value or Value Range
The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench
activities. But having a S_DEVELOP authorization object with the ACTVT
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
authorization value set to Display (03) means that the user is limited to display only in the ABAP
workbench transactions. Thus we see that authorization objects grant while authorizations limit.
It is important to remember, however, that a user with a profile having a S_DEVELOP with full
authorizations still cannot access an ABAP workbench transaction until a matching S_TCODE
(start up transaction code) has been added as well. In other words, a user may have the rights to
add, modify and delete ABAP programs but until an entry for SE38 has been added to the
S_TCODE authorization object, he cannot access transaction SE38 which is the ABAP Editor.
All authorization objects and authorizations are grouped into profiles before being attached to
users. Profiles use a combination of authorization objects and their respective authorizations, and
their creation can be complex as well as tedious. In order to simplify the creation of profiles, the
Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly
interface which generates profiles based on the information added via this interface.
Manually creating profiles is the old way of doing things. There are times, such as the start of a
new SAP landscape where no roles exist, that the use of profiles is handy. But once the landscape
has been completed all users, with the exception of the Basis team, should be attached to roles.
There should never be a need to manually create a SAP new profile. To add a new role, the
easiest method is to copy an existing role that matches your needs as closely as possible and
make the changes you need for the new role.
This documentation covers changing user security via both methods.
Adding Authorization Objects and/or Authorizations to a Profile
Remember that profiles are NOT the standard way to implement SAP security
1. Log on to the appropriate client in the appropriate SAP system.
2. Go to transaction SU02.
3. In the Manually edit authorization profiles section of the Profile: Initial Screen screen, enter
the Profile you want to change. Make sure the Active only is checked. Click the Create work
area for profiles button.
4. On the Profile List screen, double-click the profile to be changed.
5. A profile can contain authorization objects only (single profile) or one or more other profiles
(collective profile). If the next screen is titled Maintain Profile, this is a single profile, and you
should proceed to the next step. If the next screen is titled Collect Profiles, this is a collective
profile and you should skip to step 13.
6. On the Maintain Profile screen, you must decide if you need to add a new authorization object
and one or more of its authorizations, or add a new authorization to an authorization object
already in the profile. If you need to add a new authorization to an authorization object already in
the profile, skip to step 7. Otherwise, scroll down the Consisting of authorizations list until you
find a blank line. Type the authorization object you need to add and press Enter. You will need to
scroll through the list again until you find the authorization object you just added (it is was to
find since the Authorization column should still be blank). Once you find the new entry line, use

the drop down to fill in the Authorization column. Click on the Save picture-icon.
7. If you need to add another authorization to an authorization object already in the profile list,
click on the +Add authorization button.
8. From the Maintain Profiles: Object Classes screen, double-click the Object class of the
authorization you are adding.
9. On the Maintain Profiles: List of Authorizations screen, select the authorization you need to
add by double-clicking the appropriate line. This
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
will return you to the Maintain Profile screen where you can see that your authorization has been
added.
10. On the Maintain Profile screen, click the Save picture-icon. Then click the lit match pictureicon to activate the new profile changes.
11. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to
complete the profile activation process.
12. You may now leave the SU02 transaction.
13. In order the change a profile collection, you must make the changes in one or more of the
dependent profiles, save the changes in the dependent profile(s), activate the dependent
profile(s), save the collection owner profile, and activate the collection owner profile. On the
Collect Profiles screen, double-click on the profile you want to change.
14. You will be taken to the Maintain Profile screen. Perform steps 6 to 11. Then use the white
arrow on green picture-icon to go back.
15. On the Collect Profiles screen, click the Save picture-icon. Then click the lit match pictureicon to activate the new profile changes.
16. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to
complete the profile activation process.
17. You may now leave the SU02 transaction.
Return to Index...
Adding Authorization Objects and/or Authorizations to a Role
1. Log on to client 100 in the DEV SAP system.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, enter the Role you want to change. Click the Change button.
4. On the Change Role screen, click the Authorizations tab and then click the pencil picture-icon.
5. If you are only adding a start up transaction to the role, skip to step 10. Otherwise, the
assumption is that a new authorization object is to be added. On the Change role: Authorizations
screen, click the +Manually button.
6. On the Manual selection of authorizations popup, enter the authorizations objects that need to
be added (ie S_DEVELOP, S_PROGRAM, etc.) Click the green when you are finished.
7. Back on the Change role: Authorizations screen, if all the displayed signal lights are green,
skip to step 8. Otherwise, fully expand the lines that are yellow and/or red and supply the
necessary information. All signal lights should be green before moving to the next step.
8. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a
Data saved confirmation message in the status bar at the bottom of the screen.
9. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to
generate a profile from the saved role. Reply affirmatively if any confirmation popups. You will
receive a Profile(s) created message in the status bar at the bottom of the screen. If you do not

need to add any start up transactions to the profile, you may now leave the PFCG transaction.
10. On the Change Role: Authorizations screen, expand the Cross-application Authorization
Objects Authorization Check for Transaction Start Authorization Check for Transaction
Start until you see the Transaction code entry line. Double-click on the entry portion of the
Transaction code line.
11. In the Maintain Field Values popup, scroll down the list until you find a blank From and To
line. Enter the transaction(s) to be added, and click the Save picture-icon when you have
finished.
This document is the intellectual property of Jo Spencer and may not be edited without
permission.
12. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a
Data saved confirmation message in the status bar at the bottom of the screen.
13. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to
generate a profile from the saved role. Reply affirmatively if any confirmation popups. You will
receive a Profile(s) created message in the status bar at the bottom of the screen.
14. You may now leave the PFCG transaction.
Return to Index...
Granting Transaction Access to a User via Profile
*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Granting Transaction Access to a User via Role
1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to
change, either by typing it in or choosing it from the drop down. Click the little yellow pencil
Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available
Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparion to rebuilt the role-to-user
connections.
6. You may now leave the PFCG transaction.
Return to Index...
Revoking Authorizations from a User via Profile
*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Revoking Authorizations from a User via Role
Use the same procedure as Adding Authorization Objects and/or Authorizations to a
Role
Return to Index...
Revoking Transaction Access from a User via Profile
*** Remember that profiles are NOT the standard way to implement SAP security. ***
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without
permission.

Attaching a Profile to a User

*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Attaching a Role to a User
1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to
change, either by typing it in or choosing it from the drop down. Click the little yellow pencil
Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available
Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparion to rebuilt the role-to-user
connections.
6. You may now leave the PFCG transaction