SAP SECURITY FAQs
I have received a request from business to add authorization object ZMXM with
User Action as SUBMIT for Authorization Object S_Program. I have already manually
added the required access to a given role in DEV and moved it to the QAS environment. The
import on QAS was successful, but when I looked at the role in PFCG the Authorization Object
S_Program is showing as inactive. I have repeated the transport process but still have the same
issue. Also, I have cross-checked by adding another Authorization Object and it's showing
active in the QAS environment. Is the problem with S_Program only? Could you please
help me to solve this issue as I have to revert back to business. I am working on 4.6C
version of SAP with Oracle 10g.
SOL1:
• 1. Please check the object is activated in the QAS system (as this is a standard object,
surely this should be activated)
SOL2:
• I have found the table entries for S_Program in TADIR and TOBJ are the same
on DEV as well as on the QAS system.
SOL3:
• You might have saved and transported the role without generating
the profiles.
2. What is a Test Script? Scenarios where role creation through SECATT would be
helpful.
SOL1.
• If you go for mass derived role creation, for example you need to create the same role for
different company codes or plants or some other org level (larger companies have
many org levels and may need this kind of security setup), where all
authorizations are the same and only the org level differs, then you have to create a huge
number of roles. And if you have 10 roles, each having 75 derivations, then
you need to create 750 roles. So these kinds of scripts are really helpful and will save
lots of time.
3. UST04 inconsistency
I am facing an error in our existing system. I am getting an entry in table UST04 which
comprises a profile and a user assigned to that profile. But when I go to SU01 to see
the details of that particular user, I get a message saying the user does not exist.
The user also does not exist in the table USR02. But this is very unlike SAP, that I can see
a user in UST04 and am unable to see the same in SU01 and table USR02.
Need some help on this. Your help is highly appreciated. In anticipation of your reply.
Thanks in advance.
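One way to list every assignment of the kind described in this question, as an added example that is not part of the original post: it compares an export of UST04 against an export of USR02 and reports profile assignments whose user has no master record in the same client. The comma-separated export layout and all sample rows are assumptions constructed for illustration; only the table names and the MANDT, BNAME and PROFILE fields come from SAP.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). Column names follow the
# SAP tables: UST04 = user-to-profile assignments, USR02 = user logon data.
UST04_EXPORT = """MANDT,BNAME,PROFILE
100,JSMITH,Z_MM_BUYER
100,GHOST01,SAP_ALL
100,GHOST01,Z_FI_CLERK
200,JSMITH,Z_MM_BUYER
100,akumar ,Z_SD_SALES
"""
USR02_EXPORT = """MANDT,BNAME
100,JSMITH
100,AKUMAR
200,AKUMAR
"""


def _key(row):
    # User master records are client-dependent, so match on client + name.
    # Normalise the padding and case that spreadsheet exports often introduce.
    return row["MANDT"].strip(), row["BNAME"].strip().upper()


def orphaned_profile_assignments(ust04_csv, usr02_csv):
    """Return {(client, user): [profiles]} for UST04 rows with no USR02 record."""
    existing = {_key(r) for r in csv.DictReader(io.StringIO(usr02_csv))}
    orphans = defaultdict(list)
    for row in csv.DictReader(io.StringIO(ust04_csv)):
        if _key(row) not in existing:
            orphans[_key(row)].append(row["PROFILE"].strip())
    return {k: sorted(v) for k, v in orphans.items()}


if __name__ == "__main__":
    found = orphaned_profile_assignments(UST04_EXPORT, USR02_EXPORT)
    for (client, user), profiles in sorted(found.items()):
        print(f"client {client}: {user} has no USR02 record "
              f"but holds {', '.join(profiles)}")
```

Matching on client as well as user name matters here: JSMITH exists in client 100 but not in client 200, so the client 200 assignment is reported even though the name looks valid at first glance.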
==============================================================
I have one year experience in SAP Security and only two in Basis, so flame on......... I
swear I didn't use google or any of my systems for reference!
1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best
answer is to modify your SU24 data.
2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user
records.
3) Is PFUD needed when saving in SU01 and does the user need to log off and on again
after changes? PFUD is not needed and the user needs to log off and back on again.
4) How are web services represented in authorizations of users who are not logged on? ??
5) How do you force a user to change their password and on which grounds would you do
so? SU01 -> Logon Data tab -> Deactivate password. I am not sure what grounds this
would be necessary. I have never had to use it.
6) What is the difference between SU24 and SU22? What is "original data" in SU22
context? SU22 you maintain authorization objects???? SU24 you maintain which
authorization objects are checked in transactions and maintain the authorization
proposals.
7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have
authorization to perform whatever operation you are trying to perform." message. HAHA
8) Can you have more than one set of org-level values in one role? I might be
misinterpreting this question. But yes. Depending on the transactions inserted into the
role menu, you could have more than one org level to maintain. Purchasing Org and
Plant, Sales Org and Sales Division.....
9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and
necessary authorization objects into a role. S_RFC for one.
10) What is an X-glueb command and where do you use it in SAP security? ???
12) In which tables can you make customizing settings for the security administration and
name one example of such a setting which is useful but not SAP default? ???
13) Can you use the information in SM20N to build roles and how? You could, I guess.
Not a good practice though. Build roles based on business processes.
14) If the system raises a message that authorizations are missing but you have
SAP_ALL, what do you do? Regenerate SAP_ALL, which reconciles new authorization
objects from SAP_NEW.
15) Name any one security related SAP note and explain its purpose or solution. Don't
know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to
allow deletion of more than one role at a time. There is no mechanism in SAP to achieve
this currently.
16) What are the two primary differences between a SAML token profile and a Logon
ticket in SAP? ??? I know what these are but have no experience with it.