SAP Security Interview Questions

This summary provides concise responses to 15 security-related questions regarding SAP user administration, roles, authorizations and security configurations. The questions cover topics such as how to fix issues when proposed activities in roles do not match requirements, the purpose of transaction PFUD, how to force a user password change, differences between SU24 and SU22, consequences of inconsistent CUA settings, and transporting user groups.

SAP Security Interview Questions

Written by Nagar
Q. SAP Security T-codes
Frequently used security T-codes:
SU01 - Create/Change User
PFCG - Maintain Roles
SU10 - Mass Changes
SU01D - Display User
SUIM - Reports
ST01 - Trace
SU53 - Authorization analysis

Q How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.
Q What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (even where an AUTHORITY-CHECK statement is programmed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.
Q What authorizations are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations
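As an added illustration (not part of the original document) of how one of these objects is enforced at runtime, the following constructed ABAP report checks S_USER_GRP before it would touch users of a given group and evaluates every sy-subrc the AUTHORITY-CHECK statement can return. CLASS and ACTVT are the object's standard fields; the report name, the form name and the default group value are assumptions.

```abap
REPORT z_check_user_grp_demo.   " constructed example, not an SAP program

" User group to test; ZDEMO is a constructed value, use one from SUGR
PARAMETERS: p_group TYPE usr02-class DEFAULT 'ZDEMO'.

START-OF-SELECTION.
  PERFORM check_user_grp USING p_group.

" Ask the kernel whether the current user holds S_USER_GRP with
" CLASS = the given group and ACTVT = 02 (change). For PFCG to propose
" this object for a custom transaction, its check indicator and default
" values must be maintained in SU24 (tables USOBX_C / USOBT_C above).
FORM check_user_grp USING iv_group TYPE usr02-class.
  AUTHORITY-CHECK OBJECT 'S_USER_GRP'
    ID 'CLASS' FIELD iv_group
    ID 'ACTVT' FIELD '02'.

  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized: may change users in group', iv_group.
    WHEN 4.
      " Object is in the user master, but not with these field values.
      " This failed check is what SU53 shows the user afterwards.
      WRITE: / 'No authorization for group', iv_group, '(ACTVT 02)'.
    WHEN 12.
      " Object not contained in the user master record at all.
      WRITE: / 'S_USER_GRP not assigned to user', sy-uname.
    WHEN OTHERS.
      " 8: too many ID parameters; 16/24/28/32/36: profile or
      " field-name errors, i.e. a coding or role-generation problem.
      WRITE: / 'AUTHORITY-CHECK returned sy-subrc', sy-subrc.
  ENDCASE.
ENDFORM.
```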
Q List R/3 User Types
Dialog users are used for individual users. The system checks for expired/initial passwords. It is possible to change your own password. Multiple dialog logons are checked.
Service users: only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted.
System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user on the Roles tab.
Q What is a derived role?
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards.
Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
Q What is a composite role?
A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called collective roles.
Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
Q What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY daily.
Last Updated (Tuesday, 30 November 1999 00:00)

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

2) What is the use of transaction PFUD at midnight?

3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

4) How are web services represented in authorizations of users who are not logged on?

5) How do you force a user to change their password and on which grounds would you do so?

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?

7) When an authorization check on S_BTCH_JOB fails, what happens?

8) Can you have more than one set of org-level values in one role?

9) Should RFC users have SAP_NEW and why?

10) What is an X-glueb command and where do you use it in SAP security?

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?

13) Can you use the information in SM20N to build roles and how?

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

15) Name any one security related SAP note and explain its purpose or solution.

16) What are the two primary differences between a SAML token profile and a SAP logon ticket?

17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?

18) If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?

19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?

20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?

Cheers,
Julius

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun.
Posted: Mar 25, 2010 10:12 PM in response to: Julius Bussche

Continued:

21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?

22) A key-user in the finance department is also an ABAP developer. What do you do?

23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?

24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?

25) How do you remove a developer's access and developer keys from a system? What else would you check for?

26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?

27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?

28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun.
Posted: Mar 25, 2010 10:14 PM in response to: Julius Bussche

Dummy post 2 for subsequent questions...

Vijayalakshmi B... (Posts: 80, Registered: 4/18/07, Forum Points: 0)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 8:30 AM in response to: Julius Bussche

Hi Julius,
The question bank gives an idea of the breadth and depth of your knowledge :)

One question which I'm trying to find an answer to is (as much because of customer requirements as also curiosity):

8) Can you have more than one set of org-level values in one role? If so how?

If you have any suggestions for this one please let me know.

Thanks
Vijaya

Guest
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 11:27 AM in response to: Julius Bussche

I can answer most, but as you said not to float, kindly suggest, should I send mail?

Thanks,
Prasant K Paichha

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 12:17 PM in response to: Guest

I am sure that Klinndk12 could have asked you most of them as well...

Cheers,
Julius
P Arpan (Posts: 152, Registered: 4/6/09, Forum Points: 172)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 12:25 PM in response to: Julius Bussche

@1 copy....inactive,,,
@2 midnight - time to do the right thing for the coming day...
@3....
@4....

I am at home today....not sure why I did not go to the office today....The entire day was so boring....I had no wish to make any post today...But when the question comes to earning beer, I could not resist myself from posting,,,,

Ohhh....weekend is coming.....

Michael Jaynes (Posts: 45, Registered: 1/10/08, Forum Points: 10)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 3:59 PM in response to: Julius Bussche

I have one year of experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use Google or any of my systems for reference!

1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best answer is to modify your SU24 data.

2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user records.

3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes? PFUD is not needed and the user needs to log off and back on again.

4) How are web services represented in authorizations of users who are not logged on? ??

5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA

8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....

9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

10) What is an X-glueb command and where do you use it in SAP security? ???

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???

13) Can you use the information in SM20N to build roles and how? You could, I guess. Not a good practice though. Build roles based on business processes.

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL which reconciles new authorization objects from SAP_NEW.

15) Name any one security related SAP note and explain its purpose or solution. Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.

16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.

Alex Ayers (Posts: 2,166, Registered: 3/15/07, Forum Points: 3,830)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 4:48 PM in response to: Julius Bussche

15 - reference to the unexpurgated version of note 60233 will get muchos kudos

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 5:11 PM in response to: Julius Bussche

@ Vijaya: If you can find a 2nd Org. Level button then let us know.

@ Arpan: Enjoy the weekend and your beer.

@ Prasant: Your user ID has been deleted.

@ Michael: Let's put it this way - your answer to question 10 is very close.

@ Alex: Version 27 fix 2 of Ora-1555 errors, step # 8, sir (this will also be useful for Arpan :-)

Cheers.
Julius
John Navarro (Posts: 398, Registered: 8/6/07, Forum Points: 510)
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 5:50 PM in response to: Julius Bussche

All these questions are SCUM :-) It's Friday I just want my beer.

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun.
Posted: Mar 27, 2010 8:39 PM in response to: John Navarro

I added question 17 for you :-)

Question 18 is a "by-product" of it.

P Arpan (Posts: 152, Registered: 4/6/09, Forum Points: 172)
Re: Security interview questions - some fun.
Posted: Mar 28, 2010 8:09 AM in response to: Julius Bussche

Well, earning beer seems to be harder and harder as new question banks are coming my way....But I found @23 very interesting and these could be the possible solutions from my end.

guide the user/lock the user/delete the user/bomb the user/dump the user from office......so on until the dump stops in his name....well HIS name as this user cannot be SHE ;-)......

By the way it's Sunday, and if my wife accidentally gets access to this post, this day will feel like a Monday in front of the boss...Bye folks....

Baskar Ramakris... (Posts: 40, Registered: 5/10/06, Forum Points: 28)
Re: Security interview questions - some fun to tickle your brain.
Posted: Mar 30, 2010 10:09 PM in response to: Julius Bussche

How will you create a developer key and OSS ID in SAP Service Market Place?

Julius Bussche (Posts: 10,510, Registered: 3/13/06, Forum Points: 9,356)
Re: Security interview questions - some fun to tickle your brain.
Posted: Mar 30, 2010 10:55 PM in response to: Baskar Ramakris...

shabana shariff (Posts: 1, Registered: 7/23/06, Forum Points: 0)
General interview questions in Security R3?
Posted: Jul 24, 2006 7:24 PM

Hi Everyone,
I just wanted to know what are the questions (in general) to be expected in an R3 Security interview (4.6c), as I am expecting an interview in a couple of days..
Thank you in advance
shabana

Annie Chan (Posts: 140, Registered: 10/6/05, Forum Points: 8)
Re: General interview questions in Security R3?
Posted: Jul 25, 2006 8:19 AM in response to: shabana shariff

Questions that I encountered based on R/3 46C:

1. How frequently do you perform transport migration?
2. Understanding of Composite role, Derived Roles, Single Roles
3. Knowledge of SU01, PFCG
4. CUA

Christian Wippe... (Posts: 49, Registered: 1/31/05, Forum Points: 110)
Re: General interview questions in Security R3?
Posted: Jul 25, 2006 9:13 AM in response to: Annie Chan

Hi,

these are a few quick thoughts:

IT-Infrastructure Security, SAP Landscape:
- Network layout and firewalling between systems
- Remote administration, backup, archiving procedures
- Hardening procedures for new systems, new clients, system or client copies
- examples are locking, unlocking, password changes of users, setting system wide password rules, SM59 configuration, SICF configuration
- Use of cryptographic mechanisms (SNC, SSL)

Authorizations:
- Does a documented authorization concept exist?
- Of course: Are there SAP_ALL, SAP_NEW users (or any equivalent sort of SAP_ALL)?
- How are authorizations of communication / system users managed?
- What kind of functional roles are used (Task roles, job roles, etc.)?
- What kind of technical roles are used (single, composite, derived)?
- Are check indicators used (SU24)?
- Are there many "manual" authorization objects? (This would indicate that SU24 is not correctly used.)
- Are risky transactions (SU01, PFCG, SM59, SA38, ...) and risky transaction combinations (vendor creation / change and payment processing) known and documented?
- Are procedures in place that control / mitigate the execution of these risks?
- How is user and authorization management regulated?

Regards,
Christian
