Security Q&A
When a role is used to generate authorization profiles, the generated profile is not entered into the user
master record until a user master comparison is carried out. This comparison can be automated by scheduling the
report PFCG_TIME_DEPENDENCY to run every day.
● Authentication: Verifies the identity of the user; only authenticated, authorized users should be permitted
access to the SAP system.
● Authorization: The SAP system grants users access only to what the roles and profiles assigned to them allow.
● Integrity: It is vital to ensure the integrity (validity, accuracy, and consistency) of data at all times.
● Privacy: Keeps data safe from unauthorized access.
● Obligation: Securing and validating the company's liability and legal obligations towards stakeholders and
shareholders.
SAP T-code   Description
PFUD         Compare the user master in dialog.
SCC8         Client export; the exchange of data occurs at the operating system level.
PFCG         Role maintenance with the profile generator.
SE43         Display and maintain area menus.
ST01         System trace.
SU01         User creation and maintenance.
SU02         Maintain authorization profiles.
SU03         Maintain authorizations.
SU3          Set the user's address and default parameters.
SU10         Mass user maintenance.
SU25         Fill the customer tables USOBT_C and USOBX_C with SAP default values.
SUIM         User information system.
SM01         Lock a transaction against execution.
SM12         Display and delete locks.
SM20         View the security audit log.
EWZ5         Lock users.
RZ10         Profile configuration.
RZ11         Maintain profile parameters.
● System user: Users of this type can perform certain system activities such as background processing, ALE
(Application Link Enabling), workflows, etc. The system user type does not allow interactive access to the
system. For a system user, the system does not check for expired or initial passwords, only a user
administrator can change the password, and multiple logons are allowed.
● Dialog user: Dialog users represent human users, also called end users. This user type is needed for
individual, interactive sessions in the SAP system. For a dialog user, the system checks for an expiring or
initial password, allows the user to change their password, and checks for multiple logons.
● Service user: Service users generally represent a larger user community and provide guest access, or the
ability to connect to remote systems with certain rights. For a service user, the system does not check for
expired or initial passwords, only a user administrator can change the password, and multiple logons are
allowed.
● Communication user: Enables dialog-free interaction or communication between systems. Dialog logon is not
possible with this user type.
● Reference user: Rather than assigning roles individually to each user, a reference user is created to hold a
selection of roles that are to be assigned to a larger group of users. If you need to create a large number
of users in your SAP system with the same authorizations, you can use this method.
5. How many types of users are there for background jobs? Is there a way to troubleshoot problems that a
background user faces?
The user types for background jobs are as follows:
System user: Users of this type can perform certain system activities such as background processing, ALE
(Application Link Enabling), workflows, etc.
Communication user: Enables dialog-free interaction or communication between systems. Dialog logon is not
possible with this user type.
Background jobs can be scheduled with T-code SM36, viewed and monitored with T-code SM37, and problems faced by
background users can be traced with T-code ST01.
6. How will you check table logs and what T-codes will you use?
First, check whether logging is enabled for the table; this can be done with T-code SE13 (technical settings of
the table). If table logging is enabled, the history of the table (the table logs) can be viewed with T-code SCU3.
Below are some examples of role templates offered by SAP AIF 4.0:
SAP_AIF_ADMIN: AIF Administrator
SAP_AIF_ALL: AIF All Authorizations
SAP_AIF_ARCHITECT: AIF Architect
SAP_AIF_AUDITOR: AIF Auditor
SAP_AIF_POWER_USER: AIF Power User
SAP_AIF_USER: AIF Business User
14. What is the maximum number of profiles in a role, and the maximum number of objects in a role?
A role can have a maximum of 312 profiles and 170 objects.
15. Which reports or programs are useful for regenerating the SAP_ALL profile?
Report RSUSR406 or T-code SU21 can be used to regenerate the SAP_ALL profile manually. In this case, SAP_ALL is
generated only in the client where the report is executed. You can also regenerate SAP_ALL with the report
AGR_REGENERATE_SAP_ALL, in which case the profile is generated in all clients.
16. Differentiate between USOBT_C and USOBX_C.
USOBX_C and USOBT_C are customer-specific tables; the C in their names indicates that they contain
customer-specific values that are maintained or changed using T-code SU24. The differences between USOBT_C and
USOBX_C are as follows:
USOBX_C: Specifies which authorization checks are to be performed and which are not, i.e., whether the field
"check indicator" is set to "Check" or to "Do not check". It also defines the authorization checks that are
maintained in the profile generator.
USOBT_C: Contains the authorization objects whose proposal value is Yes in SU24, together with the authorization
values for the authorization objects that are defined to be maintained in the profile generator.
19. Which authorization objects are needed to create and maintain user records?
In order to create and maintain a user record, you need the following authorization objects:
S_USER_GRP: Assign user groups.
S_USER_PRO: Assign authorization profile.
S_USER_AUT: Create and maintain authorizations.
20. What does User buffer mean? Which parameter controls the number of entries in the user buffer?
The SAP system automatically creates a user buffer when a user signs on. This buffer holds all authorizations of
that user. Each user has their own buffer, which can be displayed with T-code SU56. The tool is for monitoring
purposes only; no further action can be taken from it. The profile parameter auth/auth_number_in_userbuffer
controls the number of entries in the user buffer.
21. Which T-codes can be used to display user buffers and to delete old security audit logs?
The T-codes for displaying user buffers and deleting old security audit logs are as follows:
SM18: Delete old security audit logs (reorganize the security audit log).
SU56: Display the user buffer, i.e., the authorization objects buffered from the user's roles and profiles.
22. What is the procedure for deleting multiple roles from the QA (Quality Assurance), DEV (Development), and
Production systems?
To delete multiple roles from the QA, DEV, and Production systems, follow these steps:
1. Put the roles to be removed in a transport (in the development system).
2. Delete the roles.
3. Import the transport into the QA and production systems.
23. What are the main tabs available in PFCG (the profile generator)?
PFCG has several important tabs, including the following:
Description: Used to document changes made to the role, such as authorization objects or T-codes added or removed.
Menu: Used to design the user menu, for example by adding T-codes.
Authorization: Used to maintain authorization data and generate the authorization profile.
User: Used to assign users to the role and adjust (compare) their user master records.
24. Describe the steps one needs to take before running the system trace.
A few things need to be done before executing the system trace. If you intend to trace a CPIC connection or a user
ID, make sure beforehand that the ID in question has been given SAP_NEW or SAP_ALL. This ensures that the traced
work can be executed without any authorization check failing along the way.
27. Apparently, someone deleted users from our system, and I would like to know who did so. Is there a table
where this is recorded or logged?
This information can be obtained by debugging the system or by using report RSUSR100, which lists all changes made
to users (the user change history).
29. Would it be possible to mass delete roles without deleting the new roles in SAP?
SAP provides a report (AGR_DELETE_ALL_ACTIVITY_GROUPS) that you can copy, remove the system type check from, and
then execute. To mass delete roles without deleting the new roles in SAP, simply put the roles you wish to delete
in a transport (a package used for transferring objects between SAP installations), run the delete program or
delete them manually, then release the transport and import it into all client systems. As soon as the transport
is imported, the roles are deleted from all client systems.
The code in AGR_DELETE_ALL_ACTIVITY_GROUPS must be adjusted (debugged and replaced) to ensure that it deletes only
SAP-delivered roles. Once past that small hurdle, it works well.
User status   Reason
0             Not locked.
16            Mystery values.
32            Locked by CUA central administrator (user admin).
64            Locked by system administrator.
128           Locked after too many failed or incorrect logon attempts.
192           Locked by the system administrator and locked after too many failed logons (192 = 64 + 128).
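The lock status values above form a bitmask, so a single value such as 192 can carry more than one reason. The following Python decoder is an added example, not part of the original page; the user records it filters are constructed sample data, and the value 16 is treated as undocumented because the page does not explain it.

```python
# Decoder for the SAP user lock status bitmask shown in the table above.
# The status-to-reason mapping follows the page; the records below are constructed samples.

LOCK_FLAGS = {
    32: "Locked by CUA central administrator",
    64: "Locked by system administrator",
    128: "Locked after too many failed logon attempts",
}

DOCUMENTED_BITS = sum(LOCK_FLAGS)  # 224: the bits the page gives a meaning for


def decode_lock_status(status):
    """Return the list of lock reasons encoded in a status value.

    Because the value is a bitmask, 192 (= 64 + 128) decodes to both the
    administrator lock and the failed-logon lock. Bits the page does not
    document (e.g. 16, listed as 'mystery values') are reported as such.
    """
    if status == 0:
        return ["Not locked"]
    reasons = [text for bit, text in LOCK_FLAGS.items() if status & bit]
    undocumented = status & ~DOCUMENTED_BITS
    if undocumented:
        reasons.append(f"Undocumented flag bits: {undocumented}")
    return reasons


def users_locked_by_failed_logons(records):
    """Names of users whose status has bit 128 set (locked after failed logons).

    Useful for a daily review: these locks can indicate password guessing
    against an account rather than an administrative action.
    """
    return sorted(r["user"] for r in records if r["status"] & 128)


# Constructed sample export of user lock statuses (not real data).
SAMPLE_RECORDS = [
    {"user": "ALICE", "status": 0},
    {"user": "BATCH_RFC", "status": 64},
    {"user": "BOB", "status": 128},
    {"user": "CAROL", "status": 192},
    {"user": "DAVE", "status": 16},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["user"], "->", "; ".join(decode_lock_status(rec["status"])))
    print("Locked by failed logons:", users_locked_by_failed_logons(SAMPLE_RECORDS))
```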