Security QA

Uploaded by Harish


1. Can you explain what a ‘user compare’ does in SAP security?

When a role is used to generate an authorization profile, the generated profile is not entered into the user
master record until a user master comparison (user compare) is run. Without it the user does not actually receive
the authorizations of the assigned role. The comparison can be run interactively with PFUD or automated by
scheduling the report PFCG_TIME_DEPENDENCY as a daily background job.

2. Write different layers of security in SAP.


Different layers of security in SAP are as follows:

● Authentication: verifies the identity of the user; only authenticated users are permitted to log on to the SAP
system.
● Authorization: the SAP system grants access to transactions and data only according to the roles and profiles
assigned in the user master record.
● Integrity: the validity, accuracy and consistency of data must be ensured at all times.
● Privacy: data is kept safe from unauthorized access or disclosure.
● Obligation: the company's liability and legal obligations towards stakeholders and shareholders are secured
and can be demonstrated (for example through audit logs and change documents).

3. What are different SAP Security T-codes?


In SAP, a transaction code (T-code) is a short alphanumeric code (often four characters, e.g. SU01, but up to 20
characters are possible) that calls a specific function or program in the SAP application. Using a transaction code,
you reach the desired function directly without navigating the menu tree. An SAP system contains more than
10,000 T-codes for configuration, end-user activities, implementation, reporting, security, etc. Below is a list of
some SAP Security T-codes:

T-code  Description
PFUD    User master comparison in dialog (enters the profiles of assigned roles into the user master records).
SCC8    Client export: client data is written to transport files at the operating-system level.
PFCG    Role maintenance with the profile generator.
SE43    Display and maintain area menus.
ST01    System trace (including the authorization trace).
SU01    User creation and maintenance.
SU02    Maintain authorization profiles manually.
SU03    Maintain authorizations manually.
SU3     Maintain own user data (address and default parameters).
SU10    Mass user maintenance.
SU25    Profile generator upgrade tool: fills the customer tables USOBT_C and USOBX_C with the SAP default
        values from USOBT and USOBX.
SUIM    User information system.
SM01    Lock transactions from execution.
SM12    Display and delete lock entries.
SM20    Evaluate the security audit log.
EWZ5    Lock users (mass lock).
RZ10    Maintain profiles (default and instance profiles).
RZ11    Display and maintain profile parameters.

4. Describe the different types of SAP System users.


In SAP systems, when an administrator creates a new user ID, the user type has to be specified. Users are
categorized according to their purpose, which allows different security policies to be applied to different types of
users. A security policy may, for example, require that a human user who works interactively changes their
password regularly, whereas this requirement does not apply to a user that only runs jobs in the background.
The user types in SAP are:

● Dialog user: represents a human user (end-user). This type is needed for individual, interactive sessions in the
SAP system (SAP GUI). For a dialog user the system checks for expired or initial passwords, lets the user change
the password, and checks for multiple logons.
● System user: used for system-internal and background activities such as background processing, ALE
(Application Link Enabling) and workflow. No interactive (dialog) logon is possible with this type. The password is
not subject to expiry checks, can only be changed by a user administrator, and multiple logons are allowed.
● Service user: a dialog user that is made available to a larger, anonymous group of users, for example for
guest access or for logging on to remote systems with a restricted set of rights. For a service user the system
does not check for expired or initial passwords, only a user administrator can change the password, and multiple
logons are allowed. Because the credentials are shared, service users should carry only minimal authorizations.
● Communication user: enables dialog-free communication between systems (external RFC calls). Dialog logon
is not possible with this type.
● Reference user: a user that is never logged on to but holds a set of roles. Instead of assigning the same roles
to each user individually, a reference user is entered in the user master of a larger group of users, who thereby
inherit its authorizations in addition to their own. This is a practical way to create many users with identical
authorizations.

5. How many types of users are there for background jobs? Is there a way to troubleshoot problems that a
background user faces?
The user types used for background jobs are as follows:
System user: used for system-internal activities such as background processing, ALE (Application Link Enabling)
and workflow.
Communication user: enables dialog-free communication between systems. Dialog logon is not possible with this
type of user.
Background jobs are scheduled with the SM36 T-code and viewed and monitored with the SM37 T-code.
Authorization problems of background users are troubleshot with the authorization trace in ST01: SU53 only shows
the last failed authorization check of the calling user's own dialog session, so it cannot be used for a job that runs
without a dialog.

6. How will you check table logs and what T-codes will you use?
First check whether logging is enabled for the table: in the T-code SE13 (technical settings) the flag "Log data
changes" must be set. Table logging only takes effect if the profile parameter rec/client (check it with RZ11) is set
to the clients to be logged, for example ALL. If logging is enabled, the change history of the table (table logs) is
displayed with the T-code SCU3.

7. Explain the concept of SAP Roles and Authorization.


In SAP, roles and authorizations are the mechanism that allows users to execute transactions (run programs) in a
controlled way. A role bundles a menu of transactions with the authorization data required to execute them; from
that data an authorization profile is generated, and it is the profile in the user master record that the system
checks at runtime. SAP delivers standard roles for different modules and scenarios, and user-defined roles can be
created for the project scenario. PFCG is the T-code for maintaining roles and their authorization data.

8. Write different types of roles in SAP security.


In SAP, there are several types of roles as follows:
Single Role: A single role contains the authorization objects and field values (both organizational and
non-organizational) required to execute the transactions it contains. The term "single role" is often used for a
job- or position-based role design, in which case the single role includes all authorizations required for a user's
position or job.
Derived Role: Roles can also be derived from a single role. There is a parent (master) role and one or more child
roles that inherit the parent's menu and authorization data and differ only in their organizational-level values.
Composite Role: Multiple single roles can be grouped into a composite role. By assigning only the composite role,
you indirectly assign all of its single roles to a user. A composite role has no authorization data of its own.
9. Is there a way to add a missing authorization?
SU53 is the first T-code to use for finding a missing authorization: it shows the last failed authorization check of
the user's own session, which is often all that is needed for SAP GUI troubleshooting (for background or RFC users
use the ST01 authorization trace instead). The missing authorization is then added to the appropriate role with
the T-code PFCG, the T-code for maintaining roles and authorization data, and the profile is regenerated.

10. What is SOD (Segregation of Duties) in SAP Security?


Segregation of Duties (SOD) refers to separating duties or roles between different users, so that the individuals
who handle the different steps of a business transaction are not the same person. SOD in SAP is an essential
internal control meant to minimize the risk of errors and fraud, to identify problems, and to ensure that remedial
action is taken. All of this is achieved by making sure that no single user controls all phases of a transaction, for
example that the person who enters a vendor invoice cannot also run the payment.
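An added example, not from the original Q&A: a minimal SOD check in Python over a constructed extract of role-to-transaction and user-to-role assignments (the shape of an AGR_TCODES / AGR_USERS download). The role names, transaction sets, business functions and rule pairs below are constructed for illustration and are assumptions, not SAP-delivered data; a real rule set would be much larger and would also take authorization object values into account, not just transaction codes.

```python
# Added example (not from the original Q&A). Constructed sample data:
# which transactions each role grants, like an AGR_TCODES extract.
ROLE_TCODES = {
    "Z_AP_INVOICE":   {"FB60", "MIRO"},   # enter vendor invoices
    "Z_AP_PAYMENT":   {"F110"},           # run the payment program
    "Z_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},   # display only
}

# Constructed sample: which roles each user holds, like an AGR_USERS extract.
USER_ROLES = {
    "ALICE": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
    "BOB":   {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},
    "CAROL": {"Z_DISPLAY_ONLY"},
}

# Business functions expressed as transaction sets (hypothetical), and the
# pairs of functions that must never be held by the same user.
FUNCTIONS = {
    "ENTER_INVOICE":   {"FB60", "MIRO"},
    "PAY_VENDOR":      {"F110"},
    "MAINTAIN_VENDOR": {"XK01", "XK02"},
}
SOD_RULES = [
    ("ENTER_INVOICE", "PAY_VENDOR"),
    ("MAINTAIN_VENDOR", "PAY_VENDOR"),
]


def user_tcodes(user):
    """Effective transaction set of a user: the union over all assigned roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def user_functions(user):
    """Business functions a user can perform (any one transaction of the function suffices)."""
    tcodes = user_tcodes(user)
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def sod_conflicts(user):
    """Rules violated by one user, in rule-set order."""
    funcs = user_functions(user)
    return [rule for rule in SOD_RULES if rule[0] in funcs and rule[1] in funcs]


def conflicting_roles(user, rule):
    """Which of the user's roles contribute each side of a violated rule.

    This is what you need to decide which role assignment to remove."""
    side_a = {r for r in USER_ROLES[user] if ROLE_TCODES[r] & FUNCTIONS[rule[0]]}
    side_b = {r for r in USER_ROLES[user] if ROLE_TCODES[r] & FUNCTIONS[rule[1]]}
    return side_a, side_b


def find_all_conflicts():
    """Map every user with at least one violation to the rules they violate."""
    return {u: c for u in USER_ROLES if (c := sod_conflicts(u))}


if __name__ == "__main__":
    for user, conflicts in find_all_conflicts().items():
        for rule in conflicts:
            print(user, rule, conflicting_roles(user, rule))
```

Conflicts are computed on the user's effective transaction set rather than per role, because a violation usually arises from the combination of two individually clean roles (as with ALICE above), which a per-role check would never see.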

11. How will you create a user group in SAP?


The following steps explain how to create a user group in SAP:
STEP1: In SAP Easy Access Menu, enter the SUGR T-code and execute it. SUGR is the SAP T-code for maintaining
user groups.
STEP2: You will see a new screen. Fill in the text box with the name of the new user group.
STEP3: Then click on the Create button.
STEP4: Add a description and click Save.
STEP5: A new user group will be created in SAP.

12. Explain the use of role templates.


As part of SAP AIF (Application Interface Framework), predefined template roles are delivered. These role
templates can be used as a starting point for defining roles that match specific requirements; each template
comes with the set of authorizations that a typical AIF user of that kind needs. You can use a role template in
three ways:
Use it as delivered by SAP.
Copy it and modify the copy according to your needs using the PFCG T-code.
Build your own role from scratch.

Below are some examples of role templates offered by SAP AIF 4.0:
SAP_AIF_ADMIN: AIF Administrator
SAP_AIF_ALL: AIF All Authorizations
SAP_AIF_ARCHITECT: AIF Architect
SAP_AIF_AUDITOR: AIF Auditor
SAP_AIF_POWER_USER: AIF Power User
SAP_AIF_USER: AIF Business User

13. State difference between role and profile.


A role is the design-time object: it combines a menu of transactions with the authorization data needed to execute
them. A profile is the runtime object that the profile generator creates from the role when the role is generated;
it is the profile that is entered into the user master record and checked by the system. A role can have more than
one generated profile, depending on how many transactions and authorizations it contains.

14. Mention what is the maximum number of profiles in a role and a maximum number of objects in a role?
A role can have a maximum of 312 profiles and 170 objects.

15. Which reports or programs are useful for regenerating the SAP_ALL profile?
The report RSUSR406 (also reachable from the T-code SU21) regenerates the SAP_ALL profile manually. In this case
the SAP_ALL profile is regenerated only in the client in which the report is executed. The report
AGR_REGENERATE_SAP_ALL regenerates the SAP_ALL profile in all clients of the system. Regeneration is needed
after new authorization objects have been created, so that SAP_ALL covers them too.
16. Differentiate between USOBT_C and USOBX_C.
USOBX_C and USOBT_C are customer-specific tables; the C in their names indicates that they contain the
customer's own values, which are maintained with the T-code SU24 (the SAP defaults live in USOBX and USOBT
and are copied into the _C tables with SU25). The differences between the two tables are as follows:

USOBX_C
● Holds the check indicators: for each transaction and authorization object it specifies whether the object is
checked when the transaction runs, and if so whether the profile generator should also propose it in the role, i.e.
whether the check indicator is set to "check", "check/maintain" or "do not check".
● It therefore also defines which authorization checks are to be maintained in the profile generator.

USOBT_C
● Holds the proposal (default) values for the authorization fields of those objects whose check indicator is
"check/maintain" (proposal value "Yes" in SU24).
● These are the field values that PFCG inserts into a role's authorization data when the transaction is added to
the role menu.
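An added example, not from the original Q&A, that simulates what the profile generator does with these two tables when transactions are added to a role menu: it merges the USOBX_C check indicators with the USOBT_C proposal values into authorization proposals. The rows below are constructed to look like SU24 data; the check-indicator codes "C", "CM" and "N" follow the SU24 display terms rather than the raw table encoding, and the transactions, objects and values are assumptions for illustration only.

```python
# Added example (not from the original Q&A). Constructed USOBX_C-like rows:
# (transaction, authorization object, check indicator), where
#   "C"  = check only (object is checked at runtime, but not proposed in the role),
#   "CM" = check/maintain (checked, and proposed with the USOBT_C values),
#   "N"  = do not check (the authority-check is skipped for this transaction).
USOBX_C = [
    ("SU01", "S_USER_GRP", "CM"),
    ("SU01", "S_USER_AGR", "CM"),
    ("SU01", "S_ADMI_FCD", "N"),
    ("FB60", "F_BKPF_BUK", "CM"),
    ("FB60", "F_BKPF_KOA", "C"),
]

# Constructed USOBT_C-like rows: (transaction, object, field, low, high).
# A value beginning with "$" is an organizational-level placeholder that has
# to be filled in on the role (e.g. $BUKRS for company code).
USOBT_C = [
    ("SU01", "S_USER_GRP", "ACTVT", "01", ""),
    ("SU01", "S_USER_GRP", "ACTVT", "02", ""),
    ("SU01", "S_USER_GRP", "CLASS", "*", ""),
    ("SU01", "S_USER_AGR", "ACTVT", "22", ""),
    ("SU01", "S_USER_AGR", "ACT_GROUP", "*", ""),
    ("FB60", "F_BKPF_BUK", "ACTVT", "01", "03"),
    ("FB60", "F_BKPF_BUK", "BUKRS", "$BUKRS", ""),
]


def build_proposals(menu_tcodes):
    """Authorization proposals for a role menu: {object: {field: {(low, high), ...}}}.

    S_TCODE is always inserted with the menu transactions (as PFCG does);
    every other object is taken only if its check indicator is "CM"."""
    proposals = {"S_TCODE": {"TCD": {(t, "") for t in sorted(menu_tcodes)}}}
    for tcode, obj, indicator in USOBX_C:
        if tcode not in menu_tcodes or indicator != "CM":
            continue
        fields = proposals.setdefault(obj, {})
        for t2, o2, field, low, high in USOBT_C:
            if t2 == tcode and o2 == obj:
                fields.setdefault(field, set()).add((low, high))
    return proposals


def org_levels(proposals):
    """(object, field) pairs whose proposal is a $-placeholder: the role's org levels."""
    return {
        (obj, field)
        for obj, fields in proposals.items()
        for field, values in fields.items()
        if any(low.startswith("$") for low, _ in values)
    }


def checked_not_proposed(menu_tcodes):
    """Objects checked at runtime but not proposed ("C"): these are the ones that
    surface later in SU53 if the role author forgets to add them manually."""
    return {obj for t, obj, ind in USOBX_C if t in menu_tcodes and ind == "C"}


if __name__ == "__main__":
    role = build_proposals({"SU01", "FB60"})
    for obj, fields in role.items():
        print(obj, fields)
    print("org levels to fill:", org_levels(role))
    print("checked but not proposed:", checked_not_proposed({"SU01", "FB60"}))
```

The last function is the practical point of the distinction: an object with indicator "C" still causes an AUTHORITY-CHECK at runtime, so a role built purely from proposals will fail on it, and such objects must be added by hand or their indicator changed to "CM" in SU24.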

17. Explain authorization class and authorization object.


Authorization Object: An authorization object is a group of up to ten authorization fields that together regulate a
particular activity. At runtime an AUTHORITY-CHECK tests the field values of the object against the values in the
user's authorizations; an authorization is therefore a concrete set of field values for one object, while the
authorization fields are what the security administrator fills with the specific values for the activity (e.g. ACTVT
for the activity, BUKRS for the company code).
Authorization Class: Authorization classes (object classes) are groupings of authorization objects, typically by
application area. A class contains one or more authorization objects.

18. What t-code is used to maintain Authorization Object and profile?


The T-codes used to maintain authorization objects and profiles are as follows:
SU21: used to maintain authorization objects (and their classes) in SAP.
SU02: used to maintain authorization profiles manually in SAP (profiles generated by PFCG should not be edited here).

19. Which authorization objects are needed to create and maintain user records?
In order to create and maintain a user record, you need the following authorization objects:
S_USER_GRP: maintain users in the given user groups (and assign users to groups).
S_USER_PRO: assign authorization profiles.
S_USER_AUT: create and maintain authorizations.
In addition, S_USER_AGR is needed to assign roles to the user.

20. What does User buffer mean? Which parameter controls the number of entries in the user buffer?
The SAP system builds a user buffer when a user logs on. The buffer holds all authorizations of that user, and
authority checks are performed against it rather than against the database. Each user has their own buffer, which
can be displayed with the T-code SU56; the tool is for monitoring only, no changes can be made in it. The profile
parameter auth/auth_number_in_userbuffer controls the maximum number of entries in the user buffer; if a user
has more authorizations than fit, the excess ones are not loaded and the corresponding checks fail.

21. Which T-codes can be used to display user buffers, and delete old security audit logs?
The T-codes used to display user buffers and to delete old security audit logs are as follows:
SM18: delete old security audit log files (reorganize the security audit log).
SU56: display the user buffer, i.e. the authorizations loaded for a user from their roles and profiles.

22. What is the procedure for deleting multiple roles from the QA (Quality Assurance), DEV (Development), and
Production systems?
To delete multiple roles from the DEV, QA and production systems, follow the steps below:
Put the roles to be removed into a transport request (in the development system).
Delete the roles in the development system.
Release the transport and import it into the QA and production systems; the import deletes the roles there too.

23. What are the main tabs available in PFCG (the Profile Generator)?
In PFCG, there are several important tabs, including the following:
Description: used to describe the role and document changes made to it, such as T-codes or authorization objects
added or removed.
Menu: used to design the user menu of the role, e.g. by adding T-codes.
Authorizations: used to maintain the authorization data and generate the authorization profile.
User: used to assign users to the role and run the user master comparison.

24. Describe the steps one needs to take before running the system trace.
Before running the system trace (ST01) with the authorization-check component, make sure the user ID to be
traced (a dialog user, or the CPIC/RFC user for a remote call) can actually complete the work without failing on an
authorization check, otherwise the trace stops at the first failure instead of recording every check the process
needs. A common approach is to give that test ID a wide profile such as SAP_ALL or SAP_NEW for the duration of
the trace, restrict the trace filter to that user, and remove the profile again afterwards. Do this on a development
or test system, never in production.

25. In which table are illegal passwords stored?


The USR40 table is a standard SAP Basis table (authentication and SSO area) that stores the prohibited (illegal)
password patterns. Each row holds one pattern; `*` stands for any sequence of characters and `?` for exactly one
character, so a pattern such as PASS* forbids every password that begins with "PASS". The patterns are checked
whenever a password is created or changed. The table is maintained with SM30.
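An added example, not from the original Q&A, that shows how USR40-style patterns are applied to a candidate password. The entries are constructed for illustration; the matching is done case-insensitively here, which is an assumption about the real check rather than something the Q&A states.

```python
# Added example (not from the original Q&A): evaluate a new password against
# USR40-style prohibited patterns. '*' = any sequence, '?' = exactly one character.
import re

# Constructed sample entries (the real table has one column holding the pattern).
USR40 = [
    "PASS*",      # anything starting with "pass"
    "*123",       # anything ending in 123
    "WELCOME?",   # welcome plus exactly one extra character
    "SAP*",
    "?????",      # any password of exactly five characters
]


def pattern_to_regex(pattern):
    """Translate a USR40 wildcard pattern into an anchored regular expression.

    re.escape neutralises every other special character, then the escaped
    wildcards are turned back into their regex equivalents."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    # Assumption: compared case-insensitively.
    return re.compile(escaped, re.IGNORECASE)


def forbidden_by(password):
    """Return the first prohibited pattern the password matches, or None."""
    for pattern in USR40:
        if pattern_to_regex(pattern).fullmatch(password):
            return pattern
    return None


def is_password_allowed(password):
    return forbidden_by(password) is None


def overly_broad_patterns(patterns=USR40):
    """Entries that consist only of wildcards block every password of that
    shape (or, for a lone '*', every password). Worth auditing before loading."""
    return [p for p in patterns if set(p) <= {"*", "?"}]


if __name__ == "__main__":
    for candidate in ["Password1", "hello123", "Welcome!", "abcde", "Tr0ub4dor&3"]:
        print(candidate, "->", forbidden_by(candidate) or "allowed")
    print("overly broad:", overly_broad_patterns())
```

The last function is the check a practitioner wants before loading a pattern list: a bare `*` in USR40 would reject every password, and a row like `?????` rejects all five-character passwords regardless of content, which is usually a mistake rather than a policy.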

26. Explain PFCG_Time_Dependency.


PFCG_TIME_DEPENDENCY is an executable ABAP (Advanced Business Application Programming) report in the SAP
system. It performs the user master comparison, i.e. it enters the generated profiles of assigned roles into the user
master records, and it removes the profiles of role assignments whose validity period has expired. It is normally
scheduled as a daily background job (SM36). The same comparison can be run interactively with the PFUD T-code.

27. Apparently, someone deleted users from our system, and I would like to know who did so. Is there a table
where this is recorded or logged?
This information is recorded in the change documents for users, which can be evaluated with the report RSUSR100
(also reachable via SUIM, Change Documents, For Users). The report shows the complete change history of a user,
including who deleted it and when. If the security audit log (SM20) is active, the deletion is logged there as well.

28. What is Profile Version?


An authorization profile contains the authorizations that determine which actions (such as display, create and
change) a user may perform on which resources. Changing and saving a profile does not overwrite the old state in
the database. Instead, a new version of the profile is created with the updated values, and SAP assigns a sequential
number to each version: a newly created profile has version number 1, and every subsequent generation of the
profile increments the version number.

29. Would it be possible to mass delete roles without deleting the new roles in SAP?
SAP provides the report AGR_DELETE_ALL_ACTIVITY_GROUPS, which by default deletes all roles. To delete only a
selected set of roles without touching the new ones, copy the report, remove its system-type check, and adjust the
copy so that it deletes only the SAP-delivered roles (or only the roles you select). Then put the roles to be deleted
into a transport request, run the delete program (or delete them manually), release the transport and import it
into all target systems; as soon as the transport is imported, the roles are deleted there as well. Checking and
adjusting the deletion code of the copied report is the only awkward part; once that is done the procedure works
well.

30. What are the values for user lock?


To determine whether a user is locked, look at the field UFLAG in the USR02 table. The lock reasons are bit values,
so a user with more than one lock reason carries the sum of the values. Below is a table showing the six user lock
values:

UFLAG  Reason
0      Not locked.
16     Undocumented value (not listed in the SAP documentation).
32     Locked by the CUA central administrator (user administration).
64     Locked by the system administrator.
128    Locked after too many failed (incorrect) logon attempts.
192    Locked by the system administrator and after too many failed logons (192 = 64 + 128).

A lock of 128 can be released automatically at the next day's first logon if the profile parameter
login/failed_user_auto_unlock is set to 1; administrator locks (64) stay until an administrator removes them.
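An added example, not from the original Q&A, of decoding UFLAG values from a USR02 extract in Python: it splits any value into its lock reasons, reports bits the table above does not document, and lists the locked users. The USR02 rows are constructed sample data.

```python
# Added example (not from the original Q&A): decode USR02.UFLAG lock values.
# Documented lock bits from the table above; 16 is left undocumented on purpose.
UFLAG_BITS = {
    32:  "locked by CUA central administrator",
    64:  "locked by system administrator",
    128: "locked after too many failed logon attempts",
}


def decode_uflag(value):
    """Return (reasons, unknown_bits) for a UFLAG value.

    reasons: the documented lock reasons present in the value.
    unknown_bits: set bits that are not in UFLAG_BITS (e.g. 16), so that an
    undocumented lock is never silently reported as 'not locked'."""
    reasons = [name for bit, name in UFLAG_BITS.items() if value & bit]
    unknown_bits = [
        1 << i for i in range(value.bit_length())
        if value & (1 << i) and (1 << i) not in UFLAG_BITS
    ]
    return reasons, unknown_bits


def is_locked(value):
    """Any non-zero UFLAG means the user cannot log on."""
    return value != 0


# Constructed sample USR02 extract: (BNAME, UFLAG).
USR02 = [
    ("ALICE", 0),
    ("BOB", 128),
    ("CAROL", 192),
    ("DAVE", 64),
    ("ERIN", 16),
]


def locked_users(rows=USR02):
    """Map each locked user to its decoded lock reasons."""
    return {user: decode_uflag(flag) for user, flag in rows if is_locked(flag)}


if __name__ == "__main__":
    for user, (reasons, unknown) in locked_users().items():
        print(user, reasons, "undocumented bits:" if unknown else "", unknown or "")
```

Treating every non-zero value as a lock, and surfacing undocumented bits separately, matters for audits: a report that only recognises 32, 64 and 128 would list a user with UFLAG 16 as unlocked.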

Practice questions:
1. In PFCG, which are the main tabs available?
2. What types of users are there for background jobs?
3. PFCG stands for ___.
4. What are the user-related tables and the role-related tables?
5. What is the main difference between single, derived and composite roles?
