
8 Sec Question Bank

Uploaded by

RBC

Q.1:- Why SU25 is required?

Ans. After upgrading SAP with the new release, you need to make adjustments to
all the roles and transaction codes. SU25 is the transaction code for upgrading the
profile generator.
This has 6 different steps and the execution of these steps depends on whether you
were already using profile generator in the last release.
This transaction is used to fill the customer tables of
the Profile Generator the first time the Profile Generator is used, or update the
customer tables after an upgrade. The customers tables of the Profile Generator are
used to add a copy of the SAP default values for the check indicators and field
values. These check indicators and field values are maintained in transaction SU24.
If you have made changes to check indicators, you can compare these with the SAP
default values and adjust your check indicators as needed.
Step 1: If you have not yet used the Profile Generator or you want to add all SAP
default values again, use the initial fill procedure for the customer tables.
If you have used the Profile Generator in an earlier Release and want to compare
the data with the new SAP defaults after an upgrade, use steps 2a to 2d. Execute
the steps in the order specified here.
Step 2a: This step is used to prepare the comparison and must be executed first.
Step 2b: If you have made changes to check indicators or field values in
transaction SU24, you can compare these with the new SAP default values. The
values delivered by SAP are displayed next to the values you have chosen so that
you can adjust them if necessary. If you double-click on the line, you can assign
check indicators and field values. You maintain these as described in the
documentation for transaction SU24.
Note on the list of transactions to be checked: To the right of the list you can see the
status, which shows whether or not a transaction has already been checked. At first
the status is set to "to be checked".
If you choose the transaction in the change mode and then choose save, the status
is automatically set to "checked".
By choosing the relevant menu option in the list of transactions you can manually
set the status to "checked" without changing check indicators or field values, or even
reset this status to "to be checked".
If you want to use the SAP default values for all the transactions that you have not
yet checked manually, you can choose the menu option to copy the remaining SAP
default values.
Step 2c: You can determine which roles are affected by changes to authorization
data. The corresponding authorization profiles need to be edited and regenerated.
The affected roles are assigned the status “profile comparison required”.
Alternatively you can dispense with editing the roles and manually assign the users
the profile SAP_NEW (make sure the profile SAP_NEW only contains the subprofiles
corresponding to your release upgrade. This profile contains authorizations for all
new checks in existing transactions). The roles are assigned the status “profile
comparison required” and can be modified at the next required change (for
example, when the role menu is changed). This procedure is useful if a large
number of roles are used as it allows you to modify each role as you have time.

Step 2d: Transactions in the R/3 System are occasionally replaced by one or more
other transactions.
This step is used to create a list of all roles that contain transactions replaced by
one or more other transactions.
The list includes the old and new transaction codes. You can replace the
transactions in the roles as needed. Double-click the list to go to the role.
Step 3: This step transports the changes made in steps 1, 2a, and 2b.
Tailoring the Authorization Checks
This area is used to make changes to the authorization checks.
Changes to the check indicators are made in step 4. You can also go to step 4 by
calling transaction SU24.
- You can then change an authorization check within a transaction.
- When a profile to grant the user authorization to execute a transaction is
generated, the authorizations are only added to the Profile Generator when the
check indicator is set to Check/Maintain.
- If the check indicator is set to do not check, the system does not check the
authorization object of the relevant transaction.
- You can also edit authorization templates that can be added to the authorizations
for a role in the Profile Generator. These are used to combine general authorizations
that many users need. SAP delivers a number of templates that you can add directly
to the role, or copy and then create your own templates, which you can also add to
roles.
In step 5 you can deactivate authorization objects systemwide.
In step 6 you can create roles from authorization profiles that you generated
manually. You then need to tailor and check these roles.

Q.2:- What is the difference between SU24 and SU25?


Ans. T-code SU24 is used to select the check objects and default values for an
authorization when any t-code or report is added to a role.
On the other hand, t-code SU25 is used at the time of a system upgrade to perform
the actions below:
1) Initially fill the customer tables USOBT_C and USOBX_C by copying from SAP
standard tables USOBT and USOBX.
2) Compare the corresponding values between SAP tables and customer tables.
3) Find out which new t-codes are moved to the Production system during the upgrade.
4) Find out all t-codes whose name has been changed in the upgrade; for example, ST03 is
now called ST03N.

Q.3:- What's the basic difference in between SU22 & SU24?


Ans. SU22 displays and updates the values in tables USOBT and USOBX, while SU24
does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The
profile generator gets its data from the _C tables. In the USOBT and USOBX tables
the values are the SAP standard values as shown in SU22. With SU25 one can
(initially) transfer the USOBT values to the USOBT_C table.

Q.4:- How many Single roles can be added in one Composite role?
Ans. We can assign 88 single roles to a composite role.
Q.5:- Which role is commonly used?
Ans. Composite and single roles are commonly used.
Q.7:- What is the difference between PFCG, PFCG_TIME_DEPENDENCY
& PFUD?
Ans. PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user
comparison; the difference is that if you schedule the background job on a daily basis, it will do
the mass user comparison automatically.

Q.8:- What is the maximum number of profiles in a role? What is the
maximum number of authorizations in a profile? What is the maximum
number of authorization fields in an object?
Ans. 312 profiles in a role, 150 authorizations, not more than 10 authorization
fields in an object.
Q.9:- What are the Critical T-codes and Authorization Objects in R/3?
Ans. All the t-codes which can affect roles and user master records are
critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03, SM37 are some of the critical
t-codes.
Below are the critical objects:
S_TABU_DIS : Table maintenance via SM30
S_USER_AGR : For role maintenance
S_USER_AUT : For authorisation maintenance
S_USER_PRO : To assign profiles
S_USER_GRP : For user groups
Q.10:- Why do we use different landscapes in SAP R/3?
Ans. SAP systems are used in large industries where daily transactions are carried
out at large scale. To avoid any direct effect on the production system
from a change, and to avoid blocking business processes, we use different
landscapes in R/3.
In R/3 we have a 3-system landscape:
1. Development
2. Quality system
3. Production

Q.11:- What is the difference between SU24 & SU25? When we can make the
authorization checks in SU25, what is the use of SU24?
Ans. T-code SU24 is used to select the check objects and default values for an
authorization when any t-code or report is added to a role.
On the other hand, t-code SU25 is used at the time of a system upgrade to perform
the actions below:
1) Initially fill the customer tables by copying from SAP tables.
2) Compare the corresponding values between SAP tables and customer tables.
3) Find out which new t-codes are moved to the Production system during the upgrade.
4) Find out all t-codes whose name has been changed in the upgrade; for example, ST03 is
now called ST03N.

Q.12:- What is the table name to see the authorization objects for a user?
Ans. USR12
Q.13:- What is the table name to see illegal passwords (easily guessed)?
Ans. USR40

Q.14:- What are two main tables to maintain authorization objects?
Ans: USOBT, USOBX.
1. USOBT

Execute.

2. USOBX

Execute.

Q.15:- How to secure tables in SAP?


Ans: Using Authorization group (S_TABU_DIS, S_TABU_CLI for cross client) in T.Code
SE54
Q.16:- What are the critical authorization objects in Security?
Ans: S_USER_OBJ, S_USER_GRP, S_USER_AGR, S_TABU_DIS, S_TABU_CLI,
S_DEVELOP, S_PROGRAM
Q.17:- Difference between USOBT and USOBX tables?
Ans: 1. USOBT-Transaction VS Authorization objects.
2. USOBX- Transaction VS Authorization objects check indicators.

Q.18:- Where do we add the FF ids to the SAP user ids?
Ans: Go to T-code /n/virsa/vfat --> go to the Firefighter tab, then give the FF ID to the
firefighter with validity.

Click the Firefighter button

Click “New Entry”

Assign the FF ID to the user here

Q.19:- Can a single role be used as master role?
Ans: Yes
Q.20:- How to copy 100 roles from client 800 to client 900?
Ans: Add all 100 roles to one single composite role and transfer the composite role;
the 100 roles will automatically transfer to the target client (using SCC1).
Q.21:- User reports that they lost the access. We check in SUIM and no
change docs found. How do you troubleshoot?
Ans: Maybe the user buffer is full or the role has expired.
Q.22:- What is the correct procedure for Mass Generation of Roles (Profiles)?
Ans: Using T.Code SUPC

Q.23:- What is the T.Code SQVI? What is the main usage of this SQVI?
Ans: SQVI -Quick View, we can see more than one table at a time

Q.24:- How can we maintain Organizational values? How can we create
Organizational?
Ans: PFCG_ORGFIELD_CREATE in tcode SE38
Title
Profile Generator: Creating a New Org. Level Field
Purpose
During the installation of SAP Systems, some customers require additional
organizational level fields in the profile generator.
Organizational level fields are specially flagged authorization fields that have
particular significance in the profile generator.
This report creates an organizational level field for an authorization field.
The default authorization values (see the documentation for the profile generator)
that SAP supplies for the corresponding authorization field are deleted.
In addition, all affected roles are analyzed and the authorization data is adjusted
accordingly. The values of the authorization field that is now to become an
organizational level field are removed and entered in the organization level data for
the role. If the result of this conversion process produces a logical difference to the
original state, an error log is created. Here, you see the old authorization data for
the affected authorization field and the new organizational level data that is
cumulated from the various values. The authorizations included in the role are then
not identical to the original state and you should adjust them manually. In this case,
the role is flagged for profile generation using transaction SUPC (visible due to the
yellow icon on the authorization tab in transaction PFCG).
The organizational level field is created across clients, however, the report changes
the roles only in the current client. Therefore, you call up the report in all clients.
The new organizational level field definition is not included in a transport request.
Nor are the changed roles included in a transport request. Therefore, it is necessary
to run the report in both the preparation system and the production system.
You cannot start the report in client 000. This protects the role templates supplied
by SAP.
Integration
The report PFCG_ORGFIELD_DELETE deletes an organizational level field for an
authorization field.
After upgrading the system, you use report PFCG_ORGFIELD_UPGRADE to convert
all new default authorization data that SAP has supplied for new transactions to the
new organizational level fields.
Prerequisites
You should create organizational level fields only before beginning to set up your
system. If you create organizational level fields at a later stage, you may have to
reprocess the authorization data in roles.
Selection
FIELD: Name of the authorization field for which an organizational level field is to
be created.

Q.25:- I want to see the list of roles assigned to 10 different users. How do you do
it?
Ans:
1. Go to SE16 > AGR_USERS, then enter the 10 user names
2. Go to SUIM > Roles by complex selection criteria > type the user names
Q.26:- What do you mean by User Buffer? How does it work with the user's
Authorizations?
Ans: User buffer means user context; it contains user-related information, i.e.
authorizations, parameters, reports, earlier accessed screens. We can see the user
context using T.Code SU56.
Q.27:- What is the advantage of CUA from a layman/manager point of view?
Ans: CUA is used to maintain and manage the users centrally.

Q.28:- What is the purpose of these Org. values?


Ans: Values: they are used to restrict the user by values, e.g. sales order value (1-100)
means the user can create only 100 sales orders, not more than that.

Q.29:- What is the main purpose of the Parameters tab & Personalization tab in
SU01 and the Mini Apps tab in PFCG?
Ans: 1. Parameters tab: It is used to specify user-specific values for standard fields in
the SAP system.
2. Personalization tab: It is used to restrict the user in selection criteria, e.g. while
selecting a pay slip it will show only last month's pay slip by default. If you select
attendances it will show the current month by default.
3. Mini Apps: we can add some mini applications like calculator, calendar etc.
Q.30:- What is the maximum number of profiles we can assign to a user?
Ans: 312
Q.31:- What is the main difference between single role and a derived role?
Ans. Main difference: we can change the menu structure (add/delete the t-codes)
for single roles but we can't do it for derived roles.

Q.32:- What is the T-code to get into Risk Analysis and Remediation (RAR)
from R/3?
Ans: /virsar/ZVRAT.

Q.33:- Explain about SPM (Super user privilege management)?
Ans: SPM can be used to maintain and monitor super user access in an SAP
system. This enables super users to perform emergency activities and critical
transactions within a completely auditable environment. The logs of the SPM user
IDs help auditors easily trace the critical transactions that have been
performed by the business users.

Q.34:- Explain me about your SAP Career; tell me your daily monitoring jobs
and most of them you worked on?
Ans. As a part of my daily job being a SAP Security consultant I have to take care of
tickets monitoring and assigning them within the team. I have to take care of critical
incidents and emphasize them on high priority for their faster resolution. I have to
troubleshoot different authorization issues that come across in daily work with the
users.

Q.35:- Is RAR a java stack or ABAP Stack?


Ans. RAR is Java stack. It was ABAP when it was called Compliance Calibrator.

Q.36:- SU24 must be set up before implementing any roles. A. True B. False
Ans. False.
SU24 is an optional feature that enables the security administrator to better define
default values for the role maintenance tool.
With SU24 we can find the relationship between T-codes and auth objects.

Q.37:- How to set up profile parameters and security Audit log activation?
Ans. T-code RZ10 is used to set profile parameters.
SM19 is used to activate the audit log.

Q.38:- What is the use of CUA (T-code SCUM)?


Ans. CUA: Central User Administration
1. Using CUA, you can reset the password globally (meaning: in a
single shot you can reset the password for all child systems,
or also reset the password for an individual system through CUA).

2. No password reset tag in individual systems.

3. Using CUA, you can unlock and lock users.

4. Using CUA, you can assign roles to a particular system.

5. Using CUA, you can add systems to a particular user.

Q.39:- How many profiles can be assigned to a user?
Ans. The maximum number of profiles that can be assigned to a user is 312.

Q.40:- When do you get a screen for “maintaining the authorization values for
org elements” in PFCG? (i.e. the screen you get through PFCG --> AUTHORIZATION tab
--> CHANGE AUTHORIZATION DATA --> SCREEN FOR MAINTAINING ORG ELEMENT
VALUES)

Ans. While creating a role in PFCG, you add T-codes in the MENU tab according to the
business requirement. If those T-codes contain auth objects which contain any
organization fields, then it will prompt you to maintain organization field values in the
'Authorization' tab.

Q.41:- How can you find out whether CUA (Central User Administration T-code
SCUM) is configured on your SAP system?
Ans. Execute SU01. You can find a tab called the System tab. If the System tab is not
displayed in the SU01 screen, then CUA is not configured.
Q.42:- I have to create 1000 users. How do you do it?
Ans. We can create any number of users through LSMW (Legacy System
Migration Workbench). We just have to do a recording for one user id and we can run
the same for all in one shot.

OR

We can create any number of users using SECATT (Extended computer aided test
tool); you need to use that in database table that you incorporate with scatt.
Q.43:- What is the procedure for deleting a role?
Ans. You can't delete the role in the Production System.

First you have to delete the role from the development system.

In the DEV system:

Go to PFCG -> give the name of the role you want to delete, create a
transport request, don't release. After creating the transport request, delete the role
from PFCG in the DEV system. Transport the request number to Testing and then to the
Production system. The role will be deleted from there also after the request is transported
successfully.

Q.44:- I want to see the list of roles assigned to 10 different users. How do you do
it?
Ans. 1. Go to SE16 --> go to table AGR_USERS --> click multiple selection for
users --> put * in role --> execute

OR
Go to SUIM --> Roles --> By user assignment
Click multiple selection for users.
Select the users and then execute.
Now you get a list of roles assigned to the selected users.

Q.45:- How to adjust user master records?
Ans. In PFCG use user compare and complete compare. If you are using a role to
generate authorization profiles, they are not assigned in the user master records
until you run the user compare and complete compare. Composite roles have no
user compare and complete compare.
OR
Daily the 'PFCG_TIME_DEPENDENCY' program is run as background processing,
which does the user master comparison to the user buffer if any changes have taken
place to the corresponding role.
OR
We can adjust the user master record by using T-code PFUD.

Q.46:- What is template role and copy role?


Ans. Template role: It is the SAP standard role, which is defined by SAP.
Copy role: A copy from an existing role is a copy role.

Q.47:- Users are locked down from past 3-4 months. Which table is used to
know which users are locked down?
Ans. RSUSR200: List of users according to Logon Date and Password change
OR
T-code SUIM: Users -> click on By Logon Date and Password Change -> give * in
user, give 90 days in No. of days since last logon, check Locked users and
then EXECUTE

OR
Use the USR02 table as below:
SE16 -> USR02 and execute
Last Logon Date: Date range between 3-4 months
User lock: 32, 64, 128, 64+128=192
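
The USR02 selection above, as an added example that is not part of the original document: a Python sketch that treats the lock value as a bit mask and lists locked users with no logon for 90 days or more. It assumes rows exported from SE16 with the USR02 fields BNAME, UFLAG and TRDAT; the sample rows are constructed, and the meaning given to each bit is standard SAP semantics that the document itself does not spell out.

```python
from datetime import date

# USR02-UFLAG is a bit mask. The document lists 32, 64, 128 and 192; the
# meanings below are standard SAP semantics, not taken from the document.
LOCK_BITS = {
    32: "locked globally by administrator (CUA)",
    64: "locked locally by administrator",
    128: "locked after failed logon attempts",
}


def decode_uflag(uflag):
    """Return the lock reasons encoded in a UFLAG value (empty list = not locked)."""
    return [reason for bit, reason in LOCK_BITS.items() if uflag & bit]


def parse_sap_date(value):
    """SE16 exports dates as YYYYMMDD; 00000000 means the user never logged on."""
    if value == "00000000":
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def stale_locked_users(rows, today, min_days=90):
    """List (user, days since last logon, lock reasons) for locked, inactive users.

    A locked user who never logged on is reported with days=None.
    """
    findings = []
    for row in rows:
        reasons = decode_uflag(int(row["UFLAG"]))
        if not reasons:
            continue  # UFLAG 0: not locked, out of scope for this report
        last_logon = parse_sap_date(row["TRDAT"])
        days = None if last_logon is None else (today - last_logon).days
        if days is None or days >= min_days:
            findings.append((row["BNAME"], days, reasons))
    return findings


# Constructed sample rows (not real users).
SAMPLE_ROWS = [
    {"BNAME": "JSMITH", "UFLAG": "64", "TRDAT": "20240105"},
    {"BNAME": "AKUMAR", "UFLAG": "192", "TRDAT": "20231120"},
    {"BNAME": "MLOPEZ", "UFLAG": "0", "TRDAT": "20230901"},   # inactive, not locked
    {"BNAME": "TCHEN", "UFLAG": "128", "TRDAT": "20240520"},  # locked, recent logon
    {"BNAME": "BATCH01", "UFLAG": "32", "TRDAT": "00000000"},
]

if __name__ == "__main__":
    for user, days, reasons in stale_locked_users(SAMPLE_ROWS, date(2024, 6, 1)):
        age = "never logged on" if days is None else f"{days} days"
        print(f"{user:10} {age:16} {'; '.join(reasons)}")
```

The value 192 decodes to two reasons at once, which is why it appears in the list as 64+128.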

Q.48:- How do we check if PFCG_TIME_DEPENDENCY is running for user
master reconciliations?
Ans. Execute SM37 and search for PFCG_TIME_DEPENDENCY.

Q.49:- I want to delete 1000 users of a particular client, how can I do it?
Ans. You can also delete users of a particular client by using t-code SU10.

Q.50:- How can you lock all the users at a time?
Ans. One way to lock the users is by executing T-code EWZ5. Another way is by
executing SU10 --> authorization tab --> evaluate the users list --> transfer -->
transfer --> execute.

Q.51:- What is use of SNC tab in SU01? Please explain in detail?


Ans. SNC stands for Secure Network Connection. The SNC tab is used to configure the SNC
name for a user. If you are not using SNC or have not enabled SNC then it
should not appear. The profile parameter is Change/Add SNC/enable.

SNC is Secure Network Communication. Installing it requires SAP Logon Pad, and
it can be installed the same way as we install the normal SAP Logon Pad. The use of SNC is that
the user can log on to a number of systems in the SAP system landscape without entering the user id and
password, which we do in the non-SNC Logon Pad. For this setting we need to update
SNC for the user in the SNC tab in T-code SU01. There the SNC name needs to be updated. The SNC
name format varies as per different project processes, but the most common format syntax is
<UserId@networkaddress> for e.g [email protected]

Q.52:- What is meant by Default Profile, Start Profile, and Instance Profile?
What is the difference between these?
Ans. Default profile means all users' data. Start profile means all services of SAP.
Instance means all hostnames of servers.

Q.53:- How to assign more than 312 profiles to any user? As 312 profiles are
the limit to assign in any user account.
Ans. We can maintain more than 312 profiles by assigning a reference user in the role
tab of the UMR.

Q.54:- In which way can we assign a single role to many users (more than 5000
users)?
Ans. Go to SU10, click on authorization data, click on the multiple selection button beside the
user input field; a pop-up will appear --> click on the green “import from text file” and give the
location of the Excel sheet where you have already kept the 5000 users --> execute
--> execute --> select all --> then click the “transfer” button. This will bring all 5000 users
into SU10. Now change --> role tab --> assign the single role --> save.

We can include up to 7000 users this way.

Q.55:- One of the users logged into the Production System, changed a table and
then logged out. How will you track him?
Ans. Run SM20 for that user and find out.
OR
You need to log in to the system where the change has taken place. Go to SM20; you need to
select the date and time or range in the time tab, select * in the user tab, and once you key
in all the inputs be sure to select the servers or instance on the left-hand side and then
click “Re-read audit Log”. You need to select the user master record.

You will get a report for the user master record; find the user id in the list.

Q.56:- What is the alternate t-code for SU01?


Ans. The alternate T-code to SU01 is SU10.
Here we can create a single user and we can also create mass users.

OR
The alternate transaction codes for SU01 are OMDL, OMEH, OMWF, ON09, OPF0, OTZ1,
OY27, OY28, OY29 and OY30.

Q.57:- What are the authorization objects which are always present in user
master record?
Ans. For the user master record, as you must know the different tabs of the UMR. So as
per my understanding, as the UMR stores information of users, like his name, roles
assigned to him, licence data.
Objects which are always present for the UMR are:
S_USER_AGR, S_USER_GRP, S_USER_AUT, S_USER_PRO, and each of these objects has its
own importance, because S_USER_AGR helps to maintain roles assigned, S_USER_GRP
helps to maintain the Auth. group in Logon Data, and S_USER_AUT and S_USER_PRO
help to maintain the set of Auth. profiles and the different authorizations included in each
profile.

Q.58:- What is the Ticketing tool that you are using in your Organization?
Ans. Magic tool, SM7.

Q.59:- What do you know about LSMW?
Ans. LSMW is used for creating a large number of users at a time.

Then execute

Q.60:- What is the landscape of GRC?

Ans. GRC landscape: Development and Production.

Q.61:- What is the difference between Template role & Derived role?

Ans. Template role: it is provided by SAP itself.
Derived role: a role which is derived from a master role; it can inherit the menu
structure and t-codes.
In the parent role we do not maintain org values. We maintain org values in the child role
and assign it to the user. We don't assign the parent role to anyone.
Important: Org values are passed on from parent to child role. Only the user assignment does
not pass.

Q.62:- How do you add sap_all and sap_new in a role?
Ans. Go to T-code PFCG, create one single role, then go to the Authorization tab; next
go to the EDIT tab, click insert authorizations --> from profile; then we can add
sap_all, sap_new.

Q.63:- What is the difference between SE16 and SE16n?


Ans. SE16 is a data browser and it is used to view the contents of the table; we
cannot change or append new fields to the existing structure of the table, as we
cannot view the structure level display using SE16.

SE16N: ** The transaction code SE16N (general table display) is an improved
version of the old data browser (SE16). It has been around for some time, but is not
widely known amongst consultants and end users of SAP. It looks a bit different to
the old “data browser” functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" without the quotation
marks into the transaction code. This enables editing functionality on SE16N and
allows you to make table changes. This allows you to access both configuration and
data tables which may be otherwise locked in a production environment.
** Whilst this may appear to be a short cut and allow you to access a back door
which is normally shut, this hidden feature should be used with caution in any SAP
client - especially a live or production system.
New Features of SE16N:
** The new transaction has a number of distinct advantages over SE16.
** You no longer have a maximum of 40 fields to select in the output.
** There are fewer steps involved in executing a number of functions, whether it be
outputting the results, maintaining the values in a table etc.
** Exporting the data into Excel is far easier and quicker
** ALV functionality is available as standard

** The user is not restricted by having a maximum width of 1023 saved as a default
in the user settings.
Limitations of SE16N:
** You can only output one table at a time. If you wish to
output more than one table you can use the available reporting tools or the
QuickViewer (transaction code SQVI) functionality within SAP.

Q.64:- I have deleted a single role from a composite role; now I want to find out
the changes in the composite role without using SUIM. Are there any other
possibilities?
Ans. Yes, it is possible from the role screen itself. Go to the Menu tab --> go to
utilities --> change documents.

Execute.

OR

You can also get it from table AGR_AGRS.

Q.65:- I have a single role and want to know in which composite role this
single role is assigned, how to do this?
Ans. From table AGR_AGRS, we can get the composite role.

Execute.

Q.66:- What is SOX in SAP security?


Ans. Post Sarbanes Oxley, focus for corporations is more on compliance and
security. Sarbanes Oxley has had a major impact on the organizations using SAP R/3
as their ERP. Some of the changes seen in the corporate landscape include
identifying and documenting processes, implementing controls and safeguards,
documenting user access approvals etc. In short, there has been a cultural shift in
organizations post Sarbanes Oxley. Below, I have listed 7 major pointers which can
help organizations towards better SAP security in the Sarbanes Oxley Era.

1. Provide users access on a need to know and need to do basis.

2. Adequately secure programs, transactions and tables.

3. All user accesses to SAP R/3 are properly authorized and approved.

4. Segregation of duties is maintained for all sensitive business transactions

5. All controls and business processes are documented.

6. Anti-fraud preventive controls are in place to prevent & detect fraud before an
audit.

7. User profiles and roles in SAP are secured and designed to meet business
requirements.

Q.67:- Can anybody explain (short and simple) about SOX & SoDs with 3
examples for each functional module? And your experience on SoDs.
Ans. SoX is Sarbanes & Oxley; it is an Act in the US; this Act should be liable for
business.
SoD is Segregation of Duties, division of power in different
positions. It gives power as per the designation.

OR
SOD stands for Segregation of duties.

It helps us to identify frauds and misstatements.

For example, in the Virsa tool we have critical SOD conflict S017 for the SD module, where it
identifies and checks for users who could perform a credit approval function and
modify cash received for fraudulent purposes.

SOD conflict F017 for the FICO module, where it checks for users who could maintain a
non bona-fide bank account and divert incoming payments to it.

SOD conflict P001 for the PP module, where it checks for users who could maintain a
fictitious vendor and enter a vendor invoice for automatic payment.

As far as my experience is concerned, we need to avoid critical SOD conflicts as much as
possible, and these SOD conflicts are the ones which the auditor checks, and they
ask for the mitigation control that we have outside, like trace.

For Risk analysis (to find out conflicts) we use transaction /n/virsa/zvrat.

Q.68:- What are the components in VIRSA tool and GRC?


Ans. The Virsa company developed 2 controls, which are:
1. Access control 2. Process control
Under Access control there are four products:
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access Enforcer
After SAP acquired the Virsa company, SAP changed the product names, nothing else.

VIRSA                        GRC
1. Compliance Calibrator     1. Risk Analysis & Remediation
2. Role Expert               2. Enterprise Role Management
3. Firefighter               3. Superuser Privilege Management
4. Access Enforcer           4. Compliant User Provisioning
Q.69:- What is the main difference between role and profile?
Ans.
Role: a task or activity that the user has to perform, or you can say a collection of
authorization components, a collection of transaction codes only (no linked
authorization objects).
Profile: a collection of authorizations. It contains the related authorization objects,
fields and values of the transaction codes.

Q.70:- A user is assigned with T-code SA38. How to restrict him to execute
only a few reports, say RSUSR003?
Ans. There's no way you can restrict to one report via SA38, because for SA38 there is
only the S_PROGRAM authorization object check, and this object has only two
fields: P_ACTION (submit, variant, background) and P_GROUP (program auth group).

Next, there are several ways, depending on the organization's choice.

01. Call a report via a report tree.

02. Use SE93 to create a customized t-code:
a) via 'transaction with value', where we use the SA38 screen as inheritance. We have the
option to hide the SA38 screen to prevent the user from running other programs.
b) via 'transaction with value', where we use START_REPORT to call the program itself.

Q.71:- How can we find out the roles that got directly generated in
Production & not imported from the Quality System? Please note, you don't have
any Quality user id.
Ans. We never create a role in the production system under any circumstances; we create the
role in dev and transport it to quality and then the production system.

Q.72:- Can we delete a Role and transport it? Explain How?

Ans. To delete a role across landscapes, in the dev system we first add the role to a
transport request (don't release) and then delete the role in PFCG (first screen). Now the
transport should be released and moved to QA/PROD to ensure removal of the role
from these systems.

Q.73:- What is the use of SCC1 t-code?


Ans. T-code SCC1 is used for copying a transport request from one client (000) to another (010).

Suppose you want to copy a transport request from client 000 to client 010: log in to client 010 and enter client 000 in "Source client".

Do not release the transport before you use this and be sure the security is set up
correctly.

Q.74:- Which type of request do we create for transport?

Ans. Generally there are two types of transport request.
1) Workbench Request: client independent; generally used in CUA, where the changes made are transported to cross-client tables.
2) Customizing Request: client dependent.

Q.75:- When creating a role, what should be written under Description? What does your company follow?
Ans. The description of a role summarizes the role-related activity in short. Just by reading the description, one can easily know the role details, such as:

Which SAP module the role belongs to (MM/PP/FICO)
The company code / org level values
Restricted values, which can also be mentioned there
The activity performed after assigning that particular role

Q.76:- In which table can you see the authorization group for a table, and in which table the authorization group for a program? OR
How to give display access of a table to a user?
Ans.
TDDAT table - to see the auth group for a table.
TRDIR table - to see the auth group for a program.

Suppose you want to access the table AGR_AGRS. First you need to check the authorization group for this table: go to SE16 -> TDDAT -> enter the table name and find the authorization group; in this case it is SC. Create a new role, say z_test, and add t-code SE16. In the authorization data, maintain S_TABU_DIS and add group SC in DICBERCLS. Now assign this role to the user. Now he can access AGR_AGRS. :)

Q.77:- How to lock all the users in a system except DDIC and SAP*
Ans. We can do it with EWZ5.

Q.78:- How can you assign Firefighter IDs from one Firefighter admin to another Firefighter admin if the current admin leaves the organization without telling anybody?

Ans. Take the user ID of the person who left the company, go to t-code SE16, enter table name /virsa/zffusers and execute. In the second column enter the user ID of the person who left and execute; it will list all the FF_IDs assigned to that user. Note those FF_IDs.

Now run t-code /n/virsa/vfat, go to the maintain FF_IDs table and replace the old user ID with the new person's user ID.

In practice we can do it like this, but it does not work while the old user is still logged in: he has to log out, and only then can another user use the FF_ID. We need to kill the process for the current user, so we ask the Basis guy to kill the old user's process so that another user can use the FF_ID.

Q.79:- Can we restrict access via t-codes added manually in the authorization data when creating a role?
Ans. Object S_USER_TCD controls which t-codes a user can include while creating a role. So if we want the user to include no t-codes in a role (Menu tab), we can deactivate this object.

Q.80:- In an SU53 screenshot there are missing authorizations. How do you come to know which are the relevant roles in which we have to add these objects? How do you decide without SUIM?
Ans. First we have to find out in which roles that t-code is included. If SUIM is not working you can use t-code S_BCE_68001425, or go to SE38 -> execute report "RSUSR070" (roles by complex selection criteria). You will get the list of roles in which that t-code is included, for example for ST01. Now filter out the business roles of that module.

The role naming convention we follow here:

1. Z:<site name (for India, In01)>_<module name (MM)>_<short description of what the role will do>_<number that we ask the QM team to provide; against that number they upload the role document in DocNov (history of the role)>. This is the business role for that particular module and site.
2. Z:pshnt_<module name (MM)>_<short description of what the role will do>_<number that we ask the QM team to provide; against that number they upload the role document in DocNov (history of the role)>. This is the sisnet role, used globally.

Now give the user two options:

1. We can amend any business role that the user has, OR
2. We can assign a new role to that user as per the approval of the user's business owner.

We need to study the documentation of the said object and its object class and include it in a role that contains related functions. This should be done in consultation with the key users of that module.

Having said this, it should be properly checked beforehand that the missing authorization is indeed the real reason for the authorization failure.

Q.81:- What is the difference between AGR_1251 and AGR_1252?


Ans. AGR_1251 - shows the auth objects, fields and field values in roles.
AGR_1252 - shows the org levels and their values in roles.

Q.82:- Is there any transaction to see the transport log, i.e. which data or roles have been transported from which system at what time?
Ans. Transaction SE01 is used to see the transport log.
By clicking the "DISPLAY" tab you can see the logs.
You can also see which roles or data have been transported from which system at what time.

Q.83:- Why is a Firefighter ID used in the production system?

Ans. The production system is the system where all business transactions are done. Thus it is required to monitor whether anyone is assigned to perform some critical task in the system. Therefore, in order to keep a log of all activities performed in an FF login, an FF ID is used in the production system.

Dev and QA systems are less critical or not critical for the business.

Q.84:- If user says he doesn’t have authorization then how to proceed?


Ans. Simply ask him to raise a ticket asking for the required auth, along with the approval mail from the concerned approver.
Then, based on the approval mail, we have to create the auth, restricted to the specified level using auth objects like S_TABU_DIS, S_TCODE, S_TABU_CLI, assign it to that user and execute the user comparison. Ask the user to log off and log in again to find the assigned auth.

Q.85:- Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
Ans. If you are talking about the GRC Access Enforcer tool, then there is an option of a validity period for a role while creating an Access Enforcer request. When you go to the "Select roles" button and search for and add a role in the Role tab, you can see the column Validity period, which you can change. And you can add multiple roles to one user by just performing the "Add" role activity. I hope this is what you are asking for.

Q.86:- What is the difference between 4.7, ECC 5.0 and ECC 6.0 from an SAP security point of view?
Ans. SAP 4.7 is an ABAP-based system; here we deal only with R/3 security.

SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means the Enterprise Portal is also included. Here we have both R/3 security for the ABAP stack and Java stack security, which is part of the portal concept (Enterprise Portal Security).

SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0 but not on 4.7 EE.

Q.87:- What is the difference between Parent role and Composite role?

Ans. A composite role is a collection of single roles.

The parent role concept comes in with derived roles, where one role is derived from another role (like inheritance). Whatever changes you make to the parent role are automatically applied to the derived role as well.

Q.88:- How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.
Ans. Go to SUIM, enter the user group name in "Users by complex selection criteria", extract the list of users, execute SU10, enter the list of users and assign the role to them.

Q.89:- I need to give a user authorization for t-code SU01, but the delete option should not work, i.e. the user should be able to create, display, change etc. but not delete in SU01. How can I do this?
Ans. Delete activity 06 from S_USER_GRP.

Q.90:- What is the difference between S_TCODE and Menu tab transactions?

Ans. When you add a t-code to the role menu, the check against SU24 is done and the authorization objects relevant to the t-code are reflected in the Profile Generator with their default field values.
But when you add a t-code in the S_TCODE authorization object, there is no check against SU24 and no field values are reflected in PFCG. So the user is not authorized to access this particular t-code.

Q.91:- How to secure the customizing T-codes in SAP?

Ans.
1. Switch on the trace.
2. Execute the custom transaction code and run its functionality.
3. Pull out the trace results and list the authorization objects that have been checked.
4. Maintain those auth objects in SU24 for the t-code.

Q.92:- There are two company codes, e.g. 1001 and 1002, and two users. One user needs access to both company codes and the other user needs access to only one company code, and access is to be given through the same role (one role) for both of them. How can we give or restrict access to company codes in one role?
Ans. Give the two users different roles. Give or restrict access through derived roles. Always remember: org values go in the derived role and object values in the master role.

Q.93:- Can we assign generated profiles to users directly?


Ans. The best practice is not to assign a profile to a user master record, but we can assign one.

For example, assign SAP_ALL to a user master record and it actually works. So yes, a profile can be assigned to a user and it works.

OR
Yes, we can generate a profile manually by using SUPC and then assign it to the UMR, but in SAP it is not recommended. There is a background job 'pfcg_time_dependency'; while performing the user comparison it will remove this profile when it finds that the profile is not associated with any role.

Q.94:- Tell me the name of a t-code from which you can go to SU01 or PFCG.
Ans. T-code RSU01.

Execute this t-code and the next screen will appear.

Q.95:- What is the use of Table USR04?


Ans. From table USR04, we can get the number of profiles assigned to a user.

Q.96:- One t-code, say SA38, is assigned to 10 different users through the same role. I want to restrict one of those 10 users to execute only a few reports in SA38 but not all reports. What are the possible ways of getting it done?
Ans. If we make changes to the existing role, then access will change for the rest of the users as well. Hence, as per my knowledge, the best way is to maintain a separate role that restricts the access and provide it to the user who has to be restricted.

Q.97:- Where do we create auth groups?

Ans. Table auth groups are created through t-code SE54.

Suppose you want to create an authorization group for table USR02:

Execute SE54 -> give the name of the table in the table input field, tick "Authorization group" and then click the "Create/change" button.

Program auth groups are created in table TPGP through t-code SM30.

Q.98:- Can we add an organisational element in a role? If yes, how?
Ans. You can create a new org level by going to SE38 -> PFCG_ORGFIELD_CREATE. This org field will get populated in all the roles which have the particular element you created as an org field. You don't have to go and maintain them manually. But you will get conflicting results if you have converted an existing auth field into an org level. So I wouldn't prefer that.

Q.99:- What is the difference between these two sentences? 1: "Using SUGR we allocate user to group". 2: "In SU01 in Logon data we assign user to group". So, what is assigning and what is allocating?
Ans.
The meaning of the 1st sentence is: we are creating a user group. The main logic here is that we are creating a group as user, and we can allocate a number of users to this group.
The 2nd sentence means: in SU01 we can create a user and assign this user to a particular group, which may be the user group created above. This is assigning a user to a user group.
Assigning: we are assigning some users to one user group.
Allocating: we are allocating the user as a user group.

Q.100:- How can I reset the DDIC user's password? I have changed it from the delivered default.
Ans. Just go to SU01, put DDIC in the User field. Change the password by clicking on
the Reset button (Shift+F8). It will be changed.

Q.101:- What is the use of SM35P and SM35? Is there any difference between these two?
Ans. T-code SM35P is used to display/monitor sessions. Using t-code SM35 you run/process the sessions in the background or foreground.

Q.102:- How do we schedule and administer background jobs?

Ans. Scheduling and administration of background jobs can be done using t-codes SM36 and SM37.

1. Execute SM36.
2. Provide the name of the job in the "Job name" field.
3. Job class is used to prioritise the job.
4. Hit Enter.
5. Go to Step -> provide the program name.

Save.

Go back, click "Start condition" and then select the start time.

When we schedule a job through STMS, the system automatically schedules the job from our ID for the same date and time in SM36.

For example, to schedule a job in P75:
Put the cursor on the title "Project" and click Filter.

Provide the name of the project for which we have to schedule the job and then click Accept.

Then go to GOTO and select Job monitor from the dropdown.

Then click the truck button.

Adjust the date and time as you wish.

From SM37 we monitor the job.

Then execute.

Q.103:- The SM59 text mentions it can be used to Display/Maintain RFC Connections. How can you make this transaction code display only?
Ans. SM59 is for Display AND Change. There is no display-only version. Sorry, it can't be done.

Then Ctrl+F

Accept...

Then double-click any RFC connection

Q.104:- How do you compare two users' role assignments? (i.e., what roles is user FOO missing to have exactly the same roles as user BAR?)
Ans. In t-code SUIM there is a report, RSUSR050, to compare users/roles and selected output.

Q.105:- What is the table name which houses the full list of activities? (01
change, 02, 03 display, etc...)?
Ans. The table is TACT. The possible activities for one authorization object are in TACTZ.

Q.106:- What is the purpose of the “Cost center” field in the SU01 user master
record?
Ans. It is most likely used to allocate costs of system usage to cost centers. Some
use it for internal reporting. It is accessible in some of the ALV reports in SUIM.

Q.107:- Users in our system were deleted when they shouldn’t have been. To
determine how this happened, can I retrace the function or is it logged on a
table?
Ans. Debug or use RSUSR100 to find the information.

Execute it, then adjust the date and time and execute again.

Q.108:- While working in the development server, my session was deleted by another user. Is there a way to find the user that deleted it, the system number and the related data?
Ans. Try using TX STAT (or STAD, ST03, ST03N, depending on release) and look for someone who has used TX SM04. With that, you can kill the session. If more than one user has used the same t-code at the given time, SM21 has the entry logged for it. You can find who ran SM04 and delete that user's session.

Q.109:- What is the name of table which houses list of org level values?
Ans. USRM1

Q.110:- What is the name of table which houses list of license data?
Ans. USR06

Q.111:- Will activating parameter login/disable_multi_gui_login affect workflow?
Ans. No, the key is the GUI in the parameter. Workflow does not initiate a GUI logon
but a logon in the "background" or via RFC to a non-GUI display session.
Note: This parameter is for multiple GUI logins via the SAP Logon Pad or equivalent.

Q.112:- What is the Expert mode in Profile generation? What are the options
for its use?
Ans. Expert mode merges existing authorizations with new auths as they are added
to the role. The auths display tells you which authorization objects have been added
or changed. This is a time-saver in that it clearly lists changes and what to maintain.
Note: Always work in Expert mode.

Click Expert mode and a pop-up will appear.

Q.113:- How do you display the transaction code in the Menu folder using
PFCG?
Ans. With an existing role, the transactions may be entered straight into the
S_TCODE auth object, not the menu. If the subfolder “Menu” in PFCG displays the
list of transactions with only text appearing and not transaction codes, the option
needs to be changed. Go to the right of the screen, beneath the menu tabs and
next to the print icon, you will see an icon in the shape of a magnifying glass with
either a – or a + symbol in it. Click on that to turn technical names on and off.

Q.114:- What steps to I take to avoid any security issues that might result
when upgrading from SAP 4.6c?
Ans. Run SU25 Steps 2a…2c.

Q.115:- We have a user that is able to run every transaction code. I’ve
checked the profile in SU01 (not SAP_ALL) and all the roles for this user, but
I couldn’t locate the t-code. How can I find the error?
Ans. Has a manual profile been given to that user?
You may find the authorization for the t-code in there. If not, use SUIM to filter out
your selection.
Look in UST04 to see what profiles the user has.
There may be a strange entry for a t-code object in UST10C in the field BIS.
Run Report RSUSR060 (where used - for auth values).
Then search for obj S_TCODE for a value of all transactions '*' by profile.
Your user should be assigned to one of these.

Q.116:- How can I create a customized table for data maintenance allowing
access only for user controlled by sales area level using authorization object
V_VBAK_VKO?

We won’t give SM30 to the user, so I have created a new t-code for the
customized table.
Ans. You have a few options:
Create a customized program.
Use parameterized t-code to table (see t-code OB52 as an example). It only controls
the auth group you add to the table through SE11, SUCU or SE54.
Create the customized program and add S_TABU_LIN configuration to control access
to a field in the table.

Q.117:- How do we track data being accessed by a specific user? (i.e., we need
to know who is accessing, viewing or maintaining, certain employee payroll
data.) Is there a log report for this?
Ans. HR data access can be seen via the change document reports in HR; viewing
may be impossible.
ST03 and STAT will tell you what reports and what SE16 tables were accessed.

Q.118:- How can we allow a central user to change user defaults and parameters
for other users without allowing full-access to SU01? We currently authorize
users to change their own settings with SU50 and SU2, but we haven’t figured
out a way to do this without opening up access to maintain user roles and
profiles, which we do not allow.
Ans. You can do this by allowing access to SU01, but not giving S_USER_AGR or
S_USER_PRO. That way no roles or profiles can be assigned, but all other data can
be maintained (name, address, email etc). You can further limit what user groups
access is granted for via S_USER_GRP. This may cause issues in a productive
environment; test thoroughly before executing.
S_TCODE <OBJ> Authorization check for transaction start
    TCD <FLD> Transaction code: SU01
S_USER_GRP <OBJ> User Master Maintenance: User Groups
    ACTVT <FLD> Activity: 02, 03
    CLASS <FLD> User group in user master maintenance.

Q.119:- I need to change the authorization group names for a large number of
tables. What should I protect against when doing that? I plan to work in DEV
boxes, transport to QA and to live.
Ans. Make sure your roles are adjusted to the new auth grp values before the
changes go live. Users probably won’t even notice. You can use some tables in your
preparation: Table TDDAT can be used to see all the tables that have a certain auth
group.
Table TBRG for object S_TABU_DIS will give you all the auth grps allocated to a table
controlled by this object.

Tables and their auth group can be seen in t-code SE54 and SUCU as well. Table
TBRG only has the "documented auth groups." You can use what you want and they
do not have to be in the table TBRG.

Q.120:- What is the difference between BDC user and service user?
Ans. A BDC user is one designed to be used for a BDC session (batch input session) run in batch. In a few places SAP checks the type of user before it allows the process to complete. SM35 is one; its password does not expire and it cannot be used interactively.
Communication ID is designed to be used in RFC connection defined in SM59. The
password does not expire and the id cannot be used in dialog processes.
A BDC user ID can be used in SM59 RFC but a Communication ID (CPIC) cannot be
used in a BDC session.

Q.121:- What is the easiest way to prepare user lists? (It was very difficult to
get an overview of users.)
Ans. Create user groups to categorize the users with transaction SUGR. This makes
for simple reporting through SUIM.

Q.122:- Is there a way I can find out which transactions a particular user used
on a certain day?
Ans. Use STAT for up to 24 +/- hours; ST03 or ST03N for up to a week. After that, it
gets summarized to weekly and monthly data.

Q.123:- We have secured SAP queries based on Query Group. However, when
a query is created using Quick Viewer, then converted to a SAP query for use
by others, it encounters an authorization failure because the user does not
have S_TABU_DIS display access for the authorization group of the
underlying table. Without knowing every query in the query group and every
table assigned to the query group, how do we give access to this query?
Ans. There is no way without analyzing each Quick Viewer and each table it uses
and then referencing TDDAT table for the auth groups.
If you use PFCG's option to "add a report" (as opposed to “add a transaction”) and
have PFCG create the transaction code, you will not need to use the user groups at
all.
You can configure SU24 with the t-code PFCG creates to all the S_TABU_DIS
requirements, so when the t-code is added to any role you will not have to recreate
the access each time.
Some prefer to avoid user groups for queries by adding the generated report (not
the query) to a report tree or role, which helps avoid all the user group pitfalls.

Q.124:- Is there a report in SAP that can show all the critical combinations of
transactions assigned to a user? (I tried a report in SUIM but it needs the
table SUKRI to access the list of critical combinations.) Is there another route
to finding a list of the possible critical combinations?
Ans. You can run RSUSR008 for t-code combination but it will not tell you if the user
can complete the t-codes.
RSUSR009 can be configured to show conflicting access based on the authorizations
needed to complete the business processes.
In higher versions there is a RSUSR008_009_NEW that allows you to define business
processes so the results are easier to determine.
A few matrices have been posted in the forums over the last couple of years - you
may want to search for these.
You could get some generic info from these sites:
http://www.auditnet.org/ - you may need to register.
http://www.sapbasis.org/securitydocs.htm
Note: Prior to running these programs, determine what your company considers
“critical” or you will yield a great deal of work for extraneous information.

Q.125:- We have an employee trying to book training from transaction PV7I by pressing "Request Attendance." The system has the message "You have no authorization for the function or the object." When I check the SU53 it said "All authorization checks have so far been successful."

Are there any other tools to prove that this user is authorized or is there some
other way to circumvent?
Ans. On rare occasions, SAP performs a simulation of authorization checks. Thus, no
SU53 is present but the user is not authorized. In some cases the error message is
wrong.
Note: Try debugging the code and breakpoint a message to find where and what is
causing the failure.

Q.126:- How do I find what role I assigned to a user in the child system? I ran
report "display change documents for role administration" via transaction
SU01 but it only shows the roles of the CUA system.
Ans. Just go into the target (child) system and use the table AGR_USERS.
SE16 -> AGR_USERS
Change the "From date" in "Change Documents for Role Assignment" from the
current date to a date in the past.
Or, from SU01, you can select "Change Documents for Users." The report will show
you the deleted profiles.

The above report with table AGR_PROF will allow you to see the relation between a
profile and a role.
There are few steps involved, but this will provide you the wanted result.
Q.127:- How do we find out the executable transactions within multiple roles
at one time?
Ans. Put them all in a user ID and execute report RSUSR010.

Q.128:- How can I run a report to generate a list of all SAP transactions? I
know I can view a list from SE93 and SM01, but I need to download a full list.
Ans. Try table TSTC for a list of transactions. The texts are in TSTCT.

Q.129:- Can we derive a role from a composite role?

Ans: No, we cannot derive a role from a composite role. We can derive a role only from single roles.

Go to PFCG -> in "Role" give the name of the role and in "Derive role from" give the name of the role from which you want to derive the role. Then click Save.

We can break the relationship between the parent role and the child role with "Delete inheritance relationship". Once the relationship is broken, re-establishing it is not possible.

Q.130:- What is the meaning of value 0, 32, 64 and 128 in Table USR02?

Ans.

We use the USR02 table to check the status of a user, i.e. whether the user is locked or not.

There are 6 types of values:

0 Not locked
16 Mystery values
32 Locked by CUA admin (User Admin)
64 Locked by system administrator
128 Locked due to incorrect logon attempts or too many failed attempts
192 A combination of both: the user is locked by the admin, then tries to log on with incorrect passwords and gets locked (192 = 64 + 128)
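
The lock values above, treated as bit flags so that combinations such as 192 decode without a separate table entry; this is an added example, not part of the original question bank. The export rows and user names are constructed, and any value the answer does not explain (such as 16) is reported as unexplained rather than interpreted.

```python
"""Decode the USR02 lock status values from Q.130 for a list of users.

The export below is constructed and the user names are hypothetical.
Only the values named in the answer are given a meaning.
"""

# Meanings exactly as listed in the answer to Q.130.
LOCK_BITS = {
    32: "locked by CUA admin (user admin)",
    64: "locked by system administrator",
    128: "locked due to incorrect logon attempts",
}
KNOWN_MASK = sum(LOCK_BITS)  # 32 + 64 + 128

# Constructed sample in the shape of a table list download (user, status).
SAMPLE_EXPORT = """\
|BNAME   |UFLAG|
|DDIC    |    0|
|JSMITH  |  128|
|KLEE    |   64|
|MGARCIA |  192|
|TEMP01  |   16|
|CUAUSER |   32|
"""


def parse_export(text):
    """Return (user, status) pairs, skipping header and malformed lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or not cells[1].isdigit():
            continue
        rows.append((cells[0], int(cells[1])))
    return rows


def decode_status(value):
    """Split a status value into the lock reasons it combines."""
    if value == 0:
        return ["not locked"]
    reasons = [text for bit, text in sorted(LOCK_BITS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        reasons.append("unexplained value %d" % leftover)
    return reasons


def triage(rows):
    """Group users by the kind of lock, for review by the security team."""
    report = {"failed_logon": [], "admin_lock": [], "unexplained": []}
    for user, value in rows:
        if value & 128:
            report["failed_logon"].append(user)
        if value & (32 | 64):
            report["admin_lock"].append(user)
        if value & ~KNOWN_MASK:
            report["unexplained"].append(user)
    return report


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for user, value in rows:
        print("%-8s %3d  %s" % (user, value, "; ".join(decode_status(value))))
    print(triage(rows))
```

Users in the failed_logon group are the ones worth checking against the logon history, since repeated wrong passwords can be either a forgotten password or guessing against the account.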

Q.131:- What does user compare do?


Ans: - Comparing the user master: This is basically updating profile information into
user master record. So that users are allowed to execute the transactions contained
in the menu tree of their roles, their user master record must contain the profile for
the corresponding roles.

You can start the user compare process from within the Profile Generator (User tab
and User compare pushbutton). As a result of the comparison, the profile generated
by the Profile Generator is entered into the user master record. Never enter
generated profiles directly into the user master record (using transaction SU01, for
example)! During the automatic user compare process (with report
pfcg_time_dependency, for example), generated profiles are removed from the user
masters if they do not belong to the roles that are assigned to the user.

If you assign roles to users for a limited period of time only, you must perform a
comparison at the beginning and at the end of the validity period. You are
recommended to schedule the background job pfcg_time_dependency in such
cases.

Q.132: - Can wildcards be used in authorizations?


Ans: - Authorization values may contain wildcards; however, the system ignores
everything after the wildcard. Therefore, A*B is the same as A*.
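
The wildcard rule above, applied to the Q.115 problem of finding which role lets a user start every transaction; this is an added example, not part of the original question bank, and it goes a little beyond the text by also handling value intervals. The rows are constructed and only mimic the AGR_USERS and AGR_1251 columns; the role and user names are hypothetical, and an interval is modelled as a plain string comparison.

```python
"""Find which roles let a user start a transaction, from exported role data.

All rows are constructed samples that only mimic the columns of AGR_USERS
(UNAME, AGR_NAME) and AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH).
Role and user names are hypothetical.
"""

# Constructed sample: user -> role assignments.
AGR_USERS = [
    ("FOO", "Z_MM_DISPLAY"),
    ("FOO", "Z_LEGACY_SUPPORT"),
    ("BAR", "Z_MM_DISPLAY"),
    ("BAR", "Z_BASIS_MONITOR"),
]

# Constructed sample: authorization values per role.
AGR_1251 = [
    ("Z_MM_DISPLAY", "S_TCODE", "TCD", "MM03", ""),
    ("Z_MM_DISPLAY", "S_TCODE", "TCD", "ME2*", ""),
    ("Z_MM_DISPLAY", "M_MATE_STA", "ACTVT", "03", ""),
    ("Z_LEGACY_SUPPORT", "S_TCODE", "TCD", "*", ""),
    ("Z_BASIS_MONITOR", "S_TCODE", "TCD", "SM*7", ""),      # read as SM*
    ("Z_BASIS_MONITOR", "S_TCODE", "TCD", "ST01", "ST06"),  # interval
]


def normalize(value):
    """Rule from Q.132: everything after the first '*' is ignored."""
    star = value.find("*")
    return value if star == -1 else value[: star + 1]


def value_covers(low, high, tcode):
    """True if one S_TCODE value (LOW, optional HIGH) covers the t-code."""
    low = normalize(low.strip().upper())
    high = high.strip().upper()
    tcode = tcode.strip().upper()
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    if high:
        # Assumption: an interval is modelled as plain string comparison.
        return low <= tcode <= high
    return tcode == low


def tcode_values(role):
    """All (LOW, HIGH) pairs a role holds for S_TCODE / TCD."""
    return [(low, high) for name, obj, field, low, high in AGR_1251
            if name == role and obj == "S_TCODE" and field == "TCD"]


def explain(user, tcode):
    """List (role, value) pairs that let the user start the t-code."""
    hits = []
    for uname, role in AGR_USERS:
        if uname != user:
            continue
        for low, high in tcode_values(role):
            if value_covers(low, high, tcode):
                hits.append((role, low + ("-" + high if high else "")))
    return hits


def users_with_all_transactions():
    """Users holding a role whose S_TCODE value reduces to a bare '*'."""
    found = {}
    for uname, role in AGR_USERS:
        if any(normalize(low.strip()) == "*" for low, _ in tcode_values(role)):
            found.setdefault(uname, []).append(role)
    return found


if __name__ == "__main__":
    print(users_with_all_transactions())
    for user, tcode in [("FOO", "SU01"), ("BAR", "SM04"), ("BAR", "SU01")]:
        print(user, tcode, explain(user, tcode) or "not granted by any role")
```

This covers role-based access only; a manually assigned profile, which Q.115 also mentions, has to be checked separately.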

Q.133:- What does the PFCG_TIME_DEPENDENCY clean up?


Ans: -The 'PFCG_TIME_DEPENDENCY' background report only cleans up the profiles
(that is, it does not clean up the roles in the system). Alternatively, you may use
transaction 'PFUD'.

Q.134:- How will you find list of transport request which are scheduled in
system?
Ans: - Go to t-code STMS -> click the truck icon -> select the system -> click the "Import monitor" icon on the task bar. You will get two folders, "Scheduled Jobs" and "Executed Jobs", in the left-hand corner. If you expand the folder "Scheduled Jobs" you will get the list of transport requests which are scheduled.

OR

From t-code SM37

Q.135:- How can I find the list of users that are created in the system but do not have any role assigned (Role tab blank)?
Ans. Go to SUIM -> go to User -> Users by complex selection criteria -> By role.

Click multiple selection criteria.

Click "Exclude Single Values", give "*" and execute, then execute again. You will get the result.

Q.136:-What does user compare do?


Ans: - If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis.

Q.137:- What is the use of SU24?
Ans.
1. SU24 is used to activate/deactivate authorization checks within a transaction.
2. We can get the t-code-specific objects with their default values.
3. We can get the list of t-codes in which an object is included.
4. We can include an object in a t-code OR exclude an object from a t-code.

Execute SU24 -> go to the Authorization object tab -> give the t-code in "Transaction Code".

Execute.

Click the change button (pencil).

Now there are two buttons, "Check indicator" and "Proposal".
By using the Proposal button, we can activate/deactivate an authorization object.

If we select Proposal value "YES", the system will do the authorization check.
If we select Proposal "NO", the system will not do the authorization check.

If we set "Check indicator" to "Do not check", that particular object will be grayed out and the proposal will automatically change to "NO".
Press "Do not check".

Once you click Save, the system will ask for a request number, because the change should go to the quality and production systems as well.

Q.138:- What is the use of a Reference user?

Ans: Reference users are used to assign additional authorizations to other users.
We can assign a maximum of 312 profiles to a user. If the user still needs some additional authorizations, we create a Reference user with those additional authorizations and assign this Reference user to the user who needs them.

For example, "Test" is a Dialog user with 312 profiles assigned who still needs some authorizations to proceed.

Create a Reference user with the required authorizations and assign this Reference user to the Test user.
Now user "Test" will get these additional authorizations through the Reference user.

Process:
Go to SU01 -> go to user Test, then go to the user's Roles tab and assign the Reference user there.

Now the Test user gets the additional authorizations through the Reference user.

Q.139:- How to get the name of the table assigned to a particular field of any t-code?

Ans: For example, if you want to know which table SU01 is associated with:
1. Run transaction SU01.
2. Press F1, then click the "Technical Information" button.
3. From the next screen you can get all the technical details related to that t-code.

Q.140:- How to find out the "Authorization group" of a table?
Ans. We can get the authorization group of a table from:
1. Table TDDAT: go to SE16 -> table TDDAT, give the name of the table and then execute.

2. T-code SE54, which is used to create/change or display authorization groups.

Q.141:- When we change anything in the parent role, what do we do to reflect those changes in the child role?

Ans. After the change in the parent role:

1. Go to the "Authorization" tab and generate the profile again.

2. Click the "Generate derived role" button; all new changes in the parent role will come to the child role.

Q.142:- What is the difference between the USOBT and USOBX tables?

Ans. USOBT: Whenever we assign a t-code in the Menu tab of a role, the system automatically identifies the associated objects with their default values. This relationship is defined in the USOBT table. USOBT contains the SAP default check indicator values of "Check/Maintained" authorization objects for t-codes.
USOBX: this table contains all the check indicator statuses of the authorization objects linked with a transaction, i.e. Check, No check, Check/Maintain and Unmaintained.

Q.143:- When we create a role, we document it in the "Description". In which table is it maintained?

Ans. Table AGR_TEXTS.

Go to SE16 -> table "AGR_TEXTS".

Enter the role name.

Execute.

Q.144:- What is the difference b/w assigning a role to a user and assigning a
profile to a user? What is the difference b/w a profile and a role?

Ans.
1. A profile is a set of authorizations, but a role is a set of profiles.
2. In a profile we can add up to 150 authorizations, but in a role there is no limit.
3. A profile cannot be edited manually, but a role can be edited manually.
4. In a profile we cannot create the user menu, but in a role we can create the user
menu.
5. A profile is a subset of a role, but a role is not a subset of a profile.
6. A profile can be created only for transaction codes, but in a role we can add
t-codes, web addresses, reports etc.

Q.145:- What is the meaning of "R" in R/3 systems?
Ans. R/3 stands for real-time three-tier architecture. This is the kind of architecture
the SAP R/3 system has.
R/3 means three layers are installed on different systems/servers and they are
connected with each other:
1) Presentation
2) Application
3) Database

Q.146:- How to give display access to a table to a user?

Ans.

We can create an authorization group by using t-code SE54.

Important: First of all, we cannot change any SAP standard table.

Go to "Create/Change" and then "New Entry".

Then save. The authorization group ZTTS is created.

Assign this authorization group to the table to which we need to give the user access.

Execute SE54 again.

Click "Create/Change".

Accept, and then give the table name.

Accept.
Replace the old authorization group with the newly created one.

Now assign this authorization group in the object S_TABU_DIS for the user, so that the user
can access the table in SE16.

Q.147:- What is the use of the "Default" tab in SU01?
Ans: In the Default tab we define the user's "area menu", date and time format, output
devices such as printers, etc.
The use of the "Area Menu" is that whenever the user logs in, he can see all the
transactions related to that area. There is no need to remember them and execute them from
the command line.
But the user will only be able to execute those transactions if he has
authorization for them. Defining an area menu does not mean that the user
can execute all the t-codes.

For example, a user wants all the t-codes related to "Empties Management" in his
menu when he logs in.

Execute SU01, go to the Default tab, then go to the "Start menu" field.

Select an area menu.

Now ask the user to log off and then log in again.

The user can see all the t-codes related to the defined area.

We can also create an "Area Menu" by using t-code SE43.

Execute SE43.

Give the name of the area menu and then press Create.

Then provide the description of the area menu.

Then press "Add Entry as Subnode".

Assign the transactions.

Now assign this area menu "Test" to that user in the Default tab.

The user can now see these transactions in the SAP menu.
Q.148:- How to remove all the expired roles from all the systems?
Ans: Go to SE16 --------> table AGR_USERS

Execute.

Take these roles into an Excel sheet: press "Local File".

Select "Spreadsheet".

Give a name to the file, and then click Generate.

Now go to SA38 and run the program "PRGN_COMPRESS_TIMES".

Execute. Copy all the roles from that Excel sheet --------> click the multiple selection
button for roles
and then "Upload from clipboard". All the selected roles will appear in the
system.

Execute.

All the profiles of these expired roles will be deleted from all the users.

Q.149:- How to find out the number of t-codes assigned to multiple users?

Ans: Go to table AGR_USERS.

Choose multiple selection for users, give the list of users there and execute.

This way we get all the roles assigned to the users.
Now go to table AGR_TCODES and give all the roles assigned to those users.

Execute. It will give all the t-codes.

Q.150:- How to change the description of any profile?
Ans:

Go to the role, go to the "Authorization" tab and then "Change Authorization data".

Click "Change profile text".

Q151. How to exclude the SAP_ALL and SAP_NEW profiles?
Ans:

Q:151. How to get the parent role / child role relationship?

Ans: We can get it from table AGR_DEFINE.

Execute.

Q:151. We have one parent role and we derived five roles from it, and I
assigned these derived roles to five users. Now I want to restrict 2 users for
a couple of T-codes while the rest of the users work with those T-codes. How can we
solve the problem?

Ans: You can't restrict. You have to create another child role and restrict there, i.e.
add/remove t-codes as per the requirement. This type of question is asked in
interviews to create confusion.

Single role:

Composite role:

Concept of derived roles: if we create a derived role, will the org values maintained in the parent role
go to the child roles?

Sol: Here we can distinguish the following cases.

1) When we create a fresh new derived role from a parent role, only the menu
contents go to the child role, and a blank org field wizard
pops up to provide the org values for the derived role.
2) If we leave the org values blank in the derived role, a problem arises the next time we
update the menu of the parent role (for example, a new t-code is added to it) and
move the new changes from parent to child: because the child role's org fields
were kept empty during previous parent-to-child change movements, it will fetch
all the org elements maintained in the parent role into the child role.
3) If we have already maintained the derived role's org elements with some values and
we next make some changes in the parent and move those to the child
role, it will not update the org values of the child role. In this case it will
only update the menu contents and associated objects, not the org values.
4) If the org values were only half filled in the child role, then when we move
the changes from the parent role to the child, the values in the org
elements of the parent will fill all the blank org elements of the child role.

Conclusion: Do not keep the org elements BLANK in the child role in any case. If you don't know the correct
org value for a particular element, put NA (Not applicable) for that org element in the child role.

Value of activities:

Q152:- When we submit any request in CUP, a number is generated. What
is the name of that number?

Q153:- How to reset a password by using SU10?

Q154:- Can we assign a role to 1000 users at a time by using SU10?

Q155:- What is the use of a firefighter ID?

Q156:- What is the difference b/w a master role and a derived role?

Q157:- What is the difference b/w SU24 and SU25?

Q158:- What naming convention do you follow for roles?

Q159:- What is the difference b/w SU53 and ST01?

Q160:- How to know how many users are logged in to the system?
Ans: SM04, AL08

Q161:- What is the procedure to create a user by using CUP?

Q162:- How to restrict the S_DEVELOP auth. object?

Q163:- I have a developer who created a report. Now he asks the security team: "I
want this role to be viewed only by Japan users". How to do that?

Ans: We can do it by assigning the Japan country code (org value).

Q164:- How to create mass profiles?

Q165:- What is PFUD?

Q166:- What is the use of PFCG_TIME_DEPENDENCY? At what time does it run
every day?

Q167:- What is the meaning of the traffic lights?

Q168:- Types of authorisation check?

Q169:-

SoD:
FK01 to create a vendor
FB01 to post an invoice
F-53 to post outgoing vendor
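
The manual lookup from Q.149 (AGR_USERS, then AGR_TCODES) and the SoD list above can be run together over SE16 exports. This is an added example, not part of the original question bank: the CSV samples are constructed, it assumes the exports were saved as comma-separated text with the technical field names as header, and flagging a user who holds two or more of the three listed t-codes is an assumed rule.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample: SE16 export of AGR_USERS (role assignments with validity).
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_AP_VENDOR,ALICE,20200101,99991231
Z_AP_INVOICE,ALICE,20200101,99991231
Z_AP_PAYMENT,ALICE,20200101,20210630
Z_AP_INVOICE,BOB,20200101,99991231
Z_AP_DISPLAY,BOB,20220101,99991231
Z_AP_VENDOR,CAROL,20200101,20201231
"""

# Constructed sample: SE16 export of AGR_TCODES (t-codes in each role menu).
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_AP_VENDOR,FK01
Z_AP_VENDOR,FK03
Z_AP_INVOICE,FB01
Z_AP_INVOICE,FK03
Z_AP_PAYMENT,F-53
Z_AP_DISPLAY,FK03
Z_AP_DISPLAY,FB03
Z_AP_DISPLAY,FBL1N
"""

# T-codes from the SoD list; "two or more for one user" is an assumed rule.
SOD_TCODES = frozenset({"FK01", "FB01", "F-53"})


def parse_date(value):
    """Convert an SAP date string (YYYYMMDD) to a date object."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def load_assignments(text, today):
    """Return (valid, expired) lists of (user, role) pairs from AGR_USERS."""
    valid, expired = [], []
    for row in csv.DictReader(io.StringIO(text)):
        pair = (row["UNAME"], row["AGR_NAME"])
        if parse_date(row["TO_DAT"]) < today:
            expired.append(pair)          # expired assignments, as in Q.148
        elif parse_date(row["FROM_DAT"]) <= today:
            valid.append(pair)            # future-dated rows are ignored
    return valid, expired


def role_tcodes(text):
    """Map each role to the set of t-codes listed for it in AGR_TCODES."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        roles[row["AGR_NAME"]].add(row["TCODE"].strip().upper())
    return roles


def tcodes_per_user(valid, roles):
    """Union the t-codes of every currently valid role of each user."""
    users = defaultdict(set)
    for uname, role in valid:
        users[uname] |= roles.get(role, set())
    return dict(users)


def sod_conflicts(users, critical=SOD_TCODES, threshold=2):
    """Return users holding at least `threshold` of the critical t-codes."""
    return {u: sorted(t & critical) for u, t in users.items()
            if len(t & critical) >= threshold}


if __name__ == "__main__":
    valid, expired = load_assignments(AGR_USERS_CSV, date(2024, 1, 1))
    users = tcodes_per_user(valid, role_tcodes(AGR_TCODES_CSV))
    for uname, tcodes in sorted(users.items()):
        print(uname, len(tcodes), sorted(tcodes))
    print("expired:", expired)
    print("SoD conflicts:", sod_conflicts(users))
```

AGR_TCODES only lists the transactions in role menus; S_TCODE values maintained directly in the authorization data do not appear there, so treat the counts as a lower bound.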

Personalization tab in SU01: used to assign any object which works in the background, like
workflow or user layout.

Miniapps in PFCG: you can link any web links that you want to open through SAP.

Que:- What is the difference between Change mode and Expert mode in PFCG?
There are two options in PFCG while modifying a role: one is Change Authorizations and
the other is Expert Mode. What is the difference between them?
Ans: Change authorization: We use this option when we create a new role or modify an old
role.
Expert mode: i. Delete and recreate authorizations and profile
(All authorizations are recreated. Values which had previously been maintained, changed or
entered manually are lost. Only the maintained values for organizational levels remain.)
ii. Edit old status
(The last saved authorization data for the role is displayed. This is not useful if transactions in
the role menu have been changed.)
iii. Read old data and merge with new data
(If any changes happen in SU24 authorizations we have to use this.)
Que:- If we give organizational values as * in the master role and want to
restrict the derived roles to a specific country, what do we do?
Ans: We have to maintain the org levels for the country, based on the plant, sales area etc., in the
derived role.

Que:- I want to remove all the roles assigned to multiple users using SU10. Is
it possible?
Ans: Yes, it is possible, but there is a trick to it. When you go into SU10, enter your multiple
users, then go into change mode and the Roles tab, you have to enter a validity period of 01/01/1900 to
31.12.9999, because you don't really know on what date the roles were assigned to the users. Make sure you
use the Remove radio button.

Then, from SE10, release the task and move the CD status to testing; it will create a ToC through
which the changes will move to the Q system.

Creating Role Menus
You can create the role menu in the following ways on the Menu tab page, which are explained
in more detail below:
· Copying Menus
· Buttons for menu extension: Copying transactions, reports, other objects, and authorization
default values
· Additional activities
· Additional functions
Copying Menus
With these functions, you copy some or all of the menus of other roles.
You can activate the automatic redundancy avoidance for the following activities to ensure that
there are no repeated entries in the newly created menu:
· For single roles, when reading menus from
  o The SAP menu
  o Roles
  o Area menus
  o A file
· For composite roles, when reading menus from single roles
To do this, make the entry CONDENSE_MENU_PFCG in the Customizing table SSM_CUST
with the values "NO" (default value) and "YES". In the role maintenance (transaction PFCG),
choose Utilities -> Settings on the detail screen for a role. On the dialog window, set the indicator
Menu: Do Not Insert Existing Entries. Standard NO.
You can override these global default settings for specific users. If you select Utilities -> Settings
and Copy Menu: Do not insert existing entries, Default: NO/YES on the detail screen of any role
(Display or Change Roles), redundancy avoidance is activated. Otherwise, it is not active.
Although this setting applies only for this user, it applies for all of the roles for which he or she is
editing the menus.
The system uses the short texts of the folder hierarchy and the short text, the transaction code,
and the target system of the menu entries to determine redundancies. The system does not
investigate menu entries for other objects. We recommend that you display the "Technical
Name" so that you can see the effect of the redundancy avoidance. If a number of roles are
assigned to a user, it can be useful to continue to use the redundancy avoidance of the Easy
Access Menu.
Even if you have removed redundant folder hierarchies in all roles, there can still be redundant
submenus in the Easy Access Menu of a user, if roles with wholly or partly identical menus are
assigned to the user. In this case, it is useful to keep the redundancy avoidance of the Easy
Access Menu active.
· From the SAP menu

To copy complete menu branches or parts of menu branches, select these or expand them and
select only the subordinate nodes or individual transactions and reports that you want to copy to
the menu.
You can also copy submenus using an RFC link if you want to use the menu from another
mySAP Workplace component system for example. Specify a target system and choose From
SAP menu. You can specify whether you want to copy the menu locally or the menu of the target
system of the RFC link. If you choose Remote, you are offered the SAP menu of the target
system.
Use the same procedure for the options From other role and From area menu.
· From a role
You can use this function to copy a menu structure that is already defined for a role in the same
system or from a role delivered by SAP to the role that you are currently editing.
· From an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu
from the list of menus and copy the transactions you want.
· Importing from a file
You can copy menu descriptions from external products to the SAP System if the external
product creates a file with the menu definition that can be uploaded into a role. If you want to
create this file yourself, see the procedure in SAP Note 389675.
Buttons for Menu Extension
· Transaction
You can extend the user menu by directly entering a transaction code.
· Report
You can use this function to add reports, transaction variants, or queries in the user menu. You
do not need to assign a transaction code to the reports, transaction variants, or queries to be
included in advance.
  o ABAP Report
Choose a report and a variant. Set the corresponding indicators to automatically generate a
transaction code and to copy the description of the report.
  o SAP Query
Enter the name of a user group and of a query. If the query has a variant, you can specify it. You
can also specify a global query. For more information, see
Query work areas.
  o Transactions with variants
The system administrator can create transaction variants in the SAP System personalization.
Transaction variants adjust complex SAP System transactions to customer business processes,
by, for example, hiding superfluous information and adding other information such as
pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering
the transaction code and variant which you created in the transaction SHD0.
  o BW report
To include a report from the Business Information Warehouse, enter the ID of the report in the
appropriate input field.
  o ReportWriter, Search, Report
You can use these functions to include application-specific report types in the user menu.
· Others
In this case, a system-specific list is displayed, from which you can insert additional objects.
Depending on the system, the list may contain additional entries as well as those listed below.
  o URL (Web address or file)
To enter Internet/intranet links, enter a descriptive text and the Web address. You can enter a file
name if the browser can call an application.
  o Predefined URL from directory
If you want to use some URLs frequently, for example, you can predefine URL objects in the
Object Navigator (SE80). To do this, choose a development class and Create -> Other -> URL
objects in the context menu in the Object Navigator.
  o BW WebReport
You can publish queries which were defined in the Business Explorer Analyzer, in the Intranet or
Internet with Web Reporting. You can insert the queries in any HTML pages to present them.
You can also put various queries in an HTML page and use predefined navigation buttons or
graphics to display the data.
For more information, see the documentation for the Business Information Warehouse and the
SAP Service Marketplace under service.sap.com/bw -> Documentation -> Documentation
Enhancements.
  o WebSource from Drag&Relate Servlet
Enter a name and a URL which you have defined in the Web Source Editor of the Drag&Relate
servlet which is delivered with the mySAP Workplace. URLs that you define in the Web Source
Editor allow Drag&Relate between the mySAP Workplace and the World Wide Web.
For more information, see the mySAP Workplace Drag&Relate documentation.
  o External Mail System
You can integrate a call of a mail system.
  o Knowledge Warehouse link
Choose the information object type with the input help for the Document field. You go to a
selection screen in which you can search for the object in the Knowledge Warehouse.
· Authorization Default Value
You can use this function to copy authorization default values for the subsequently listed entries,
without this being visible in the SAP Easy Access user menu. This is useful, for example, if your
users use a Web browser. In this situation, the Web server accesses the backend system using the
relevant user and starts transactions there, for example. Since the users do not access the backend
system themselves, however, they also do not require entries for the corresponding actions in
their user menus, but rather only the undisplayed authorizations, so that the Web server can start
the transaction for them.

You assign, for example, authorization for transaction SE61 with the role that you are editing,
but this is not displayed in the SAP Easy Access menu. On the other hand, for example,
transaction SE63, which you insert, using the Transaction button, is displayed in the SAP Easy
Access menu. The entries have different icons so that you can tell them apart while creating the
menu.
Transaction:-
Copies the authorization default values for transactions.
RFC Function:-
Copies the authorization default values for RFC function modules. Currently, the correct
authorization default values for the authorization object S_RFC are automatically copied. You
must still add the other authorization values required for the relevant function module.
Service:-
Copies the authorization default values for services. From a technical point of view, there are
two types of services: Repository services (program ID) and external services. All services that
are managed in the repository in the SAP system and which have an object catalog entry are
combined under repository services. In this case, the input help displays only the services for
which there are authorization default values. External services are services that were created
outside the SAP system, such as a Java program. In this case, the input help displays only the
services for which there are authorization default values in the current SAP system. The names
of the external services, which can be any length, are abbreviated to 132 characters in the input
help, meaning that there can be identical names. Currently, the correct authorization default
values for the authorization object S_SERVICE are automatically copied. You must still add the
other authorization values required for the relevant service.

Que: A user is assigned t-code SA38. How to restrict him to execute only
a few reports, say RSUSR003? If you modify the role (having SA38)
assigned to the user, that will affect other users also, because that role might be
assigned to multiple users. I don't want that to happen, so what is the solution?

Ans:-
In that case you need to create an authorization group and assign it to report RSUSR003.
You can also create a t-code for this report and assign it to the user in a separate role. In
the new role, maintain the object S_PROGRAM with the specific auth group. No need to
remove SA38 from the role. Just make sure the SA38 role restricts the
access for object S_PROGRAM; it should not be '*'. Program check (object:
S_PROGRAM, values: execution and the authorization group).

Q. How to get the e-mail addresses of 100 users at a time?
Ans:- To get the e-mail addresses of a number of users, go to SE16 -> ADR6 -> give the person number or
address number.

Q. What is the use of Simulation?


Simulations provide the ability to perform preventative segregation of duties testing before
allocating user access or modifying SAP security roles. Embedding simulation activities within
security processes is critical to ensure ongoing segregation of duties compliance.

Q. In which table are the user's first name and last name stored?


Ans: USER_ADDRP

Q. How to deactivate one option in Expert mode in PFCG?


Q. How to assign 100 roles to 1000 users at a time?
Q. How to find out in which TR one object is moved to P system?

Q. How to find the T-codes related to any module?

1. T-code: PFCG

2. Create a test role

3. Go to 'menu' tab, and click 'Transaction'

4. Press F4, and click 'SAP Application'

Here we can get the list of all the transactions module-wise. We can take the list and filter out the
required transactions with the help of functional and business consultants.

Q. Which table shows the roles for which profiles are generated and not generated? That is, the
table to find the roles in which the Authorization tab is green and the roles in which it is red.

Ans: AGR_TIMEB

Q. What is the report which states the critical T-codes? And also what is the T-code?

HCL on 21.04.2012

Deloitte 21.05.2012

1. Where do we maintain license data for a user?

2. What is the use of SU24? Suppose I have to assign a new object to a t-code; what will you do?

3. Types of plant values.

4. How to restrict a table for certain users.

5. How to find out the auth group of a table.

6. Suppose a developer has created a custom t-code and asks you to add it to a role. What tests will you
perform before assigning this t-code?

7. Difference between a composite role and a derived role.

8. I need to find out the mail IDs of 1000 users assigned to a user group. From which table can we find
them out?

9. How to delete a role.

10. What are the tabs in SU01?

11. From which t-code can we find out the program details of any t-code?

12. What procedure do you follow before creating any new role?

Q: Is S_RZL_ADMIN a profile?

In order to use the DBA Planning Calendar, users need authorization for database administration
and background job scheduling.
Enter the profiles S_RZL_ADMIN and S_BTCH_ALL for the database administrator
(Profile Maintenance (Authorization
Object S_RZL_ADM) background processing authorizations).

04.10.2012

Q. In a CUA system, a user exists in the child system but not in the parent. How to bring this user into
the parent system?

SCUG

And if the user is in the parent system and you want it in the child system, please use SCUL.
