GRC - AC Learnings

The document outlines various aspects of SAP Security, including tables, security questions, and authorization management. It covers topics such as role management, user access restrictions, and the importance of segregation of duties (SOD). Additionally, it provides answers to common SAP security questions and explains the functions of different transaction codes (T-codes) related to user and role management.

Uploaded by Nature Beauty

GRC Learnings:

Table: 1) GRACFUNCPRM
2) GRACACTRULE
3) GRACSODRISK
4) GRACSODRISKRS
5) GRACFUNCACT
6) SCPRACTP
7) GRACFUNC
8) GRACFUNCPRMEXT

STRFCTRACE
STUSOBTRACE

SAP Security questions:

1) Can we add a composite role to another composite role?
Ans: No.

2) How to do mass deletion of a role without deleting the new role.
Ans: Insert all the roles to be deleted in a TR in development system --> delete
the roles --> move the TRs to quality and production. All the required roles will
be deleted in all the systems.

3) How to check who has deleted the user and roles? Is there any table to check
this?
Ans: SUIM --> Change document for users.

4) Authorizations required to create and maintain user master records.
Ans: S_USER_GRP, S_USER_PRO, S_USER_AUT.

5) How to find all the users who have SU01?
Ans: SUIM --> Users --> Users by transaction authorization.

6) How to restrict access to files through AL11?
Ans: By using object S_DATASET (Authorization for file access) we can restrict the
access to the required files.

7) Why is there no authorization displayed even if the users have all the required
authorization available in their profile?
Ans: Check the user buffer in SU56 and refresh.

8) Which authorization objects are checked in role maintenance?
Ans:
PLOG - Personnel Planning
S_USER_AGR - Authorizations: Role Check
S_USER_AUT - User Master Maintenance: Authorizations
S_USER_GRP - User Master Maintenance: User Groups
S_USER_PRO - User Master Maintenance: Authorization Profile
S_USER_SAS - User Master Maintenance: System-Specific Assignments
S_USER_STA - Authorizations: TADIR Objects in Roles
S_USER_TCD - Authorizations: Transactions in Roles
S_USER_VAL - Authorizations: Field Values in Roles

9) How to restrict user access to particular table (Display mode)?
Ans: By restricting the name of the table in S_TABU_NAM, S_TABU_DIS.

10) How to restrict user access to more than one table?
Ans: S_TABU_DIS (ACTVT: 03, DICBERCLS: Authorization group), S_TABU_DIS.

11) What is meant by Profile versions?
Ans: If any parameter is modified within a profile, it automatically creates an
updated version of the same profile.
The process is repeated whenever a modification is made within a profile.
All of these profiles are saved into the database with a naming convention.
The stored files of the same profile are considered as Profile versions.

12) Highest permissible no. of profiles, auth objects and T-codes in a single role?
Ans: 312 (but now, due to an update, it has increased and there is no limit), 170,
14000.

13) What is audit risk rating?
Ans:

14) Based on SOD what are their common roles and their Key duties?
Ans:

15) What is the difference between SU22 and SU24?
Ans:

16) T-code used to delete audit logs.
Ans: SM18

17) What are the pre-requisites that should be taken before assigning SAP_ALL to a
user even if there is an approval from authorization controllers?
Ans: 1) Enabling the audit log using SM19
2) Retrieving the audit log using SM20

18) What is SAP security?
Ans: SAP security is a module that protects the SAP data and applications from
unauthorized use and access.
It refers to providing the right access to business users according to their
authority or responsibility.
Permissions are given as per their roles in the organizations or departments.

19) Name the different layers of Security in SAP.
Ans:
Authentication
Authorization
Integrity
Privacy
Obligation

20) Explain some SAP security T-codes.
Ans:
PFUD - To compare User master in Dialog
RZ10 - Profile configuration
SCC8 - Data exchange takes place at the operating system level
PFCG - To maintain role using profile generator
SE43 - To maintain and display Area Menus
ST01 - System Trace
SECR - Audit Information System
SM12 - Display and Delete Locks
SU01 - Create and maintain the users
SU25 - For initial Customer table fill
SUPC - Generation of Mass profile
SUIM - User Information System

21) Explain different types of Users in SAP.
Ans:
Dialog User (A): It is used for an individual user. During a dialog logon, the
system checks for expired/initial passwords. The user can change his or her
password. Several dialog logons are checked and logged.
System User (B): These are non-interactive users and are used to perform some
system activities like ALE, background processing, Workflow, TMS, and CUA.
Service User (S): Dialog user is available to a larger group of users. Only user
administrators can change the password. The system does not check for
expired/initial passwords during login.
Reference User (L): It is like a System user. It involves a general, non-personally
related user.
Communication User (C): It is used for dialog-free communication between systems.

22) How to check table logs?
Ans: The first step is to check if logging is activated for a table using t-code
SE13.
If it is enabled then we can see the table logs with the t-code SCU3.

23) How many fields can be in one authorization object?
Ans: There are 10 fields in one authorization object in SAP.

24) What is the difference between a role and a profile?
Ans: A role and profile go hand-in-hand. When a role is created, a profile is
automatically created.

24) Differentiate between authorization object and authorization object class?
Ans: An authorization object is a group of authorization fields and is related to a
particular activity,
while an authorization object class comes under the authorization class and is
grouped by function areas.

25) How to find out who has deleted users in the system?
Ans: To find out who has deleted users in the system, first debug or use RSUSR100
to find the info.
Then run transaction SUIM and download the Change documents.

26) Can you change a role template? What are the three ways to work with a role
template?
Ans: Yes. There are three ways to change a role template:
1) Use them as they are delivered in SAP
2) Modify them as per your needs through PFCG
3) Create them from scratch

27) What are the authorization objects required to create and maintain user
records?
Ans: S_USER_GRP: to assign user groups.
S_USER_PRO: to assign authorization.
S_USER_AUT: create and maintain authorizations.

28) Explain the difference between USOBT_C and USOBX_C.
Ans: USOBT_C:
1) It provides information about the authorization proposal data that contains the
authorization data which are relevant for a transaction.
2) It also includes the checks which are present in the profile generator.

USOBX_C:
1) This specifies which particular authorization checks need execution within the
transaction and which authorization checks do not.
2) It includes the default set values that need to be present in the profile
generator.

29) Can you add a composite role to another composite role?
Ans: No, you cannot add a composite role to another composite role.

30) How can the password rules be enforced?
Ans: Password rules can be enforced using profile parameter.

31) Which t-code can be used to delete old security audit logs?
Ans: The t-code SM18 can be used to delete old security and audit logs.

32) What are the main tabs available in PFCG?
Ans: Description: Used to describe the changes done, such as details related to the
role, the authorization object, and the addition or removal of t-codes.
Menu: To design user menus like the addition of t-codes.
Authorization: To maintain authorization data and authorization profile.
User: Used to adjust user master records and to assign users to the role.

33) Which t-code is used to display the user buffer?
Ans: The t-code SU56 is used to display the user buffer.

34) What does a USER COMPARE do in SAP security?
Ans: USER COMPARE compares the user master record so that the produced
authorization profile can be entered in the user master record.

35) What is the difference between CM (Check/Maintain), C (Check), N (No Check),
and U (Unmentioned)?
Ans:
CM (Check/Maintain): An authority check is carried out against this object.
PG creates an authorization for this object. Field values are displayed.
Default values can be maintained.

C (Check): An authority check is carried out against this object.
PG does not create authorization for this object. Field values are not displayed.
Default values cannot be maintained for this authorization.

N (No Check): The authority check against this object is disabled.
The PG does not create authorization for this object. Field values are not
displayed.
The default values cannot be maintained.

U (Unmentioned): An authority check is carried out against this object.
The PG does not create authorization for this object. Field values are not
displayed.
Default values cannot be maintained.

36) Explain a user buffer.
Ans: A user buffer is formed when a user signs on to an SAP system.
This user buffer contains authorizations for that particular user.
Every user has his or her own user buffer. A user buffer is a monitoring tool.
It means that no further action can be taken from within this transaction.
It can be used to analyze for a particular user or reset the buffer for the user.
A user can display his or her own user buffer using the t-code SU56.

37) What are the values for user lock?
Ans: 00 – not locked
32 – Locked by CUA central administrator
64 – Locked by the system administrator
128 – Locked after a failed logon

38) How to create a user group in SAP?
Ans: Enter SUGR T-code in SAP Easy Access Menu.
A new screen will open up. Now provide a name for the new user group in the text
box.
Click on create button.
Provide a description and click on the Save button.
The user group will be created in the SAP system.

39) Which parameter is used to control the number of entries in the user buffer?
Ans: auth/auth_number_in_userbuffer

40) Explain what things you have to take care of before executing Run System Trace?
Ans: If you are tracing batch user ID or CPIC, then before executing the Run System
Trace, you have to ensure that the id should have been assigned to SAP_ALL and
SAP_NEW.
It enables the user to execute the job without any authorization check failure.

41) What is the t-code used for locking the transaction from execution?
Ans: For locking the transaction from execution, t-code SM01 is used.

42) Explain what is SOD in SAP Security?
Ans: Segregation of Duties; it is implemented in SAP in order to detect and prevent
error or fraud during the business transaction.
For example, if a user or employee has the privilege to access bank account detail
and payment run, it might be possible that he can divert vendor payments to his own
account.

43) Mention which t-codes are used to see the summary of the Authorization Object
and Profile details?
Ans: SU03: It gives an overview of an authorization object.
SU02: It gives an overview of the profile details.

44) Mention which table is used to store illegal passwords?
Ans: To store illegal passwords, table USR40 is used; it is used to store patterns
of words which cannot be used as a password.

45) Explain what is PFCG_Time_Dependency?
Ans: PFCG_TIME_DEPENDENCY is a report that is used for user master comparison.
It also clears up the expired profiles from user master record.
To directly execute this report PFUD transaction code can also be used.

46) Explain what does USER COMPARE do in SAP security?
Ans: In SAP security, USER COMPARE option will compare the user master record so
that the produced authorization profile can be entered into the user master record.

47) Explain what reports or programs can be used to regenerate SAP_ALL profile?
Ans: To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

48) Using which table transaction code text can be displayed?
Ans: Table TSTCT can be used to display transaction code text.

49) Mention what SAP table can be helpful in determining the single role that is
assigned to a given composite role?
Ans: Table AGR_AGRS will be helpful in determining the single role that is assigned
to a given composite role.

50) What is the parameter in Security Audit Log (SM19) that decides the number of
filters?
Ans: Parameter rsau/no_of_filters is used to decide the number of filters.

51) Please explain the personalization tab within a role?
Ans: Personalization is a way to save information that could be common to users,
I meant to a user role… E.g. you can create SAP queries and manage authorizations
by user groups.
Now this information can be stored in the personalization tab of the role.

(I supposed that it is a way for SAP to address his ambiguity of its concept of
user group and roles: is “usergroup” a grouping of people sharing the same access
or is it the role who is the grouping of people sharing the same access).

52) What does user compare do?
Ans: If you are also using the role to generate authorization profiles,
then you should note that the generated profile is not entered in the user master
record until the user master records have been compared.
You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis.

53) Can we convert Authorization field to Org. field?
Ans: Authorization field can be changed to Organization field using:
PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE.
Use SE38 or SA38 to run the above report.

1) Organizational level fields should only be created before you start setting up
your system.
If you create organizational level fields later, you might have to do an impact
analysis.
The authentication data may have to be postprocessed in roles.
2) The fields “Activity”, “ACTVT” and “Transaction code”, “TCD” cannot be converted
into an organizational level field.

54) How many profiles can be assigned to any user master record?
Ans: Maximum Profiles that can be assigned to any user is ~ 312. Table USR04
(Profile assignments for users).
The field is defined with a length of 3750 characters.
Since the first two characters are intended for the change flag,
3748 characters remain for the list of the profile names per user. Because of the
maximum length of 12 characters per profile name,
this results in a maximum number of 312 profiles per user.

55) How to reset SAP* password from oracle database.
Ans: Logon to your database with orasid as user id and run this SQL:
    delete from sapSID.usr02 where bname='SAP*' and mandt='XXX';
    commit;
Now you can login to the client using sap* and password pass.

56) The authorization object does not exist in the user buffer.
Ans: The values checked by the application are not assigned to the authorization
object in the user buffer.

57) How can I do a mass delete of the roles without deleting the new roles?
Ans: There is an SAP-delivered report that you can copy, remove the system type
check and run.
It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS. To use it,
you need to tweak/debug & replace the code as it has a check that ensures it is
deleting SAP delivered roles only.

58) How to find out all roles with T-code SU01?
Ans: Execute SE16N
Table AGR_1251
Object S_TCODE
VALUE (low) SU01

59) How to find out all the derived roles for one or more Master (Parent) roles?
Ans: Execute SE16N
Table AGR_DEFINE
Use either agr_name field or Parent_agr field.

60) How can I check all the Organization value for any role?
Ans: Execute SE16N
Table AGR_1252
Role: Type in the role here and hit execute.
You can always download all the information to spreadsheet also using .

61) How do I restrict access to files through AL11?
Ans: First create an alias. Go to t-code AL11 > configure > create alias.
Let's say we are trying to restrict alias DIR_TEMP which is /tmp.
Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as
mentioned below:
Activity: 33
Physical file name: /tmp/*
Program Name with Search Help: *

62) What are the Best practices for locking expired users?
Ans: Lock the user. Remove all the roles and profiles assigned to the user. Move
them to TERM User group.

63) How can the password rules be enforced?
Ans: Password rules can be enforced using profile parameter.

64) How to remove duplicate roles with different start and end date from user
master?
Ans: You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 365841 for
more info.

65) How come the users have authorization in PFCG, but user still complains with no
authorization?
Ans: Make sure the user master is compared. Maybe there is a user buffer
overflow.
Also check the profile. Follow the instruction below.
SUIM > User by complex criteria.
Put the userid of user who is having issue.
Execute

66) How can I have a display all roles?
Ans: Copy sap_all and open the role and change the activity to 03 and 08

67) How can I find out all actvt in sap?
Ans: All possible activities (ACTVT) are stored in table TACT (transaction SM30)
and also the valid activities for each authorization object can be found in table
TACTZ (transaction SE16).

68) How many fields can be present in one Authorization object?
Ans: 10 fields.
69) What’s the basic difference between SU22 & SU24?
Ans: SU22 displays and updates the values in tables USOBT and USOBX, while SU24
does the same in tables USOBT_C and USOBX_C.
The _C stands for Customer. The profile generator gets its data from the _C
tables. In the USOBT and USOBX tables the values are the SAP standard values as
shown in SU24.
With SU25 one can (initially) transfer the USOBT values to the USOBT_C table.

70) How to restrict the user access to one particular table in display mode?
Ans: If the system is BASIS 700, we can use the authorization object S_TABU_NAM.
In this auth. object, we can maintain the values for required activity and the
table name.

If the system version is lower than 700, and the table is z* table then
create a new authorization Group using SE54.
Assign the table in question to the newly created authorization Group in table
TDDAT using SM30.

If the table is SAP standard table then we can restrict user access by creating new
tcode in SE93.

71) What is the user type for a background jobs user?
Ans: System User
Communication User

72) How to troubleshoot problems for background user?
Ans: Using System Trace ST01

73) There are two options in the PFCG while modifying a role. One is change
authorizations and another is expert mode. What is the difference between them?
Ans: Change authorization: This option we will use when we create new role and
modify old role.

Expert mode:
i. Delete and recreate authorizations and profile (All authorizations are
recreated. Values which had previously been maintained, changed or entered manually
are lost. Only the maintained values for organizational levels remain.)
ii. Edit old status (The last saved authorization data for the role is displayed.
This is not useful if transactions in the role menu have been changed.)
iii. Read old data and merge with new data (If any changes happen in SU24
Authorizations we have to use this).
74) If we give Organizational values as * in the master role and want to restrict
the derived roles for a specific country, how do we do?
Ans: We have to maintain org level for the country based on the plant and sales
area etc. in the derived Role.

75) What is the table name to see illegal passwords?
Ans: USR40

76) What is the table name to see the authorization objects for a user?
Ans: USR12

77) What are two main tables to maintain authorization objects?
Ans: USOBT, USOBX

78) How to secure tables in SAP?
Ans: Using Authorization group (S_TABU_DIS, S_TABU_CLI) in T-code SE54.

79) What are the critical authorization objects in Security?
Ans: S_USER_OBJ, S_USER_GRP, S_USER_AGR, S_TABU_DIS, S_TABU_CLI,
S_DEVELOP, S_PROGRAM

80) Difference between USOBT and USOBX tables?
Ans: USOBT - Transaction VS Authorization objects
USOBX - Transaction VS Authorization objects check indicators
81) Use of Firefighter application.
Ans: Whenever a request comes from the user for new authorization, the request
goes to the firefighter owner.
The FF owner provides the FF ID to the normal user, then the user (security admin)
will assign the authority to those users (end user).

82) Where do we add the FF ids to the SAP user ids?
Ans: Go to t-code /n/virsa/vfat >> go to the Firefighter tab, then give the FF ID
to the firefighter with validity.

83) How to copy 100 roles from a client 800 to client 900?
Ans: Add all 100 roles to one single composite role and transfer the composite
role; the 100 roles will automatically transfer to the target client (using SCC1).

84) User reports that they lost the access. We check in SUIM and no change docs
found. How do you troubleshoot?
Ans: Maybe user buffer full or role expired.

85) What is the correct procedure for Mass Generation of Roles?
Ans: SUPC

86) How can we maintain Organizational values? How can we create Organizational?
Ans: PFCG_ORGFIELD_CREATE in t-code SA38

87) I want to see the list of roles assigned to 10 different users. How do you do
it?
Ans: Go to SE16 > AGR_USERS, then mention the 10 user names.
Go to SUIM > role by complex selection > type user names.

89) What is the main purpose of Parameters Groups & Personalization tabs in SU01
and Miniapps in PFCG?
Ans: Parameter tab: it is used to auto-fill some of the values during the creation
of orders.

Personalization tab: it is used to restrict the user in selection criteria.
E.g.: while selecting pay slip it will show only last month pay slip by default. If
you select the attendances it will show current month by default.

Miniapps: we can add some mini-applications like calculator, calendar etc.

90) How do you deactivate an authorization object globally?
Ans: Go to t-code SU25 and select step 5. Deactivate authorization object globally.

91) Which authorization object is used to check HR transaction codes?
Ans: P_TCODE
92) What are role templates?
Ans: The role templates are nothing but the activity clusters which are
predetermined.
These clusters or groups consist of reports, web addresses, and transactions.

93) How do you check the transport requests created by other users?
Ans: By using the SE10 t-code we can find the transport requests created by other
users.

94) How do you find user-defined, security parameters for system default values?
Ans: By using t-code RSPFPAR we can find user-defined and system default security
parameters.

95) What is the process to assign a logical system to a client?
Ans: The logical system can be assigned to a client by using a specific T-code,
i.e. SCC4.

96) Why do we use t-code SU25?
Ans: If you want to copy data from USOBT, USOBX to tables USOBT_C and USOBX_C, then
we can use t-code SU25.

97) Which T-code do you use to create authorization groups?
Ans: We can create authorization groups in SAP using SE54 T-code.

98) How can you get the user list in SAP?
Ans: We can get the user list by using SM04/AL08 transaction code.

99) Which transaction code is used to manage lock entries?
Ans: Transaction code SM12 is used to manage lock entries.

100) What is the use of the authorization object S_TABU_LIN?
Ans: Generally, the authorization object is to provide access to all the tables on
the row level.

101) How to find the email ids if given a list of users (say 100)?
Ans: Execute the t-code SE16.
Enter the table name as USR21.
Upload the list of users using multiple selection option and execute. This will
give us the list of users and their respective person numbers.
Extract this data to an Excel sheet.
Now, go back to SE16 and enter table name ADR6.
Upload the list of person numbers extracted from table USR21 and execute.
Now, table ADR6 will give us the list of person numbers and their email ids.
Download the list in Excel and perform V-lookup in Excel to map the email ids of
users with their SAP IDs.

102) Which entities are not distributed while distributing the authorization data
from master role to derived roles?
Ans: During the distribution of authorization data from master role to derived
roles, Organizational values and user assignment are not distributed.

103) What are the authorization groups and how to create them?
Ans: Authorization groups are the units comprising tables for a common functional
area.
Generally, each table is assigned to an authorization group; for this reason we
need to mention the value of authorization group while restricting the access to
table in authorization object S_TABU_DIS.
The authorization group can be created by using the t-code SE54. The assignment of
tables to authorization group can be checked by using table TDDAT.
104) What is SOX (Sarbanes Oxley)?
Ans: Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance
and restore investor confidence.

105) How to create a query in SAP R/3 system?
Ans: The query can be created and executed using the t-code SQVI:

106) What is the use of ST01? What are the return codes of t-code ST01?
Ans: Below are the return codes of ST01:
0 – Authorization check passed
1 – No Authorization
2 – Too many parameters for authorization check
3 – Object not contained in user buffer
4 – No profile contained in user buffer
6 – Authorization check incorrect
7,8,9 – Invalid user buffer

107) HR Security: What are the objects for HR and what is the importance of each HR
object?
Ans: P_PERNR object is used by a Person to see data related to his Personal Number.
P_ORGXX HR: Master Data - Extended Check.

108) What is the landscape of GRC?
Ans: SAP GRC DEV
SAP GRC PROD

-----------------------------------------------------------------------------------

SAP Fiori Security Interview Questions:

1) What are the components that are configured in SAP Front End Server?
Ans: Configuring the ABAP Front-end server includes: Configure SAP NetWeaver
Gateway, Configure the Central UI Add-On, Configure SAP Fiori Launchpad.

2) Explain SAP NetWeaver Gateway Central Hub deployment in SAP Fiori?
Ans: In NetWeaver Gateway Central Hub deployment − UI layer and SAP NetWeaver
gateway is contained in ABAP Front-end server. The ABAP back end server contains
business logic and back end data. Separating business logic and back end data from
UI layer has below advantages −

Single Point of maintenance for UI issues, such as browser support and updated
version of SAP UI5 libraries.

Central place for theming and branding SAP Fiori Apps.

Routing and composition of multiple backend systems is supported.

Single Point of access to backend systems and enhanced security because of no
direct access to backend system.

SAP recommends Central Hub deployment especially for Productive environment.

Separate NetWeaver Gateway system is required.

3) Explain SAP NetWeaver Gateway Embedded Hub deployment in SAP Fiori?
Ans: In Embedded Hub Deployment − NetWeaver gateway is deployed on same server as
the Business Suite. So multiple Business Suite systems require Gateway to be
configured multiple times. It is not recommended by SAP especially for customers
with multiple back ends.
No additional separate NetWeaver Gateway system is required. It is usually used for
sandbox purposes only.

4) To enable communication between the front-end ABAP and back-end ABAP server,
which communication type is used?
Ans: Trusted RFC.

5) Transaction Apps, Factsheets and Analytical Apps require which of the SAP system
to run?
Ans: Transaction Apps are the only apps that don’t have to run on a HANA system.
They can run on any database. All Factsheets, Analytical Apps and Smart Business
Apps run on SAP HANA. Only Factsheets require Search Models. Only Analytical Apps
require HANA XS Engine, and KPI Framework is needed for Smart Business Apps.

6) What is the function of SAP Web Dispatcher in SAP Fiori architecture?
Ans: SAP Web Dispatcher (Reverse proxy) is entry point for HTTP(s) request in SAP
Fiori Architecture. It can accept or reject connections as per user request.

7) To diagnose workflow errors, which transaction do you use?
Ans: SWI2_DIAG: to diagnose workflow error.

8) Which service is used by SAP Fiori Launchpad designer to read and assign
transport request?
Ans: /UI2/TRANSPORT: Used by SAP Fiori Launchpad designer to read and assign
transport request.
9) How data flow happens in SAP Fiori Launchpad? Explain the steps.
Ans: Sequence of steps −

LPD_CUST

Launchpad Designer – Add a catalog, add a group

Target mapping – semantic object, action

Static/Dynamic Launcher

PFCG – Catalog, group.

10) What are the different RFC authorization objects in SAP Fiori?
Ans: Authorization Object S_RFCACL

Definition

Authorization check for RFC users, particularly for trusted systems

Defined Fields

This authorization object contains the following fields −

RFC_SYSID − ID of the calling system or the domain of the satellite system.

RFC_CLIENT − Client of the calling system.

RFC_USER − ID of the calling user.

RFC_EQUSER − Flag that indicates whether the user can be called by a user with the
same ID (Y = Yes, N = No)
RFC_TCODE − Calling transaction code.

RFC_INFO − Additional information from the calling system (currently inactive).

ACTVT − Activity

11) What is Launchpad designer tool? Why do we need it?


Ans: We can use SAP Fiori Launchpad designer for configuring and creating groups
and catalogs which can then be accessed from SAP Fiori Lauchpad which is a single
entry point to all apps. We can search recently launched apps via search capability
of Launchpad.
Tiles which are available on Fiori Launchpad home page are configured using
Launchpad Designer Tool.

12) What are the configuration tasks that need to be performed on Front End server
as per different app types?
Ans: We need to perform certain configuration tasks on front end server which are
specific to app type. We need to Activate OData Services for transactional apps and
Factsheets but not for Analytical apps. For analytical apps we need to configure
access to SAP HANA data.

13) What are the different app launched tile types in SAP Fiori?
Ans: Static − It shows predefined static content (text, icon).

Dynamic − It shows numbers that can be read dynamically.

News Tile − Flips through news messages according to the configuration of the tile.

KPI Tile − It displays KPI’s in real time.

14) What are the different OData services that are required for SAP Fiori
Launchpad?
Ans: OData services have to be enabled in SAP Net Weaver gateway to establish
mapping between technical OData name and the corresponding back-end service. In
order to setup SAP Fiori Launchpad and Launchpad designer, we have to activate 5
specific OData Services.

/UI2/PAGE_BUILDER_CONF
/UI2/PAGE_BUILDER_PERS
/UI2/PAGE_BUILDER_CUST
/UI2/INTEROP
/UI2/TRANSPORT

15) What are the different options in SAP Fiori Launchpad design?
Ans: 1) Configuration layer.
2) Customizing layer.

16) What is the use of PFCG role SAP_UI2_USER_700?
Ans: The Launchpad user must have the PFCG role SAP_UI2_USER_700 assigned. With
this role the user can run the SAP Fiori Launchpad on the Personalization level and
has authorization to execute the following OData services −

/UI2/PAGE_BUILDER_PERS
/UI2/INTEROP
/UI2/LAUNCHPAD

17) For write access to the UI Theme Designer (create, update, delete themes),
which authorization object should be assigned?
Ans: Authorization object /UI5/THEME with the following field values:

ACTVT (Activity): 02 (Change)
/UI5/THMID (Theme ID): * (all themes)

18) To be able to use the UI Theme Designer, which Internet Communication Framework
(ICF) nodes should be activated?
Ans: To be able to use the UI Theme Designer, activate the following Internet
Communication Framework (ICF) service nodes −

/sap/public/bc/themes
/sap/bc/theming

19) Which components have to be redefined when extending the Gateway layer of an
SAP Fiori application?
Ans: IW_BEP on Business Suite

IW_FND on Gateway Layer

20) In SAP NetWeaver 7.31 ep1, which roles should be assigned to the Fiori
Launchpad administrator?
Ans: The Launchpad administrator must have the PFCG role SAP_UI2_ADMIN assigned.
SAP_UI2_ADMIN is a composite role containing the following release-dependent roles −

SAP_UI2_ADMIN_700 for SAP NetWeaver 7.0
SAP_UI2_ADMIN_702 for SAP NetWeaver 7.0 enhancement package 2
SAP_UI2_ADMIN_731 for SAP NetWeaver 7.0 enhancement package 3 and SAP NetWeaver 7.3
enhancement package 1

-----------------------------------------------------------------------------------

3) SAP HANA Security Questions:

1) How to prevent expiration of database user passwords?
Ans: For technical users it is recommended to disable the password lifetime check
so that the password does not expire (ALTER USER <user_name> DISABLE PASSWORD
LIFETIME).

2) Explain the effect of the CATALOG READ privilege.
Ans: CATALOG READ controls to what extent a user can access data in the SAP HANA
dictionary tables (e.g. TABLE_COLUMNS or INDEXES).
If CATALOG READ is granted, all information is visible. If CATALOG READ is not
granted, only the information for the user's own objects is shown.
At the same time, the required security checks can make these dictionary queries
slower.

3) Which configuration does the SAP HANA database user of transaction DBACOCKPIT
require?
Ans: Among other things, it is suggested to define a role called DBA_COCKPIT with
the appropriate privileges for DBACOCKPIT operations.

4) How can tracing for security topics such as authorization, authentication and
login be activated?
Ans: In general, an authorization trace can be activated on a temporary basis with
the following parameter:

.ini -> [trace] -> authorization = info

As a consequence, further authorization information is written to the normal
service trace files. To trace connection issues, it may be sufficient to
temporarily set the following parameter:

.ini -> [password policy] -> detailed_error_on_connect = true

5) What is SAP HANA Security?
Ans: SAP HANA Security protects important data from unauthorized access and ensures
compliance with the security standards adopted by the company.
SAP HANA provides a multitenant facility in which multiple databases can be created
on a single SAP HANA system. These are known as multitenant database containers.
SAP HANA provides all security-related features for every multitenant database
container.
SAP HANA provides the following security-related features −

User and Role Management
Authorization
Authentication
Encryption of data in the Persistence Layer
Encryption of data in the Network Layer

6) SAP HANA Authentication.
Ans: SAP HANA supports the following authentication methods:

Kerberos − Can be used in the following cases:
Directly from JDBC and ODBC clients (SAP HANA Studio).
When HTTP is used to access SAP HANA XS.

User Name / Password − When the user enters their database user name and password,
the SAP HANA database authenticates the user.

Security Assertion Markup Language (SAML) − SAML can be used to authenticate an SAP
HANA user who accesses the SAP HANA database directly through ODBC/JDBC. The
external user identity is mapped to the internal database user, so the user can log
in to the SAP HANA database with the external user ID.

SAP Logon and Assertion Tickets − The user can be authenticated by logon or
assertion tickets, which are configured and issued to the user.

X.509 Client Certificates − When SAP HANA XS is accessed over HTTP, client
certificates signed by a trusted certification authority (CA) can be used to
authenticate the user.

7) SAP HANA Authorization.
Ans: SAP HANA authorization is required when a user uses a client interface (JDBC,
ODBC, or HTTP) to access the SAP HANA database.

Depending on the authorization provided, the user can perform database operations
on database objects. These authorizations are called "privileges."

Privileges can be granted to the user directly or indirectly (through roles).
All privileges assigned to a user are combined as a single unit.

When a user tries to access any SAP HANA database object, the HANA system performs
an authorization check on the user, covering the privileges granted through the
user's roles and the privileges granted directly.

When the requested privileges are found, the HANA system skips further checks and
grants access to the requested database objects.

Privilege types and their descriptions:

System Privileges − Control normal system activity. System privileges are mainly
used for:

Creating and deleting schemas in the SAP HANA database
Managing users and roles in the SAP HANA database
Monitoring and tracing of the SAP HANA database
Performing data backups
Managing licenses
Managing versions
Managing auditing
Importing and exporting content
Maintaining delivery units

Object Privileges − SQL privileges that are used to give authorization to read and
modify database objects. To access a database object, the user needs object
privileges on the object itself or on the schema in which the object exists. Object
privileges can be granted on catalog objects (table, view, etc.) or non-catalog
objects (development objects). The object privileges are:

CREATE ANY
UPDATE, INSERT, SELECT, DELETE, DROP, ALTER, EXECUTE
INDEX, TRIGGER, DEBUG, REFERENCES

Analytic Privileges − Used to allow read access to the data of SAP HANA information
models (attribute view, analytic view, calculation view). This privilege is
evaluated during query processing.
Analytic privileges grant different users access to different parts of the data in
the same information view, based on the user's role.
Analytic privileges are used in the SAP HANA database to provide row-level control
over which data individual users can see in the same view.

Package Privileges − Used to provide authorization for actions on individual
packages in the SAP HANA repository.

Application Privileges − Required in SAP HANA Extended Application Services (SAP
HANA XS) to access applications.
Application privileges are granted and revoked through the procedures
GRANT_APPLICATION_PRIVILEGE and REVOKE_APPLICATION_PRIVILEGE in the _SYS_REPO
schema.

Privileges on Users − SQL privileges that a user can grant on their own user.
ATTACH DEBUGGER is the only privilege that can be granted to a user.

8) Authorization for License Management.
Ans: The "LICENSE ADMIN" privilege is required for license management.

9) SAP HANA Auditing.
Ans: The "AUDIT ADMIN" system privilege is required for SAP HANA auditing.
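
Added example (not part of the original notes) tying together answers 1, 2, 7, 8 and 9 above: a technical user whose password does not expire, privileges granted indirectly through a role, and the review queries an administrator can run to see who is exempt from password expiry and who holds AUDIT ADMIN, LICENSE ADMIN or CATALOG READ. The user, role and schema names and the password are hypothetical, constructed values.

```sql
-- Hypothetical names: SALES (schema), SVC_REPORTING (technical user),
-- ROLE_REPORTING_READ (role). The password is a constructed placeholder.
CREATE SCHEMA SALES;

-- Answer 1: technical user with the password lifetime check disabled.
CREATE USER SVC_REPORTING PASSWORD "Constructed_Pw_123" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER SVC_REPORTING DISABLE PASSWORD LIFETIME;

-- Answer 7: grant privileges indirectly, through a role, instead of directly.
CREATE ROLE ROLE_REPORTING_READ;
GRANT SELECT ON SCHEMA SALES TO ROLE_REPORTING_READ;  -- object privilege
GRANT CATALOG READ TO ROLE_REPORTING_READ;            -- system privilege (answer 2)
GRANT ROLE_REPORTING_READ TO SVC_REPORTING;

-- Review 1: every user exempt from password expiry. Each row should be a
-- known technical user; a named person appearing here needs follow-up.
SELECT USER_NAME, LAST_PASSWORD_CHANGE_TIME
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
 ORDER BY USER_NAME;

-- Review 2: who holds the sensitive system privileges from answers 2, 8 and 9.
-- GRANTEE_TYPE distinguishes a direct grant to a USER from a grant to a ROLE.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('AUDIT ADMIN', 'LICENSE ADMIN', 'CATALOG READ')
 ORDER BY PRIVILEGE, GRANTEE;

-- Review 3: the combined privilege set of one user (direct grants plus roles).
-- EFFECTIVE_PRIVILEGES must be filtered on a single USER_NAME.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SVC_REPORTING'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

In Review 3, rows with GRANTEE = 'ROLE_REPORTING_READ' are privileges the user holds only through the role, so revoking the role removes them in one step.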

-----------------------------------------------------------------------------------
