SAP SECURITY INTERVIEW QUESTIONS & ANSWERS
Q) Where are all possible activities stored?
A) In the table TACT
Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ
Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.
Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role to a user directly. If you need to, first make a copy of the pre-defined role and then add the user to the copied role.
Q) Is a role without Auth-profile considered as complete or not?
Q) What are the types of roles?
A) Roles are of 2 types: 1) Parental Role 2) Derived / Base Role
Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name. This maintains an inheritance hierarchy, so the transactions are automatically pulled into the derived roles.
Q) What is the total number of activities?
A) As per 4.7, the total number of activities = 168
01 – 99 = Activities
A1 – VF = 69
Q) What is the default authorization object which is used to check for any role?
1) We cannot edit the S_TCODE object in a role. The only way to add a transaction code is in the parent role.
2) When a new role is created for the first time and any functional transactions are added to it, we have to maintain the organization levels in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.
Q) Why should we not add organizational values directly in a role without using the org levels button?
A) Once a value has been maintained directly in the field, value maintenance using the org levels button no longer changes it: whenever we try to add a new value and generate, an empty field appears. In addition, when derived roles are adjusted, the authorization value is overwritten.
Q) Why do I need to add a role to a transport?
A) All changes to roles are made in the development box and then moved to production. If I delete a role in the dev box, the same role has to be deleted in prod, because the roles are ultimately used by the users in the prod box only. Hence the deleted role needs to be transported.
Go to PFCG and select the role to be deleted. Put the role in a transport by selecting the transport role button.
Q) How do I unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Logon data and check whether the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute
Q) Where do the default values in a role come from, i.e. the activities under an authorization object?
A) Tables USOBX_C and USOBT_C control the behavior of the profile generator after the transaction has been selected.
Q) How do I deactivate an authorization object globally?
A) Go to SU25 and select step 5, deactivate authorization globally.
Q) What is single sign-on?
1) With single sign-on we create a credential once, using a third-party tool (e.g. Keon), and later on log on to SAP without entering any credentials.
2) We can even log on through the internet using SSO.
3) SSO is represented in the form of an SNC (Secured Network Connection) string. For the SNC string to be activated, we need to configure certain DLL files at the OS level.
4) Once we have confirmed the DLL files, we need to go to SAPGUI, select one server, go to Properties -> Network, check the secure network settings and enter the SNC string.
Q) What are the Steps to Configure CUA?
CUA works with RFCs. Steps to configure CUA:
1) Create logical systems for all the clients (using BD54/SALE)
2) Attach the logical systems to the clients using SCC4
3) Create user CUA_SID in the central system with 3 roles and create user CUA_SID_CLIENT <number>/name in the child system with 2 roles.
4) Create RFCs to child systems from central and central to child using SM59
5) Log on to central system using SCUA to config CUA (Central User Admin)
6) Enter the model view and enter all child system RFC’s
Q) If all the users are locked by mistake, how do we connect to the SAP system?
A) Follow these steps:
Step 1) Go to OS level, connect to the Oracle DB and execute the following SQL statements
Select * from <Application Server name>.USR02 where bname='SAP*';
Delete from <Application Server name>.USR02 where bname='SAP*';
Step 2) Then log in as the SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.
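Unlocking all users in Step 3 also releases accounts that an administrator locked on purpose, so it helps to first sort the locked users by lock reason. The following is an added example, not part of the original Q&A. It assumes a CSV export of USR02 with the columns MANDT, BNAME and UFLAG, and it assumes the usual UFLAG bit values (32 = central CUA lock, 64 = administrator lock, 128 = failed-logon lock), which come from general SAP knowledge rather than from this page. The sample rows are constructed.

```python
import csv
import io

# USR02.UFLAG bit values (assumption from general SAP knowledge, not from this page).
LOCK_BITS = {
    32: "locked centrally (CUA)",
    64: "locked by administrator",
    128: "locked after failed logons",
}

# Constructed sample export of MANDT, BNAME, UFLAG (not real data).
SAMPLE_EXPORT = """MANDT,BNAME,UFLAG
100,JSMITH,128
100,LEAVER01,64
100,BATCH_RFC,0
100,CONTRACTOR7,192
100,KMILLER,32
"""


def lock_reasons(uflag):
    """Return the lock reasons encoded in a UFLAG value."""
    reasons = [text for bit, text in sorted(LOCK_BITS.items()) if uflag & bit]
    unknown = uflag & ~sum(LOCK_BITS)  # bits this table does not know
    if unknown:
        reasons.append(f"unrecognised bits {unknown}")
    return reasons


def triage(export_text):
    """Split locked users into (safe to unlock, keep locked)."""
    unlock, keep = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        flag = int(row["UFLAG"])
        if flag == 0:
            continue  # user is not locked
        entry = (row["MANDT"], row["BNAME"], lock_reasons(flag))
        # Only a pure failed-logon lock is released; anything set by a
        # person, or any unknown bit, stays locked for manual review.
        (unlock if flag == 128 else keep).append(entry)
    return unlock, keep


if __name__ == "__main__":
    to_unlock, to_keep = triage(SAMPLE_EXPORT)
    for label, group in (("UNLOCK", to_unlock), ("KEEP LOCKED", to_keep)):
        for mandt, bname, reasons in group:
            print(f"{label:12} {mandt} {bname:12} {'; '.join(reasons)}")
```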
Q) There is one derived role. If I copy that derived role, will the new role have the same parent (master) role as the derived role it was copied from? If so, why, and if not, why not?
A) Yes. If I copy a derived role, the parent role of that derived role also becomes the parent role of the new role, because a derived role gets all its transactions and authorizations from the parent role only. When we copy a role, all the transactions and authorizations are copied from the role we are copying from, whether that is a parent role or a derived role.
Q) What is the organizational level ?
A) Organizational levels are customer-specific enterprise structures that are subject to authorization checks and vary by module. It maintains:
Purchase Order and so on....
Q) How many composite roles can be assigned to a user ?
A) Ideally there is no limit on the number of composite roles/single roles that can be assigned to a user. But keep in mind that the user buffer can hold only 312 profiles for a user. Hence there is no use in assigning roles that amount to more than 312 profiles to a user. To extend the authorizations beyond 312 profiles, use a reference user.
SAP_ALL is said to be a good example of a composite role, so is there any single role limit in SAP_ALL? There is no limit on adding single roles to a composite role.