May 31, 2016



Q) What is the difference between the VIRSA tool and GRC, and does the VIRSA tool support ECC 6.0? What is GRC? What is the SAP VIRSA tool?

GRC stands for Governance, Risk, and Compliance. The goal of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business. This means ethical business processes should comply with effective process controls as required by the related industry business processes, accounting processes and government policy. In conclusion, government organizations and public organizations registered on local stock markets are accountable for having effective governance and process controls to protect shareholder rights and prevent organized corporate fraud and scams.

GRC tools and IT applications
There are many GRC audit tools on the market to facilitate internal and external audits of companies.

Q) What is SAP VIRSA Tool ?

 1) Access controls, 2) Process Controls.
It has 4 sections to audit the system:
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access enforcer.
VIRSA has now been taken over by SAP AG. It is now part of NetWeaver as an add-on.
VIRSA produced a number of tools; the most commonly used was Compliance Calibrator.
SAP acquired VIRSA and integrated its tools into the SAP GRC suite of products, which has a wider span than the VIRSA products.
You can use the VIRSA tools in ECC 6. As the company no longer sells these products, a candidate referring to VIRSA when they mean SAP GRC is an easy way to tell that they do not understand the GRC topic.
GRC as a subject has been hijacked by SAP's use of the term; real GRC is much wider than a set of tools which can automate part of the GRC process.

Q) What is FireFighter ? When do we use FireFighter ?

If you have implemented VIRSA/GRC, a FireFighter ID is a normal user ID that has some specific access (say SU01 or SAP_ALL) as per the needs. Its user type is kept as "service user". Example: in your project you are a security administrator who does not have direct access to SU01, but you need the access urgently.
The FFID owner/administrator then assigns you an FFID for a limited period so that you can perform the task: you log on with your own login ID and password, run t-code /n/VIRSA/VFAT and log in with that FFID.
While logging in you will be prompted to give a business reason for the access. Everything you perform in that period (using the FFID) gets recorded for auditing.

Q) What is the difference between SoX and SoD ? What kind of work does SoX do, and what does SoD do ? What is VIRSA ?

SoX - refers to the Sarbanes-Oxley Act of the early 2000s. It impacts all US companies, whether they operate in the US or outside (in other countries). Some people think this act is significant, coming after the fall of big companies such as Enron.
SoD - refers to Segregation of Duties. Basically, one person cannot have access to the whole process. The task needs to be segregated so that there are checks and balances.
VIRSA - is one of the third-party tools used to check for SoX compliance in a company. There are also other products such as APPROVA and SecurInfo. VIRSA has since been bought by SAP and rebranded as GRC (Governance, Risk and Control).

Q) What is the use of Detour path ? How Fork path differs from Detour path ?

If a workflow (WF) fulfills a certain condition, e.g. an SoD violation, the original workflow ends and takes a predefined alternative route (detour). This workflow can contain other stages and additional approvers.
A fork is a way to split up a workflow from a single initiator between SAP and non-SAP systems.

Q) What is the name of background job in FF that is responsible for sending notification and logs to FF id controller ?


Q) What is the Rule Set in GRC ?

A Rule Set is nothing but a collection of rules. There is a default Rule Set in GRC called the Global Rule Set.

Q) How can you reassign FireFighter IDs from one FireFighter Admin to another FireFighter Admin if the current Admin leaves the organization without telling anybody ?

Take the user ID of the person who left the company, go to t-code SE16, enter the table name /VIRSA/zffusers and execute.
In the second column enter the user ID of the person who left and execute; this gives the list of FF_IDs assigned to that user. Note those FF_IDs, run t-code /n/VIRSA/VFAT, go to the maintain FF_IDs table and replace the old user ID with the new person's user ID.



Q) How to find out all activities (ACTVT) in SAP ?

All possible activities (ACTVT) are stored in table TACT, and the valid activities for each authorization object can be found in table TACTZ.

Q) How to remove duplicate roles with different start and end date from user master ? 

Duplicate roles assigned to a user can be removed using PRGN_COMPRESS_TIMES.

Q) What is the main difference between role and profile ?

Role: Collection of Transaction Codes Only (No linked authorization Objects)
Profile: It contains the related Authorization Object, Fields and Values of the transaction codes.

A role is a set of functions/activities assigned to a user based on his business role. Assigning a role to the user does not mean that the user has access to execute those functions. This is ruled by profiles. Profiles are required to give the necessary authorization to the users through the respective roles.

Q) What troubleshooting do we get from transactions like SU53, ST01, SUIM and ST22 ?

SU53: Gives a screenshot of the details of the last missing authorization for the user ID.
ST01: Sometimes SU53 will be wrong; ST01 performs a trace and records the authorization checks for the user ID.
SUIM: Used to pull authorization reports; usually we analyze the output of SU53 and ST01 and use it as input for SUIM to pull the authorization reports.

Q) What is the difference between authorization user group and logon group ?

Authorization user group is used for user management purpose. Each user group is managed by certain security administrators. Authorization object S_USER_GRP determines users of which user group can be administered by a certain user admin. Those users who are not assigned to any user group can be administered by all the security user admins.

Logon groups are generally created by SAP Basis Administrators and used for logon load balancing. These are logical groups of users. These users can be assigned to one or more SAP instances. When a Logon group is assigned to an SAP instance, all users belonging to that logon group would by default logon to that particular instance. Hence logon group helps in load balancing.

Q) What steps are checked by the system when an interactive user executes a transaction code ?

Various steps are checked when a user executes a transaction code:

1. First it is checked whether the transaction is a valid transaction code. This is checked in the TSTC table. If the tcode does not exist, the system gives the message that the transaction does not exist.
2. If the tcode is a valid tcode, then the system checks whether the tcode is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked or unlocked.
3. The system then checks if the user has necessary tcode value maintained in authorization object S_TCODE in his/her user buffer. If the authorization object S_TCODE contains the required tcode, then the system checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in TSTCA table.
4. Further authorization check takes place based on the values present in the source code under “Authority-check” statement and the activity performed by the user.
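
The four checks above, simulated in Python as an added example (it is not code from this page or from SAP). The table contents, the `UserBuffer` class and the `start_transaction` helper are constructed for illustration; real TSTC/TSTCA entries and value matching (ranges, for instance) are richer than modelled here.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed stand-ins for the tables named above (not real system data).
# TSTC: known tcodes; "locked" models the lock information held in field CINFO.
TSTC = {
    "SU01": {"locked": False},
    "VA01": {"locked": False},
    "SE16N": {"locked": True},
}
# TSTCA: additional start check assigned to a tcode via SE93 (object, field values).
TSTCA = {"SU01": ("S_USER_GRP", {"ACTVT": "03"})}


def value_allowed(allowed_values, value):
    """True if any maintained value or pattern (e.g. '*', 'VA*') covers value."""
    return any(fnmatchcase(value, pattern) for pattern in allowed_values)


@dataclass
class UserBuffer:
    """Hypothetical model of the user buffer (what SU56 displays).

    auths maps an authorization object to a list of authorizations; each
    authorization maps a field name to the values maintained for it.
    """
    auths: dict = field(default_factory=dict)

    def check(self, obj, required):
        # Every required field must be satisfied by ONE authorization;
        # values are never combined across different authorizations.
        for auth in self.auths.get(obj, []):
            if all(value_allowed(auth.get(f, ()), v) for f, v in required.items()):
                return True
        return False


def start_transaction(tcode, buffer, code_checks=()):
    """Run the four steps in order and return (allowed, reason).

    code_checks lists the (object, field values) pairs that the program's
    AUTHORITY-CHECK statements would test for the activity being performed.
    """
    entry = TSTC.get(tcode)
    if entry is None:                                   # step 1: valid tcode?
        return False, "transaction does not exist"
    if entry["locked"]:                                 # step 2: locked?
        return False, "transaction is locked"
    if not buffer.check("S_TCODE", {"TCD": tcode}):     # step 3: S_TCODE
        return False, "no S_TCODE authorization"
    extra = TSTCA.get(tcode)                            # step 3: SE93 / TSTCA check
    if extra and not buffer.check(*extra):
        return False, f"missing {extra[0]} start authorization"
    for obj, required in code_checks:                   # step 4: AUTHORITY-CHECK
        if not buffer.check(obj, required):
            return False, f"AUTHORITY-CHECK failed for {obj}"
    return True, "ok"


# Constructed user: may start SU01, display users of any group, change only group HR.
HELPDESK = UserBuffer({
    "S_TCODE": [{"TCD": ["SU01", "SE16N"]}],
    "S_USER_GRP": [
        {"CLASS": ["*"], "ACTVT": ["03"]},
        {"CLASS": ["HR"], "ACTVT": ["02"]},
    ],
})
CHANGE_FI_USER = [("S_USER_GRP", {"CLASS": "FI", "ACTVT": "02"})]
CHANGE_HR_USER = [("S_USER_GRP", {"CLASS": "HR", "ACTVT": "02"})]

if __name__ == "__main__":
    for tcode, checks in [("ZZ99", ()), ("SE16N", ()), ("VA01", ()),
                          ("SU01", CHANGE_HR_USER), ("SU01", CHANGE_FI_USER)]:
        print(tcode, start_transaction(tcode, HELPDESK, checks))
```

The last case fails even though the buffer holds both `CLASS = *` and `ACTVT = 02`, because those values sit in two different authorizations.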

Q) How to extract a list of users who have not logged in for 3 months ? And which table do we use for the 90-day user locking ?

T-code SUIM: Users -> click on By Logon Date and Password Change -> enter * in User, enter 90 in No. days since last logon, check Locked users and then execute. Alternatively, use report RSUSR200 to get the information.

Q) What is OSS Connection and System Opening and why we have to open these ? 

OSS means Online Service System, through which SAP provides service to R/3 users.

Q) What does one single role contain, and how many profiles can there be in one SAP CUA system ?

A single role contains t-codes, reports and URLs, profiles and users. The maximum number of profiles is 312.

Q) What is the difference between SE16 and SE16N  ?

SE16 - SAPLSETB - Data Browser
SE16N - RK_SE16N - General Table Display

SE16: SE16 is a data browser used to view the contents of a table. We cannot change or append new fields to the existing structure of the table, as SE16 does not offer a structure-level display.

SE16N: The transaction code SE16N (general table display) is an improved version of the old data browser (SE16). It has been around for some time, but is not widely known amongst Consultants and end users of SAP. It looks a bit different to the old “data browser” functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" without the quotation marks into the transaction code. This enables editing functionality on SE16N and allows you to make table changes. This allows you to access both configuration and data tables which may be otherwise locked in a production environment.

** Whilst this may appear to be a short cut and allow you to access a back door which is normally shut, this hidden feature should be used with caution in any SAP client - especially a live or production system.

New Features of SE16N:
** The new transaction has a number of distinct advantages over SE16.
** You no longer have a maximum of 40 fields to select in the output.
** There are fewer steps involved in executing a number of functions, whether it be outputting the results, maintaining the values in a table etc.
** Exporting the data into Excel is far easier and quicker
** ALV functionality is available as standard
** The user is not restricted by having a maximum width of 1023 saved as a default in the user settings.

Limitations of SE16N:
** You can only output one table at a time. If you wish to output more than one table you can use the available reporting tools or the QuickViewer (transaction code SQVI) functionality within SAP.

Q)  How many transaction codes can be assigned to a role ?

A maximum of around 14000 transaction codes can be assigned to a role.

Q)  What is the difference between ECC security and RAR security when GRC is used, when similar functionality can be performed SAP R3 level (ECC) ?

ECC and RAR are different. ECC is a system, whereas RAR is a tool.
ECC security involves security data, t-code access, report access and maintaining the authorizations.

RAR (Risk Analysis and Remediation) is a tool used for risk analysis and its remediation, as the name suggests. This tool determines all potential risks that arise if a t-code/object/role/authorization is assigned to a user. The tool also helps to remediate that risk using mitigation techniques.

Put simply, in the ECC system you cannot find any risk while assigning roles.

The RAR tool, however, checks the risk of that particular assignment, and if a risk is there we can mitigate and simulate that risk. It is purely for SoD (segregation of duties).
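
What a rule set and an SoD risk analysis with mitigation and simulation amount to, as an added Python example (not code from this page and not how the SAP tool is implemented). The function names, risk IDs, roles, users and the mitigating control are all constructed, and the check works on t-codes only, which is a simplification.

```python
# Constructed rule set: a function groups tcodes, and a risk pairs two functions
# that one person should not hold together. IDs and names are illustrative only.
FUNCTIONS = {
    "F_PRICING": {"VK11"},
    "F_SALES_ORDER": {"VA01"},
    "F_USER_MAINT": {"SU01", "SU10"},
    "F_ROLE_MAINT": {"PFCG"},
}
RULE_SET = {
    "R001": ("F_PRICING", "F_SALES_ORDER"),
    "R002": ("F_USER_MAINT", "F_ROLE_MAINT"),
}
# Constructed roles and assignments.
ROLE_TCODES = {
    "Z_SALES_CLERK": {"VA01"},
    "Z_PRICING_ADMIN": {"VK11"},
    "Z_USER_ADMIN": {"SU01", "SU10"},
    "Z_ROLE_ADMIN": {"PFCG", "SU01"},   # this single role already spans R002
}
USER_ROLES = {
    "ALICE": {"Z_SALES_CLERK", "Z_PRICING_ADMIN"},
    "BOB": {"Z_ROLE_ADMIN"},
    "CAROL": {"Z_SALES_CLERK"},
}
# Mitigating controls already accepted for a (user, risk) pair.
MITIGATIONS = {("BOB", "R002"): "MC01 monthly review of user change documents"}


def tcodes_of(roles):
    """All tcodes granted by a set of roles."""
    return set().union(*(ROLE_TCODES[r] for r in roles))


def risks_for(roles):
    """Return {risk_id: (tcodes on side A, tcodes on side B)} for violated risks."""
    held = tcodes_of(roles)
    found = {}
    for risk_id, (func_a, func_b) in RULE_SET.items():
        hit_a = held & FUNCTIONS[func_a]
        hit_b = held & FUNCTIONS[func_b]
        if hit_a and hit_b:          # both sides of the conflict are reachable
            found[risk_id] = (sorted(hit_a), sorted(hit_b))
    return found


def analyze(user_roles, mitigations):
    """User-level analysis: sorted list of (user, risk_id, 'open' | 'mitigated')."""
    report = []
    for user, roles in sorted(user_roles.items()):
        for risk_id in sorted(risks_for(roles)):
            status = "mitigated" if (user, risk_id) in mitigations else "open"
            report.append((user, risk_id, status))
    return report


def simulate(user, extra_role, user_roles):
    """Risks that would be new for the user if extra_role were assigned.

    Nothing is changed; this is the 'what if' check run before provisioning.
    """
    current = user_roles.get(user, set())
    before = risks_for(current)
    after = risks_for(current | {extra_role})
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    for row in analyze(USER_ROLES, MITIGATIONS):
        print(row)
    print("CAROL + Z_PRICING_ADMIN ->", simulate("CAROL", "Z_PRICING_ADMIN", USER_ROLES))
```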

May 29, 2016



Q) How do you get tickets from end users ? Which ticketing tool are you using ?

Generally tickets are raised by the end users or clients.
Each organization has a separate tool for tickets, and the team leader then allots the tickets to the corresponding person through mail.
Ticketing tools: HP OpenView, Remedy, mail (Microsoft Outlook), Lotus Notes, Magic
HPSD - HP Service Desk. Users first send mails to 1st-level support stating their issue; support then creates a service call and assigns it to the respective team. A unique number is provided, called the service call number, and it is used as a reference number in future.

Q) What is difference between ECC 4.7, ECC 5 and ECC 6 from SAP Security point of view ?

SAP ECC 4.7 is an ABAP-based system; here we deal only with R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means Enterprise Portal is also included. Here we have both R/3 security for the ABAP stack and Java stack security, which is part of the portal concept (Enterprise Portal Security).
SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0 but not on ECC 4.7.

Q) What is Role Matrix ?

A Role Matrix is nothing but a grid in which we maintain t-codes against roles:
T-code   z_singlerole   z_dervir
PFCG     x              -
SU01     -              x
VA01     x              -
VK11     -              x
Based on the business process approvers, we can assign t-codes to particular roles.

Q) What are the steps to create a user in SAP ?

Following are the steps to create user in SAP:

1. Log on to the SAP system and execute transaction code SU01. (Path to SU01 via the user menu: Tools -> Administration -> User Maintenance -> Users)
2. Give a username in the “User” field and click create. In the next screen, there are various tabs like Address, Defaults, Parameters, Roles, Profiles etc.
3. In the “Address” tab, fill the necessary fields (Last Name is mandatory).
4. In the “Logon data” tab, select the “User Type” and fill “Initial Password” (Initial Password is mandatory in all cases except if the “User Type” selected is “Reference”).
5. Similarly fill other information in rest of the tabs viz. “Defaults”, “Parameters”, “Systems”, “Roles”, “Profiles” etc.
6. Now click on Save. User is created.

Q) What are different types of users in SAP System ?

Different user types are:
(1) Dialog
(2) Service
(3) System
(4) Communication
(5) Reference

Q) What mandatory fields need to be filled while creating a user in SAP ?

Last name is mandatory for creating any user type. Initial password needs to be given for all user types except “Reference users“.

Q) Which table contains the list of developers (development users) including registered Developer access keys ?

DEVACCESS table contains the list of developers and their developer access keys.

Q) What does table TSTCP contain ?

Table TSTCP contains information related to parameterized transactions for tables or views.

Q) How can we schedule and administer background jobs ?

Scheduling and administration of background jobs can be done using t-codes SM36 and SM37.

Q) I have deleted a single role from a composite role, and now I want to find the changes in the composite role without using SUIM. Is there any other way to get them ?

Yes, it is possible from the role screen itself.
Go to the menu bar.
Go to Utilities ---> Change documents. You can also see it in the AGR_AGRS table.

Q) How many authorizations fit into a profile ?

A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this value, the profile generator automatically creates one more profile for the role.

Q) How many profiles can be assigned to any user master record ? 

Maximum number of profiles that can be assigned to any user master record is 312. Table USR04 contains the profiles assigned to users. The field PROFS in USR04 table is used for saving the change flag and the name of the profiles assigned to the user. The change flags are – C which means “User was created” and M which means “User was changed”. The field PROFS is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.



Q) How do we know who made changes to Table data and when ?

If checkbox for table Log Changes is enabled, table DBTABLOG keeps all the log data for the related table.

Q) What is a composite role ?

A composite role is like a container which contains several single roles. They do not contain authorization data and the authorization needs to be maintained in each role of the composite role. A composite role cannot be added to a composite role. The users assigned to a composite role are automatically assigned the corresponding single roles.

Q) What is the difference between USOBX_C and USOBT_C ?

USOBX_C and USOBT_C are tables which are used for SU24 transaction code.

The table USOBX_C defines the status of authorization checks for authorization objects, i.e. whether the “check indicator” is set to yes or no. It also defines the proposal status, i.e. whether the authorization check values are being maintained in SU24 or not.

The table USOBT_C defines the “values” which are maintained for check-maintained authorization objects.

Q) How can we convert Authorization Field to Org Field ?

The report PFCG_ORGFIELD_CREATE is used for converting an Authorization Field to Org Level Field. It can be executed using SA38/SE38 tcode.

There is a bit of caution involved here. Make sure that whatever change related to this conversion is made is done in the initial stage of security role design/system setup. In case this task is performed at a later stage, there is a risk that this will impact lots of existing roles. All those roles would require analysis and authorization data will have to be adjusted.

NOTE : Authorization fields TCD (Tcode) and ACTVT (Activity) cannot be converted to org level fields.

Q) How do we find all activities in SAP ?

All Activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16 tcode.

Q) What important authorization objects are required to create and maintain user master records ?

Following are some important authorization objects which are required to create and maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q) Which table is used to store illegal passwords ?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.

Q) Explain the concept of “Status Text for Authorizations” – Standard, Changed, Maintained and Manual.

• Standard – It means that all values in the authorization fields of an authorization instance are unchanged from the SAP default values (i.e. the values which are pulled from SU24).
• Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value. Other fields already having some value have not been touched.
• Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
• Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.

Q) What is the difference between Role and Profile ?

A Role is like a container which contains authorization objects, transaction codes etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated which contains authorizations (instances of authorization objects).


PFCG_TIME_DEPENDENCY is a report which is used for user master comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up the expired profiles from user-master record. Role name still remains in the SU01 tab of the user. Transaction code PFUD can also be used to directly execute this report.

Q) What are the different tabs in PFCG ?

Following are some of the important tabs in PFCG:

• Description - We define the role name and role text. We also have a text description option at the bottom where we can provide other details related to the role. Those details can be the ticket no through which the role was created, the various changes (addition/removal of tcodes, authorization objects etc) and the date when those changes took place and the user who performed that task etc. It is a good practice to make use of this space as it helps in identifying the reasons for changes.
• Menu - For designing user menus like for addition of tcodes etc.
• Authorizations - For maintenance of Authorization data. Also for generating authorization profile.
• User – For assigning users to role and for adjusting user master Records.

Q) What does user compare do ?

When a role is used for generating authorization profile, then the user master record needs to be compared so that the generated authorization profile can be entered in the user master record. This comparison is done using tcode PFUD or by scheduling the report PFCG_TIME_DEPENDENCY.

Q) What is user buffer ?
A user buffer contains all authorizations of a user. Each user has his own user buffer and it can be displayed by executing tcode SU56. The authorization check fails when the user does not have the necessary authorization in his user buffer or if the user buffer contains too many entries and has overflowed. The number of entries in the user buffer is controlled using the profile parameter “auth/auth_number_in_userbuffer”.



Q) What are various user types ?

Dialog user 'A'
Individual system access (personalized). Logon with SAPGUI is possible; the user is therefore interaction-capable with the SAPGUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logon is checked. Usage: for individual human users (also Internet users).

System user 'B'
System-dependent and system-internal operations. Logon with SAPGUI is not possible; the user is therefore not interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. Multiple logon is permitted. Usage: internal RFC, background processing, external RFC (for example, ALE, workflow, TMS, CUA).

Communication user 'C'
Individual system access (personalized). Logon with SAPGUI is not possible; the user is therefore not interaction-capable with the SAPGUI. Expired or initial passwords are checked, but the conversion of the password change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*) Users have the option of changing their own passwords. Usage: external RFC (individual human users).

Service user 'S'
Shared system access (anonymous). Logon with SAPGUI is possible; the user is therefore interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted. Usage: anonymous system access (for example, public Web services).

Reference user 'L'
Authorization enhancement. No logon possible. Reference users are used for authorization assignment to other users. Usage: Internet users with identical authorizations.

Q) What is the difference between Template role & Derive role ? 

A template role is nothing but a default role provided by SAP. A template role might be a single, composite or derived role. Template roles do not have generated profiles or authorizations, are not assigned to users, and do not have org levels maintained.
A derived role is nothing but a single role derived from a master role; its org levels can be restricted and it can be assigned to users.

Q) What is the advantage of CUA from a layman/manager point of view ?

CUA - Central User Administration
The advantage of CUA is that it saves time: users are created in one single system and distributed to the respective systems (where the user ID is requested). This avoids logging on to each individual system.

Q) What is the procedure for deleting a role ?

You can't delete the role in the Production system.
First you have to delete the role from the development system.
In the DEV system, go to PFCG, enter the name of the role you want to delete and create a transport request, but don't release it. After creating the transport request, delete the role from PFCG in the DEV system. Then transport the request to the Testing and Production systems. Once the request has been transported successfully, the role is deleted from those systems as well.
1) Create a transport request for the role but don't release it.
2) Delete the role from the system.
3) Release the transport request.

Q) If we delete a Role can we transport it, if yes then how ?

Yes, add that role to a transport request first and then delete it from the DEV system. After deletion, transport it to the QA and PROD systems.

Q) When creating a role, what should we write in the description, and what does your company follow ?

The description of a role defines the role-related activity in short. Just by seeing the description of the role, one can easily know the role details, such as: which SAP module the role belongs to (MM/PP/FICO); the company code/org level values; restricted values, which can also be mentioned there; and the activity performed after assigning that particular role.

Q) Can you tell me some of the password related parameters ?

Password related parameters are:
login/min_password_lng (defines the minimum length for the password)
login/password_expiration_time
These are the main parameters, which can be maintained via t-code RZ10.

Q) What is the use of CUA ?

CUA: Central User Administration
1. Using CUA, you can reset the password globally (that is, in a single shot you can reset the password for all child systems, or reset it for an individual system through CUA).
2. No password reset tag in individual systems
3. Using CUA, you can unlock and lock the users.
4. Using CUA, you can assign the roles to particular system
5. Using CUA, you can add systems to particular user

Q) What are the types of requests ? And which we create for transportation ?

Generally there are two types of transport request.
1) Workbench Request: Client independent, used generally in CUA where changes made are transported to cross-client tables.
2) Customizing Request: Client dependent.

Q) I want to reset the passwords of 100 users. How do you do it ?

Mass password resetting is the easiest task. Log in to t-code LSMW. Create a project, which is very easy. Record a batch input session and run it. It hardly takes 2 minutes. Alternatively, use a SECATT script.



Q) Is it possible to assign two roles with different validity periods to a user in one shot through GRC ? If yes, how ?

If you are talking about the GRC Access Enforcer tool, then there is an option of a validity period for a role while creating an Access Enforcer request. When you go to the button "Select roles" and search for and add a role in the Role tab, you can see the column Validity period, which you can change. And you can add multiple roles to one user by just performing the "Add" role activity. I hope this is what you are asking for.

Q) How to get the E-Mail address for 100 users at a time ?

Use a SECATT script. Alternatively, to get the email addresses of a number of users, go to SE16, open table ADR6 and give the person number or address number.
To get the address number or person number, go to table USR21 and extract the data of the users.

Q) While Creating BW roles what are the Authorization Objects we will use ?

 s_rs_auth, s_rs_icube, s_rs_odso, s_rs_mpro, s_rs_ipro, s_rs_admwb (for BI consultants & admins) and s_rs_rsec (for BI Security consultant)

Q) When do we change the password for many users (for example, 100 users) ?

a) At the time of implementation, when we create users and passwords.
b) Depending on business users' requests.
c) If locked users need to be unlocked and put back into use, we generate new passwords.
d) On a monthly or quarterly basis we send a message to end users to change their passwords.
e) When users get locked due to incorrect logons.
f) When users are locked on expiration of their user IDs.

Q) (A) Where is the password stored ?
(B) From where can you re-collect the password ?
(C) How will you communicate the password to all users at a time ?

A) Password information is stored in table USR02.
B) There is no re-collect password process in SAP; the user needs to send a request to the security team to re-issue a new password.
C) We can do it through a SECATT script.

Q) What is Virsa ? Once you have entered the screen, what does it do ?

Before GRC came into the picture there were other tools on the market for doing this analysis: VIRSA and APPROVA. Both are Indian companies. VIRSA developed tools like Firefighter, Compliance Calibrator, Access Enforcer and Role Expert to do risk analysis, but in the year 2006 VIRSA was taken over by SAP and the tools were renamed Superuser Privilege Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP) and Enterprise Role Management (ERM) respectively.
Virsa FireFighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.

Q) What is the use of SU24 & SM24 ? 

There is no SM24 t-code in SAP. In SU24 we can maintain the assignment of authorization objects to a particular t-code: we can check the relation between the t-code and the authorization objects concerned and make changes according to business needs. In other words, it maintains authorizations together with their fields and field values.

Q) What are Dialog users, Batch users and Communication users ? What is the use of a Communication user ?

A Dialog user is used by an individual for all kinds of logon. A Batch user is used for background processing and communication within the system. A Communication user is used for external RFC calls (we can connect across systems).

Q) Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests ? 

We cannot add a composite role into another composite role but we can add multiple derived roles into one composite role.

Q)    In Transport what type of Request we will use. Why don't we use workbench request in transport ?

Most of the time we transport workbench and customized requests. 95% of the time we do customized transports, as we do settings, configurations, creation etc. in the DEV system and transport them to the QUA or PRD systems.
When settings, configurations etc. are done by BASIS, Security and Functional consultants, they are treated as customized; when ABAPers create programs, packages etc. and transport them, those are treated as workbench.

Q)    When we added Authorization Object in Template role, at the same time what will be happen in Derived role ? 

Template roles are provided by default by SAP when we do the implementation (install SAP). When we want to use a template role we should not use that role directly; instead we can use the COPY option to copy it and customize it according to our business needs.

Q) How to check profile parameters ? And how and where can we check whether any transport has ended with an error ?

Use t-code RZ10 to check profile parameters, and t-code STMS to check the transport error logs. Click on Import Overview (truck icon) in the STMS screen; the next screen has options such as Import Monitor, Import Tracking and Import History, which show the transport issues.

May 28, 2016



Q) If we add org level elements in a master role will it reflect in child role and how AGR_1252 will act as a barrier ?

Org level elements do not take effect in child roles. AGR_1252 shows the org values related to a role.

Q) How to do mass user-to-role assignment using SECATT: will you use SU01 or SU10 ? Explain why you will use SU10 and not SU01.

We can assign role to mass users using SU10. We can do the same with SECATT.

Q) Can SU10 be used for mass password reset? Why not?

The password reset option is not available in SU10 for mass user maintenance.

Q) If you want to reset the password for, say, 100 users in Production, how will you do it?

We can use SAP GUI scripts or SECATT to do it.

Q) Explain Steps 2A and 2B in SU25 ? 

2A: This compares the Profile Generator data from the previous release with the data for the current release. New default values are written in the customer tables for the Profile Generator. You only need to perform a manual adjustment later (in step 2B) for transactions in which you changed the settings for check indicators and field values. You can also display a list of the roles to be checked (step 2C).

2B: If you have made changes to the check indicators or field values in transaction “SU24”, you can compare these with the new SAP defaults.
You can see the values delivered by SAP and the values that you changed next to each other, and can make an adjustment, if desired. You can assign the check indicators and field values by double-clicking the relevant line.

Q) What is the difference between Derived Role & Copy Role ? Can't we just do a copy instead of deriving it when both have the same characteristics or inputs or functions ?

Derived role: A derived role inherits all properties from the master role, which means all authorizations. If you make any changes in the master role, they are reflected in the child role, but not vice versa. We can't add any authorizations in a derived role, but we can maintain org levels.

Copy role: Copying a role means creating a role that is the same as an existing role. Its name should be changed. There is no relation between the existing role and the copied role.

Q) What is the difference between PFCG, PFCG_TIME_DEPENDENCY & PFUD ?

PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison; the difference is that if you schedule the background job on a daily basis, it will do the mass user comparison automatically.

Q) What does the Profile Generator do ?

We can create, transport, copy, download and modify roles; all of these things are done from the PFCG t-code.

Q) What is the main purpose of Parameters, Groups & Personalization Tabs ?

Parameters: whenever a user wants some default values when he/she executes a t-code, we can maintain some PIDs with the help of ABAPers.
Groups: based on user roles and responsibilities, the security admin can assign the user to a particular group.
Personalization: this data is provided by SAP itself, based on the t-codes which are maintained in the menu tab.

Q) Purpose of Miniapps in PFCG ?

Using mini apps we can add some third-party functionality.

Q) What happens to change documents when they are transported to the production system ?

Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'before input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand.

The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.

Q) What do you know about LSMW ?

LSMW is used for creating a large number of users at a time.

Q) Difference between SU22 and SU24 ?

SU22: maintains standard t-codes and their standard authorization objects (USOBX and USOBT).
SU24: here we can maintain customer-related t-codes and their authorization objects (USOBX_C and USOBT_C).

Q) What is the landscape of GRC ?

The GRC landscape is development and production.

Q) What is the difference between Template role & Derive role ?

Template role: it is provided by SAP itself.
Derived role: a role which is derived from a master role. It can inherit the menu structure, t-codes and all, but it can’t inherit the organization levels; here we can maintain organization levels only.



Q) What is SOD (Segregation of Duties) ?

SOD stands for segregation of duties. It is a primary internal control to prevent risk, identify a problem and take corrective action. It is achieved by assuring that no single user has control over all phases of a business transaction.
E.g.: the staff member who creates a purchase order must not approve the same order; there must be a different person to approve it.

Q) How do we restrict authorization groups for table maintenance, creating new authorization groups in SE54 to restrict tables via authorization object S_TABU_DIS ?

We can restrict authorization groups via object S_TABU_DIS. First we need to create an authorization group in SE54, then assign this authorization group in a role by using the object S_TABU_DIS.

Q) How to create new authorization object ?

1. To create the authorization object, choose the SU21 transaction.
2. First double-click an object class to select it.
3. Provide the name of the object and relevant text.
4. Add the fields that should be included in the new authorization object.
5. Hit Save. Once you click on save it will ask for package details (select the relevant package from the drop-down list); save again.
6. The new authorization object is created now.
7. Click on permitted activities to select the activities and save the changes.

Q) What is the difference between Parent role and Composite role ?

A composite role is a collection of single roles.

The parent role concept comes from derived roles, where one role is derived from another role (like inheritance). Whatever changes you make to the parent role are automatically applied to the derived role as well.

Q) How can I assign the same role to 200 users ?

You can do it using PFCG -> enter the role -> change -> go to the users tab -> paste the users -> click on user comparison -> complete comparison -> save the role, and it's done.

Alternatively, one can use the "Authorization Data" functionality in transaction SU10 to complete this task.

Q) Difference between USOBT_C and USOBX_C ?

USOBX_C defines which authorization checks are to be performed within a transaction and which are not. This table also determines which authorization checks are maintained in the Profile Generator.

USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q) What are USOBT and USOBX tables for ?

SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C.

Q) Difference between USOBT and USOBT_C ?

USOBT is an SAP-delivered table, whereas USOBT_C is a customer table. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.

Q) How do you create custom t-codes ?

Yes, we can create custom t-codes in SE93.

Q) Difference between customizing request and workbench request ?

A customizing request is client dependent. A workbench request is client independent.

Q) To transport SU24 settings, which is used: a customizing or a workbench request ?

For transporting SU24 changes we need a workbench request, as these are client-independent settings.

Q) What do the different colored lights denote in the profile generator ?

There are three colors (like traffic lights) in profile generator:

Red – It means that some organizational value has not been maintained in org field in profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained)
Green – It means that all the authorization fields are maintained (values are assigned).

Q) Can a composite role be assigned to another composite role ? 

No. A composite role cannot be assigned to another composite role. Single roles are assigned to composite roles.

Q) What does the PFCG_TIME_DEPENDENCY clean up ?

The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be used for this purpose.

Q) How to prevent custom objects from getting added to SAP_ALL profile ? 

Go to table PRGN_CUST and set the following parameter: ADD_ALL_CUST_OBJECTS with value N.
Regenerate the SAP_ALL profile with report RSUSR406 so that the customer objects are removed from SAP_ALL. See SAP Note 410424 for more info.



1. Tell me about your SAP career ?

Elaborate on your complete SAP experience, and be truthful about it.

2. Tell me your daily monitoring jobs and the ones you worked on most ?

As part of my daily job as an SAP Security consultant, I have to take care of monitoring tickets and assigning them within the team. I have to take care of critical incidents and treat them as high priority for faster resolution. I have to troubleshoot the different authorization issues that users run into in their daily work.

3. Which version of SAP are you working on ? Is it a java stack or ABAP stack ?

You have to check this with your systems.

4. Tell me about derived role ?

Derived roles are used to restrict user access based on organizational level values. A derived role is derived from the master role and inherits all the properties except org level values.

5. What is the main difference between single role and a derived role ?

Main difference: we can add/delete the t-codes for single roles, but we can’t do it for derived roles.

6. Do S_TABU_DIS org level values in a master role get reflected in the child role ?

If we adjust the derived roles from the master role while updating the values in the master role, then the values will be reflected in the child roles.

7. Tell me the steps to configure CUA ?

Steps to Set Up the CUA
1. Create Administrator
2. Specify Logical systems
3. Assign logical systems to client
4. Create system users
5. Create RFC destinations
6. Create CUA
7. Set field distributor parameters
8. Synchronization of company addresses
9. Transfer Users

8. Is RAR a java stack or Abap Stack ?

RAR is Java stack. It was ABAP when it was called Compliance Calibrator.

9. What is the report which states the critical T-codes ?


10. What is the T-code to get into RAR from R/3 ?


11. Explain about SPM ?

SPM can be used to maintain and monitor super-user access in an SAP system. It enables super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors easily trace the critical transactions that have been performed by the business users.

12. What is the difference between Execution and Simulation in GRC RAR ?

Simulation: simulates the existing access together with additional access before the roles are assigned, and provides the SOD report for the access after the roles are assigned.
Execution: analyzes the user's existing access and provides the SOD report for that existing access. There are 2 options: ignore mitigation yes and ignore mitigation no.
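The SOD rule from the purchase-order example and the execution/simulation distinction above, as an added Python example (not SAP GRC code and not part of the original post). The role names, user IDs, risk ID and mitigation entry are constructed; ME21N, ME22N, ME23N and ME29N are standard SAP t-codes, and "ignore mitigation" is modelled as reporting a risk even when a mitigating control exists.

```python
# Constructed sample data: role names, user IDs, the risk ID and the
# mitigation entry are hypothetical. ME21N/ME22N (create/change purchase
# order) and ME29N (release purchase order) are standard SAP t-codes.
ROLE_TCODES = {
    "Z_PO_CREATOR": {"ME21N", "ME22N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_PO_DISPLAY": {"ME23N"},
}
USER_ROLES = {
    "ALICE": {"Z_PO_CREATOR"},
    "BOB": {"Z_PO_APPROVER", "Z_PO_DISPLAY"},
    "CAROL": {"Z_PO_CREATOR", "Z_PO_APPROVER"},
}
# A risk is a list of conflicting functions; a function is a set of t-codes.
SOD_RISKS = {
    "P001_CREATE_AND_RELEASE_PO": [{"ME21N", "ME22N"}, {"ME29N"}],
}
# (user, risk) pairs covered by an approved mitigating control.
MITIGATIONS = {("CAROL", "P001_CREATE_AND_RELEASE_PO")}


def analyze(user, roles, ignore_mitigation=True):
    """Return [(risk_id, [t-codes held per function])] for one access set."""
    held = set().union(*(ROLE_TCODES[r] for r in roles))
    findings = []
    for risk_id, functions in sorted(SOD_RISKS.items()):
        hits = [sorted(held & func) for func in functions]
        if not all(hits):
            continue  # user lacks at least one side of the conflict
        if not ignore_mitigation and (user, risk_id) in MITIGATIONS:
            continue  # mitigated risks are left out of the report
        findings.append((risk_id, hits))
    return findings


def execution(user, ignore_mitigation=True):
    """Risk analysis on the access the user already has."""
    return analyze(user, USER_ROLES[user], ignore_mitigation)


def simulation(user, extra_roles, ignore_mitigation=True):
    """Risk analysis on existing access plus roles not yet assigned."""
    return analyze(user, USER_ROLES[user] | set(extra_roles), ignore_mitigation)


if __name__ == "__main__":
    print("ALICE today:", execution("ALICE"))
    print("ALICE + approver:", simulation("ALICE", ["Z_PO_APPROVER"]))
    print("CAROL, mitigations honoured:", execution("CAROL", ignore_mitigation=False))
```

Simulation leaves `USER_ROLES` untouched, so the conflict is visible before the role request is approved.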

13. Difference between User Group in “Logon Data” and “Groups” tab in SU01 ?

The difference is that in the Logon Data group you can map one user to only one group, but in Groups you can map one user to multiple groups.

The group shown in Logon Data identifies which group the user belongs to, and the Groups tab is for adding that user to multiple groups. E.g.: if the user is a Basis employee, we group him in the Logon Data tab, and if we want to add him to more groups, we add those in the Groups tab.

14. Security admin put a trace on a user. But while analyzing, it shows "zero records" found. Then what to do ?

In general, the production system will be running on multiple application servers. Check through transaction code SM51 whether the user and the security admin are logged in to the same application server or not.

Before switching on the trace, please take care of the things below.

1. The user should log on to the same server.
2. Go to SM04 / AL08 to check the server details of the logged-in users and confirm that both are logged in to the same server.
3. Select the appropriate option, e.g. authorization kernel check, so that it will check the authorizations for what the user is going to run.

15. What is the difference between SU24, SU22, and SU21 ?

SU24: Authorization check under Transaction. SU24 can access customized tables USOBX_C and USOBT_C.

SU22: Authorization objects in transactions. SU22 can access standard tables USOBX and USOBT.

SU21: Maintain authorization Object.