May 29, 2016



Q) How do we know who made changes to Table data and when ?

If the Log Changes checkbox is enabled for a table, table DBTABLOG keeps all the change log data for that table.

Q) What is a composite role ?

A composite role is like a container which contains several single roles. They do not contain authorization data and the authorization needs to be maintained in each role of the composite role. A composite role cannot be added to a composite role. The users assigned to a composite role are automatically assigned the corresponding single roles.

Q) What is the difference between USOBX_C and USOBT_C ?

USOBX_C and USOBT_C are tables which are used for SU24 transaction code.

The table USOBX_C defines the status of authorization checks for authorization objects, i.e. whether the “check indicator” is set to yes or no. It also defines the proposal status, i.e. whether the authorization check values are being maintained in SU24 or not.

The table USOBT_C defines the “values” which are maintained for check-maintained authorization objects.

Q) How can we convert Authorization Field to Org Field ?

The report PFCG_ORGFIELD_CREATE is used for converting an Authorization Field to Org Level Field. It can be executed using SA38/SE38 tcode.

A word of caution: make any such conversion in the initial stage of security role design/system setup. If it is performed at a later stage, there is a risk that it will impact a large number of existing roles. All of those roles would then require analysis, and their authorization data would have to be adjusted.

NOTE : Authorization fields TCD (Tcode) and ACTVT (Activity) cannot be converted to org level fields.

Q) How do we find all activities in SAP ?

All Activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16 tcode.

Q) What important authorization objects are required to create and maintain user master records ?

Following are some important authorization objects which are required to create and maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q) Which table is used to store illegal passwords ?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.

Q) Explain the concept of “Status Text for Authorizations” – Standard, Changed, Maintained and Manual.

• Standard – It means that all values in the authorization fields of an authorization instance are unchanged from the SAP default values (i.e. the values which are pulled from SU24)
• Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value. Other fields already having some value have not been touched.
• Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
• Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.
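
The four status texts above can be expressed as a small decision rule. The following is an added example, not SAP code and not part of the original post: it models an authorization instance as field/value sets and assumes a hand-inserted authorization is represented by a missing proposal (None). The values for S_USER_GRP are constructed, and flagging Changed and Manual for review is this example's own choice.

```python
# Added example, not SAP code. Values are modelled as sets of strings;
# an empty set stands for a field that SU24 proposed blank.

def status_text(proposed, current):
    """Return the status text for one authorization instance.

    proposed: {field: set(values)} as pulled from SU24, or None when the
              authorization was inserted by hand (assumption of this model).
    current:  {field: set(values)} as it now stands in the role.
    """
    if proposed is None:
        return "Manual"
    changed = filled = False
    for field in set(proposed) | set(current):
        default = proposed.get(field, set())
        now = current.get(field, set())
        if now == default:
            continue
        if default:
            changed = True   # a proposed value was altered
        else:
            filled = True    # a blank proposal was filled in
    if changed:
        return "Changed"     # takes precedence over Maintained
    return "Maintained" if filled else "Standard"


def review_queue(instances):
    """List (name, status) for instances that no longer match SU24."""
    flagged = []
    for name, proposed, current in instances:
        status = status_text(proposed, current)
        if status in ("Changed", "Manual"):
            flagged.append((name, status))
    return flagged


# Constructed sample data: S_USER_GRP proposed with display only, group blank.
SU24 = {"ACTVT": {"03"}, "CLASS": set()}
ROLE = [
    ("untouched", SU24, {"ACTVT": {"03"}, "CLASS": set()}),
    ("group filled", SU24, {"ACTVT": {"03"}, "CLASS": {"ZHR"}}),
    ("activity widened", SU24, {"ACTVT": {"01", "02", "03"}, "CLASS": {"ZHR"}}),
    ("hand-added", None, {"ACTVT": {"03"}, "CLASS": {"*"}}),
]

if __name__ == "__main__":
    for name, proposed, current in ROLE:
        print(f"{name:18} {status_text(proposed, current)}")
    print("review:", review_queue(ROLE))
```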

Q) What is the difference between Role and Profile ?

A Role is like a container which contains authorization objects, transaction codes etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated which contains authorizations (instances of authorization objects).


PFCG_TIME_DEPENDENCY is a report which is used for user master comparison. It is good practice to run a user master comparison after every role change and profile generation so that the user's master record is updated with the correct authorizations. This report also cleans up expired profiles from the user master record. The role name still remains in the SU01 tab of the user. Transaction code PFUD can also be used to execute this report directly.

Q) What are the different tabs in PFCG ?

Following are some of the important tabs in PFCG:

• Description - We define the role name and role text. There is also a free-text description field at the bottom where we can record other details related to the role, such as the ticket number through which the role was created, the changes made (addition/removal of tcodes, authorization objects etc.), the dates of those changes and the user who performed them. It is good practice to make use of this space, as it helps in identifying the reasons for changes.
• Menu - For designing user menus, e.g. adding tcodes.
• Authorizations - For maintenance of authorization data. Also for generating the authorization profile.
• User - For assigning users to the role and for adjusting user master records.

Q) What does user compare do ?

When a role is used for generating authorization profile, then the user master record needs to be compared so that the generated authorization profile can be entered in the user master record. This comparison is done using tcode PFUD or by scheduling the report PFCG_TIME_DEPENDENCY.

Q) What is user buffer ?

A user buffer contains all authorizations of a user. Each user has their own user buffer, and it can be displayed by executing tcode SU56. The authorization check fails when the user does not have the necessary authorization in the user buffer, or if the user buffer contains too many entries and has overflowed. The number of entries in the user buffer is controlled using the profile parameter "auth/auth_number_in_userbuffer".
