May 31, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -11





SAP SECURITY  INTERVIEW QUESTIONS & ANSWERS


Q) How to find out all actvt in sap ? 

All possible activities (ACTVT) are stored in table TACT , and the valid activities for each authorization object can be found in table TACTZ.

Q) How to remove duplicate roles with different start and end date from user master ? 

Duplicate roles assigned to a user can be removed using PRGN_COMPRESS_TIMES.

Q) What is the main difference between role and profile ?

Role: Collection of Transaction Codes Only (No linked authorization Objects)
Profile: It contains the related Authorization Object, Fields and Values of the transaction codes.

Role is a set of function/activity which is assigned to him based on his business role. Assigning a role to the user does not mean that the user has access to execute those functions. This is ruled by profiles. Profiles are required to give necessary authorization to the users through the respective roles.

Q) What troubleshooting we get these transactions like SU53, ST01, SUIM and ST22 ?

SU53: Will give the screen shot last missing authorization of the details for the user ID
ST01: Some times SU53 will be wrong, using ST01 will perform the trace activity will check for authorization checks for user ID
SUIM: This will used to pull out the authorization reports; usually we will use this T-code by analyzing the out put results of SU53 and ST01 and will be inputs for SUIM to pull out authorization reports

Q) What is the difference between authorization user group and logon group ?

Authorization user group is used for user management purpose. Each user group is managed by certain security administrators. Authorization object S_USER_GRP determines users of which user group can be administered by a certain user admin. Those users who are not assigned to any user group can be administered by all the security user admins.

Logon groups are generally created by SAP Basis Administrators and used for logon load balancing. These are logical groups of users. These users can be assigned to one or more SAP instances. When a Logon group is assigned to an SAP instance, all users belonging to that logon group would by default logon to that particular instance. Hence logon group helps in load balancing.

Q) What steps are checked by the system when an interactive user executes a transaction code ?

Various steps are checked when a user executes a transaction code:

1. First it is checked whether the transaction is a valid transaction code. This is checked in TSTC table. If the tcode does not exists, the system gives the message that the transaction does not exist.
2. If the tcode is a valid tcode, then the system checks whether the tcode is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked or unlocked.
3. The system then checks if the user has necessary tcode value maintained in authorization object S_TCODE in his/her user buffer. If the authorization object S_TCODE contains the required tcode, then the system checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in TSTCA table.
4. Further authorization check takes place based on the values present in the source code under “Authority-check” statement and the activity performed by the user.

Q) How to extract users list like who didn't login since 3 months. And In 90 Days user locking in which table we will use ?

T-code SUIM: Users -> Click on By Logon Date and password change -> Give * in user and give 90 days in No. days since last logon and check Locked users and then EXECUTE. (OR) RSUSR200 report to get info

Q) What is OSS Connection and System Opening and why we have to open these ? 

OSS means Online Service System where SAP is going to give Service to R/3 Users.

Q) What will have in one single role and how many profiles will be in one SAP CUA system ? 

Single role will contain T-codes, Reports and URL's, Profiles and Users. Max profiles are 312.

Q) What is the difference between SE16 and SE16N  ?

SE16 - SAPLSETB - Data Browser
SE16N - RK_SE16N - General Table Display

SE16: SE16 is a data browse and it is used to view the contents of the table and we cannot change or append new fields to the existing structure of the table as we cannot view the structure level display using the SE16.

SE16N: The transaction code SE16N (general table display) is an improved version of the old data browser (SE16). It has been around for some time, but is not widely known amongst Consultants and end users of SAP. It looks a bit different to the old “data browser” functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" without the quotation marks into the transaction code. This enables editing functionality on SE16N and allows you to make table changes. This allows you to access both configuration and data tables which may be otherwise locked in a production environment.

** Whilst this may appear to be a short cut and allow you to access a back door which is normally shut, this hidden feature should be used with caution in any SAP client - especially a live or production system.

New Features of SE16N:
** The new transaction has a number of distinct advantages over SE16.
** You no longer have a maximum of 40 fields to select in the output.
** There are fewer steps involved in executing a number of functions, whether it be outputting the results, maintaining the values in a table etc.
** Exporting the data into Excel is far easier and quicker
** ALV functionality is available as standard
** The user is not restricted by having a maximum width of 1023 saved as a default in the user settings.

Limitations of SE16N:
**You can only output one table at a time. If you wish to output more than one table you can use the available reporting tools or the QuickViewer (transaction code SQVI) functionality within SAP.

Q)  How many transaction codes can be assigned to a role ?

A maximum of around 14000 transaction codes can be assigned to a role.


Q)  What is the difference between ECC security and RAR security when GRC is used, when similar functionality can be performed SAP R3 level (ECC) ?

ECC and RAR are different.ECC is a system whereas RAR is a tool.
ECC security involves security data, t-code access, report access and maintaining the authorizations.

RAR (Risk analysis and Remediation) is a tool that is used for analysis of risk analysis and its remediation as name suggests. This tool determines all potential risks that arise if a t-Code object/role/auth is assigned to a user. Also this tool helps to remediate that risk using mitigation technique.

Simply we can say one thing like In ECC system you can’t find any risk while assigning the roles.

But in RAR tool it will check the RISK of that particular assignment and if risk is their then we can mitigate and simulate to that risk I mean it’s purely for SOD (segregation of duties)



No comments:

Post a Comment