
May 31, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -12



SAP SECURITY  INTERVIEW QUESTIONS & ANSWERS


Q) What is the difference between the VIRSA tool and GRC? Does the VIRSA tool support ECC 6.0? What is GRC, and what is the SAP VIRSA tool?

Governance, Risk, and Compliance (GRC). The goal of GRC is to help a company efficiently put policies and controls in place to address all of its compliance obligations, while at the same time gathering information that helps it run the business proactively. In practice this means that business processes must comply with effective process controls derived from the relevant industry business process, the accounting process and government policy. Government organizations and public companies listed on local stock markets are accountable for having effective governance and process controls that protect shareholder rights and prevent organized corporate fraud and scams.
GRC tools and IT applications: there are many GRC audit tools on the market that facilitate internal and external audits of companies.

Q) What is the SAP VIRSA tool?

It covers 1) Access Controls and 2) Process Controls.
It has four components for auditing the system:
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access Enforcer
VIRSA has since been taken over by SAP AG, and its products are now a NetWeaver add-on.
VIRSA produced a number of tools; the most commonly used was Compliance Calibrator.
SAP acquired VIRSA and integrated its tools into the SAP GRC suite of products, which has a wider span than the VIRSA products.
You can use the VIRSA tools in ECC 6. As the company no longer sells these products, an easy way to tell that a candidate does not understand the GRC topic is that they refer to VIRSA when they mean SAP GRC.
GRC as a subject has been hijacked by SAP's use of the term; real GRC is much wider than a set of tools that can automate part of the GRC process.

Q) What is FireFighter? When do we use FireFighter?

If you have implemented VIRSA/GRC, a FireFighter ID (FFID) is also a normal user ID, but with specific access (say SU01 or SAP_ALL) as per the needs. Its user type is kept as "service user". Example: in your project you are a security administrator who does not have direct access to SU01, but you need that access urgently.
The FFID owner/administrator then assigns you an FFID for a limited period, so that you can perform the task from your own login ID and password by running transaction /n/VIRSA/VFAT and logging in with that FFID.
While logging in, you are prompted to give a business reason for the access. Everything you perform in that period using the FFID is recorded for auditing.

Q) What is the difference between SoX and SoD? What kind of work do SoX and SoD cover? What is VIRSA?

SoX refers to the Sarbanes-Oxley Act of the early 2000s. It affects all US companies, whether they operate in the US or in other countries. The act is considered significant following the collapse of big companies such as Enron.
SoD refers to Segregation of Duties. Basically, one person cannot have access to the whole of a process; the tasks need to be segregated so that there is a check and balance.
VIRSA is one of the third-party tools used to check SoX compliance in a company. Apart from this there are other products such as APPROVA and SecurInfo. VIRSA has now been bought by SAP and rebranded as GRC (Governance, Risk and Control).


Q) What is the use of a detour path? How does a fork path differ from a detour path?

If a workflow fulfils a certain condition, e.g. an SoD violation, the original workflow ends and takes a predefined alternative route (the detour). This detour can contain other stages and additional approvers.
A fork is a way to split up a workflow from a single initiator between SAP and non-SAP systems.

Q) What is the name of the background job in FireFighter that is responsible for sending notifications and logs to the FFID controller?

/VIRSA/ZVFATBAK, run via /n/VIRSA/VFATBAK.

Q) What is the Rule Set in GRC?

A rule set is simply a collection of rules. There is a default rule set in GRC called the Global Rule Set.

Q) How can you reassign FireFighter IDs from one FireFighter Admin to another if the current Admin leaves the organization without telling anybody?

Take the user ID of the person who left the company, go to transaction SE16, enter the table name /VIRSA/zffusers and execute.
In the second column enter the user ID of the person who left and execute; this gives the list of FF IDs assigned to that user. Note those FF IDs, run transaction /n/VIRSA/VFAT, go to the "maintain FF IDs" table and replace the old user ID with the new person's user ID.







SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -11







Q) How do you find all ACTVT values in SAP?

All possible activities (ACTVT) are stored in table TACT, and the valid activities for each authorization object can be found in table TACTZ.

Q) How do you remove duplicate roles with different start and end dates from the user master?

Duplicate role assignments of a user can be removed using report PRGN_COMPRESS_TIMES.
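The compression the answer above refers to merges several validity records of the same role into as few non-overlapping periods as possible. The following Python is an added illustration of that idea and is not the code of report PRGN_COMPRESS_TIMES; the assignment records are constructed sample data shaped like the role, from-date and to-date fields of a user's role assignment, and the "adjacent periods also merge" rule is an assumption made for the illustration.

```python
"""Merge duplicate role assignments that differ only in validity period.

Added illustration, not the logic of SAP report PRGN_COMPRESS_TIMES.
The records below are constructed: (role, valid_from, valid_to)."""
from collections import defaultdict
from datetime import date


def compress_assignments(assignments):
    """Return one record per role and per contiguous validity period.

    Overlapping periods of the same role are merged; periods that touch
    (the next one starts the day after the previous one ends) are merged
    as well, which is an assumption of this illustration."""
    by_role = defaultdict(list)
    for role, start, end in assignments:
        if start > end:
            raise ValueError(f"invalid period for {role}: {start} > {end}")
        by_role[role].append((start, end))

    result = []
    for role in sorted(by_role):
        periods = sorted(by_role[role])
        merged = [periods[0]]
        for start, end in periods[1:]:
            last_start, last_end = merged[-1]
            # Overlap or gap of at most one day: extend the previous period.
            # Subtracting dates avoids adding a day to 9999-12-31, which overflows.
            if (start - last_end).days <= 1:
                merged[-1] = (last_start, max(last_end, end))
            else:
                merged.append((start, end))
        result.extend((role, s, e) for s, e in merged)
    return result


# Constructed sample: Z_FI_AP appears three times with different dates.
SAMPLE = [
    ("Z_FI_AP", date(2016, 1, 1), date(2016, 6, 30)),
    ("Z_FI_AP", date(2016, 5, 1), date(9999, 12, 31)),
    ("Z_FI_AP", date(2015, 1, 1), date(2015, 3, 31)),
    ("Z_MM_PO", date(2016, 1, 1), date(9999, 12, 31)),
]

if __name__ == "__main__":
    for rec in compress_assignments(SAMPLE):
        print(rec)
```

Running the block on the constructed sample leaves Z_FI_AP with two records (the 2015 period and one open-ended period from 2016-01-01), because the 2016 records overlap, while the 2015 record is separated by a gap and stays separate.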

Q) What is the main difference between a role and a profile?

Role: a collection of transaction codes only (no linked authorization objects).
Profile: contains the related authorization objects, fields and values for those transaction codes.

A role is a set of functions/activities assigned to a user based on their business role. Assigning a role to a user does not by itself mean the user can execute those functions; that is governed by profiles. Profiles are required to give the necessary authorizations to users through the respective roles.

Q) What troubleshooting do we do with transactions such as SU53, ST01, SUIM and ST22?

SU53: shows the details of the last failed authorization check for the user ID.
ST01: sometimes SU53 is misleading; ST01 runs a system trace that records the authorization checks performed for a user ID.
SUIM: used to pull authorization reports; usually the output of SU53 and ST01 is analyzed and then used as input for SUIM reports.

Q) What is the difference between an authorization user group and a logon group?

An authorization user group is used for user management. Each user group is managed by certain security administrators. Authorization object S_USER_GRP determines which user groups a given user administrator may administer. Users who are not assigned to any user group can be administered by all security administrators.

Logon groups are generally created by SAP Basis administrators and are used for logon load balancing. They are logical groups of users that can be assigned to one or more SAP instances. When a logon group is assigned to an SAP instance, all users belonging to that logon group log on to that instance by default. In this way logon groups help with load balancing.

Q) What steps does the system check when an interactive user executes a transaction code?

Various steps are checked when a user executes a transaction code:

1. First the system checks whether the transaction code is valid, by looking it up in table TSTC. If the tcode does not exist, the system reports that the transaction does not exist.
2. If the tcode is valid, the system checks whether it is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked.
3. The system then checks whether the user has the tcode value in authorization object S_TCODE in his/her user buffer. If S_TCODE contains the required tcode, the system checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in table TSTCA.
4. Further authorization checks take place based on the AUTHORITY-CHECK statements in the source code and the activity the user performs.
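The four checks above can be modelled as a short decision procedure. The following Python is an added illustration and is not SAP code: the TSTC, TSTCA and user-buffer contents are constructed stand-ins for the real tables (the lock flag, which SAP stores as bits in TSTC-CINFO, is simplified to a boolean), and the `limit` field stands in for the effect of the profile parameter auth/auth_number_in_userbuffer, since an overflowed buffer also makes the check fail.

```python
"""Model of the checks performed when a user starts a transaction.

Added illustration, not SAP code. TSTC, TSTCA and the user buffer are
constructed in-memory stand-ins for the real SAP tables."""
from dataclasses import dataclass


# Constructed stand-in for TSTC: tcode -> locked flag (in SAP derived from CINFO).
TSTC = {
    "SU01": {"locked": False},
    "PFCG": {"locked": False},
    "SE16": {"locked": True},   # locked for this illustration
}

# Constructed stand-in for TSTCA: the additional check maintained in SE93.
TSTCA = {
    "SU01": ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "02"}),
}


def _match(value, wanted):
    """Authorization field values: '*' is the full-authorization wildcard."""
    return value == "*" or value == wanted


@dataclass
class UserBuffer:
    """Authorizations loaded for one user (what SU56 displays).

    auths: list of (authorization object, {field: set of values}).
    limit: stand-in for auth/auth_number_in_userbuffer (assumed semantics)."""
    auths: list
    limit: int = 1000

    def overflowed(self) -> bool:
        return len(self.auths) > self.limit

    def has(self, obj, required) -> bool:
        # One instance of the object must cover every required field value.
        for o, fields in self.auths:
            if o != obj:
                continue
            if all(any(_match(v, want) for v in fields.get(f, set()))
                   for f, want in required.items()):
                return True
        return False


def check_transaction_start(buffer, tcode):
    """Return 'OK' or the reason the transaction start is refused."""
    # Step 1: the transaction must exist in TSTC.
    if tcode not in TSTC:
        return "Transaction does not exist"
    # Step 2: the transaction must not be locked (TSTC-CINFO).
    if TSTC[tcode]["locked"]:
        return "Transaction is locked"
    # An overflowed buffer fails every check, whatever it contains.
    if buffer.overflowed():
        return "User buffer overflow"
    # Step 3: S_TCODE in the user buffer must contain the tcode ...
    if not buffer.has("S_TCODE", {"TCD": tcode}):
        return "No authorization for transaction (S_TCODE)"
    # ... and the additional object from SE93 / TSTCA, if one is maintained.
    if tcode in TSTCA:
        obj, values = TSTCA[tcode]
        if not buffer.has(obj, values):
            return f"No authorization for {obj}"
    # Step 4 (AUTHORITY-CHECK statements inside the program) is reached only now.
    return "OK"


if __name__ == "__main__":
    admin = UserBuffer([
        ("S_TCODE", {"TCD": {"SU01", "SE16"}}),
        ("S_USER_GRP", {"CLASS": {"SUPER"}, "ACTVT": {"02", "03"}}),
    ])
    for t in ("SU01", "SE16", "PFCG", "ZZZZ"):
        print(t, "->", check_transaction_start(admin, t))
```

A practitioner reading an SU53 screenshot can map each refusal string back to the step that produced it: a missing S_TCODE entry and a missing S_USER_GRP value are both "no authorization" results, but they are raised at different points, which is why SU53 shows the object that actually failed.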

Q) How do you extract a list of users who have not logged in for 3 months? And which table is used for locking users after 90 days?

Transaction SUIM: Users -> By Logon Date and Password Change -> enter * in User, enter 90 in "No. days since last logon", tick Locked users and execute. Alternatively, run report RSUSR200 to get the same information.

Q) What are OSS connections and system opening, and why do we have to open them?

OSS means Online Service System, through which SAP gives service to R/3 users.

Q) What does one single role contain, and how many profiles can there be in one SAP CUA system?

A single role contains T-codes, reports, URLs, profiles and users. The maximum number of profiles is 312.

Q) What is the difference between SE16 and SE16N?

SE16 - SAPLSETB - Data Browser
SE16N - RK_SE16N - General Table Display

SE16: SE16 is a data browser used to view the contents of a table. We cannot change or append new fields to the existing structure of the table, because SE16 does not display the table at structure level.

SE16N: Transaction SE16N (general table display) is an improved version of the old data browser (SE16). It has been around for some time but is not widely known among consultants and end users of SAP. It looks a bit different from the old "data browser" functionality (SE16).
** Once you have entered your table name, type "&SAP_EDIT" (without the quotation marks) into the transaction code field. This enables editing functionality in SE16N and allows you to make table changes. It allows you to access both configuration and data tables that may otherwise be locked in a production environment.

** While this may appear to be a shortcut and gives access to a back door that is normally shut, this hidden feature should be used with caution in any SAP client, especially a live or production system.

New features of SE16N:
** The new transaction has a number of distinct advantages over SE16.
** You are no longer limited to a maximum of 40 fields in the output.
** Fewer steps are involved in executing a number of functions, whether outputting the results, maintaining the values in a table, etc.
** Exporting the data to Excel is far easier and quicker.
** ALV functionality is available as standard.
** The user is not restricted by the maximum width of 1023 saved as a default in the user settings.

Limitations of SE16N:
** You can only output one table at a time. If you wish to output more than one table, you can use the available reporting tools or the QuickViewer (transaction SQVI) functionality within SAP.

Q) How many transaction codes can be assigned to a role?

A maximum of around 14000 transaction codes can be assigned to a role.


Q) What is the difference between ECC security and RAR security when GRC is used, given that similar functionality can be performed at the SAP R/3 (ECC) level?

ECC and RAR are different: ECC is a system, whereas RAR is a tool.
ECC security involves securing data, t-code access and report access, and maintaining the authorizations.

RAR (Risk Analysis and Remediation) is a tool used, as its name suggests, for risk analysis and remediation. It determines all potential risks that arise if a t-code, object, role or authorization is assigned to a user, and it helps to remediate that risk using mitigation.

Put simply: in the ECC system you cannot see any risk while assigning roles.

In the RAR tool, however, the risk of that particular assignment is checked, and if there is a risk we can simulate and mitigate it. In other words, it is purely for SoD (segregation of duties).
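The rule-set and risk-analysis ideas from the "What is the Rule Set in GRC?" answer and the RAR answer above can be shown together in one simulation: a rule names two business functions that must not meet in one user, functions are sets of transactions, and an assignment is analysed before it is made. The Python below is an added illustration written for this page and is not SAP GRC or RAR code; the functions, rule IDs, roles and transaction groupings are constructed sample data and are not SAP's delivered Global Rule Set, and the mitigation handling (a rule ID that is simply excluded from the report) is a deliberate simplification.

```python
"""Simulated SoD risk analysis of a role assignment.

Added illustration in the spirit of a GRC rule set; not SAP GRC/RAR code.
All functions, rules and roles below are constructed sample data."""

# A function is a group of transactions that together perform one business task.
FUNCTIONS = {
    "AP_INVOICE":    {"FB60", "MIRO"},
    "AP_PAYMENT":    {"F110", "F-53"},
    "VENDOR_MASTER": {"XK01", "XK02", "FK01"},
    "PO_CREATE":     {"ME21N", "ME22N"},
}

# A rule: (rule id, function A, function B, risk level). Having both A and B is a risk.
RULE_SET = [
    ("AP01", "AP_INVOICE", "AP_PAYMENT", "High"),
    ("AP02", "VENDOR_MASTER", "AP_PAYMENT", "High"),
    ("PR01", "PO_CREATE", "AP_INVOICE", "Medium"),
]

# Constructed roles with the transactions they grant.
ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO", "FK03"},
    "Z_AP_PAYMENT":   {"F110"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER":        {"ME21N"},
}


def functions_for(tcodes):
    """Functions a user can perform given a set of transactions (one tcode suffices)."""
    return {f for f, members in FUNCTIONS.items() if members & tcodes}


def analyze(roles_assigned, mitigated=()):
    """Risks (rule id, level) violated by the combined roles, minus mitigated rule ids."""
    tcodes = set()
    for role in roles_assigned:
        tcodes |= ROLES[role]
    funcs = functions_for(tcodes)
    return [(rid, level) for rid, a, b, level in RULE_SET
            if a in funcs and b in funcs and rid not in mitigated]


def simulate_assignment(current_roles, new_role, mitigated=()):
    """Risk analysis before assignment: only the risks the new role introduces."""
    before = set(analyze(current_roles, mitigated))
    after = set(analyze(list(current_roles) + [new_role], mitigated))
    return sorted(after - before)


if __name__ == "__main__":
    user_roles = ["Z_AP_CLERK"]
    for candidate in ("Z_AP_PAYMENT", "Z_BUYER", "Z_VENDOR_MAINT"):
        print(candidate, "->", simulate_assignment(user_roles, candidate))
```

The point the example makes is the one the answer states: the ECC side only knows that a role grants a transaction, while the rule set adds the relationship between transactions, so the same `Z_AP_PAYMENT` assignment is harmless for a user who holds nothing else and a High risk for a user who already holds `Z_AP_CLERK`.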



May 29, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -10





Q) How do you get tickets from end users? Which ticketing tool are you using?

Generally tickets are raised by the end users or clients.
Each organization has its own tool for handling tickets; the team leader then allots the tickets to the corresponding person by mail.
Ticketing tools: HP OpenView, Remedy, mail (Microsoft Outlook), Lotus Notes, Magic.
HPSD (HP Service Desk): users first send mails to first-level support stating their issue; first-level support then creates a service call and assigns it to the respective team. A unique number, the service call number, is provided and used as the reference number in future.

Q) What is the difference between ECC 4.7, ECC 5 and ECC 6 from an SAP Security point of view?

SAP ECC 4.7 is an ABAP-based system, so here we only deal with R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means the Enterprise Portal is included too; here we have both R/3 security for the ABAP stack and Java stack security, which includes the portal concept (Enterprise Portal Security).
SAP GRC, which is a security tool, can be implemented only with ECC 5.0 and ECC 6.0, not with ECC 4.7.

Q) What is a role matrix?

A role matrix is simply a table with one column per role in which we maintain the T-codes belonging to each role, for example:

T-code    z_singlerole    z_dervir
------------------------------------
PFCG           x
SU01                           x
VA01           x
VK11                           x

Based on the business-process approvers, we assign T-codes to a particular role in this way.

Q) What are the steps to create a user in SAP?

The steps to create a user in SAP are:

1. Log on to the SAP system and execute transaction SU01 (menu path: Tools -> Administration -> User Maintenance -> Users).
2. Enter a username in the "User" field and click Create. The next screen has various tabs such as Address, Defaults, Parameters, Roles, Profiles, etc.
3. In the "Address" tab, fill in the necessary fields (Last Name is mandatory).
4. In the "Logon data" tab, select the "User Type" and fill in the "Initial Password" (the initial password is mandatory in all cases except when the "User Type" selected is "Reference").
5. Similarly fill in the other information in the remaining tabs, i.e. "Defaults", "Parameters", "Systems", "Roles", "Profiles", etc.
6. Click Save. The user is created.

Q) What are different types of users in SAP System ?

Different user types are:
(1) Dialog
(2) Service
(3) System
(4) Communication
(5) Reference

Q) What mandatory fields need to be filled in while creating a user in SAP?

Last name is mandatory for creating any user type. An initial password needs to be given for all user types except "Reference" users.

Q) Which table contains the list of developers (development users) including their registered developer access keys?

Table DEVACCESS contains the list of developers and their developer access keys.

Q) What does table TSTCP contain?

Table TSTCP contains information about parameter transactions, i.e. transactions that are parameterized for a table or view.


Q) How do we schedule and administer background jobs?

Background jobs are scheduled and administered using transactions SM36 and SM37.


Q) I have deleted a single role from a composite role and now want to find the changes to the composite role without using SUIM. Is there any other way to get them?

Yes, it is possible from the role screen itself.
Go to the menu bar and choose Utilities -> Change documents.
The change documents can also be seen in table AGR_AGRS.

Q) How many authorizations fit into a profile?

A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this value, the profile generator automatically creates a further profile for the role.

Q) How many profiles can be assigned to a user master record?

The maximum number of profiles that can be assigned to a user master record is 312. Table USR04 contains the profiles assigned to users. The field PROFS in USR04 stores the change flag and the names of the profiles assigned to the user. The change flags are C, meaning "user was created", and M, meaning "user was changed". The field PROFS is defined with a length of 3750 characters. Since the first two characters are reserved for the change flag, 3748 characters remain for the list of profile names per user. Because a profile name has a maximum length of 12 characters, this results in a maximum of 312 profiles per user.



SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -9







Q) How do we know who made changes to table data, and when?

If the "Log Data Changes" checkbox is enabled in the technical settings of a table, table DBTABLOG keeps all the change log data for that table.

Q) What is a composite role?

A composite role is a container that contains several single roles. It does not contain authorization data; the authorizations must be maintained in each single role of the composite role. A composite role cannot be added to another composite role. Users assigned to a composite role are automatically assigned the corresponding single roles.

Q) What is the difference between USOBX_C and USOBT_C?

USOBX_C and USOBT_C are the tables behind transaction SU24.

Table USOBX_C defines the status of the authorization checks for authorization objects, i.e. whether the "check indicator" is set to yes or no. It also defines the proposal status, i.e. whether authorization values are maintained in SU24 for the object.

Table USOBT_C defines the "values" maintained for authorization objects with status check/maintain.

Q) How can we convert an authorization field to an org level field?

Report PFCG_ORGFIELD_CREATE is used to convert an authorization field to an org level field. It can be executed via SA38/SE38.

A word of caution: make sure that any such conversion is done in the initial stage of security role design/system setup. If this task is performed at a later stage, there is a risk that it will impact many existing roles; all of those roles would then require analysis and their authorization data would have to be adjusted.

NOTE: The authorization fields TCD (transaction code) and ACTVT (activity) cannot be converted to org level fields.

Q) How do we find all activities in SAP?

All activities in SAP are stored in table TACT, and the valid activities per authorization object are stored in table TACTZ. The tables can be viewed via SE16.

Q) What important authorization objects are required to create and maintain user master records ?

Following are some important authorization objects which are required to create and maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q) Which table is used to store illegal passwords ?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.

Q) Explain the concept of "Status Text for Authorizations": Standard, Changed, Maintained and Manual.

• Standard: all field values of the authorization instance are unchanged from the SAP default values (i.e. the values pulled from SU24).
• Maintained: at least one field value in the authorization instance was blank when it was pulled from SU24 (the SAP default) and that blank field has been filled in; fields that already had a value have not been touched.
• Changed: the proposed value of at least one field in the authorization instance has been changed.
• Manual: at least one authorization was added manually, i.e. it was not proposed by the profile generator.
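The four statuses can be derived mechanically by comparing the SU24 proposal an authorization came from with the values now in the role. The Python below is an added illustration of that derivation, not PFCG code; the proposal and role data are constructed samples, and the rule that "Changed" takes precedence over "Maintained" when both apply to one authorization is an assumption of the illustration.

```python
"""Derive the PFCG status text of an authorization from its SU24 proposal.

Added illustration, not PFCG code. Proposals and role values are
constructed sample data; a proposal of None stands for an authorization
that the profile generator did not propose at all."""


def status_text(proposal, role_values):
    """proposal: {field: proposed value} with '' for a blank proposal, or None
    if the authorization was added by hand. role_values: {field: value in role}."""
    if proposal is None:
        return "Manual"
    changed = False
    maintained = False
    for field, proposed in proposal.items():
        actual = role_values.get(field, "")
        if proposed == "" and actual != "":
            maintained = True        # a blank proposal was filled in
        elif proposed != actual:
            changed = True           # a proposed value was altered or removed
    if changed:
        return "Changed"             # assumption: Changed outranks Maintained
    if maintained:
        return "Maintained"
    return "Standard"


def classify_role(proposals, role_auths):
    """Status per authorization id; ids absent from proposals are manual."""
    return {auth_id: status_text(proposals.get(auth_id), values)
            for auth_id, values in role_auths.items()}


# Constructed sample: what SU24 proposed for two authorizations of a role.
PROPOSALS = {
    "S_USER_GRP_01": {"CLASS": "", "ACTVT": "03"},
    "S_TABU_DIS_01": {"DICBERCLS": "", "ACTVT": "03"},
    "S_DEVELOP_01":  {"DEVCLASS": "", "OBJTYPE": "PROG", "ACTVT": "03"},
}

# Constructed sample: the values actually maintained in the role.
ROLE_AUTHS = {
    "S_USER_GRP_01": {"CLASS": "FINANCE", "ACTVT": "03"},   # blank filled in
    "S_TABU_DIS_01": {"DICBERCLS": "", "ACTVT": "03"},      # untouched
    "S_DEVELOP_01":  {"DEVCLASS": "", "OBJTYPE": "*", "ACTVT": "03"},  # proposal altered
    "S_USER_AGR_01": {"ACT_GROUP": "*", "ACTVT": "*"},      # not proposed: manual
}

if __name__ == "__main__":
    for auth_id, status in classify_role(PROPOSALS, ROLE_AUTHS).items():
        print(f"{auth_id:15} {status}")
```

Reviewing a role's authorizations by status is a quick way to spot hand-added wildcards: anything reported as Manual or Changed did not come from the SU24 default and deserves a justification in the role description.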

Q) What is the difference between a role and a profile?

A role is a container that holds authorization objects, transaction codes, etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated that contains the authorizations (instances of the authorization objects).

Q) What is PFCG_TIME_DEPENDENCY?

PFCG_TIME_DEPENDENCY is a report used for user master comparison. It should be standard practice to run a user master comparison after every role change and profile generation, so that the user's master record is updated with the correct authorizations. This report also removes expired profiles from the user master record; the role name itself still remains in the Roles tab of SU01 for the user. Transaction PFUD can also be used to execute this report directly.

Q) What are the different tabs in PFCG?

The important tabs in PFCG are:

• Description: we define the role name and role text. There is also a free-text description field at the bottom where we can provide other details related to the role, such as the ticket number through which the role was created, the changes made (addition/removal of tcodes, authorization objects, etc.), the dates of those changes and the user who performed them. It is good practice to use this space, as it helps in identifying the reasons for changes.
• Menu: for designing the user menu, e.g. adding tcodes.
• Authorizations: for maintaining authorization data and generating the authorization profile.
• User: for assigning users to the role and adjusting user master records.

Q) What does user compare do?

When a role is used to generate an authorization profile, the user master record must be compared so that the generated profile is entered in the user master record. This comparison is done using transaction PFUD or by scheduling the report PFCG_TIME_DEPENDENCY.

Q) What is the user buffer?

The user buffer contains all authorizations of a user. Each user has his own user buffer, which can be displayed with transaction SU56. An authorization check fails when the user does not have the necessary authorization in his user buffer, or when the user buffer contains too many entries and has overflowed. The number of entries in the user buffer is controlled by the profile parameter auth/auth_number_in_userbuffer.




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -8





Q) What are the various user types?

Dialog user 'A'
Individual, personalized system access. Logon with SAP GUI is possible, so the user can interact with the system via SAP GUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logons are checked. Usage: individual human users (including Internet users).

System user 'B'
System-dependent and system-internal operations. Logon with SAP GUI is not possible, so the user cannot interact with the system via SAP GUI. The password is not subject to the password change requirement, i.e. it cannot be initial or expired. Only an administrator can change the password. Multiple logons are permitted. Usage: internal RFC, background processing, external RFC (for example ALE, workflow, TMS, CUA).

Communication user 'C'
Individual, personalized system access. Logon with SAP GUI is not possible, so the user cannot interact with the system via SAP GUI. Expired or initial passwords are checked, but whether the password change requirement that in principle applies to all users is enforced depends on the caller (interactive or not interactive). Users have the option of changing their own passwords. Usage: external RFC (individual human users).

Service user 'S'
Shared, anonymous system access. Logon with SAP GUI is possible, so the user can interact with the system via SAP GUI. The password is not subject to the password change requirement, i.e. it cannot be initial or expired. Only a user administrator can change the password. Multiple logons are permitted. Usage: anonymous system access (for example public Web services).

Reference user 'L'
Authorization enhancement only; no logon is possible. Reference users are used to assign additional authorizations to other users. Usage: Internet users with identical authorizations.

Q) What is the difference between a template role and a derived role?

A template role is simply a default role provided by SAP. It might be a single, composite or derived role. Template roles have no generated profiles or authorizations, are not assigned to users, and have no org levels maintained.
A derived role is a single role derived from a master role; it can restrict org levels and can be assigned to users.

Q) What is the advantage of CUA from a layman's/manager's point of view?

CUA - Central User Administration
The advantage of CUA is that it saves time: users are created in one central system and distributed to the respective child systems where the user ID is requested. This avoids having to log on to each individual system.

Q) What is the procedure for deleting a role?

You cannot delete a role directly in the production system; it must first be deleted in the development system and the deletion transported.
In the DEV system, go to PFCG, enter the name of the role you want to delete and create a transport request for it, but do not release it yet. Then delete the role from PFCG in the DEV system and transport the request to the testing and production systems; once the import succeeds, the role is deleted there as well.
1) Create a transport request for the role, but do not release it.
2) Delete the role from the system.
3) Release the transport request.

Q) If we delete a role, can we transport the deletion, and if so, how?

Yes: add the role to a transport request first and then delete it from the DEV system. After the deletion, transport the request to the QA and production systems.

Q) When creating a role, what should be written in the description, and what does your company follow?

The description of a role briefly defines the activity the role relates to. Just by reading the description, one should easily know the role details: which SAP module (MM/PP/FICO) the role belongs to, the company code / org level values, any restricted values, and the activity performed after assigning that particular role.

Q) Can you name some password-related parameters?

Password-related parameters are:
login/min_password_lng (defines the minimum password length)
login/min_password_digits
login/password_expiration_time
These are the main parameters; they are maintained via transaction RZ10.

Q) What is the use of CUA?

CUA: Central User Administration
1. Using CUA, you can reset passwords globally (i.e. in a single step you can reset the password in all child systems, or in an individual system).
2. No password reset is needed in the individual systems.
3. Using CUA, you can lock and unlock users.
4. Using CUA, you can assign roles for a particular system.
5. Using CUA, you can add systems to a particular user.

Q) What are the types of transport requests, and which do we create for transport?

Generally there are two types of transport request.
1) Workbench request: client-independent; used, for example, in CUA, where the changes made are transported to cross-client tables.
2) Customizing request: client-dependent.

Q) I want to reset the passwords of 100 users. How do you do it?

Mass password resetting is an easy task. Log on to transaction LSMW, create a project (which is very simple), record a batch input session and run it. It hardly takes 2 minutes. Alternatively, use a SECATT script.




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -7






Q) Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?

If you are talking about the GRC Access Enforcer tool, there is an option to set a validity period per role while creating an Access Enforcer request. When you click the "Select roles" button and search for and add a role in the Role tab, you can see a Validity Period column that you can change. You can add multiple roles to one user simply by performing the "Add" role activity. I hope this is what you are asking for.

Q) How do you get the e-mail addresses of 100 users at a time?

Use a SECATT script, or go to SE16, table ADR6, and enter the person numbers or address numbers of the users.
To get the address number or person number, extract the users' data from table USR21.

Q) Which authorization objects do we use when creating BW roles?

S_RS_AUTH, S_RS_ICUBE, S_RS_ODSO, S_RS_MPRO, S_RS_IPRO and S_RS_ADMWB (for BI consultants and admins), and S_RS_RSEC (for BI security consultants).

Q) When do we change the passwords of many users (for example 100 users)?

a) At the time of implementation, when we create users and passwords.
b) Depending on business users' requests.
c) If locked users need to be unlocked and made usable, we generate new passwords.
d) On a monthly or quarterly basis we send a message to end users asking them to change their passwords.
e) When users get locked due to incorrect logons.
f) When users are locked because their user IDs have expired.

Q) (A) Where is the password stored? (B) From where can you re-collect the password? (C) How will you communicate the password to all users at a time?

A) Password information is stored in table USR02.
B) There is no "re-collect password" process in SAP; the user needs to send a request to the security team to have a new password issued.
C) We can do it through a SECATT script.

Q) What is VIRSA? Once you enter its screen, what does it do?

Before GRC came into the picture, other tools on the market did this analysis: VIRSA and APPROVA. Both are Indian companies. VIRSA developed tools such as FireFighter, Compliance Calibrator, Access Enforcer and Role Expert for risk analysis. In 2006 VIRSA was taken over by SAP and the tools were renamed Superuser Privilege Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP) and Enterprise Role Management (ERM) respectively.
VIRSA FireFighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and it tracks and logs every activity the super-user performs using that temporary ID.

Q) What is the use of SU24 and SM24?

There is no SM24 transaction in SAP. As for SU24: here we maintain the assignment of authorization objects to a particular t-code. We can check the relationship between the t-code and the relevant authorization objects and change it according to business needs, i.e. maintain the authorization objects, their fields and the field values.


Q) What are dialog users, batch users and communication users? What is the use of a communication user?

A dialog user is used by an individual for all kinds of logon. A batch user is used for background processing and communication within the system. A communication user is used for external RFC calls (connecting across systems).

Q) Can we add one composite role to another composite role, whether for urgent user requests or normal user requests?

We cannot add a composite role to another composite role, but we can add multiple derived roles to one composite role.

Q)    In Transport what type of Request we will use. Why don't we use workbench request in transport ?

Most of the time we do transport workbench and customized requests. 95% we do customized transport as we do settings, configurations, creation etc at DEV system and transport them to QUA or PRD systems.
Settings, configurations etc are done by BASIS, Security and Functional consultants then those will be treated as Customized and if ABAPers do programs and packages etc and transport them then those will be treated as workbench.

Q)    When we added Authorization Object in Template role, at the same time what will be happen in Derived role ? 

Template Roles will be provided by default by SAP while we do implementation (install SAP).when we want to have template role we should not use that role directly, instead of that we can go for COPY option and we can copy it and do customize according to our business needs.

Q) How do you check a profile parameter? How do you find out whether a transport ended with an error, and where can you check ?

Profile parameters are checked with t-code RZ10, and transport error logs with t-code STMS. Click on Import Overview (the truck icon) in the STMS screen; the next screen offers Import Monitor, Import Tracking and Import History, which show the transport issues.






May 28, 2016

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -6

Q) If we add org level elements in a master role, will they be reflected in the child role, and how does AGR_1252 act as a barrier ?

Org level values of the master role are not reflected in the child roles. Table AGR_1252 holds the org level values maintained for each role.

Q) How do you do a mass user-to-role assignment using SECATT? Would you use SU01 or SU10, and why SU10 rather than SU01 ?

We can assign a role to many users at once with SU10 (SU01 maintains one user at a time). We can do the same with SECATT.

Q) Can SU10 be used for a mass password reset? Why not ?

No. The password reset option is not available in SU10 for mass user maintenance.

Q) If you want to reset the password for, say, 100 users in Production, how will you do it ?

We can use SAP GUI scripting or SECATT to do it.

Q) Explain Steps 2A and 2B in SU25 ? 

2A -->This compares the Profile Generator data from the previous release with the data for the current release. New default values are written in the customer tables for the Profile Generator. You only need to perform a manual adjustment later (in step 2B) for transactions in which you changed the settings for check indicators and field values. You can also display a list of the roles to be checked (step 2C).

2B-->If you have made changes to the check indicators or field values in transaction “SU24”, you can compare these with the new SAP defaults.
You can see the values delivered by SAP and the values that you changed next to each other, and can make an adjustment, if desired. You can assign the check indicators and field values by double-clicking the relevant line.

Q) What is the difference between a Derived Role and a Copy Role? Can't we just copy instead of deriving when both have the same characteristics, inputs or functions ?

Derived role: a derived role inherits all properties, that is all authorizations, from the master role. Any change made in the master role is reflected in the child role, but not vice versa. We cannot add authorizations in a derived role, but we can maintain its org levels.

Copy role: copying a role creates a new role identical to the existing one. Its name must be changed, and there is no relation between the existing role and the copied role.

Q) What is the difference between PFCG, PFCG_TIME_DEPENDENCY & PFUD ?

PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is the background job version of PFUD.
PFUD is used for mass user comparison; the difference is that if you schedule the background job daily, the mass user comparison runs automatically.

Q) What does the Profile Generator do ?

We can create, transport, copy, download and modify roles; all of these things are done from t-code PFCG.

Q) What is the main purpose of the Parameters, Groups & Personalization tabs ?

Parameters: whenever a user wants default values when executing a t-code, we can maintain parameter IDs (PIDs) with the help of ABAPers.
Groups: based on the user's roles and responsibilities, the security admin can assign the user to a particular group.
Personalization: this data is provided by SAP itself, based on the t-codes maintained in the Menu tab.

Q) What is the purpose of MiniApps in PFCG ?

Using MiniApps we can add some third-party functionality.

Q) What happens to change documents when they are transported to the production system ?

Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'before input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand.

The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.

Q) What do you know about LSMW ?

LSMW is used for creating a large number of users at a time.

Q) Difference between SU22 and SU24 ?

SU22: maintains the standard t-codes and their standard authorization objects (tables USOBX and USOBT).
SU24: here we maintain customer t-codes and their authorization objects (tables USOBX_C and USOBT_C).

Q) What is the landscape of GRC ?

The GRC landscape consists of a development and a production system.

Q) What is the difference between a Template role & a Derived role ?

Template role: it is provided by SAP itself.
Derived role: a role derived from a master role. It inherits the menu structure, t-codes and so on, but it does not inherit the organization levels; only the organization levels are maintained in the derived role itself.



SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -5

Q) What is SOD (Segregation of Duties) ?

SOD stands for segregation of duties. It is a primary internal control to prevent risk, identify a problem and take corrective action. It is achieved by ensuring that no single user has control over all phases of a business transaction.
E.g.: the staff member who creates a purchase order must not approve the same order; a different person must approve it.

Q) How do we restrict table maintenance with authorization groups, creating new authorization groups in SE54 to restrict tables via the authorization object S_TABU_DIS ?

We can restrict table access via authorization groups with the object S_TABU_DIS: first create the authorization group in SE54, then assign that authorization group in a role through the object S_TABU_DIS.

Q) How to create a new authorization object ?

1. To create the authorization object, go to transaction SU21.
2. Double-click an object class to select it.
3. Provide the name of the object and a descriptive text.
4. Add the fields that should be included in the new authorization object.
5. Click Save. The system asks for package details; select the relevant package from the drop-down list and save again.
6. The new authorization object is now created.
7. Click on Permitted activities to select the activities and save the changes.

Q) What is the difference between a Parent role and a Composite role ?

A composite role is a collection of single roles.

The parent role concept belongs to derived roles, where one role is derived from another (like inheritance): whatever changes you make to the parent role are automatically applied to the derived role as well.

Q) How can I assign the same role to 200 users ?

You can do it in PFCG: enter the role -> Change -> go to the Users tab -> paste the users -> click on User comparison -> Complete comparison -> save the role.

Alternatively, one can use the "Authorization Data" functionality in transaction SU10 to complete this task.

Q) Difference between USOBT_C and USOBX_C ?

USOBX_C defines which authorization checks are to be performed within a transaction and which are not. This table also determines which authorization checks are maintained in the Profile Generator.

USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q) What are USOBT and USOBX tables for ?
SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C.

Q) Difference between USOBT and USOBT_C ? 

USOBT is SAP delivered table where as USOBT_C is customer table. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.

Q) How do you create custom t-codes ?

Custom t-codes are created in SE93.

Q) Difference between customizing request and workbench request ?

Customizing request is client dependent. Work bench request is client independent.

Q) To transport SU24 setting which is used is it customizing or workbench request ?

For transporting SU24 changes we need to have a workbench request as it is client independent settings.

Q) What does the different color light denote in profile generator ?

There are three colors (like traffic lights) in profile generator:

Red – It means that some organizational value has not been maintained in org field in profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained)
Green – It means that all the authorization fields are maintained (values are assigned).

Q) Can a composite role be assigned to another composite role ? 

No. A composite role cannot be assigned to another composite role. Single roles are assigned to composite roles.

Q) What does the PFCG_TIME_DEPENDENCY clean up ?

The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be used for this purpose.

Q) How to prevent custom objects from getting added to the SAP_ALL profile ?

Go to table PRGN_CUST and set the parameter ADD_ALL_CUST_OBJECTS to the value N.
Regenerate the SAP_ALL profile with report RSUSR406 to have the customer objects removed from SAP_ALL. See SAP Note 410424 for more information.




SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -4

1. Tell me about your SAP career ?

Elaborate on your complete SAP experience, and be truthful with them.

2. Tell me your daily monitoring jobs and the ones you worked on most ?

As part of my daily job as an SAP Security consultant I take care of ticket monitoring and assignment within the team. I handle critical incidents and escalate them to high priority for faster resolution. I troubleshoot the different authorization issues that come up in daily work with the users.

3. Which version of SAP are you working on ? Is it a java stack or ABAP stack ?

You have to check this with your systems.

4. Tell me about derived roles ?

Derived roles restrict user access based on organizational level values. A derived role is derived from a master role and inherits all of its properties except the org level values.

5. What is the main difference between a single role and a derived role ?

Main difference: we can add or delete t-codes in a single role, but we cannot do that in a derived role.

6. Do the S_TABU_DIS org level values in a master role get reflected in the child role ?

If we adjust the derived roles from the master role while updating the values in the master role, then the values are reflected in the child roles.

7. Tell me the steps to configure CUA ?

Steps to Set Up the CUA
1. Create Administrator
2. Specify Logical systems
3. Assign logical systems to client
4. Create system users
5. Create RFC destinations
6. Create CUA
7. Set field distributor parameters
8. Synchronization of company addresses
9. Transfer Users

8. Is RAR a Java stack or ABAP stack ?

RAR is Java stack. It was ABAP when it was called Compliance Calibrator.

9. What is the report which states the critical T-codes ?

RSUSR005

10. What is the T-code to get into RAR from R/3 ?

/virsa/ZVRAT

11. Explain about SPM ?

SPM is used to maintain and monitor super user access in an SAP system. It enables super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors easily trace the critical transactions performed by the business users.

12. What is the difference between Execution and Simulation in GRC RAR ?

Simulation: simulates the user's existing access together with the additional access before the roles are assigned, and provides the SOD report as it would look after the assignment.
Execution: executes the analysis against the user's existing access and provides the SOD report for it. It has two options: ignore mitigation = yes and ignore mitigation = no.
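
As an added example (not part of this post or of the GRC product), the following Python models the SOD idea from the segregation-of-duties question in the -5 post and the Execution vs Simulation distinction above: an "execution" run reports which users already hold both sides of a conflicting pair, and a "simulation" evaluates a proposed role assignment before it is made. The role names, risk ids and the mapping of t-codes to business functions are constructed for illustration; the t-codes are real SAP ones but the mapping is an assumption.

```python
"""Added example: SOD conflict detection and a pre-assignment simulation.
All role names, risk ids and the t-code-to-function mapping below are
constructed for illustration; they are not GRC rule-set data."""

# Constructed SOD rules: two business functions that must not be combined
# in one user, plus a placeholder risk id.
SOD_RULES = [
    ("PO_CREATE", "PO_APPROVE", "RISK_P001"),
    ("VENDOR_MAINTAIN", "PAYMENT_RUN", "RISK_P002"),
]

# Constructed mapping of transaction codes to business functions
# (the t-codes are real SAP ones, the mapping is an assumption).
FUNCTION_OF_TCODE = {
    "ME21N": "PO_CREATE",
    "ME29N": "PO_APPROVE",
    "ME23N": "PO_DISPLAY",
    "XK01": "VENDOR_MAINTAIN",
    "F110": "PAYMENT_RUN",
}


def functions_of_user(roles, role_tcodes):
    """Business functions reachable through every t-code in the user's roles."""
    funcs = set()
    for role in roles:
        for tcode in role_tcodes.get(role, ()):
            function = FUNCTION_OF_TCODE.get(tcode)
            if function:
                funcs.add(function)
    return funcs


def sod_violations(user_roles, role_tcodes, rules=SOD_RULES):
    """Execution: analyse existing access. Returns {user: [risk ids]}."""
    hits = {}
    for user, roles in user_roles.items():
        funcs = functions_of_user(roles, role_tcodes)
        risks = [risk for a, b, risk in rules if a in funcs and b in funcs]
        if risks:
            hits[user] = risks
    return hits


def simulate_assignment(user, new_roles, user_roles, role_tcodes, rules=SOD_RULES):
    """Simulation: evaluate existing plus proposed roles without changing
    the real assignment, so a conflict is visible before the role is given."""
    trial = {user: list(user_roles.get(user, [])) + list(new_roles)}
    return sod_violations(trial, role_tcodes, rules).get(user, [])


# Constructed sample data.
ROLE_TCODES = {
    "Z_PURCHASER": ["ME21N", "ME23N"],
    "Z_PO_APPROVER": ["ME29N"],
    "Z_AP_CLERK": ["XK01", "F110"],
}
USER_ROLES = {
    "ALICE": ["Z_PURCHASER"],
    "BOB": ["Z_PURCHASER", "Z_PO_APPROVER"],
    "CAROL": ["Z_AP_CLERK"],
}

if __name__ == "__main__":
    print(sod_violations(USER_ROLES, ROLE_TCODES))
    print(simulate_assignment("ALICE", ["Z_PO_APPROVER"], USER_ROLES, ROLE_TCODES))
```

With the sample data, execution flags BOB (creates and approves purchase orders) and CAROL (maintains vendors and runs payments), and the simulation shows that giving ALICE the approver role would create the same conflict, while her real assignment is left untouched.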

13. Difference between the User Group in the "Logon Data" tab and the "Groups" tab in SU01 ?

With the Logon Data group you can map one user to only one group; in the Groups tab you can map one user to multiple groups.

The group shown in Logon Data identifies which group the user belongs to, while the Groups tab is used to add that user to multiple groups. For example, if I am a Basis employee, I am grouped as such in the Logon Data tab, and if I need to be added to more groups, those are added in the Groups tab.

14. A security admin kept a trace on a user, but on analysis it shows "zero records" found. What should be done ?

In general, the production system runs on multiple application servers; check through transaction SM51 whether the user and the security admin are logged on to the same application server.

Before switching on the trace, take care of the following:

1. The user should log on to the same server.
2. Go to SM04 / AL08 to check the server details for the logged-on users and confirm that both are logged on to the same server.
3. Select the appropriate trace option, e.g. authorization check, so that the trace records the authorization checks of the transactions the user runs.

15. What is the difference between SU24, SU22, and SU21 ?

SU24: Authorization check under Transaction. SU24 can access customized tables USOBX_C and USOBT_C

SU22: Authorization objects in transactions. SU22 can access standard tables USOBX and USOBT

SU21: Maintain authorization Object



December 13, 2013

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -3

Q) Where are all possible activities stored?
A) In the table TACT

Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role directly to a user. If you need to, first make a copy of the pre-defined role and then add the user to the copied role.

Q) Is a role without Auth-profile considered as complete or not?
A) No

Q) What are the types of roles?
A) Roles are of 2 types: 1) Parent role 2) Derived / Base role

Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name, so that an inheritance hierarchy is maintained and the transactions are automatically pulled into the derived role.

Q) What are the total numbers of activities?
A) As per 4.7 total number of activities=168
01 – 99 = Activities
A1 – VF = 69

Q) What is the default authorization object that is checked for any role?
A) S_TCODE
Note:
1) We cannot edit the S_TCODE object in a role; the only way to add a transaction code is in the parent role.
2) When a new role is created for the first time, if any functional transactions are added to it, we have to maintain the organization levels in a popup.
3) Red color indicates missing organizational values.
4) Yellow indicates missing field values, not organizational values.

Q) Why should we not add organizational values directly in a role without using the Org levels button?
A) Maintaining the value directly no longer changes the org level value: when we add a new value that way and generate, an empty field appears, and when the derived roles are adjusted the directly maintained authorization value is overwritten.

Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to production. If I delete a role in dev box, the same role has to be deleted in prod because these roles are finally used by the users in prod box only. Hence the deleted role needs to be transported.
   Go to PFCG select the role to be deleted. Keep the role in a transport by selecting transport role button.

Q) How do you unlock a user, or track why the user was locked?
A) Go to SU01 -> enter the user ID -> Logon data and check whether the user is locked.
   Go to SUIM -> Change documents for users -> enter the user name and execute.

Q) Where do the default values in a role come from, i.e. the activities under an authorization object?
A) Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after a transaction has been selected.

Q) How do I deactivate authorization object globally?
A) Go to SU25 select step 5 deactivate authorization globally.

Q) What is single sign-on?
  1) With single sign-on we create the credential once with a third-party tool (e.g. Keon) and later log on to SAP without entering any credentials.
  2) We can even log on through the internet using SSO.
  3) SSO is represented in the form of an SNC (Secured Network Connection) string; for the SNC string to be activated we need to configure certain DLL files at OS level.
  4) Once the DLL files are configured, go to SAP GUI, select a server, go to its properties, Network tab, tick the secure network setting and enter the SNC string.

Q) What are the steps to configure CUA?
  CUA works with RFCs. Steps to configure CUA:
  1) Create logical systems for all the clients (using BD54/SALE)
  2) Attach the logical systems to the clients using SCC4
  3) Create user CUA_SID in the central system with 3 roles, and user CUA_SID_CLIENT <number>/name in each child system with 2 roles
  4) Create RFCs from the central system to the child systems and from the child systems to the central system using SM59
  5) Log on to the central system and use SCUA to configure CUA (Central User Administration)
  6) Enter the model view and enter all child system RFCs

Q) If all the users are locked by mistake, how do we connect to the SAP system?
A) Follow these steps:
   Step 1) At OS level, connect to the Oracle DB and execute the following SQL statements:
   Select * from <Application Server name>.USR02 where bname='SAP*';
   Delete from <Application Server name>.USR02 where bname='SAP*';
   Step 2) Then log in using the SAP* user
   Step 3) Go to transaction EWZ5 or SU10 and unlock all the users.

Q) There is one derived role. If I copy this derived role, will the parent/master role be the same for the new role, and why ?

Yes. If I copy a derived role, the parent role of that derived role becomes the parent role of the new role as well, because the derived role gets all of its transactions and authorizations from the parent role only. When we copy a role, all transactions and authorizations are copied from the source role, whether that source is a parent role or a derived role.

Q) What is the organizational level ?

Organizational levels are customer-specific enterprise structures that are subject to authorization checks and vary by module. They include:
Company code
Controlling area
Plant
Purchase Order and so on....

Q) How many composite roles can be assigned to a user ?

Ideally there is no limit on the number of composite or single roles that can be assigned to a user. But keep in mind that the user buffer can hold only 312 profiles for a user, so there is no use in assigning roles that amount to more than 312 profiles. To extend a user's authorizations beyond 312 profiles, use a reference user.

SAP_ALL is said to be a good example of a composite role, so is there any limit on single roles in SAP_ALL? No, there is no limit on adding single roles to a composite role...


October 14, 2013

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -2

Q.Please explain the personalization tab within a role.
Personalization is a way to save information that could be common to the users of a role. E.g. you can create SAP queries and manage authorizations by user groups; this information can then be stored in the personalization tab of the role. (I suppose it is a way for SAP to address the ambiguity between its concepts of user group and role: is the "user group" the grouping of people sharing the same access, or is it the role that groups people sharing the same access?)

Q.Is there a table for authorizations where I can quickly see the values entered in a group of fields?  
In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization.
AGR_1251 will give you some reasonable info.

Q.How can I do a mass delete of the roles without deleting the new roles ?
There is an SAP-delivered report that you can copy, remove the system type check from, and run. To delete across a landscape, enter the roles to be deleted in a transport, run the delete program (or delete them manually), then release the transport and import it into all clients and systems.
It is called AGR_DELETE_ALL_ACTIVITY_GROUPS.
To use it you need to tweak/debug and replace the code, as it has a check that ensures it deletes SAP-delivered roles only. Once you get past that little bit, it works well.

Q.Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?
Debug or use RSUSR100 to find the information.
Run transaction SUIM and go down to its Change documents section.

Q.How to insert missing authorizations?
SU53 is the best transaction for finding the missing authorizations, and we can insert those missing authorizations through PFCG.

Q.What is the difference between a role and a profile?
Role and profile go hand in hand. The profile is brought in by a role. The role is used as a template where you can add t-codes, reports etc.; the profile is what actually gives the user authorization. When you create a role, a profile is automatically created.

Q.What are profile versions?
Profile versions: when you modify a profile parameter through RZ10 and generate, a new profile is created with a different version number and stored in the database.

Q.What is the use of role templates?
User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

Q.What is the difference between a single role & a composite role?
A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.

Q.Is it possible to change a role template? How?
Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:
- we can use them as they are delivered by SAP
- we can modify them as per our needs through PFCG
- we can create them from scratch.
For all of the above we use transaction PFCG to maintain them.



Q.What happens to change documents when they are transported to the production system?
A.Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'before input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand. The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.
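
The mechanism described in this answer (and in the identical answer in the -6 post), as an added illustration that is not part of the post: the 'before image' written to USH10 by online maintenance is what makes the difference calculation possible, and a transport import skips that step. USR10 and USH10 are modelled here as a dict and a list of before images; the profile keys and values are constructed.

```python
"""Added example: why change documents exist for online changes but not for
transported ones. USR10/USH10 are modelled as a dict and a list of before
images; the profile keys and values are constructed."""


def online_change(usr10, ush10, key, new_value):
    """Online maintenance: the old value is written to USH10 first, then USR10
    is updated, so old and new can be compared later."""
    ush10.append((key, usr10.get(key)))
    usr10[key] = new_value


def transport_import(usr10, rows):
    """Transport import: USR10 is overwritten with the imported values and no
    before image reaches USH10."""
    usr10.update(rows)


def change_documents(usr10, ush10):
    """Derive change documents as the difference between USH10 and USR10."""
    return [(key, old, usr10.get(key))
            for key, old in ush10 if old != usr10.get(key)]


# Constructed sample: one profile value changed online, one imported.
USR10 = {"T-FI01:F_BKPF_BUK:BUKRS": "1000"}
USH10 = []
online_change(USR10, USH10, "T-FI01:F_BKPF_BUK:BUKRS", "2000")
transport_import(USR10, {"T-MM01:M_BEST_WRK:WERKS": "1000"})

if __name__ == "__main__":
    print(change_documents(USR10, USH10))
```

Only the online change yields a change document; the imported value is present in USR10 but has no history entry to compare against, which is exactly why SUIM shows nothing for it in production.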

Q.What is the difference between the table buffer and the user buffer?

A.The table buffers are in the shared memory. Buffering the tables increases performance when accessing the data records contained in the table. Table buffers and table entries are ignored during startup. A user buffer is a buffer from which the data of a user master record is loaded when the user logs on. The user buffer has different setting options with regard to the 'auth/new_buffering' parameter.

Q.What does the Profile Generator do?
A.The Profile Generator creates roles. It is important that suitable user roles, and not profiles, are entered manually in transaction 'SU01'. The system should enter the profiles for this user automatically.

Q.How many authorizations fit into a profile?
A.A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this marker, the Profile Generator will automatically create more profiles for the role. A profile name consists of twelve (12) characters and the first ten (10) may be changed when generated for the first time.



January 23, 2013

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -1

Q.SAP Security T-codes
A.Frequently used security T-codes
SU01 Create/ Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis

Q.How to create users?
A.Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

Q.What is the difference between USOBX_C and USOBT_C?
A.The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C  defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q.What authorization are required to create and maintain user master records?

A.The following authorization objects are required to create and maintain user master records:
•S_USER_GRP: User Master Maintenance: Assign user groups
•S_USER_PRO: User Master Maintenance: Assign authorization profile
•S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q.List R/3 User Types
A.1.Dialog users are used for individual users. Expired/initial passwords are checked, the user can change their own password, and multiple dialog logons are checked.
2.A Service user: only user administrators can change the password. No check for expired/initial passwords. Multiple logons are permitted.
3.System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
4.A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned to every user in the Roles tab.

Q What is a derived role?

A.•Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
•The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
•Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
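
The inheritance rules above, together with the traffic-light colours and the "adjust derived roles" behaviour described in the -5 and -3 posts, as an added Python model that is not part of the post: a derived role takes menu and authorizations from its master but keeps its own org-level values, and the status of a role is red when an org-level field is empty, yellow when any other field is empty, and green otherwise. Role names and values are constructed; the authorization objects and field names are real SAP ones, and the ORG_LEVEL_FIELDS set is an assumption for this example (SAP keeps the actual list in table USORG).

```python
"""Added example: derived roles and the PFCG traffic-light status.
Role names and authorization values are constructed; the authorization
objects and field names are real SAP ones, and the ORG_LEVEL_FIELDS set
is an assumption for this example (SAP keeps the real list in table USORG)."""
from copy import deepcopy

ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "VKORG"}


def new_role(name, menu, authorizations):
    """authorizations: list of {"object": name, "fields": {field: [values]}}."""
    return {"name": name, "menu": list(menu),
            "auth": deepcopy(authorizations), "parent": None}


def derive_role(master, name, org_values):
    """The derived role inherits menu and authorizations but not org-level
    values: those must be supplied for the derived role itself."""
    child = new_role(name, master["menu"], master["auth"])
    child["parent"] = master["name"]
    for auth in child["auth"]:
        for field in auth["fields"]:
            if field in ORG_LEVEL_FIELDS:
                auth["fields"][field] = list(org_values.get(field, []))
    return child


def adjust_derived(master, child):
    """Push master changes down (what 'adjust derived roles' does); the
    child's own org-level values survive, nothing flows back to the master."""
    org_values = {f: v for a in child["auth"] for f, v in a["fields"].items()
                  if f in ORG_LEVEL_FIELDS}
    return derive_role(master, child["name"], org_values)


def traffic_light(role):
    """red: an org-level field is empty; yellow: another field is empty;
    green: every field has a value."""
    empty_org = empty_other = False
    for auth in role["auth"]:
        for field, values in auth["fields"].items():
            if not values:
                if field in ORG_LEVEL_FIELDS:
                    empty_org = True
                else:
                    empty_other = True
    return "red" if empty_org else "yellow" if empty_other else "green"


# Constructed sample roles: the master has no plant value, the child does.
MASTER = new_role("Z_M_PUR", ["ME21N"], [
    {"object": "M_BEST_WRK", "fields": {"ACTVT": ["01"], "WERKS": []}},
])
CHILD = derive_role(MASTER, "Z_D_PUR_1000", {"WERKS": ["1000"]})

if __name__ == "__main__":
    print(traffic_light(MASTER), traffic_light(CHILD))   # red green
```

Adding an authorization to the master does not change the child until adjust_derived is run, and after the adjustment the child keeps its plant value while picking up the new object, which is the behaviour the derived-role questions describe.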

Q.What is a composite role?

A.•A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
•Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
•Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
•The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

Q.What does user compare do?
A.If you are also using the role to generate authorization profiles, note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY.

Q.How do I change the name of master / parent role keeping the name of derived/child role same? I would like to keep the name of   derived /child role same and also the profile associated with the child roles.
A.First copy the master role using PFCG to a role with new name you wish to have. Then you have to generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put new inheritance. You can put the name of the new master role you created. This will help you keep the same derived role name and also the same profile name. Once the new roles are done you can transport it. The transport automatically includes the Parent roles.

Q.What is the difference between C (Check) and U (Unmaintained)?

A.Background:
When defining authorizations using Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a Check Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.
•CM (Check/Maintain)
-An authority check is carried out against this object.
-The PG creates an authorization for this object and field values are displayed for changing.
-Default values for this authorization can be maintained.
•C (Check)
-An authority check is carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
•N (No check)
-The authority check against this object is disabled.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
•U (Unmaintained)
-No check indicator is set.
-An authority check is always carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
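
The effect of the four check indicators on the Profile Generator, and the USOBX_C/USOBT_C split described in the -5 post and the SU24 questions, as an added Python model that is not part of the post: only CM entries produce a proposed authorization filled with USOBT_C defaults, C and U objects are still checked at runtime but get no proposal, and N switches the runtime check off. The table rows, the transaction ZPO_MAINT and its object assignments are constructed; the object and field names are real SAP ones but their use here is an assumption.

```python
"""Added example: how SU24 check indicators (USOBX_C) and default values
(USOBT_C) steer the Profile Generator. The table rows, the transaction
ZPO_MAINT and its object assignments are constructed; the object and field
names are real SAP ones but their use here is an assumption."""

# Constructed USOBX_C-style rows: (transaction, object, check indicator).
USOBX_C = [
    ("ZPO_MAINT", "M_BEST_BSA", "CM"),   # check and maintain: PG proposes it
    ("ZPO_MAINT", "M_BEST_EKO", "C"),    # checked at runtime, not proposed
    ("ZPO_MAINT", "F_BKPF_BUK", "N"),    # runtime check switched off
    ("ZPO_MAINT", "S_DATASET", "U"),     # no indicator maintained
]

# Constructed USOBT_C-style rows: (transaction, object, field, low, high).
USOBT_C = [
    ("ZPO_MAINT", "M_BEST_BSA", "ACTVT", "01", ""),
    ("ZPO_MAINT", "M_BEST_BSA", "ACTVT", "03", ""),
    ("ZPO_MAINT", "M_BEST_BSA", "BSART", "NB", ""),
    ("ZPO_MAINT", "M_BEST_EKO", "ACTVT", "01", ""),  # ignored: indicator is C
]


def check_indicator(tcode, obj, usobx=USOBX_C):
    """Indicator for a transaction/object pair; U when no row is maintained."""
    for t, o, indicator in usobx:
        if t == tcode and o == obj:
            return indicator
    return "U"


def runtime_check_active(tcode, obj, usobx=USOBX_C):
    """Only N disables the AUTHORITY-CHECK; CM, C and U are all still checked."""
    return check_indicator(tcode, obj, usobx) != "N"


def proposed_authorizations(tcodes, usobx=USOBX_C, usobt=USOBT_C):
    """Authorizations the PG proposes for a role menu: CM objects only,
    filled with their USOBT_C defaults as {object: {field: set(values)}}."""
    proposals = {}
    for t, o, indicator in usobx:
        if t in tcodes and indicator == "CM":
            proposals.setdefault(o, {})
    for t, o, field, low, high in usobt:
        if t in tcodes and o in proposals:
            value = low if not high else f"{low}-{high}"
            proposals[o].setdefault(field, set()).add(value)
    return proposals


def objects_without_proposal(tcodes, usobx=USOBX_C):
    """Objects still checked at runtime that get no proposal: these are the
    ones a role builder must add by hand, or fix in SU24 so the PG proposes them."""
    return sorted({o for t, o, ind in usobx
                   if t in tcodes and ind in ("C", "U")})


if __name__ == "__main__":
    print(proposed_authorizations(["ZPO_MAINT"]))
    print(objects_without_proposal(["ZPO_MAINT"]))
```

The second function is the practical reason SU24 maintenance matters: every C or U object that a transaction really checks shows up later as a missing authorization in SU53 unless somebody adds it manually or sets the indicator to CM.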

Q.What does user compare do?
A.Comparing the user master: This is basically updating profile information into user master record. So that users are allowed to execute the transactions contained in the menu tree of their roles, their user master record must contain the profile for the corresponding roles.
You can start the user compare process from within the Profile Generator (User tab and User compare pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into the user master record. Never enter generated profiles directly into the user master record (using transaction SU01, for example)! During the automatic user compare process (with report pfcg_time_dependency, for example), generated profiles are removed from the user masters if they do not belong to the roles that are assigned to the user.
If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. You are recommended to schedule the background job pfcg_time_dependency in such cases
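
The comparison described above, as an added Python model that is not part of the post: it resolves composite roles to single roles (the -1 post's composite-role answer), turns each single role into ceil(n/150) generated profiles (the 150-authorization limit from the -2 post), enters the profiles of roles that are valid today into the user master, removes stale generated profiles, and checks the 312-profile user buffer limit from the -3 post. Role names, authorization counts, validity dates and the profile naming scheme are constructed assumptions.

```python
"""Added example: what a user comparison does with generated profiles,
plus the two size limits the posts mention (150 authorizations per
profile, 312 profiles in the user buffer). Role names, authorization
counts and the profile naming scheme are constructed assumptions."""
from datetime import date

MAX_AUTHS_PER_PROFILE = 150          # limit stated in the post
MAX_PROFILES_IN_USER_BUFFER = 312    # limit stated in the post


def expand_to_single_roles(assigned, composite_roles):
    """Resolve composite roles to their single roles; nesting is rejected."""
    singles = []
    for role in assigned:
        for single in composite_roles.get(role, [role]):
            if single in composite_roles:
                raise ValueError(f"composite role {single} nested in {role}")
            if single not in singles:
                singles.append(single)
    return singles


def generated_profiles(role, auth_count):
    """The PG splits a role into ceil(auth_count / 150) profiles, at least one.
    The '<role>_PROF<nn>' naming is a placeholder, not SAP's naming scheme."""
    count = max(1, -(-auth_count // MAX_AUTHS_PER_PROFILE))
    return [f"{role}_PROF{i:02d}" for i in range(count)]


def user_compare(current_profiles, assignments, composite_roles, auth_counts, today):
    """Return (profiles, added, removed) after a comparison on `today`.
    assignments: (role, valid_from, valid_to). current_profiles are assumed
    to be generated ones, so those of roles no longer valid are removed."""
    valid_roles = [r for r, start, end in assignments if start <= today <= end]
    expected = set()
    for single in expand_to_single_roles(valid_roles, composite_roles):
        expected.update(generated_profiles(single, auth_counts.get(single, 0)))
    current = set(current_profiles)
    return expected, expected - current, current - expected


def within_buffer_limit(profiles):
    """False when more than 312 profiles would have to be loaded at logon."""
    return len(profiles) <= MAX_PROFILES_IN_USER_BUFFER


# Constructed sample data.
COMPOSITE = {"Z_C_FIN": ["Z_S_AP", "Z_S_GL"]}
AUTH_COUNTS = {"Z_S_AP": 10, "Z_S_GL": 301, "Z_S_MM": 150}
TODAY = date(2016, 6, 1)
ASSIGNMENTS = [
    ("Z_C_FIN", date(2016, 1, 1), date(9999, 12, 31)),
    ("Z_S_MM", date(2016, 1, 1), date(2016, 5, 31)),   # expired before TODAY
]
CURRENT = {"Z_S_AP_PROF00", "Z_S_MM_PROF00"}

if __name__ == "__main__":
    print(user_compare(CURRENT, ASSIGNMENTS, COMPOSITE, AUTH_COUNTS, TODAY))
```

With the sample data the comparison adds the three profiles of the 301-authorization role Z_S_GL, keeps Z_S_AP's single profile and removes the profile of Z_S_MM, whose validity ended the day before; that removal is the part a scheduled PFCG_TIME_DEPENDENCY run performs at the end of a validity period.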

Q.Can wildcards be used in authorizations?
A.Authorization values may contain wildcards; however, the system ignores everything after the wildcard. Therefore, A*B is the same as A*.
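
The wildcard rule above, as an added Python model that is not part of the post: everything after the first '*' is dropped, so 'A*B' behaves exactly like 'A*', a trailing '*' matches any continuation, and a value without '*' must match exactly. The value lists are constructed; ME21N and ME29N are real t-codes. The last helper goes a step beyond the post and flags values whose fixed prefix is very short, which is the usual review finding when 'A*B' turns out to grant 'A*'.

```python
"""Added example: wildcard semantics of authorization field values.
The value lists below are constructed; ME21N and ME29N are real t-codes."""


def normalize(value):
    """Everything after the first '*' is ignored, so 'A*B' is stored as 'A*'."""
    star = value.find("*")
    return value if star < 0 else value[:star + 1]


def value_matches(auth_value, requested):
    """True when the requested value is covered by one authorization value."""
    pattern = normalize(auth_value)
    if pattern.endswith("*"):
        return requested.startswith(pattern[:-1])
    return requested == pattern


def authorization_grants(auth_values, requested):
    """An authorization grants the request if any of its values matches."""
    return any(value_matches(v, requested) for v in auth_values)


def broad_values(auth_values, min_prefix=2):
    """Review helper: values whose fixed prefix before '*' is shorter than
    min_prefix grant far more than they look like (e.g. '*' or 'Z*')."""
    return [v for v in auth_values
            if normalize(v).endswith("*") and len(normalize(v)) - 1 < min_prefix]


if __name__ == "__main__":
    print(normalize("A*B"))                                   # A*
    print(authorization_grants(["ME21N", "ME2*"], "ME29N"))   # True
    print(broad_values(["*", "Z*", "ZFI_*", "ME21N"]))        # ['*', 'Z*']
```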

Q.What does the PFCG_TIME_DEPENDENCY clean up?
A.The 'PFCG_TIME_DEPENDENCY' background report only cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, you may use transaction 'PFUD'.

Q.Authorization object needed for PFCG access
A.S_USER_AGR
ACT_GROUP = * (you can restrict by role if a proper naming convention is used)
ACTVT = 01, 02, 03, 64 (other activity values listed below)
01  Create or Generate
02  Change
03  Display
06  Delete
08  Display change documents
21  Transport
22  Enter, Include, Assign
36  Extended maintenance
59  Distribute
64  Generate
68  Model
78  Assign
79  Assign Role to Composite Role
DL  Download
UL  Upload

S_USER_GRP
CLASS =
ACTVT = 22, 03
Other activity values:
01  Create or Generate
02  Change
03  Display
05  Lock
06  Delete
08  Display change documents
22  Enter, Include, Assign
24  Archive
68  Model
78  Assign

S_USER_TCD
TCD = * (transactions in the role)

S_USER_PRO
PROFILE = *
ACTVT = 01, 06
Other activity values:
01  Create or Generate
02  Change
03  Display
06  Delete
07  Activate, generate
08  Display change documents
22  Enter, Include, Assign
24  Archive

S_TCODE
TCD = PFCG