SAP Security Interview Questions

  • (4.0)
  • | 8971 Ratings

SAP Security Interview Questions

If you're looking for SAP Security Interview Questions for Experienced & Freshers, you are at right place. There are lot of opportunities from many reputed companies in the world. According to research SAP Security has a market share of about 0.8%. So, You still have opportunity to move ahead in your career in SAP Security. Mindmajix offers advanced SAP Security Interview Questions  2019 that helps you in cracking your interview & acquire dream career as SAP Security Developer.

Q. Role Naming Procedures
I am trying to determine the best role naming procedures.  We are doing a security set-up redesign and would like to use “Generally Accepted Security Role Naming Practices.”  We are a global company with decentralized SAP set-up with SAP instances for each region.
A:  The intent of developing a naming convention for SAP access is to facilitate long-term maintenance of Security, enhance auditing features, and improve the periodic review of access.  The following is a proposal for the naming convention guidelines for Roles, Profiles and Authorizations. Note: Composite Role naming conventions are not covered as they are NOT recommended for use.
Naming Conventions: Roles ‘Z’ or ‘Y’ is not needed as part of the naming convention.  SAP Security is Master Data, not configuration or repository object and therefore does not need the standard development name space.  The ‘:’ is the customer designation.
Role name template:  xxxx;yyyy_Describe_org.
Designate xxxx as major company division, (i.e, Jones, Inc., Parts, etc.).  : is the Customer Role designation;
yyyy is the Functional area in SAP such as Financial Accounts Payable (FIAP) or Materials Management Warehouse Maintenance (MMWM).
Under Describe give brief description of Role, i.e., INVOICE_PROCESSOR; Org is any major organizational designations such as plant, sales org or warehouse.
Example:  J:FIAP_INVOICE_PROCESSOR is Jones, Inc. Financial Accounts Payable Invoice Processor for the company.
Jones, Inc. is the company, so there is no need to use the _org designation.  If this role did ALL or cross company, then a designation would be needed.
Note:  If you set the configuration for Session Manager to sort the roles for display, they sort in alphabetical order by technical name.  Your generic System roles (Printing, RFC, GUI control, SU56, SU53, SU3, SMX) should sort to the bottom; yyyy should be Cross Application, or XA.

Q. Display Only SM59
SM59 text mentions it can be used for Display/Maintain RFC Connections, how can you make this transaction code display only?
A:  SM59 is for Display AND Change.  There is no display only version.  Sorry, it can’t be done.

Q. APO Authorizations
Regarding APO authorizations, can you limit to display only in the product master using transaction code /SAPAPO/MAT1?
A:  For the /SAPAPO/MAT1, make sure you have only 03 on C_APO_PROD.

Q. Tcode /SAPAPO/SDP94
In the planning book screen, certain buttons are missing when using tcode /SAPAPO/SDP94.  Neither the “Selection Window” nor the “Display Dependant Objects” buttons are visible.
A:  Maintain C_APO_FUN to have C_SELCTION, C_SELE and C_SELORG on field APO_FUNC and the name of the planning area on APO_PAREA to make sure /SAPAPO/SDP94 is fully functional and viewable.

Q. Comparing user assignments
How do you compare two user’s role assignments?  (i.e., What roles is user FOO missing to have exactly the same roles as user BAR?)
A:  In tcode SUIM there is a report to compare users/ roles and selected output.
The best way to make user BAR have the same access as user FOO is to have one role with the access and assign it to each of them once in tcode SU01.  Ensure that this is the only role they have.
If this becomes too complicated, use a program to read in the AGR_USERS tables for two users, and lay out the role assignments side by side showing where the role assignment gaps are.

Q. Table names
What is the table name which houses the full list of activities? (01 change, 02, 03 display, etc…)?
A:  The table is TACT.  Possible activities for one authorized object is: TACTZ.
The list of additional activities is extensive.  Go to the profile generator/authorizations screen, pick up any autho object and get to the selection screen for possible activities. Right click and you will see “More values – F7” for a complete list of activities.
Note: May not work for all “activity” fields.  In the field for F_REGU_BUK, for example, the values are kept are in a pull-down menu in the transaction F110.

Q. Cost center field in SU01
What is the purpose of the cost center field in the SU01 user master record?
A:  It is most likely used to allocate costs of system usage to cost centers. Some use it for internal reporting. It is accessible in some of the ALV reports in SUIM.

Q. Security report scheduling
Are there any periodic security reports that need to be scheduled to monitor during maintenance?
A:  Try running user compare – RHAUTUPD_NEW
Other valuable reports:
USTxx Sync to USRxxx (custom program)
RHPROFL0 (for security by position)
Lock/delete inactive users (custom program)
Delete orphaned authorizations/profile (custom program)
Delete orphaned address info.
Critical User monitoring report and notification (custom program)

Q. Querying restricted roles
Is it possible to query all roles that have a particular Organizational Level Restriction? (e.g. Company Code, Plant, Division, etc.?)
A:  You can get all the roles that have an authorization for a particular object that contain a company code or plant or other authorization value. Those reports are in transaction SUIM.

Q. Accidental deletions
Users in our system were deleted when they shouldn’t have been.  To determine how this happened, can I retrace the function or is it logged on a table?
A:  Debug or use RSUSR100 to find the information.

Q. Accidental deletions 2
While working in development server, my session was deleted by another user.  Is there a way to find the user that deleted it, the system number and the related data?
A:  Try using TX STAT (or STAD, depends on release) and look for someone who has used TX SM04.
With that, you can kill the session.  If more than one user has used the same tcode at the given time, SM21 has the entry logged for it.
You can find who ran SM04 and delete that user’s session.

Q. Conflicting combinations
How do you find the typical conflicting combinations of authorization objects in HR, like conflicting tcodes, infotypes and clusters?
A:  If you are looking for conflicts within HR, there aren’t many.  Some companies use security measures to limit payroll information, update disciplinary actions, promotion potential and medical to specific individuals.  It is not done with tcodes, but with limited Info types.
SAP HR is written as a central set of tcodes with access limited by data.
The main tcodes are PA40, PA30 and PA20, HR org management is the PA10, PA03, PA13 or the POME and “run Payroll”.
Concentrate on the Info types not necessarily the tcodes not objects as they all use P_ORGIN (or what you configure). The only anomaly is P_ABAP which can override P_ORGIN.

Q. The Parameters tab
What is the “Parameters” tab in the SU01 user maintenance screen for?
A:  The “Parameters” tab allows users to pre-set entries in order to fill field values in tcodes without having to re-key.  Also used for “Set Preferences.”

Q. Org Level Tables
Is there a comprehensive list of all the Org Level Tables?
A:  Try table AUTHX via SE16.
If it is not loaded or incomplete, use the underlying source structures in SE11, including structures: AUTHA, AUTHB, AUTHC and a few others (search on AUTH*).  Look for the Check table or value tables.  Note:  If AUTHX is not loaded, there is a report to load it.

Q. Setting values in authorization objects
When setting values in an auth obj, is there a way to exclude a specific value without compromising the access of the others?
Example: I’m trying to restrict S_TABU_DIS to allow certain people to see all the auth groups except SS.  If someone creates an auth group in the system, we want the people with this role to see the added group without us going back into the role and adding the value via pfcg.
A:  Set the values to be included – 00 to SR and ST to ZZ, this would exclude SS.

Q. Authorization reports
How are authorization reports generated?  The reports should include activity by object and be accessible to all users with access.
A:  Run SUSR_SYNC_USER_TABLES and then try tcode SUIM/report RSUSR002. Enter your object in Object 1 and press enter.  Follow the prompts.

Q. Movement types
How do you restrict users on Movement types and certain storage locations in transaction MB1B?  The only object displayed in SU24 for MB1B, with a combination of Movement type and Storage location, is M_MSEG_LGO.  How do we enable the system to check this object in MB1B?  Or, how can we restrict users on a combination of Storage location and Movement type in transaction MB1B?
A:  Storage location must be configured to check authorization on each storage location.  SAP does not do this by default so there is no ST01 trace of it until you configure it. This is done in the IMG (tcode SPRO).
If you get the help documentation of M_MSEG_LGO (using SU21), there is a link with the correct customizing tcode which turn on/off the authority check on it (under material management-stocks).
This works only for good movements, not for display stocks content.

Q. Login/disable_multi_gui_login
Will activating parameter login/disable_multi_gui_login affect workflow?
A:  No, the key is the GUI in the parameter.  Workflow does not initiate a GUI logon but a logon in the “background” or via RFC to a non-GUI display session.

Q. Expert mode
What is the Expert mode in Profile generation? What are the options for its use?
A: Expert mode merges existing authorizations with new auths as they are added to the role. The auths display tells you which authorization objects have been added or changed. This is a time-saver in that it clearly lists changes and what to maintain.
Note: Always work in Expert mode.

Q. Accessing authorization objects
Is there a table where I can access the name of a particular Authorization Object? Possibly a SUIM report?
A: Start with SU24; it will give the objects/transactions in pfcg use.
After SU24 there are tables USOBT_C and USOBX_C.
SU25, Step 1 is mandatory to initialize these tables. Note: Read Help carefully before executing SU25, Step 1.

Q. Display transaction code in PFCG?
How do you display the transaction code in the Menu folder using PFCG?
A: With and existing role, the transactions may be entered straight into the S_TCODE auth object, not the menu.
If the subfolder “Menu” in PFCG displays the list of transactions with only text appearing and not transaction codes, the option needs to be changed.

Q. How to create the user group in SAP system?
1. User group can be created by performing the below steps:
2. Execute the t-code SUGR
3. Enter the name of user group to be created in the textbox
4. Click on the create the button
5. Enter the description and click on save button

Q. How to find the Transport requests containing the specific role?
The list of Transport requests containing the specific role can be retrieved by performing below steps:
1. Execute the t-code SE03
2. Double click on option “Search for Objects in requests/Tasks” under node “Objects in Requests” in left panel of screen. This will take us to new screen.
3. In object selection screen, enter the field value as ACGR and check the checkbox present at left side.
4. Enter the role name for which we need the list of transport request.
5. In screen “Request/Task Selection” screen (below section of the same screen), check the status of the requests which we need in the list
6. Click on execute button

Q. How to check the transport requests created by other user?
The t-code SE10 provide the option to enter the user name. By using this facility, we can search the transport requests created by other users.

Q. How to generate the list of roles having authorization objects with status as “maintained”?
This list can be generated by using the table AGR_1251 as below:
Execute the t-code SE16
Enter the table name as AGR_1251 and hit enter button
Enter the field value as “G” in field “Object Status” and click on execute
The same table can be used to generate the list of roles with authorization objects having status modified and manual with field values M and U respectively.

Q. How to find the email ids if given a list of users (say 100)?
The list of email ids for given users can be generated by performing the below steps:
1. Execute the t-code SE16
2. Enter the table name as USR21.
3. Upload the list of users using multiple selection option and execute. This will give us the list of users and their respective person numbers
4. Extract this data to excel sheet
5. Now, go back to SE16 and enter table name ADR6
6. Upload the list of person number extracted from table USR21 and execute
7. Now, table ADR6 will give us the list of person numbers and their email ids.
8. Download the list in excel and perform V-look up in excel to map the email ids of users with their SAP IDs

Q. How to find user defined, system default values for security parameters?
The values for parameters can be checked by using the t-code RSPFPAR. After executing the t-code, given the parameter name and click on execute.

Q. How to assign the logical system to client?
Logical system can be assigned to client by using the t-code SCC4. We need to be very careful while doing this change as it can affect the CUA (if configured).

Q. Which entities are not distributed while distributing the authorization data from master role to derived roles?
During the distribution of authorization data from master role to derived roles, Organizational values and user assignment are not distributed. The Org. values and user assignments are specific to individual roles hence has no bearing on master-derived role relationship.

Explore SAP Security Sample Resumes! Download & Edit, Get Noticed by Top Employers!Download Now!

Q. How to assign the multiple roles to more than 20 users in one shot in t-code SU10?
To perform this mass role assignment, we need to follow below steps in SU10:
1. In SU10 home screen, click on the button “Authorization Data”
2. This will take to the new screen similar to screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for users needed to be changed in SU10 and execute the same
3. Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users
4. Now, click on select all button in SU10 home screen and then click on change button.
5. Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code

Q. What is the use of SU25 t-code?
The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of system upgrade so that the values in customer tables are updated accordingly.

Q. What is the use of authorization object S_TABU_LIN?
This authorization object is used to provide the access to tables on row level.

Q. What are the authorization groups and how to create them?
Authorization groups are the units comprising of tables for common functional area. Generally, each table is assigned to a authorization group due to this reason we need to mention the value of authorization group while restricting the access to table in authorization object S_TABU_DIS.
The authorization group can be created by using the t-code SE54. The assignment of tables to authorization group can be checked by using table TDDAT.

Q. What is SOX (Sarbanes Oxley)?
Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance and restore investor confidence. Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
The Sarbanes-Oxley Act is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years”. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Organizations should be able to guarantee the integrity of some of their operations like PTP or OTC which can have quiet a significant impact on the way the financial statements are projected if not controlled.
Organizations today are thereby moving in direction of automating their softwares for SOX compliance. A key factor towards achieving SOX compliance is to seperate the duties amongst individuals to such an extent that no one person has the authorization to fulfill a complete cycle say procurement or sales.

Q. How to create a query in SAP R/3 system?
1. The query can be created and executed using the t-code SQVI:
2. Execute the t-code SQVI.
3. Enter the name of query to be created and click on create button.
4. Enter the Title and comments for query and select the data source such as table or table join.
5. Select the preferred view as Basis Mode or Layout Mode and click on continue button.
6. Above step will take us to the new screen, add the respective table on which we need to create a query.
7. If Data source is selected as table join, select the respective tables as needed and joining fields.
8. Save and come to main screen. Here, you need to select the fields to be displayed in output and their sequence.
9. The query can be created and executed using the t-code SQVI.

Q. What is the use of ST01? What are the return codes of t-code ST01
Transaction code ST01 is used to trace the user authorizations. This can be useful if we need to check which all the authorizations have been checked in background when any t-code is being executed by the business user.
0 – Authorization check passed
1 – No Authorization
2 – Too many parameters for authorization check
3 – Object not contained in user buffer
4 – No profile contained in user buffer
6 – Authorization check incorrect
7,8,9 – Invalid user buffer

Q. Please explain the personalization tab within a role?
Personalization is a way to save information that could be common to users, I meant to a user role…  E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role.  (I supposed that it is a way for SAP to address his ambiguity of its concept of user group and roles: is “usergroup” a grouping of people sharing the same access or is it the role who is the grouping of people sharing the same access).

Q. Is there a table for authorizations where I can quickly see the values entered in a group of fields?
In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles, without having to drill down on each profile and authorization. AGR_1251 will give you some reasonable info.

Q. How can I do a mass delete of the roles without deleting the new roles ?
There is a SAP delivered report that you can copy, remove the system type check and run. To do a landscape with delete, enter the roles to be deleted in a transport, run the delete program or manually delete and then release the transport and import them into all clients and systems.
It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS. To used it, you need to tweak/debug & replace the code as it has a check that ensure it is deleting SAP delivered roles only. Once you get past that little bit, it works well.

Q. Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?
1. Debug or use RSUSR100 to find the info’s.
2. Run transaction SUIM and down its Change documents.

Q. How to insert missing authorization?
su53 is the best transaction with which we can find the missing authorizations.and we can insert those missing authorization through pfcg.

Q. What is the difference between role and a profile?
Role and profile go hand in hand. Profile is bought in by a role. Role is used as a template,  where you can add T-codes, reports..Profile is one which gives the user authorization.  When you create a role, a profile is automatically created.

Q. What profile versions?
Profile versions are nothing but when u modifies a profile parameter through a RZ10 and generates a new profile is created with a different version and it is stored in the database.

Q. What is the use of role templates?
User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

Q. What is the different between single role & composite role?
A role is a container that collects the transaction and generates the associated profile.  A composite roles is a container which can collect several different roles

Q. Is it possible to change role template? How?
Yes, we can change a user role template.  There are exactly three ways in which we can work with user role templates
1. – we can use it as they are delivered in sap
2. – we can modify them as per our needs through pfcg
3. – we can create them from scratch.
For all the above specified we have to use pfcg transaction to maintain them.

Q. SAP Security T-codes?
Frequently used security T-codes
1. SU01 Create/ Change User SU01 Create/ Change User
2. PFCG Maintain Roles
3. SU10 Mass Changes
4. SU01D Display User
5. SUIM Reports
6. ST01 Trace
7. SU53 Authorization analysis

Q. How to create users?
Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Click here for turotial on creating sap user id.

Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ). This table also determines which authorization checks are maintained in the Profile Generator.  The table USOBT_C  defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q. What authorization are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
1. S_USER_GRP: User Master Maintenance: Assign user groups
2. S_USER_PRO: User Master Maintenance: Assign authorization profile
3. S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. List R/3 User Types
1. Dialog users are used for individual user. Check for expired/initial passwords Possible to change your own password. Check for multiple dialog logon
2. A Service user – Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted
3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
4. A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

Q. What is a derived role?
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
1. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
2. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Q. What is a composite role?
A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
1. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
2. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
3. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

Q. What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on.

Q. What is the difference between C (Check) and U (Unmentioned)?
Background: When defining authorizations using Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a Check Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.
CM (Check/Maintain):
-An authority check is carried out against this object.
-The PG creates an authorization for this object and field values are displayed for changing.
-Default values for this authorization can be maintained.
C (Check):
-An authority check is carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
N (No check):
-The authority check against this object is disabled.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
U (Unmaintained):
-No check indicator is set.
-An authority check is always carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.

Ravindra Savaram
About The Author

Ravindra Savaram is a Content Lead at His passion lies in writing articles on the most popular IT platforms including Machine learning, DevOps, Data Science, Artificial Intelligence, RPA, Deep Learning, and so on. You can stay up to date on all these technologies by following him on LinkedIn and Twitter. Protection Status