SAP Security Interview Questions

SAP security can be a potentially lucrative career path for individuals with the right skills. As organizations increasingly rely on SAP systems for their critical data operations, the need for robust security measures becomes paramount. This blog gives you insights into the types of SAP Security interview questions that you may encounter for SAP security-related positions. Preparing them will help you to crack the SAP security interview easily.


If you're looking for SAP Security Interview Questions and Answers 2024 for Experienced & Freshers, you are at the right place. Here Mindmajix presents a list of 60+ interview questions on SAP Security. There are a lot of opportunities from many reputed companies in the world.

According to research, SAP Security has a market share of about 0.8%. So, you still have the opportunity to move ahead in your career in SAP Security. Mindmajix offers Advanced SAP Security Interview Questions 2024 that help you in cracking your interview and acquiring a dream career as an SAP Security Developer.

Top 10 SAP Security Interview Questions And Answers

  1. What is SAP security?
  2. What does one mean by roles as far as SAP security is concerned?
  3. What are the differences between a single role and a derived role?
  4. Within SAP security, what is SOD?
  5. Explain what is user buffer?
  6. What is the role of users compare in SAP security?
  7. Explain the derived role?
  8. What are the derived roles in SAP?
  9. List out SAP security T-codes
  10. What are the different types of users within the SAP system?

Best SAP Security Interview Questions

1. Distinguish between the functions of USOBX_C and USOBT_C?

  • USOBX_C: This table gives information about which particular authorization checks need to be executed inside the transaction and which do not. It also looks at the checks that are present in the profile generator.
  • USOBT_C: This table gives information regarding the authorization proposal data, that is, the authorization data that is useful for transactions. It also looks at the default values that need to be present in the profile generator.

2. What is SAP security?

The main role of SAP security is to give business users the right access according to their responsibility and the authority that they hold. Permission is supposed to be given as per their roles in the organization or department.

3. What does one mean by roles as far as SAP security is concerned?

Roles are nothing but transactional codes, which are generally found in groups. These codes are given to carry out a specific business assignment. All these t-codes or roles require some specific privileges to implement any function as far as SAP security is concerned, and these special privileges are known as authorizations.


4. Elaborate on how all users can be locked at the same time in SAP security?

It is possible to lock every user at the same time in SAP security. One has to use the transactional code EWZ5 for doing this particular task.

5. Comment on the necessary steps that need to be taken prior to assigning a task for users even when approval is given from the authorities or the authorized controllers.

There are certain steps that need to be taken prior to handing over or giving SAP_all to any of the users. These steps are necessary even when the assignment has the approval of someone in a position of authority. These prerequisites include the following.

  • The first is to enable the audit log. This can be done using the transactional code SM19.
  • The second step is to retrieve the audit log. This can be done by using the transactional code SM20.

6. Elaborate on the meaning of authorization object class and the meaning of authorization object. 

It is very essential to understand the meaning of the authorization object and that of the authorization object class. The authorization object is nothing but the groups of the field of authorization which looks after the function of a specific activity. Authorization is related to a specific action only whereas the field of authorization looks after the security administrators.

It helps in the configuration of the particular values in any action which is required. As far as authorization object class is concerned it is an umbrella term under which authorization object is taken into consideration. These are put into groups by some departments which include accounting, HR, finance, and some more. 

7. How can one delete numerous roles from Production Systems, DEV, and QA?

There are certain steps that make it possible to delete numerous roles from the above-mentioned systems. These steps are as follows:

  1. Firstly one needs to put the roles that are supposed to be deleted in transport. 
  2. Secondly, delete the said roles from there. 
  3. Thirdly one has to send transport across the production and QA. 
  4. This way one can delete numerous roles. 

8. Explain the steps that need to be taken before one has to execute the Run system trace. 

There are a few things that need to be done before one executes the Run system trace. If one is going to trace the CPIC or the user ID, then prior to executing the Run system trace one has to make sure that the said ID is given either SAP_new or SAP_all.

This has to be done because this ensures that one is able to execute the work without any kind of checking failure by authorization. 

9. What is the highest amount of profiles and the highest amount of objects in the roles?

Three hundred and twelve is the highest number of profiles that a role can have, and one hundred and seventy is the highest number of objects that a role can have.

10. Mention the transactional code for separating the execution from the transaction and locking any transaction.

The transactional code which is used to lock the transaction from the execution is SM01. 

11. What are the differences between a single role and a derived role?

The main difference is that of dealing with the transactional codes. When one deals with a single role then the transactional codes can be added or deleted easily. But if one is dealing with a derived role then a person is not able to add or delete any transactional code. This is the most important difference that one needs to know about a single role and derived role. 

12. Within SAP security, what is SOD?

  • SOD stands for Segregation of Duties. 
  • SOD is implemented in SAP to detect and prevent fraud during business transactions.

13. If one has to go through the summary of the Profile and Authorization Object then what transactional code needs to be used?

  • If one has to go through the summary of a profile and an authorization object, then two different transactional codes are to be used.
  • For the summary of any authorization object, one has to use the transactional code SU03. If one needs the summary of profile details, then one has to use the transactional code SU02.

14. Explain what is user buffer?

Whenever a user logs into the SAP R/3 system, a user buffer is built where it has all the authorizations associated with the user. So basically, each user will have their user buffer. 

For example:

  • If Krishna is a user and tries to log on to the system, then the buffer would have all the authorization information under USER_KRISHNA_ROLE.
  • On the other hand, the user would fail to log on to the system under the below scenarios:
      • For the user, authorization information doesn't exist in the user buffer.
      • The user buffer has many entries and is flooded with authorization information. In this case, the number of entries can be restricted or limited by using a profile parameter called "auth/auth_number_in_userbuffer".

15. What parameter is used in the user buffer for controlling the excess of entries?

The user buffer looks at the entries and has to control them so that they do not exceed the limit. The parameter which is used is the following: auth/auth_number_in_userbuffer.

16. What is the number of transactional codes that can be given to a particular role?

A role can have as many as fourteen thousand transactional codes.

17. In order to stock the illegal passwords what table is usually used?

In order to stock or accumulate the illegal password a table called USR40 is usually used. This particular table stores various patterns and arrangements of words that cannot be implemented while making any password. 

18. What is known by PFCG Time dependency?

The PFCG time dependency is nothing but a report which is normally used for comparison of the user master. The PFCG Time dependency also makes sure to wipe away any profiles from the main record which seem to have expired and are of no use. There is also a transactional code that can be employed in order to execute this particular action. The transactional code which is used to do this is PFUD. 

19. What is the role of users compare in SAP security?

The role of user comparison in SAP security is that it helps in the comparison of the master records of the user. This helps in entering the authorization profile which is produced into the master records.

20. What are the different types of tabs that are present in the PFCG?

There are a lot of important and essential tabs that are present in the PFCG. The following tabs are included in the PFCG. 

  1. The first is the description tab. This tab is essential for describing any changes that are made, such as the details related to a role, any additions or removals of transactional codes, any changes in the authorization object, and many more.
  2. The second is the menu tab. It is essential for designing the user menu, such as the addition of any transactional codes.
  3. The third is the authorization tab. This tab is used for the maintenance of the authorization profile and authorization data.
  4. The fourth is the user tab. This tab is used for any adjustment in the main user record and for assigning the users to any roles.

21. What is the T-code that is used to delete all the old security audit logs?

SM18 is the transactional code that is used to delete all the old security audit logs.

22. Which program or report one must use to regenerate the profile of SAP?

If one has to regenerate the profile of sap all then one has to use the following report or program:


23. If one wants to display the text of a transactional code then which table will be used?

If a person wants to display the text of the transactional code then the TSTCT table will be used. 

24. If a user buffer needs to be displayed then what transactional code will be used?

If a user buffer needs to be displayed then the following transactional code will be used: SU56.

25. Which table of the SAP can be used for determining single roles that are given for a certain role?

If one has to know the single roles the table which is used is AGR_AGRS. 

26. If one has to see the number of filters in the SM19 which is the Security audit log then which parameter is used?

The parameter which is used for deciding on the number of filters is as follows; rsau/no_of_filters. 

27. Explain the derived role?

The derived role is an already present role. This role receives functions and menu structure which is present in the role referenced. This function of inheriting by the roles is only possible when no type of transactional code is assigned prior. The roles at the highest level will pass on the authorizations as a default to derived roles and this can be changed later on.

Certain levels are not passed to the derived roles and they need to be created newly this includes the organizational definitions as well as assignments of the user. Derived roles are well-designed and have a fixed functionality which means it has the same menus and transactions. But the characteristics are different as far as the level of organization is concerned. 

28. Explain the working of a composite role?

  • On the other hand, a composite level role is like a big container that can collect numerous varied roles. These types of roles do not have any data about authorization. In case of any changes in the authorization since composite roles represent it, data needs to be maintained regarding every role of every composite role.
  • The creation of the composite roles is only useful when some of the employees in the organization require authorization from various roles. So, in that case, the composite role can be set and the user can be assigned to that group. This is time-saving rather than separately assigning every user to each different role.
  • When a user is assigned to one composite role, then during comparison they are spontaneously assigned to other elementary roles. 

29. Which transactional codes are most commonly used in SAP security?

The transactional codes which are most commonly used in SAP security are SU53 for authorization of analysis, ST01 for trace, SUIM for the reports, SU01D for the display user, SU10 for bulk changes, PFCG to maintain roles, and SU01 for the creation or changing the user.

30. What are role templates?

The role templates are nothing but the activity clusters which are predetermined. These clusters or groups consist of reports, web addresses, and transactions.

31. Explain the process of creating a user group in the SAP system?

The following are the steps that are involved in terms of creating a user group in the SAP system. 

  • Use the T-code SUGR, execute it
  • Provide a name for the user group in the text box. 
  • After providing the name for the user group, click on create button
  • Now, key in the description and click on the Save button.
  • This completes the user group created in the SAP system.

32. How do you check the transport requests created by other users?

By using the SE10 t-code we can find the transport requests created by other users.

33. How do you find user-defined, security parameters for system default values?

By using t-code RSPFPAR we can find user-defined and system default security parameters.

34. What is the process to assign a logical system to a client?

The logical system can be assigned to a client by using a specific T-code, i.e. SCC4. This needs to be done with utmost care because it might alter other configurations like CUA (if it is configured).

35. Why do we use t-code SU25?

If you want to copy data from tables USOBT and USOBX to tables USOBT_C and USOBX_C, then you can use t-code SU25.

36. Why do we use the ST01 t-code?

ST01 t-code is used to trace the user authorizations.

37. What are the derived roles in SAP?

  • Derived roles are defined by other existing roles called master roles. 
  • Derived roles inherit features from a master role like functions, menu structure, transactions, reports, weblinks, etc.

38. Why do we use t-code SU56?

T-code SU56 is used to display the current user buffer with the authorizations that are assigned in the user master record.

39. How do you lock multiple users at a time in SAP?

We can lock multiple users using the SU01 t-code. Go to SU01 t-code and enter user names to be locked.

40. Which T-code do you use to create authorization groups?

We can create authorization groups in SAP using SE54 T-code.

41. What is the maximum number of roles that can be assigned to a user?

In SAP, the maximum number of roles that can be assigned is 312.

42. What are the different layers of Security in SAP?

SAP supports multiple layers of security, they are:

  1. Authentication
  2. Authorization
  3. Integrity
  4. Privacy
  5. Obligation

43. How can you get the user list in SAP?

We can get the user list by using SM04/AL08 transaction code.

44. How do you check background jobs?

Using the SM37 transaction code we can check the background jobs.

45. Which transaction code is used to manage lock entries?

Transaction code SM12 is used to manage lock entries.

46. Explain what is the difference between a role and a profile?

To be honest, there is not much difference between a role and a profile; they go hand in hand. A Role is nothing but a combination of authorizations and combinations. This information is stored in the form of Profiles. At any given point in time, there can be more than one profile associated with a role. By creating a role, a profile is automatically generated.

47. Explain what do you mean by "Profile Versions"?

If any parameter is modified within a profile, an updated version of the same profile is automatically created. The process is repeated whenever a modification is made within a profile. All of these profiles are saved into the database with a naming convention. The stored files of the same profile are considered Profile versions.

48. What is the main difference between a single role and a composite role?

A role is nothing but a container that has or collects the information related to transactions and generates the necessary profile. On the other hand, a composite role is also a container that has information about different roles. 

49. List out SAP security T-codes?

The following is a list of frequently used SAP security T-codes:

| SAP T-code | Description |
|---|---|
| PFCG | This T-code is used for maintaining roles. |
| SU10 | This T-code is used for handling users. |
| SU01 | This T-code is used for creating the user or changing the user. |
| ST01 | This T-code is used for tracing the system. |
| SU53 | This T-code is used for analyzing authorization. |

50. Explain how a password rule can be enforced?

The process is very straightforward. If password rules need to be enforced then the user has to use a profile parameter for the same. If this parameter is used then the password rules will be applied automatically.

51. Explain how to check the table logs and what are the T-codes to be used for the same?

To check whether the table logs are available, one first has to check whether the logging function is activated for the particular table. This can be done by using T-code SE13. If the table is enabled for logging then the table logs can be seen using T-code SCU3.

52. Can you please let me know the highest permitted number of profiles in a role and the highest permitted number of objects in a role?

  • The highest permitted number of profiles in a role is 312.
  • The highest permitted number of objects in a role is 150.

53. Do you know Transaction-code to lock the transaction execution?

The Transaction-code that is used for locking the transaction execution is SM01.

54. Can you please let us know how many transaction codes can be assigned to a particular role?

We can assign at least 14000 transactions to a particular role.

55. What is the process to check the transport requests created by another user?

Using T-code SE10 will provide an option to enter the user name. After providing the user name information, we will have the ability to check the transport requests that were created by other sets of users.

56. Explain what is the use of SU25 T-code?

The main use of the SU25 T-code is: the data is copied from one set of tables to another set of tables. The data is copied from USOBT and USOBX to USOBT_C and USOBX_C.

57. What is the use of the authorization object S_TABU_LIN?

Generally, the authorization object is to provide access to all the tables on the row level. 

58. What is a T-code in SAP?

A T-code is nothing but a transaction code. It is used for running a program in an SAP application.

59. What are the user types for background jobs?

User types for background jobs are:

  • System user
  • Communication user

60. What is the transaction code that is used to troubleshoot the problem for a background user?

The transaction code that is used to troubleshoot the problem for a background user is ST01.

61. What are the different types of users within the SAP system?

Below are the different types of users that are within the SAP system. 

  1. Dialog user
  2. Service user
  3. System user
  4. Communication user
  5. Reference user


Last updated: 02 Jan 2024
About Author

Ravindra Savaram is a Technical Lead at His passion lies in writing articles on the most popular IT platforms including Machine learning, DevOps, Data Science, Artificial Intelligence, RPA, Deep Learning, and so on. You can stay up to date on all these technologies by following him on LinkedIn and Twitter.
