35+ Tricky SAP Security Interview Questions with SMART ANSWERS

Last updated on 04th Jul 2020, Blog, Interview Questions

SAP security encompasses the strategies and practices aimed at safeguarding SAP (Systems, Applications, and Products in Data Processing) software and systems, which are integral to the operations of many organizations. With SAP being a comprehensive enterprise resource planning (ERP) solution, encompassing various core business functions, including financials, human resources, and supply chain management, securing SAP is of utmost importance. It involves implementing access controls, such as user roles, authorizations, and profiles, to manage and restrict user privileges, ensuring that only authorized individuals can access specific data and perform particular actions within the system.

1. Describe SAP security.

Ans:

The primary function of SAP security is to grant users appropriate access to the business based on their level of authority and responsibility. Permission should also be granted based on a person’s role within any department or organisation.

2. What is the role of users compare in SAP security?

Ans:

The role of user comparison in sap security is that it helps in comparison of the master records of the user. This helps in entering an authorized profile which is produced into main records.

3. How does all users can be locked at a same time at SAP security?

Ans:

It is possible to lock each user at a same time at SAP security. One has to implement the transactional code EWZ5 for doing this particular task.

4. What necessary steps that need to be taken assigning a task for users?

Ans:

There are certain steps that need to be taken prior to be handing over or giving SAP_all to any of users. These steps are necessary even when it has approval of someone in position of authority. These pre-requisite includes following:

• The first is to enable a log of the audit. This can be done using the transactional code of sm 19.
• The second step is to retrieve a log of the audit. This can be done by using the transactional code of sm 20.

5. Elaborate authorization object class and meaning of authorization object.

Ans:

It is essential to understand the meaning of an authorization object and that of authorization object class. The authorization object is nothing but groups of the field of authorization which looks after function of a specific activity. Authorization is related to the specific action only whereas a field of authorization looks after security administrators. It helps in configuration of the particular values in any action which is required.

6. How does removing multiple roles from Production Systems, DEV, and QA work??

Ans:

There are certain steps that make it possible to delete the numerous roles from above-mentioned systems. These steps are as follows:

• Firstly one needs to put roles that are supposed to be deleted in a transport.
• Secondly, delete said roles from there.
• Thirdly one has to send a transport across the production and QA.
• This way one can delete the numerous roles.

7. Explain the steps that need to be taken before one has to execute a Run system trace.

Ans:

There are few things that need to be done before one needs to execute a Run system trace. If one is going to trace CPIC or the user id then prior to executing a Run system then one has to make sure that said ID is given to someone that is SAP_new or SAP_all. This must be done because it ensures that a work can be executed without any kind of checking failure by an authorization.

8. What does highest amount of profiles and highest amount of objects in the roles?

Ans:

The maximum number of profile that a role can have is 312. The role has the ability to possess the maximum of 170 units of the object.

9. What are the different types of SAP Security?

Ans:

There are two main types of a SAP Security:

SAP Basis Security: Involves the securing the SAP infrastructure and system administration tasks.

SAP Authorization Security: Involves the defining roles, authorizations, and permissions for SAP users.

10. What does differences between a single role and a derived role?

Ans:

The primary distinction is how transactional codes are handled. Transactional codes are easily added or removed when dealing with a single role. However, one cannot add or remove any transactional code when working with derived roles. The most crucial distinction between a single role and a derived role is this.

11. In SAP security, what does SOD?

Ans:

• SOD stands for a Segregation of Duties.
• SOD is implemented in the SAP to detect and prevent a fraud during business transactions.

12. Explain buffer.

Ans:

A buffer typically refers to a memory area or storage location used to temporarily hold sensitive data or credentials, such as passwords and cryptographic keys. This buffer is employed as a protective mechanism to prevent unauthorized access to these critical security-related pieces of information.

13. What parameter is used in user buffer?

Ans:

The user buffer looks at entries and it has to control the entries because they should not exceed. The parameter which is used is following, auth/auth_number_in_userbuffer.

14. What does number of transactional codes that can be given to particular role?

Ans:

A role can have the transactional code of as many as a fourteen thousand. The number of transaction codes that can be assigned to particular role is not fixed or limited by the specific number. Instead, it depends on version of SAP are using and the configuration settings in the SAP system.

15. In order to stock the illegal passwords what does table is usually used?

Ans:

In order to stock or accumulate illegal password a table called USR40 is usually used. This particular table stores the various patterns and arrangements of words that cannot be implemented while making the any password.

16. What is PFCG Time dependency?

Ans:

The PFCG time dependency is nothing more than a report that is typically used for user master comparison. The PFCG Time dependency also ensures that any profiles from the main record that appear to have expired and are no longer useful are removed. There is transactional code that can be used to carry out this specific action. The transactional code used to perform PFUD.

17. What are the different types of tabs that are present in PFCG?

Ans:

• The first is the description tab. This tab is critical for describing any changes made, such as details pertaining to any role.
• The second is a menu tabs. It is essential to design user menu such as the addition of the any transactional codes.
• The third is authorization tabs. This tab is used for maintenance of the authorization profile and authorization data.
• The third is user. This tab is used to make changes to the main user record and to assign users to roles.

18. What roles as far as SAP security is concerned?

Ans:

Roles are simply transactional codes that are commonly found in groups. These codes are used to extract a specific business assignment. As far as SAP security is concerned, all of these t-codes or roles require some specific privileges to implement any function. And these special rights are referred to as authorizations.

19. What T-code is used to delete all old security audit logs?

Ans:

Transaction code used to delete the old security audit logs is SM19. Here’s how can use SM19 to manage a security audit logs:

Go to Transaction SM19: Enter the transaction code SM19 in SAP command field and press Enter.

Select a Logs: In SM19 transaction, can select the specific logs want to delete based on various criteria like time period, users, events, etc.

Delete the Logs: After selecting an appropriate logs, can delete them using options available in the SM19 transaction.

20. Which program or report one must use to regenerate profile of SAP?

Ans:

If one has to regenerate a profile of sap all then one has to use following report or program: AGR_REGENERATE_SAP_ALL

21. Why does use t-code SU25?

Ans:

Use t-code SU25 if data needs to be copied from USBOT and USBOX to tables USOBT_C and USOBX_C. Company-Code-Dependent Settings are initialised in SAP using transaction code SU25. Setting up company code-specific settings in the SAP system is a crucial step to take either after the initial SAP installation or after an upgrade.

22. If user buffer needs to be displayed then what does transactional code will be used?

Ans:

Transaction SU56 allows to display the user buffer content. It is particularly useful for a SAP administrators and security personnel to review an authorization data stored in user buffer for a specific user. The user buffer stores the authorization data for user after successful logon and during user’s session.

23. Explain derived role.

Ans:

• The derived role is an existing role. This role inherits the functions and menu structure of the role referenced.
• This function of role inheritance is only available when no type of transactional code has been assigned previously.
• The highest-level roles will pass authorizations to derived roles by default, but this can be changed later.

24. Which table of SAP can be used for determining a single roles?

Ans:

If one has to know a single roles the table which is used is as AGR_AGRS. The table stores information about which single roles are assigned to the composite roles is AGR_1251.

This table is used to determine individual roles included in the composite role. It provides mapping between the composite roles and the single roles contain.

25. Which parameter is used if one needs to see how many filters are used in SM19?

Ans:

The parameter which is used for a deciding on the number of filters is follows-rsau/no_of_filters. SM19, can view the security audit log and apply the various filters to narrow down results. To check the number of filters applied, can use the “Number of Filters” parameter, which allows to see how many filters are currently active in a security audit log display.

26. Explain working of a composite role.

Ans:

A composite level role is similar to a large container that can hold a variety of roles. There is no authorization data for these types of roles. If an authorization changes because composite roles represent it, data must be maintained for each role of each composite role. The creation of a composite roles is only useful when some of employees in the organization require authorization from the various roles.

27. Which transactional codes are most commonly used in a SAP security?

Ans:

The most commonly used transactional codes in SAP security are SU53 for analysis authorization, ST01 for trace, SUIM for reports, SU01D for display user, SU10 for bulk changes, PFCG for role maintenance, and SU01 for user creation or change.

28. What is meant by role templates?

Ans:

The role templates are nothing but an activity clusters which are predetermined. These clusters or a groups consist of reports, web addresses, and transactions.

29. Explain the process of creating a user group in SAP system.

Ans:

The following are steps that are involved in terms of creating the user group in SAP system:

• Use T-code SUGR, execute it.
• Provide the name for the user group in text box.
• After providing a name for the user group, click on a create button.
• Key in the description and click on Save button.
• This completes the user group created in SAP system.

30. How does check the transport requests created by the other users?

Ans:

To check the transport requests created by the other users using transaction SE03 (Transport Organizer Tools). Here’s how can do it:

• Go to the Transaction SE03.
• Select “Display Requests”, Enter a Search Criteria.
• Execute Search.
• Review a Transport Requests.

31. What is SAP Security Auditing, and why is it important?

Ans:

SAP Security Auditing involves the monitoring and reviewing SAP system activities and configurations to ensure the compliance, detect security breaches, and prevent unauthorized access. It is crucial for maintaining the system integrity and data confidentiality.

32. What is the process to assign logical system to a client?

Ans:

The logical system, SCC4, can be assigned to the client using a specific T-code. This must be done with extreme caution because it may affect other configurations such as the CUA (if it is configured).

33. Mention the transactional code for separating execution from transaction and locking any transaction.

Ans:

The transaction code for separating an execution from transaction and locking any transaction is BAPI_TRANSACTION_COMMIT. This BAPI (Business Application Programming Interface) function module allows to separate the execution of transaction from the transaction itself and control locking behavior.

34. How does one monitor user activities in SAP?

Ans:

User activities in SAP can be monitored using the tools like SAP Solution Manager, SAP Audit Information System (AIS), and Security Information and Event Management (SIEM) systems. Transaction codes are ST03N and STAD can also be used to track the user activities.

35. Why does use t-code SU56?

Ans:

T-code SU56 is used to display a current user buffer which authorization is assigned in user master record. Transaction code SU56 in SAP is used for a User Buffer Display. It allows to view the content of the user buffer for specific user. The user buffer in SAP contains authorization data for the user after a successful logon and during the user’s session.

36. How does Handle Emergency User Access in SAP?

Ans:

Emergency user access is typically granted temporarily for an urgent issues and should be logged, monitored, and regularly reviewed to be ensure compliance and security.

37. Which T-code does use to create authorization groups?

In SAP, transaction code “SUGR” is used to create and manage the authorization groups. Using this transaction, can create, modify, or delete authorization groups. Authorization groups are used to group together related to the objects, making it easier to manage authorizations for the users and roles within the SAP system.

38. What does maximum number of roles that can be assigned to user?

Ans:

User activities in SAP can be monitored using the tools like SAP Solution Manager, SAP Audit Information System (AIS), and Security Information and Event Management (SIEM) systems. Transaction codes are ST03N and STAD can also be used to track the user activities.

39. What are the different layers of Security in SAP?

Ans:

SAP supports the multiple layers of security, they are:

• Authentication
• Authorization
• Integrity
• Privacy
• Obligation

40. How does check background jobs?

Ans:

Using the SM37 transaction code can check the background jobs. Transaction SM37N provides the enhanced version of the job monitoring tool (SM37). It offers the additional features and an improved the user interface for managing a background jobs.

41. How does one get the user list in SAP?

Ans:

In SAP, can obtain the list of users through the various methods. Here are the few common ways to get the user list:

• Using Transaction SUIM
• Using Transaction SU01
• Using SAP Queries
• Using SAP Reports
• Using SAP Tables

42. What does Steps for SAP System Hardening?

Ans:

System hardening involves the securing the SAP system by applying patches, configuring a firewalls, disabling unnecessary services, and implementing the strong password policies.

43. what is the difference between a role and a profile?

Ans:

There is no much difference between the role and a profile, go hand in hand. A Role is nothing but the combination of authorizations and combinations. This information is stored in a form of Profiles. At any given point in time, it can be more than a one profile associated with the role. By creating role, a profile is automatically generated.

44. Explain “Profile Versions”.

Ans:

If any parameter in the profile is changed, an updated version of the same profile is created automatically. The process is repeated whenever a change is made to a profile. These profiles are all saved into a database using a naming convention. Profile versions are the saved files from the same profile.

45. What is the main difference between a single role and a composite role?

Ans:

	Aspect	Single Role	Composite Role
Purpose	Specific function or task	Combines multiple functions or tasks
Complexity	Simple and focused	More complex and encompassing
Authorization	Limited scope and permissions	Broader scope with comprehensive permissions
User Assignment	Assigned directly to users	Assigned to users or other roles for hierarchy

46. Explain password rule can be enforced.

Ans:

The procedure is easier to understand. The user must set a profile parameter for password rules enforcement if they are necessary. When this parameter is used, automatic application of password rules takes place.

47. Explain check the table logs and what does T-codes to be used for.

Ans:

To check whether a table logs are available, firstly one has to check whether logging function is activatable or not for particular table. This can be done by using the Tcode SE13. If table is enabled for logging then table legs can be seen using the T-code SCU3.

48. What does highest permitted number of profiles and objects in role?

Ans:

• The highest permitted number of a profiles in role is 312.
• The highest permitted number of the objects in role is 150.

49. What does Risks of Inadequate SAP Security?

Ans:

An Inadequate security can lead to be unauthorized data access, data breaches, financial loss, and damage to the organization’s reputation.

50. How many transaction codes can be assigned to particular role?

Ans:

There isn’t a fixed or specific limit to the number of transaction codes that can be assigned to the particular role. The number of transaction codes that can be assigned to role largely depends on a SAP version you are using and specific configuration of the SAP system.

51. What does process to check the transport checks created by another user?

Ans:

When using T-code SE10, you will be prompted to enter a user name. After providing user name information, and will be able to check transport requests created by other groups of users.

52. What is the use of authorization object S_TABU_LIN?

Ans:

Generally, authorization object is to provide access to all tables on row level. SAP authorization object S_TABU_LIN is used to control the access to table rows based on the specified key fields. This authorization object is particularly powerful and flexible as it allows to define the access permissions at a row level within a specific database tables.

53. Explain SU25 T-code.

Ans:

The main use of SU25 T-code is: the data is copied from a one set of tables to the another set of tables. The data is copied from the USOBT and USOBX to USOBT_C and USOBX_C.

54. What does T-code in SAP?

Ans:

Transaction code (T-code) is a shortcut used to access the specific task or transaction in SAP ERP system. Instead of navigating through a menu path, users can enter a relevant T-code in the command field to directly access desired functionality. T-codes simplify user experience and increase efficiency by allowing the users to quickly execute a commonly used tasks.

55. What user types are used for background jobs?

Ans:

User types for a background jobs are:

• System user
• Communication user

56. What transaction code is used to troubleshoot a problem for a background user?

Ans:

In SAP, to troubleshoot problems for a background user, you can use the transaction code “SM66.” The SM66 transaction provides you with an overview of the currently active background processes and allows you to monitor and analyze their status, performance, and resource utilization. This can be helpful in identifying issues or errors related to background jobs and processes, as well as taking corrective actions as needed.

57. What are the different types of users within the SAP system?

Ans:

The different types of users that are within SAP system:

• Dialog user
• Service user
• System user
• Communication user
• Reference user

58. What does User buffer mean?

Ans:

An SAP system automatically creates the user buffer when user signs on. This buffer includes all the authorizations for that user. Every user has their own buffer, which they can display using T-code SU56. The tool is only for monitoring the purposes, and no further action can be taken. The following profile parameter controls number of entries in user buffer: “Auth/auth_number_in_userbuffer”.

59. Which T-codes can be used to display the user buffers, and delete old security audit logs?

Ans:

To display user buffers in SAP, use transaction code “SU56.” This transaction helps you check and manage user-specific data caches for performance optimization.

For deleting old security audit logs, use transaction code “SM20.” While SM20 is primarily for viewing security audit logs, you can configure it to automatically delete older logs as well, ensuring your system’s security records are efficiently maintained.

60. What process exists for deleting multiple roles from QA, DEV, and Production systems?

Ans:

In order to delete the multiple roles from QA, DEV, and Production systems, and must follow the steps below:

• Put roles to be removed in the transport (in development).
• Delete roles.
• Push transport to QA and production departments.

61. Explain PFCG_Time_Dependency.

Ans:

The PFCG_TIME_DEPENDENCY report is Executable ABAP (Advanced Business Application Programming) Report within the SAP system. PFCG_TIME_DEPENDENCY is a report used for a comparing user masters. In addition, it deletes or removes an expired profiles from user master record. This report can also be directly executed using PFUD T-code.

62. How can I check table logs?

Ans:

First, verify whether logging is enabled for table with t-code SE13. If enabled, table logs can be viewed using SCU3 t-code.

63. How does one remove multiple roles in Dev, QA, and production system?

Ans:

Following are some of the steps to delete the multiple roles in Dev, QA, and Production systems:

• First, need to put the roles that are to be deleted in a transport. Now delete a roles to be deleted.
• Finally, it is necessary to send a transport through the production and quality assurance.

64. What is SOD?

Ans:

SOD stands for Segregation of Duties. It is used to identify and prevent errors and fraud in business transactions. For example, if a user/employee has access to the bank account details and payment cycle, they may be able to divert payments from suppliers to their own account.

65. What distinguishes USOBX_C from USOBT_C?

Ans:

USOBX_C: It specifies which authorization controls are appropriate to implement during the transaction and which are not.

USOBT_C: This table contains a data relating to the proposed authorization that contains an appropriate authorization information for transaction.

66. What are the various tabs available in PFCG?

Ans:

Description: It is used to describe the changes made as role details, adding or removing the t-codes, authorization objects, etc.

Menu: This is used to create a user menus, such as adding t-codes.

Authorization: It is used to maintain an authorization data as well as authorization profiles.

User: This is used to adjust the user master records and to assign the roles to the users.

67. How does one create a user group within SAP?

Ans:

Below are the steps for creating the user group within a SAP system:

• Use the T-code SUGR and run it.
• Enter a user group’s name in given text box.
• Once have provided the name of user group, click on the create button.
• Then type description and select a Save button.
• As a result, user group created in a SAP system is completed.

68. What does the Personalization Tab in a role?

Ans:

Personalization is one method of storing information that users can share. Create SAP Queries, for example, and control authorizations based on user groups. This information will be saved in the role’s personalization tab.

69. What are user lock values?

Ans:

• 00 indicates not locked.
• 32 indicates Locked by the CUA central administrator.
• 64 indicates Locked by system administrator.
• 128 indicates Locked following the connection failure.

70. How does one impose password rules in SAP security?

Ans:

Using the profile parameter, and can impose the password rules in SAP Security. Use the profile parameters in transaction RZ10 to define a password rules such as minimum length, complexity requirements (uppercase letters, lowercase letters, digits, special characters), and expiration intervals.

71. What transactional codes are frequently used in SAP security?

Ans:

• SU53 to authorize analysis.
• ST01 to trace.
• SUIM to reports.
• SU01D to display user.
• SU10 to the bulk changes.
• PFCG for maintaining a roles.
• SU01 to create or change the User.

72. How can insert a missing authorization into SAP?

Ans:

The SU53 transaction code assists User in locating the missing authorization, and PFCG transaction assists the User in inserting the code into profile.

73. How does one remove all the audit logs of old security in SAP security?

Ans:

The T-code SM18 is useful for removing old security audit logs in SAP Security. In SAP, removing the old audit logs and security-related data should be performed carefully and in compliance with the legal, regulatory, and organizational policies.

74. Which T-code is used in the SAP to get user list?

Ans:

• There isn’t a single transaction code that provides the comprehensive list of all users.
• The method to retrieve the user list can vary based on specific requirements and the level of detail need.
• Utilize the t-code SM04/AL08 to get the user list.

75. Which transaction code will use for creating Authorization Groups in SAP Security?

Ans:

SAP Security, can create Authorization Groups using the transaction code SE54. This transaction allows to create and manage authorization groups in SAP. Authorization groups are used to group together related objects for a security administration purposes, making it simpler to manage authorizations for users and roles within a SAP system.

76. Name the T-code to find the Transport requests.

Ans:

Using the t-code SE10, can easily find the transport requests in the SAP Security. And will get the option to enter a user name, allowing us to find requests for transport made by the other users.

77. What is the use of T-code ST01?

Ans:

• Transaction code ST01 is used for a SAP Trace, which is a tool used for tracing and analyzing the activities within the SAP system.
• SAP Trace provides a detailed information about executed transactions, function modules, SQL statements, and more.
• It’s often used for the performance analysis, troubleshooting, and auditing purposes.

78. Name the SAP table used to identify a specific single roles assigned to each.

Ans:

The table that contains an information about the assignment of specific single roles to the users is AGR_USERS. The AGR_USERS table stores a data related to role assignments for users in SAP system, mapping user IDs (UNAME) to role names (AGR_NAME). This table helps in managing relationship between individual users and roles they are assigned to.

79. Explain use of authorization objects S_TABU_LIN.

Ans:

The authorization object S_TABU_LIN is used to control a the ccess to specific table entries (rows) based on a specified key fields. This authorization object allows for a fine-grained control over data access within the SAP tables, ensuring that users can only access or modify a specific rows of data based on authorizations.

80. What does Profile Generator do?

Ans:

Roles are created by the Profile Generator. The transaction ‘SU01’ requires that appropriate user roles—not profiles—be manually entered. The user’s profiles ought to be automatically entered by the system.

81. What distinguishes the user buffer from the table buffer?

Ans:

The table buffers are in shared memory. Buffering the tables increases performance when accessing a data records contained in table. Table buffers and table entries are ignored during the startup.

A user buffer is the buffer from which the data of user master record is loaded when user logs on. Several configuration options for the user buffer are available with respect to ‘auth/new_buffering’ parameter.

82. How many authorizations fit into the profile?

Ans:

The profile can hold a maximum of 150 authorizations. More profiles for the role will be automatically created by Profile Generator if the number of authorizations surpasses this marker. Upon first generation, the first ten (10) characters of a profile name can be changed out of a total of twelve (12) characters.

83. Mention the important steps before assigning Sap_all to the users.

Ans:

Even if an authorities approve, the following will be necessary steps to take:

• To authorize audit log- we use t-code SM19.
• To recover audit log- we use t-code SM20.

84. How to Schedule and administering Background jobs?

Ans:

You can use the tcodes sm36 and sm37 to schedule and manage background jobs. Managing background processes that operate in the background without requiring user input is part of scheduling and managing jobs in SAP.

85. Explain SAP Security in Regulatory Compliance.

Ans:

SAP security is essential for an ensuring compliance with the regulations like GDPR, Sarbanes-Oxley, and industry-specific standards by a controlling access and protecting a sensitive data.

86. How do I assign logical system to client?

Ans:

A Logical system can be assigned to the client by using the t-code SCC4. You need to be very careful while doing this change as it can affect CUA (if configured).

87. What happens to documents when transported to the production system?

Ans:

A Change documents cannot be displayed in the transaction ‘SUIM’ after they are transported to production system because do not have the ‘befor input’ method for a transport. This indicates that whenever modifications are made, the old values are written to the ‘USH10’ table first and the current values are added to the ‘USR10’ table. The difference between both the tables is then calculated and value for the change documents is determined as a result.

88. Why use the authorization object S_TABU_LIN in SAP Security?

Ans:

In SAP Security, the authorization object S_TABU_LIN is used to control access to specific table entries (rows) based on key fields. This authorization object is particularly useful because it allows access permissions to be defined at the row level within specific database tables.

89. Explain Restricting Access to Sensitive Data in SAP.

Ans:

By establishing authorization checks, encrypting or masking data, and using SAP’s field-level security, it is possible to limit access to sensitive information.

90. Name the SAP table used to identify a specific single roles assigned to each.

Ans:

• The table that contains an information about the assignment of specific single roles to the users is AGR_USERS.
• The AGR_USERS table stores a data related to role assignments for users in SAP system, mapping user IDs (UNAME) to role names (AGR_NAME).
• This table helps in managing relationship between individual users and roles they are assigned to.