1. What is a composite profile?
Composite profiles are sets of two or more authorization profiles, both simple and composite. A composite profile can contain an unlimited number of profiles. Composite profiles are suitable for users who have MULTIPLE responsibilities or job tasks in the system. These profiles are sometimes known as reference profiles, used for assigning a larger group of access privileges and for better matching users who have several responsibilities.
Example: SAP_ALL
2. What is an authorization?
An authorization provides permission to access certain transactions, reports or data. For each user activity or transaction, an authorization check is performed to see whether the required authorizations have been assigned to the user. Authorizations limit access to transactions and objects in the R/3 system. An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
3. What is a profile?
A profile is a set of authorizations, entered in user master records, that gives access to certain transactions, reports or data.
4. What is the Profile Generator?
The Profile Generator allows authorization administrators to automatically generate and assign authorization profiles. Released with 3.1G, this tool accelerates R/3 implementation by simplifying the task of setting up the authorization environment. The administrator needs only to configure customer-specific settings. The Profile Generator is a new approach to defining the authorization environment: the administrator no longer uses authorization objects to define authorizations for the various user groups.
5. What is security? Why is it needed? Explain.
This unit focuses on the R/3 user within the R/3 System. However, it is important for the R/3 System administrator to control access to both the operating system (OS) where the R/3 Systems reside and the database (DB). External user IDs exist at both the OS and DB levels that can be used to disrupt normal operation of the R/3 System.
Access to the R/3 System is controlled at the client level. Each R/3 user must have a user master record in the client in which that user will work. In R/3, authorizations are used to restrict access to programs and data.
6. How can you modify or add authorizations (after getting the user
Ans: by using SU24 (possible through expert mode only) or manually at the authorizations screen. If you use SU24 and modify the required authorization object, the authorization status is shown as "Standard". If you make the modification manually, by choosing the "Manually" button at the authorizations screen and adding or modifying the required authorization object in the role or profile, the status is shown as "Manual". After that you need to regenerate the profile and the role too.
file:///G|/basis%20security.txt (1 of 5)11/21/2006 11:26:33 PM
7. What is an authorization object?
An object class is a logical grouping of authorization objects that share a similar purpose or business area. For example, object class Basis: Administration contains authorization objects that control access to Basis transactions.
The authorization object is the template from which the authorization is created. It is used in the ABAP code for authorization checks. Each object has up to 10 fields that are checked using AND logic before access is granted to the desired transaction.
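The composite-profile expansion from question 1 and the AND logic across an object's fields from question 7, as an added example that is not part of these notes: a small Python model of the check. The object and field names (S_TCODE/TCD, F_BKPF_BUK/BUKRS/ACTVT) are real SAP ones; the profiles and their values are constructed sample data.

```python
# Added example (not from the original notes): models the SAP authorization
# check described above. A composite profile is flattened into its simple
# profiles; each authorization carries field values for one object; the fields
# of an object are ANDed, and access is granted if any single authorization
# satisfies all requested fields (values never combine across authorizations).
from typing import Dict, List, Optional, Set

# Constructed sample data: Z_FI_COMP bundles a display profile (any company
# code, activity 03) and a posting profile (company code 1000 only).
PROFILES: Dict[str, dict] = {
    "Z_FI_COMP": {"composite": ["Z_FI_DISP", "Z_FI_POST"]},
    "Z_FI_DISP": {"auths": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB03", "FK03"}}},
        {"object": "F_BKPF_BUK", "fields": {"BUKRS": {"*"}, "ACTVT": {"03"}}},
    ]},
    "Z_FI_POST": {"auths": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB01"}}},
        {"object": "F_BKPF_BUK", "fields": {"BUKRS": {"1000"}, "ACTVT": {"01", "02"}}},
    ]},
}

def flatten(profile: str, seen: Optional[Set[str]] = None) -> List[dict]:
    """Expand composites (any nesting depth); each profile is visited once."""
    seen = set() if seen is None else seen
    if profile in seen:            # also guards against a self-referencing composite
        return []
    seen.add(profile)
    entry = PROFILES[profile]
    if "composite" in entry:
        return [a for p in entry["composite"] for a in flatten(p, seen)]
    return list(entry["auths"])

def field_matches(allowed: Set[str], value: str) -> bool:
    """SAP field semantics: '*' is a full wildcard, 'AB*' a prefix wildcard."""
    return any(a == "*" or a == value or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)

def authority_check(profile: str, obj: str, **fields: str) -> bool:
    """AND across the fields of one object; OR across the user's authorizations."""
    for auth in flatten(profile):
        if auth["object"] != obj:
            continue
        if all(field_matches(auth["fields"].get(f, set()), v) for f, v in fields.items()):
            return True
    return False
```

Note that BUKRS='*' from the display authorization does not combine with ACTVT='01' from the posting authorization: posting in company code 2000 is refused.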
8. What are the authorization statuses on the screen while you are generating profiles?
Ans: Standard, Maintained, Changed, Manually, Old, New.
9. While generating roles, the user tab shows different colored symbols. What are they? Explain.
Ans: green, yellow and red.
Green: all authorizations have been maintained
Yellow: some authorizations must still be maintained
Red: organizational levels must be maintained
An activity group may contain one to many (1:n) profiles, depending on the transactions selected from the company menu. If more than 150 authorizations are required for the transactions selected, multiple profiles are generated.
RSUSR003 Checks for default passwords on user IDs SAP* and DDIC
RSUSR005 Lists users with critical authorizations
RSUSR006 Lists users who are locked due to incorrect logon. This report should be scheduled to run each day, just before midnight.
RSUSR007 Lists users with incomplete address data
RSUSR008 Lists users with critical combinations of authorizations or transactions
RSUSR009 Lists users with critical authorizations, with the option to select the critical authorizations
RSUSR100 Lists change documents for users and shows changes made to a user's security
RSUSR101 Lists change documents for profiles and shows changes made to security profiles
RSUSR102 Lists change documents for authorizations and shows changes made to security authorizations
USR01 contains the runtime data of the user master records
USR02 is the table containing logon information such as the password
USR03 includes the users' address information
USR04 contains users' authorizations
USR05 is the users' parameter ID table
USR09 contains user menus
USR10 is the table for user authorization profiles
USR11 contains the descriptive texts for profiles
USR12 is the user master authorization values table
USR13 contains the descriptive short texts for authorizations
USR14 contains the logon language versions per user
USR30 includes additional information for user menus
TRDIR contains program authorization group assignments
TDDAT contains table authorization group assignments
USH02, USH04, USH10 and USH12 contain the user, profile and authorization change history data.
Tables related to authorization objects and authorization fields are as follows:
TOBJ is the authorization objects table, containing the authorization fields for each object.
TACT contains the list of standard activities for authorization fields in the system.
TACTZ is the table which defines the relationship between the authorization objects and the activities in those objects containing the Activity authorization field.
TSTC is the transaction code table, where authorization objects and values can be defined.
Lock a client with SCCR_LOCK_CLIENT and unlock it with SCCR_UNLOCK_CLIENT.
10. What are user groups? Explain.
User groups are created by an administrator to organize users into logical groups and apply security, such as:
• Basis
• Finance
• Shipping
• Purchasing
• Sales
depending on the functionality of the users.
11. What is a role? Explain.
A ROLE describes the job position or activity of a user.
12. What is your minimum length for passwords?
Set the profile parameter login/min_password_lng. Default = 3
13. Do users have to change their passwords on a regular basis?
Set the profile parameter login/password_expiration_time. Default = 0 (users do not have to change passwords)
14. Do you monitor unsuccessful logon attempts on a regular basis (daily)?
Report RSUSR006 shows all unsuccessful logon attempts by a known user and all user locks.
15. Have you set session termination after a number of unsuccessful logon attempts?
Set the profile parameter login/fails_to_session_end. Default = 3
16. Have you activated automatic logoff for idle users?
Set the profile parameter rdisp/gui_auto_logout. Default = 0 (off)
17. Are users locked after a number of unsuccessful logon attempts? Is the default (12) appropriate, or have you changed the value?
Set the profile parameter login/fails_to_user_lock. Default = 12
18. Does your R/3 System automatically remove user locks at midnight on the same day?
Set the profile parameter login/failed_user_auto_unlock. Default = 1 (yes)
PARAMETER                          DEFAULT
login/create_sso2_ticket           0
login/disable_cpic                 0
login/disable_multi_gui_login      0
login/disable_multi_rfc_login      0
login/disable_password_logon       0
login/failed_user_auto_unlock      1
login/fails_to_session_end         3
login/fails_to_user_lock           12
login/min_password_diff            1
login/min_password_digit           0
login/min_password_letters         0
login/min_password_lng             3
login/min_password_specials        0
login/no_automatic_user_sapstar    0
login/password_change_for_SSO      -1
login/password_expiration_time     0
login/password_logon_usergroup
login/password_max_new_valid       0
login/password_max_reset_valid     0
login/system_client                000
login/ticket_expiration_time       60
login/ticket_only_by_https         0
login/ticket_only_to_host          0
login/ticketcache_entries_max      1000
login/ticketcache_off              0
login/update_logon_timestamp       m
rdisp/gui_auto_logout              0
auth/no_check_in_some_cases        Y
• Authorization data administrator (SAP_ADM_AU), who creates roles (transaction selection and authorization data), selects transactions, and maintains authorization data. However, the authorization data administrator can only save data in the Profile Generator, since he or she is not authorized to generate the profile. He or she accepts the default profile name T_.... when doing this.
• Authorization profile administrator (SAP_ADM_PR), who checks and approves the data and generates the authorization profile. To do this, he or she chooses All Roles in transaction SUPC and then specifies the abbreviation of the role to be edited. On the following screen, he or she checks the data by choosing Display Profile.
• User administrator (SAP_ADM_US), who maintains the user data with the user maintenance transaction (SU01) and assigns roles to the users. This enters the approved profiles in the master records of the users.
The following authorization checks are performed before a program starts or table maintenance begins, and SAP applications cannot bypass them:
• Starting SAP transactions (authorization object S_TCODE)
• Starting reports (authorization object S_PROGRAM)
• Calling RFC function modules (authorization object S_RFC)
• Table maintenance with generic tools (authorization object S_TABU_DIS)
You can lock a system at the OS level by running: tp locksys <SID> pf=<tpprofile>
Example: To lock your DEV system, enter this command:
tp locksys DEV pf=\\saptranshost\sapmnt\trans\bin\tp_domain_dev.pfl
Users will get this message if they attempt to log on: "Upgrade still running. Logon not possible".
Notice that the message is not exactly accurate. tp locksys is mainly used during release upgrades, so the message is kind of generic. But it works!
To unlock the system, run: tp unlocksys <SID> pf=<tpprofile>
Now you can tell your boss that you know how to keep the users off the system!
Only SAP* and DDIC can log on to any of the clients in the system that has been locked.
To check whether SAP* is present in the client you want (an optional step), run:
SELECT * FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*'
(MANDT here is the client.)
Delete the SAP* record ON THE REQUIRED CLIENT ONLY from table USR02:
DELETE FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*'
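An added example (not from these notes) that ties the profile parameter list and questions 12 to 18 to the SAP* deletion just described: a Python audit that parses an SAP instance profile and reports every checklist parameter still at the default listed in the notes. The profile text is constructed; login/no_automatic_user_sapstar is on the checklist because, with that parameter at its default of 0, the automatic SAP* user can be used for logon once the SAP* record has been deleted from USR02.

```python
# Added example, not from the original notes: audit an SAP instance profile
# against the defaults listed above. Reporting "still at default" is the
# audit policy assumed here; the questions treat those defaults as values to review.
import re
from typing import Dict, List, Tuple

# Defaults as listed in the notes for the parameters the checklist asks about.
# login/no_automatic_user_sapstar = 0 means the automatic SAP* user becomes
# usable as soon as the SAP* record is deleted from USR02.
DEFAULTS = {
    "login/min_password_lng": "3",
    "login/password_expiration_time": "0",
    "login/fails_to_session_end": "3",
    "login/fails_to_user_lock": "12",
    "login/failed_user_auto_unlock": "1",
    "rdisp/gui_auto_logout": "0",
    "login/no_automatic_user_sapstar": "0",
}

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)  # a later line overrides an earlier one
    return params

def audit(text: str) -> List[Tuple[str, str]]:
    """(parameter, finding) for each checklist parameter absent or set to its default."""
    params = parse_profile(text)
    findings = []
    for name, default in DEFAULTS.items():
        value = params.get(name)
        if value is None:
            findings.append((name, f"not set, default {default} applies"))
        elif value == default:
            findings.append((name, f"explicitly set to default {default}"))
    return findings

# Constructed instance profile: three parameters hardened, one left at its
# default, the remaining checklist parameters absent.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV
login/min_password_lng = 8    # hardened
login/password_expiration_time = 90
login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 1800
"""
```

Run audit(SAMPLE_PROFILE) to list the four parameters that still need attention in the sample.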