
Q1) Distinguish between the functions of USOBX_C and USOBT_C?

USOBX_C: This table tells which authorization checks need to be executed inside a transaction and which do not. It also covers the checks that are present in the profile generator.

USOBT_C: This table holds the authorization proposal data, that is, the authorization data that is useful for transactions. It covers the default values that need to be present in the profile generator.

Q2) Elaborate on SAP security


The main role of SAP security is to give business users the right access according to their responsibility and the authority that they hold. Permissions are supposed to be given according to their roles in the organization or department.

Q3) What does one mean by roles as far as SAP security is concerned?
Roles are groups of transactional codes (t-codes). These codes are given to carry out a specific business assignment. Each of these t-codes or roles requires specific privileges to perform a function as far as SAP security is concerned, and these privileges are known as authorizations.

Q4) Elaborate on how all users can be locked at the same time in SAP security?
It is possible to lock every user at the same time in SAP security. This is done with the transactional code EWZ5.

Q5) Comment on the necessary steps that need to be taken prior to assigning a task for users
even when approval is given from the authorities or the authorized controllers.
Certain steps need to be taken before giving SAP_ALL to any user, even when someone in a position of authority has approved it. These prerequisites are the following.
• First, enable the audit log. This can be done using the transactional code SM19.
• Second, retrieve the audit log. This can be done using the transactional code SM20.

Q6) Elaborate on the meaning of authorization object class and the meaning of authorization
object.
It is essential to understand the meaning of both authorization object and authorization object class.

An authorization object is a group of authorization fields that governs a specific activity. An authorization relates to a specific action only, whereas the authorization fields serve the security administrators: they are used to configure the particular values required for an action.

An authorization object class is an umbrella term under which authorization objects are grouped. The objects are grouped by department, such as accounting, HR, finance and others.

Q7) How can one delete numerous roles from Production Systems, DEV and QA?
Numerous roles can be deleted from the above-mentioned systems with the following steps:
1. First, put the roles that are to be deleted in a transport.
2. Second, delete the said roles from there.
3. Third, send the transport across to production and QA.
4. This way one can delete numerous roles.

Q8) Explain the steps that need to be taken before one has to execute the Run system trace.
A few things need to be done before executing Run system trace. If one is going to trace the CPIC or a user ID, then before executing Run system trace one has to make sure that the said ID has been given either SAP_NEW or SAP_ALL. This ensures that the work can be executed without any authorization check failure.

Q9) What is the highest number of profiles and the highest number of objects in a role?
A role can have at most three hundred and twelve profiles, and at most one hundred and seventy objects.

Q10) Mention the transactional code for separating the execution from transaction and locking
any transaction.
The transactional code which is used to lock the transaction from the execution is SM01.

Q11) What are the differences between single role and a derived role?
The main difference is that of dealing with the transactional codes. When one deals with the single
role then the transactional codes can be added or deleted easily. But if one is dealing with a derived
role then a person is not able to add or delete any transactional code. This is the most important
difference that one needs to know about single role and derived role.

Q12) Explain the role of SOD in the SAP security and what does SOD mean?
SOD means segregation of duties. The most important reason it is implemented is that it helps in detecting and preventing any kind of fraud or error which might occur in business and money transactions. For instance, if an employee or user is privileged both to access the account details of a bank and to process payments, that person could redirect vendor payments to their own bank account. That is why it is essential to implement SOD.

Q13) If one has to go through the summary of the Profile and Authorization Object then what
transactional code need to be used?
If one has to go through the summary for a profile and an authorization object, two different transactional codes are used.

For the summary of an authorization object, use the transactional code SU03. For the summary of profile details, use the transactional code SU02.

Q14) What does one mean by User Buffer?


The user buffer holds every authorization of a user. It can be viewed with the transactional code SU56. Every user has a user buffer of their own. Too many entries in a user's buffer lead to failure in authorization checking. If the user lacks a needed authorization, that also leads to failure in authorization checking.

Q15) For controlling the excess of entries what parameter is used in user buffer?
The number of entries in the user buffer has to be controlled so that it does not exceed the limit. The parameter used for this is auth/auth_number_in_userbuffer.

Q16) What is the number of transactional codes that can be given to a particular role?
A role can have as many as fourteen thousand transactional codes.

Q17) Which table is usually used to store illegal passwords?
A table called USR40 is usually used to store illegal passwords. This table stores the patterns and arrangements of words that cannot be used when making a password.

Q18) What is meant by PFCG Time dependency?

PFCG time dependency is a report which is normally used for comparison of the user master. It also removes from the master record any profiles which have expired and are of no use. The transactional code used to execute this action is PFUD.

Q19) What is the role of user compare in the SAP security?


User compare helps in comparing the master records of the user. It enters the generated authorization profile into the master records.

Q20) What are the different types of tabs that are present in the PFCG?
PFCG has several important tabs. They are the following.

1. The first is the Description tab. It is used to describe any changes made to a role, such as details related to the role, additions or removals of transactional codes, changes in authorization objects and more.
2. The second is the Menu tab. It is used to design the user menu, such as adding transactional codes.
3. The third is the Authorization tab. It is used to maintain the authorization profile and authorization data.
4. The fourth is the User tab. It is used for adjusting the user master record and for assigning users to roles.

Q21) If one has to delete the previous audit logs of security then which transactional code will
be used?
If one has to delete the previous security audit logs, the transactional code SM-18 is used.

Q22) Which program or report must one use to regenerate the SAP_ALL profile?
To regenerate the SAP_ALL profile, one has to use the following report or program: AGR_REGENERATE_SAP_ALL

Q23) If one wants to display the text of a transactional code, which table is used?
If a person wants to display the text of a transactional code, the TSTCT table is used.

Q24) If a user buffer needs to be displayed then what transactional code will be used?
If a user buffer needs to be displayed then the following transactional code will be used; the code is
SU56.
Q25) Which SAP table can be used to determine the single roles that are given for a certain role?
If one has to know the single roles, the table used is AGR_AGRS.

Q26) Which parameter is used for the number of filters in SM19, the Security audit log?
The parameter used for deciding the number of filters is rsau/no_of_filters.

Q27) Explain derived role


A derived role refers to an already existing role. It receives the functions and menu structure of the referenced role. This inheritance is only possible when no transactional code has been assigned to the derived role beforehand. The higher-level role passes its authorizations on to the derived roles as defaults, and these can be changed later. Certain things are not passed to the derived roles and need to be created anew; these include the organizational definitions and the user assignments. Derived roles have a fixed functionality, meaning the same menus and transactions, but their characteristics differ as far as the organizational level is concerned.

Q28) Explain the working of composite role.


A composite role, on the other hand, is like a big container which collects numerous different roles. Composite roles do not hold any authorization data. If the authorizations that a composite role represents need to change, the data has to be maintained in each role of the composite role. Creating composite roles is only useful when some employees in the organization require authorizations from various roles. In that case a composite role can be set up and the users assigned to it. This saves time compared with separately assigning every user to each different role. When a user is assigned to a composite role, they are automatically assigned to the corresponding elementary roles during comparison.

Q29) Which transactional codes are most commonly used in SAP security?
The transactional codes which are most commonly used in SAP security are

SU53 for authorization analysis, ST01 for trace, SUIM for reports, SU01D to display a user, SU10 for bulk changes, PFCG to maintain roles and SU01 to create or change a user.

Q30) What are role templates?


Role templates are predetermined activity clusters. These clusters or groups consist of reports, web addresses and transactions.

Q31) How do you create the user group in SAP system?
In an SAP system, a user group can be created with the following steps:

• Run the SUGR t-code
• Enter the name of the user group
• Click the Create button
• Enter the description and save

Q32) How do you check the transport requests created by other users?
By using SE10 t-code we can find the transport requests created by other users.

Q33) How do you find user-defined and system default values of security parameters?
By using t-code RSPFPAR we can find user-defined and system default security parameters.

Q34) How do you assign the logical system to the client?


By using t-code SCC4, we can assign logical system to the client.

Q35) Why do we use t-code SU25?


If you want to copy data from USOBT and USOBX to the tables USOBT_C and USOBX_C, then we can use t-code SU25.

Q36) Why do we use ST01 t-code?


ST01 t-code is used to trace the user authorizations.

Q37) What are derived roles in SAP?


Derived roles are defined by other existing roles called master roles.

Derived roles inherit features from a master role like functions, menu structure, transactions, reports,
web links etc.

Q38) Why do we use t-code SU56?


T-code SU56 is used to display the current user buffer, which shows the authorizations assigned in the user master record.

Q39) How do you lock multiple users at a time in SAP?


We can lock multiple users using SU01 t-code. Go to SU01 t-code and enter user names to be locked.

Q40) Which T-code do you use to create authorization groups?


We can create authorization groups in SAP using SE54 T-code.
Q41) What is the maximum number of roles that can be assigned to a user?
In SAP, the maximum number of roles that can be assigned is 312.

Q42) What are the different layers of Security in SAP?


SAP supports multiple layers of security, they are:

Authentication, Authorization, Integrity, Privacy, and Obligation.

Q43) How can you get the user list in SAP?


We can get the user list by using SM04/AL08 transaction code.

Q44) How do you check background jobs?


Using SM37 transaction code we can check the background jobs.

Q45) Which transaction code is used to manage lock entries?


Transaction code SM12 is used to manage lock entries.
