
1. I have deleted a single role from a composite role; now I want to find out the changes in the composite role without using SUIM. Is there any other possibility?
Yes, it is possible from the role screen itself. Go to the menu tab, then go to Utilities ---> Change documents.

2. What prerequisites should we take care of before assigning sap_all to a user, even if we have approval from the authorization controllers?

3. What is the difference between SU25 and SU24? When we can make the authorization checks in SU25, then what is the use of SU24?
T-code SU24 is used to select the check objects and default values for an authorization when any t-code or report is added to a role. T-code SU25, on the other hand, is used at the time of a system upgrade to perform the actions below:
1) Initially fill the customer tables by copying from the SAP tables.
2) Compare the corresponding values between the SAP tables and the customer tables.
3) Find out which new t-codes are moved to the production system during the upgrade.
4) Find out all t-codes whose names have been changed in the upgrade; let's say ST03 is now called ST03N.

4. Why are we using the landscape in SAP R/3?
SAP systems are used in large industries where daily transactions are carried out at large scale. To avoid any direct effect of a change on the production system, and to avoid blocking business processes, we use a landscape in R/3.

5. How do you modify the validity, address, and email of a mass of users at one time?

6. Why is a firefighter ID used in the production system?
The production system is the system where all business transactions are done. It is therefore required to monitor anyone who is assigned to perform a critical task in the system. To keep a log of all activities performed in an FF login, an FF ID is used in the production system.
Dev and QA systems are less critical or not critical for the business.

7. Use of t-code SE63
To change the short description of the role.

8. What are the authorization switches in security?

9. What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?
PFCG is used to create, maintain and modify roles. PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user comparison; the difference is that if you schedule the background job on a daily basis, it will do the mass user comparison automatically.

10. What is the maximum number of profiles in a role? What is the maximum number of authorization objects in a role? What is the maximum number of authorizations in an object?
312 profiles in a role,
150 authorization objects,
not more than 10 authorization fields in an object.

11. If you are using 10 firefighter IDs at a time, how will the log reports go to the controller?

12. What is a rule set? And how do you update a risk ID in the rule set?

13. What is the procedure for role modifications? Explain with an example.

14. Who will do user comparison?

1) Log reports are sent through mail, workflow or log display; these are available on the options tab when we are assigning FF IDs on the controller tab.
2) That which contains business processes, risks, functions and actions, and authorizations is known as a rule set.

15. What are the critical t-codes and authorization objects in R/3?
PFCG and SU01
RZ02 and RZ03

16. What prerequisites should we take care of before assigning sap_all to a user, even if we have approval from the authorization controllers?
The prerequisites before assigning sap_all to any user are as follows:
1. Enabling the audit log, using t-code SM19.
2. Retrieving the audit log, using t-code SM20.

This process is followed when you are not implementing GRC in your system.

17. How can you assign firefighter IDs from one firefighter admin to another firefighter admin if the current admin leaves the organization without telling anybody?
Take the user ID of the person who left the company, go to t-code SE16, type the table name /virsa/zffusers and execute. In the second column, enter the user ID of the person who left and execute; it will give the list of FF IDs assigned to that user. Note those FF IDs, run t-code /n/virsa/vfat, go to the maintain FF IDs table and replace the user ID with that of the new person.

18. Can anyone tell me, if a t-code is assigned to 5000 users, how would you find out who never uses this t-code?
You can find the information using t-code STAT.

19. Could anyone tell me what the critical authorizations in SAP security are?
OB52, SA38, SCCL, SCC4, ME59, SU01.
s_tabu_dis.
s_tabu_cli.
s_tabu_lin.
s_tcode.
s_usergroup.
s_develop
s_program
Are these non critical

1. What is the difference between change authorization mode and expert mode?
2. When we do the user comparison in PFCG, what is the difference between complete comparison and expert mode comparison?
3. What are the critical auth objects from a security point of view?
4. What will happen when we transport a composite role?
5. While doing a kernel upgrade, do we download the executables one by one or all together?
6. While applying patches, what is the importance of a test import? Why do we do a test import?

1) If a new authorization is created, it is done through change authorization. If you edit the old authorization and add the new authorization, we can use expert mode.
2) The same applies as for the first: if you create a new role in PFCG you can use user comparison; if you change the old role and add new changes, we can use the expert mode comparison.
3) S_DEVELOP, S_PROGRAM, S_ADMI_FCD
4) If you insert a composite role in a transport request, the child roles are automatically included in the transport request as well.
5) All together.
6) If your test import is a success, it means the patch uploaded successfully.

Ans.1 - Change auth mode opens the last saved authorizations for change. If any new t-code is added to that role, then change auth only adds the relevant objects in the role for the new t-code.

Expert mode has three options, detailed below:

1) Delete old auth and create new - This will delete all old auth data except org values and will create new authorizations by including the objects maintained in SU24 for the t-codes of the role.

2) Edit old status - This will open the last saved auth for change, with any change/addition of relevant objects if you have added any new t-code to the role.

3) Edit old status and merge with new - It will include the new objects for a newly added t-code in the role, and it also compares the objects for the old t-codes of the role and includes in the role the missing object/auth values, if any, deleted earlier for any reason. Newly added auth objects will have the status new. Updated auth objects will get the status updated. Old objects that are not changed will have the status old.
Could you please let me know the exact step-by-step process for the following questions?

1. How to get the e-mail addresses for 100 users at a time?
ANS: scatt script

2. While creating BW roles, what are the authorization objects we will use?
ANS: s_rs_auth, s_rs_icube, s_rs_odso, s_rs_mpro, s_rs_ipro, s_rs_admwb (for BI consultants & admins) and s_rs_rsec (for BI security consultant)

3. While creating a single role, what will happen on the functional side when the template role is entered in the derived role tab?
ANS: Don't know

4. When we change the password for many users (for example, 100 users), where will the passwords be stored, or from where can you re-collect the passwords, and how will you communicate the passwords to all users at one time?
ANS:
a) At the time of implementation we create users and PWDs.
b) Depending on business users' requests.
c) If locked users need to be unlocked and made usable, then we generate new PWDs.
d) On a monthly or quarterly basis we send a message to end users to change their PWDs.
e) Users got locked due to incorrect logon.
f) Users locked with the expiration of their user IDs.

5. What is Virsa? Once you have entered the screen, what will it perform?
ANS:
A) PWD information will be stored in table USR02.
B) There is no re-collect password process in SAP; the user needs to send a request to the security team again to re-issue a new PWD.
C) We can do it through a scatt script.

6. What is the use of SU24 & SM24?
ANS: Before GRC came into the picture, there were other tools running in the market to do analysis. Those are VIRSA and APPROVA. Both are Indian companies, and VIRSA developed tools like Firefighter, Compliance Calibrator, Access Enforcer and Role Expert to do risk analysis, but in the year 2006 VIRSA was taken over by SAP and the names were changed to Superuser Privilege Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP) and Enterprise Role Management (ERM) respectively.

Virsa FireFighter for SAP: enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
7. While creating BW roles, what are the authorization objects we will use?
ANS: There is no SM24 t-code in SAP. Coming to SU24, here we can maintain the assignment of authorization objects by entering a particular t-code; we can check the relation between the t-code and the concerned authorization objects, and we can make changes according to business needs. It means maintaining authorizations and their fields and field values.

8. While creating a single role, what will happen on the functional side when you enter the template role in the derived role tab?

9. What are dialog users, batch users and communication users? What is the use of a communication user?
ANS:
A dialog user is used by an individual to do all kinds of logon.
A batch user is used for background processing and communication within the system.
A communication user is used for external RFC calls (we can connect across systems).

10. Can we add one composite role into another composite role, for urgent user requests or for normal user requests?
ANS: We cannot add a composite role into another composite role, but we can add multiple derived roles into one composite role.

11. In transport, what type of request will we use? Why don't we use a workbench request in transport?
ANS: Most of the time we transport workbench and customizing requests. 95% of the time we do customizing transports, as we do settings, configurations, creation etc. in the DEV system and transport them to the QUA or PRD systems. If settings, configurations etc. are done by BASIS, security and functional consultants, then those will be treated as customizing, and if ABAPers do programs, packages etc. and transport them, then those will be treated as workbench.

12. When we add an authorization object in a template role, what will happen at the same time in the derived role?
ANS: Template roles are provided by default by SAP when we do the implementation (install SAP). When we want to have a template role, we should not use that role directly; instead we can use the COPY option, copy it and customize it according to our business needs.

13. How do you check a profile parameter? And how do you find whether any transport has ended with an error, and where can we check?
ANS: Use t-code RZ10 to check profile parameters, and in t-code STMS we can check the transport error logs. Click on Import Overview (truck icon) in the STMS screen, and in the next screen we have options like Import Monitor, Import Tracking and Import History; these will show the transport issues.

14. How do you extract a list of users who haven't logged in for 3 months? And for 90-day user locking, which table will we use?
ANS: T-code SUIM: Users -> click on By Logon Date and Password Change -> give * in User, give 90 days in No. days since last logon, check Locked users and then EXECUTE.

(OR) use report RSUSR200 to get the info.

15. What are OSS connection and system opening, and why do we have to open these?
ANS: OSS means Online Service System, where SAP gives service to R/3 users.

16. What will one single role contain, and how many profiles will there be in one SAP CUA system?
ANS: A single role will contain t-codes, reports and URLs, profiles and users. The maximum number of profiles is 312.

17. What is the difference between a template role and a derived role?
ANS: A template role is nothing but a default role provided by SAP. This template role might be a single, composite or derived role. Template roles do not have generated profiles or authorizations, are not assigned to users, and their org levels are not maintained. A derived role is nothing but a single role that is derived from a master role; its org levels can be restricted and it can be assigned to users.

Which request do we create for transportation?
Generally there are two types of transport request.
1) Workbench request: client independent, generally used in CUA, where the changes made are transported to cross-client tables.
2) Customizing request: client dependent.

Difference between short and long description in PFCG?
The short description is the actual name of the role, and the long description is used to mention whatever changes have been done since the date the role was created. E.g., if ZT.1011001 has the short name "R/3 Test Role", then the long description column will contain information such as:
Added tcode MM01, MM02
Added purchasing organization 1001
Remove tcode MM03

Is it possible to have a request type by which we can change the validity period of a user? If possible, then what are the actions?
By changing the values in the account information under the Logon data tab.

How to secure the customizing t-codes in SAP
1. Switch on the trace.
2. Execute the custom transaction code and execute its functionality.
3. Pull out the trace results and list the authorization objects that have been checked.
4. Maintain those auth objects in SU24 against the t-code.

What is a business process? Explain the business process Procure to Pay.
A business process is something by which the risks can be categorized, based on modules.

Difference between change mode and expert mode in PFCG?
Change mode: If a new t-code is added to a role, it will pull the auth objects corresponding to that t-code, but not any of those which were deleted by us earlier, provided that object is not related to the newly added t-code. Or we can say that change mode will compare the auth in the role for the newly added t-code with SU24 and will add all the necessary objects.

Expert mode: it has three options.
1. Delete all auth and create new profile - it will delete all auth data except org levels, and we have to create new authorizations in the role corresponding to all t-codes in the role.
2. Edit old status - it will give you the chance to edit the last saved authorizations only, no matter whether you added any t-code to the role. It will not pull the auth objects for the new t-code from SU24.
3. Edit old status and merge with the new - this will compare the auth of all t-codes in the role with the records in SU24 and will pull the objects corresponding to the newly added t-code, as well as the missing objects for any other t-code present in the role that were deleted earlier. The newly pulled auth objects are marked as new and old ones are marked old. The auth objects in which auth values are added/changed get the status updated.

Difference between S_TCODE and menu tab transactions?
When you add a t-code in the role menu, the authorization check is done in SU24, and the authorization objects relevant to the t-code and their field values are reflected in the Profile Generator. When you add a t-code in the S_TCODE authorization object, there is no auth check in SU24 and no field values are reflected in PFCG, so the user is not authorized to access this particular t-code.

Difference between standard and manual objects?
Standard objects: the authorization objects pulled into PFCG from the SU24 settings against the t-code.

Manual objects: authorization objects added manually in PFCG.

Difference between SE01, SE10 & SE09?
SE09 (workbench organizer): registration of modifications done on client-independent objects.
SE10 (customizing organizer): registration of modifications done on client-specific objects.
SE01 (transport organizer): can do both functions of SE09 and SE10.

What do you mean by role remediation?
Role remediation is one of the risk resolution strategies, used for modifying the content at role level; it means that we are removing the SoD conflicts.

Support types of WOs you have faced?

If a user says he doesn't have authorization, then how to proceed?
Simply ask him to raise a ticket asking for the required auth, along with the approval mail from the concerned approver. Then, based on the approval mail, we have to create the auth restricted to the specified level using auth objects like s_tabu_dis, s_tcode, s_tabu_cli ..., assign it to that user and execute user comparison. Ask the user to log off and log in to find the assigned auth.
If the SU53 screenshot does not give anything, then how will you find the solution? If there is no relevant role, then how?

SU25 Step 6: How are roles created through profiles?
If you do decide to use SU25 Step 6 to convert the manual profiles to activity groups, you will need to watch out for the following “gotchas”:
Naming convention (T_500yyyyy_previous name): all activity groups created before SU25 is run are renamed to T_500yyyyy_previous name.
See OSS note 156196 for additional information and procedures to rename the activity groups back to their original names using program ZPRGN_COPY_T_RY_ARGS.
Carefully review information regarding the loss of links between profiles and user master records.

Tables so far used?

If we delete a role, can we transport it? If yes, then how?
Yes, add that role to a transport request first and then delete it from the dev system. After deletion, transport it to the QA and prod systems.

Users have been locked for the past 3-4 months. Which table is used to know which users are locked?
RSUSR200
or
T-code SUIM: Users -> click on By Logon Date and Password Change -> give * in User, give 90 days in No. days since last logon, check Locked users and then EXECUTE.
Use the USR02 table as below:
SE16 -> USR02 and execute
Last logon date: date range between 3-4 months
User lock: 64, 32, 128
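
An added example (not part of the original answers) that applies the USR02 check above offline to a CSV export: it decodes the UFLAG lock value and flags accounts with no logon in the last 90 days. BNAME, TRDAT and UFLAG are USR02 fields; the sample rows, the YYYYMMDD date format of the export and the function names are assumptions, and the meanings given for 32 and 128 are the standard UFLAG meanings rather than something the answers spell out.

```python
import csv
import io
from datetime import date, datetime

# USR02-UFLAG is a bit field. 64 is the administrator lock named in the
# answers; 32 and 128 are the other two values listed for "User lock".
UFLAG_BITS = {
    32: "locked centrally (CUA administrator)",
    64: "locked locally by administrator",
    128: "locked after incorrect logon attempts",
}


def decode_uflag(uflag):
    """Return every lock reason set in a UFLAG value (e.g. 192 = 64 + 128)."""
    return [reason for bit, reason in sorted(UFLAG_BITS.items()) if uflag & bit]


def parse_sap_date(value):
    """Parse YYYYMMDD; blank or all zeros means the user never logged on."""
    value = value.strip()
    if not value or set(value) == {"0"}:
        return None
    return datetime.strptime(value, "%Y%m%d").date()


def review_users(csv_text, today, max_idle_days=90):
    """List users that are locked and/or have not logged on for max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_logon = parse_sap_date(row["TRDAT"])
        idle_days = None if last_logon is None else (today - last_logon).days
        locks = decode_uflag(int(row["UFLAG"]))
        inactive = idle_days is None or idle_days > max_idle_days
        if inactive or locks:
            findings.append({
                "user": row["BNAME"].strip(),
                "idle_days": idle_days,   # None = never logged on
                "inactive": inactive,
                "locks": locks,
            })
    return findings


# Constructed sample export (not real data); assumed column layout.
SAMPLE_EXPORT = """BNAME,TRDAT,UFLAG
ALICE,20240510,0
BOB,20240101,64
CAROL,00000000,0
DAVE,20240520,128
ERIN,20231201,192
FRANK,20240301,32
"""
SAMPLE_TODAY = date(2024, 6, 1)  # fixed review date so the result is reproducible

if __name__ == "__main__":
    for finding in review_users(SAMPLE_EXPORT, SAMPLE_TODAY):
        status = "; ".join(finding["locks"]) or "not locked"
        idle = "never" if finding["idle_days"] is None else f"{finding['idle_days']} days"
        print(f"{finding['user']:<6} last logon: {idle:<9} {status}")
```

Accounts that are both unlocked and idle (CAROL in the sample) are the ones a plain "locked users" filter misses.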

Attributes in SE01?

In the SU53 screenshot, there is a missing authorization. How do you come to know which are the relevant roles in which we have to add these objects? Decision not SUIM
We need to study the documentation of the said object and its object class and include it in a role that contains related functions. This should be done in consultation with the key users related to that module.

Having said this, it should be properly checked beforehand that the missing authorization is indeed the real reason for an authorization failure.

Can we delete a role and transport it? Explain how.
To delete a role across landscapes, in the dev system we first add the role to a transport request and then delete the role in PFCG (first screen). The transport should be released and moved to QA/PROD to ensure removal of the role from these systems.

Through CTS how we come to know the Role?

What do you mean by SOX and Gxp?

Which transaction should not be given to the BASIS and DEV teams in production?

1) What is the difference between adding the t-code in the S_TCODE authorization object and adding the t-code in the menu tab of PFCG?
2) Can you tell me why you use the S_TABU_DIS authorization object?
3) Explain how you restrict access to a particular table then.
4) What is the difference between Owner, Controller and Administrator in Firefighter?
5) In RAR, what are the default background jobs?
6) Which job will update all user master records?
7) What will happen whenever we execute a t-code?
8) What is the purpose of the report RSUSR006?
9) Let's say a user is locked by an admin. What value will you see in the USR02 table, in the UFLAG column?
10) What will you do if the user complains that he is not able to access a t-code?
11) Why do we have to delete users?
12) a. What is direct role assignment and indirect role assignment?
b. What is the process of adding a t-code to an existing role?
c. If the client asks you to modify a role directly in PRODUCTION for an emergency, is it possible? What will you do in that situation?
d. What is the purpose of customized transaction codes? Have you created any custom t-codes?
13)
1. The difference is that if you add the t-code in s_tcode, the user will have access to that t-code only; to restrict the user to a specific t-code we use s_tcode.
2. We use this object, s_tabu_dis, to restrict the authorization groups.
7. When we execute a t-code, it will first check whether the user has access to that t-code in S_TCODE.
9. If we find the value 64 in the UFLAG field of the USR02 table, the user is locked; if the value is 0, the user is not locked.
10. If a user complains that he cannot access a t-code, ask the user to send his SU53 report, log in as the user with his user ID and password, check his authorizations to see whether he has access to that t-code or not, get black-and-white approval from your senior authorities and assign the missing authorizations for that t-code.

Ans2) What is the difference between adding the t-code in the S_TCODE authorization object and adding the t-code in the menu tab of PFCG?

When you add a t-code in S_TCODE, assign that role to a user and try to log in, you will see that you have access to the transaction but you cannot see its name and description in the SAP user menu.

4) What is the difference between Owner, Controller and Administrator in Firefighter?

Owner: the person responsible for the FF ID.
Controller: checks what activity was done by the particular ID.
Administrator: admin work (e.g. lock/unlock or check logs).

2) Can you tell me why you use the S_TABU_DIS authorization object?
You can use this authorization object to limit users' access authorization. Users with authorization for the SE16 transaction (that is, for all Data Dictionary objects) can only access data of the table entries defined using this authorization object. You can also deny system administrators specific access to application data, for example. As soon as you have set up this authorization object, you can edit or change only the table entries for which corresponding authorization has been granted explicitly by S_TABU_DIS.

3) Explain how you restrict access to a particular table then.
TABU_DIS _CLNT

6) Which job will update all user master records?
PFUD, PFCG_TIME_DEPENDENCY

7) What will happen whenever we execute a t-code?

A system program makes various checks to ensure that the user has the appropriate authorization.

Is the transaction code valid? (Table TSTC check.)

Is the transaction locked by the system administrator? (Table TSTC check.)

Is the user authorized to call the transaction?

The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

8) What is the purpose of the report RSUSR006?

Report RSUSR006 provides a list of all users that have been locked as a result of entering an incorrect password in the system.

9) Let's say a user is locked by an admin. What value will you see in the USR02 table, in the UFLAG column?

SE16N - USR02

If we find the value 64 in the UFLAG field of the USR02 table, the user is locked, and if the value is 0 the user is not locked.

10) What will you do if the user complains that he is not able to access a t-code?

Check whether he has access to that t-code, using the SU53 report.

11) Why do we have to delete users?

It's a two-part question; it depends upon the process whether we have to delete the user or not.

As per my understanding, we can lock the user and mark it not used (in the logon tab).

12) What is direct role assignment and indirect role assignment?

Direct assignment - assign the role in SU01
Indirect assignment - org level and position level (HR system PO13 - B007 attribute)

b. What is the process of adding a t-code to an existing role?

Execute the t-code PFCG, select whichever role you have, then edit.

In the menu tab, click on Transaction. Then add the t-code to the role.

Based on the requirement, manage the authorization. (Check in the Authorization tab.)

c. If the client asks you to modify a role directly in PRODUCTION for an emergency, is it possible? What will you do in that situation?

It is not recommended as per the SAP standard.
It depends upon how critical the customer's issue is.

d. What is the purpose of customized transaction codes? Have you created any custom t-codes?

Go to transaction code SE93.
Enter the transaction code (Z or Y transaction code).
Double-click the program which has been associated with the transaction code.
Click the Find button in the program screen.
This will display all the strings that have Auth included.
Find the lines that display the “Authority check” statement and identify the authorization object.
Note: You can double-click on the line to view the specific lines in the program.
Enter “auth” in the Find text box, select the “In main program” option and click Execute.
In case you don't find any authorization objects, check for the string “Transaction” instead of “Auth”.

When the program is calling another transaction, follow the steps mentioned below:
Double-click the transaction code in the main program.
Click the Find button.
Enter “auth” as the string and look for the associated authorization objects.
Record the list of authorization objects that are used by the called transaction code and ensure that all of them are included in the current role.

Parameter transaction codes
Tables in the SAP environment are treated as critical, and hence direct maintenance using the SM30 or SM31 transaction codes is not allowed in production systems.
When a custom table (Z or Y table) requires periodic modification by the business, a Z transaction code is created, which is controlled via a parameter transaction that calls SM30 or SM31 internally and skips the initial screen, or via the application program.
They are further protected by an authorization group. The same is maintained using the S_TABU_DIS and S_TABU_LIN objects.

Identifying the authorization group (S_TABU_DIS)
When the custom transaction code is a parameter transaction, the authorization group for the table should be added to the role. Below are the steps which will help you to identify the authorization group:
Go to SE93, and enter the tcode.
Scroll down and copy the view name:

Is This Answer Correct ? 1 Yes 0 No

How will you find the list of transport requests which are scheduled in the system?
Go to STMS tcode ---> click on the truck icon ---> select system ---> click on the "Import monitor" icon on the task bar. You will get two folders, "Scheduled Jobs" & "Executed Jobs", in the left-hand corner; if you expand the folder "Scheduled Jobs" you will get the list of transport requests which are scheduled.

How to transport a t-code into production?

tcode: STMS

As per my knowledge we cannot transport the t-code directly; we have to create a role, add the t-code to that role and transport that role to production through STMS. Please correct me if I am wrong.

How will you remove all expired role assignments for a number of users?
Go to SU10 ---> click on Authorization Data ---> put * in option "Users" ---> go to the Role tab, select the option button "Remove" and mention the name of the role(s) with the corresponding expired validity "From" & "To" dates ---> then click on "Save". Once it starts executing, it will check the mentioned role(s) entries with validity dates against every user in the list, and where the entry matches it will remove that role from the corresponding user master record. On the other hand, if you select the option "Add", it will add the mentioned role with its validity date to all listed users.

Run the report PRGN_COMPRESS_TIMES

Is This Answer Correct ? 2 Yes 0 No


We have to use the report PRGN_COMPRESS_TIMES by calling the transaction code SA38 or SE38.

Is This Answer Correct ? 0 Yes 0 No

What is central user administration?

Using central user administration, you can maintain user master records centrally in one system. Changes to the information are then automatically distributed to the child systems. This means that you have an overview in the central system of all user data in the entire system landscape.

Distribution of the data is based on a functioning ALE landscape. In this way, data can be exchanged in a controlled manner and is kept consistent. An ALE system group is used by the central user administration to distribute user data between a central system and child systems linked by ALE.

Is This Answer Correct ? 1 Yes 0 No

What's the meaning of relocation in a transport request?

You assign the user to a user group on this tab page. This is purely a grouping that is suitable in the organization. You can create the user group using the t-code SUGR. For example, for a basis user, the user group is BASIS_USER. The groups assigned on the group tab page are not identical to the group which is assigned on the logon data tab page using the User Group field.

If you maintain the parameter ID and values in the user master record, a field can be filled with default values from the SAP memory.

Example – Let a user only have authorization for company code 2000. When he/she starts a transaction, this company code is saved to the memory using the corresponding parameter ID. On all subsequent screens, all fields referencing the company code data element are then automatically filled with the value 2000.

Table: USR05 - User Master Parameter ID (Parameter ID & Values)

Is This Answer Correct ? 1 Yes 0 No

How do you add sap_all and sap_new in a role?

Go to the PFCG tcode, create one single role, then go to the Authorization tab, next go to the EDIT tab and click insert authorizations -----> from profile; then we can add sap_all, sap_new.

Thank you

Is This Answer Correct ? 13 Yes 2 No


Can we restrict access through a tcode added manually in the authorization data when creating a role?
Object S_USER_TCD controls the access to tcodes that a user can include while creating a role. So if we want the user to include no tcodes in a role, then we can make this object inactive.

Is This Answer Correct ? 0 Yes 2 No


As per my knowledge we can restrict the access by adding the tcode manually.
Go to the authorization tab -- change authorization data --- go to the s-tcode object in cross application --- give the values for which t-code you want to restrict, e.g. for su01 give the values
a* - st*, suoo*-- su02*, 0-9
I hope this will help with your question.
Please let me know if I am wrong.

Is This Answer Correct ? 0 Yes 0 No

What is the difference between a copied and a derived role?
We can get org levels from a copied role. But we can't get org levels from the derived roles.

Is This Answer Correct ? 3 Yes 1 No


Copied role: we get all the t-codes and org levels, whatever we copied from the role; we can make changes in both roles and one will never affect the other.
Derived role: we get the t-codes but we do not get the org levels, which we have to maintain according to the requirement. We cannot make changes in the derived role; we have to make changes in the master role, and at the time of generation we will get one option, adjust derived role.
Please correct me if I am wrong.

Is This Answer Correct ? 1 Yes 0 No

What are ticketing tools?

Ticketing tools: Remedy, IBM Maximo

Is This Answer Correct ? 2 Yes 0 No


What is a transaction variant?

How can I find the list of users in the system who don't have any role assigned (Role tab blank) but are created in the system?
I have one option to get this list.

First find the list of users who have at least one role assigned using the SUIM option "With User assignment", and then find all users in the system using the option "Users by address Data".

Then go to table USR02/USER_ADDR and put the 2nd list under the option "Select Values" and the 1st list in the option "Exclude Values".

But I want another shortcut option using which I will get this list in one shot. Please advise.

Is This Answer Correct ? 2 Yes 0 No

What is the significance of parameter ID and user group?
If you maintain the parameter ID and values in the user master record, a field can be filled with default values from the SAP memory.

Example – Let a user only have authorization for company code 2000. When he/she starts a transaction, this company code is saved to the memory using the corresponding parameter ID. On all subsequent screens, all fields referencing the company code data element are then automatically filled with the value 2000.

Table: USR05 - User Master Parameter ID (Parameter ID & Values)

You assign the user to a user group on this tab page. This is purely a grouping that is suitable in the organization. You can create the user group using the t-code SUGR. For example, for a basis user, the user group is BASIS_USER. The groups assigned on the group tab page are not identical to the group which is assigned on the logon data tab page using the User Group field.

Is This Answer Correct ? 2 Yes 1 No
