
Tell me about yourself

1) What are the user types we have in SU01?

Ans:
We have 5 user types:
Dialog, Service, Communication, System and Reference. Generally all
users (end users and IT users) are created with the Dialog type.
System users are used for background job scheduling and also for RFC
connections.
All FF IDs are created with the Service type.

2) How to restrict the tables in SAP?

Ans:
Tables can be restricted through the authorization objects S_TABU_DIS or
S_TABU_NAM.

S_TABU_DIS restricts based on the authorization group; an authorization group
contains tables.
S_TABU_NAM restricts based on the table name (table-specific restriction).

3) Where can we find which table belongs to which auth group?

Ans: TDDAT
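To make the two checks from questions 2 and 3 concrete, here is an added illustration (not from the original notes, and a simplified model rather than SAP kernel code) of how a TDDAT-style group mapping, S_TABU_DIS and S_TABU_NAM combine; all table names, groups and values are constructed.

```python
from dataclasses import dataclass, field

# Constructed TDDAT-style mapping: table name -> authorization group (DICBERCLS).
# Tables without a maintained group fall into SAP's default group &NC&.
TDDAT_SAMPLE = {
    "USR02": "SC",       # user master incl. password hashes
    "AGR_USERS": "SS",   # role-to-user assignments
    "MARA": "MA",        # material master
    "ZCUST_RATES": "&NC&",
}

@dataclass
class UserAuths:
    """Values a user holds for the two objects (constructed, simplified)."""
    s_tabu_dis: dict[str, set[str]] = field(default_factory=dict)  # DICBERCLS -> ACTVT values
    s_tabu_nam: dict[str, set[str]] = field(default_factory=dict)  # TABLE -> ACTVT values

def table_access(user: UserAuths, table: str, actvt: str) -> tuple[bool, str]:
    """Decide table access the way the two objects combine: the group check
    (S_TABU_DIS) is evaluated first; the table-name check (S_TABU_NAM) only
    matters when no group authorization matches."""
    group = TDDAT_SAMPLE.get(table, "&NC&")
    dis_groups = user.s_tabu_dis
    if actvt in dis_groups.get(group, set()) or actvt in dis_groups.get("*", set()):
        return True, f"S_TABU_DIS: group {group} allows ACTVT {actvt}"
    if actvt in user.s_tabu_nam.get(table, set()):
        return True, f"S_TABU_NAM: table {table} allows ACTVT {actvt}"
    return False, f"denied: {table} (group {group}), ACTVT {actvt}"

def review_findings(user: UserAuths) -> list[str]:
    """Flag broad grants a role reviewer should question: a wildcard group,
    or change access (ACTVT 02) on the sensitive groups SC and SS."""
    findings = []
    for group, acts in user.s_tabu_dis.items():
        if group == "*":
            findings.append("S_TABU_DIS DICBERCLS=* grants every authorization group")
        if group in ("SC", "SS") and "02" in acts:
            findings.append(f"change access (ACTVT 02) on sensitive group {group}")
    return findings
```

A user holding only S_TABU_DIS for group MA plus S_TABU_NAM for USR02 can display MARA and USR02 but nothing else, which is the table-specific restriction the notes describe.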

4) How to adjust user master records after importing the roles to production?

Ans: We have a background job running on a daily basis, which performs the user
master data comparison.
Programs: PFCG_TIME_DEPENDENCY
RHAUTUPD_NEW

5) We have a requirement to grant the service desk team access restricted to
only lock and password reset in SU01. How can you provide this?

Ans: The authorization object S_USER_GRP with ACTVT 05 gives access to lock
and reset the password of users in SAP. I will create a new role with the above
access and grant this new role to the Service Desk team.

Table TACT shows all activities.

Also, I will create one SOP document for the SD team, e.g. if any account has been
locked by an admin, please unlock it.

6) Difference between user group and groups tab in SU01?

Ans: The user group field performs the authorization check and can hold
only one group, whereas in the Groups tab we can assign multiple groups. The
Groups tab is for reference purposes, i.e. which groups a user belongs to.

7) What type of roles we have?

Ans: I have experience with Single, Master, Derived and Composite roles.

8) What is the difference between Master role and Derived role?

Ans: The Master role maintains all the transaction codes and related
authorization objects, whereas in the derived role we only maintain organizational
levels. Derived roles are mainly used to restrict at the plant and company code
levels. If the business has multiple locations/branches, the Master and Derived
role concept is useful.

If we want to add a new tcode to a role, we add it in the Master role and it is
updated in the derived roles as well.

9) Can we add a tcode directly in derived role?

Ans: It is not possible to add a tcode directly in a derived role under the Menu.
The Transactions tab is disabled in a derived role. Also, it would break the
master and derived role concept.

10) What is a composite role?

Ans: It is a group of single roles. Generally we create composite roles
on a job basis. A composite role will have a common access role (SU53, SU3, SWBP
etc.), a display tcodes role and a specific role created for the
corresponding team. Whenever we assign this composite role, all 3 single
roles are assigned to the user in SAP.

11) What is the difference between Change mode and Expert mode when
generating an authorization profile with PFCG?

Ans: When creating a new role, there is no difference between the two
options. When updating an existing role, it is recommended to go with Expert
mode and the option "Read old status and merge with new data". This brings in the
SU24 updates for the old tcodes existing in the role.
Whenever we make SU24 changes we go for Expert mode and select "Read old
status and merge with new data".

12) What are the tables related to SU24?

Ans: USOBT_C AND USOBX_C

13) Difference between ST01 and STAUTHTRACE?

Ans: ST01: if a system has 3 different application servers, we have to log in to
the 3 servers separately and activate and deactivate the trace on each server.
STAUTHTRACE: a system-wide trace can be activated to get the trace
for all application servers at the same time; we can also fetch and deactivate the
trace on all servers from a single point. We can also filter duplicate entries here.

GRC

14) What are the components of GRC AC?

Ans:
ARA - Access Risk Analysis
EAM - Emergency Access Management
ARM - Access Request Management
BRM - Business Role Management

15) What types of risks do we have in GRC?

Ans: SOD risk, Critical Action and Critical Permission

15) Explain what an SOD risk is in GRC.

Ans:
SOD is Segregation of Duties. It simply means that a user should not have any
conflicting access.

16) What is the rule set in GRC?

Ans:
A rule set is a set of rules mapped to functions, actions and permissions to
identify risks at role and user level.

17) Sync jobs in GRC AC?

Ans:
Authorization Sync:
Synchronizes PFCG authorization data
Repository Object Sync:
Synchronizes profile, role and user master data
Action Usage Sync:
Synchronizes action usage data
Role Usage Sync:
Synchronizes role usage data

18) Your customer has created a custom transaction code ZFB10N by
copying transaction FB10 and implementing a user exit.
How can you incorporate the customer enhancement into the global rule set
so that it will be available for risk analysis?

Ans:
Update all relevant functions with ZFB10N, maintain the permission values for
all relevant authorization objects, and generate the access rules.

19) Do you have experience on EAM / FF access?

Ans: Yes, I have

20) What is centralized and decentralized in the GRC system?

Ans: Centralized EAM: the user logs in to GRC and accesses the FF ID.
Decentralized EAM: the user logs in to the plug-in system to access the FF ID.

21) How do you perform risk analysis?

Ans: We can run risk analysis both at user level and at role level.
Whenever we add a new role to a user, we run an SOD simulation to check
whether any risks occur with this new assignment.
Also, whenever we add a tcode to a role or create a new role, we run an SOD
simulation to check whether any risks occur with this role change.

22) What is remediation and mitigation?

Ans: Remediation is simply removing the risk from the user or role. You can
remove the risk by removing the conflicting role from the user or removing the
conflicting tcode from the role.
If the user needs both accesses, then we can create a mitigation control and
assign it to the user. Mitigation is simply a monitoring mechanism.
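The rule set (question 16), the user- and role-level analysis with SOD simulation (question 21) and the remediation options (question 22) can be modelled in a few lines. This is an added illustration, not GRC code or content from the original notes; the functions, risk IDs, roles and tcodes are constructed, and the common-access tcodes SU53/SU3 come from question 10.

```python
# Constructed rule set: function -> actions (tcodes) that enable it
FUNCTIONS = {
    "PR01_MaintainVendor": {"XK01", "XK02"},
    "PR02_PostInvoice": {"FB60", "MIRO"},
    "PR03_PayVendor": {"F110"},
}
# Constructed SOD risks: risk id -> (description, functions that conflict when combined)
RISKS = {
    "P001": ("Maintain vendor and pay vendor", {"PR01_MaintainVendor", "PR03_PayVendor"}),
    "P002": ("Post invoice and pay vendor", {"PR02_PostInvoice", "PR03_PayVendor"}),
}
# Constructed single roles; SU53/SU3 are the common-access tcodes from question 10
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "SU53", "SU3"},
    "Z_AP_INVOICE": {"FB60", "MIRO", "SU53", "SU3"},
    "Z_AP_PAYMENT": {"F110", "SU53", "SU3"},
}

def enabled_functions(tcodes: set[str]) -> set[str]:
    """A function is enabled as soon as one of its actions is present."""
    return {f for f, acts in FUNCTIONS.items() if acts & tcodes}

def analyze(tcodes: set[str]) -> dict[str, str]:
    """Role level: pass one role's tcodes. User level: pass the union of the
    user's roles. Returns risk id -> description for every violated risk."""
    enabled = enabled_functions(tcodes)
    return {rid: desc for rid, (desc, funcs) in RISKS.items() if funcs <= enabled}

def user_tcodes(assigned: list[str]) -> set[str]:
    return set().union(*(ROLES[r] for r in assigned))

def simulate_assignment(assigned: list[str], new_role: str) -> dict[str, str]:
    """SOD simulation before provisioning: risks the new assignment would
    introduce, ignoring any the user already carries."""
    before = analyze(user_tcodes(assigned))
    after = analyze(user_tcodes(assigned + [new_role]))
    return {rid: d for rid, d in after.items() if rid not in before}

def remediate(assigned: list[str], risk_id: str) -> list[list[str]]:
    """Remediation options at user level: each role list that clears the risk
    by dropping one single role (mitigation would instead keep the roles and
    attach a monitoring control)."""
    options = []
    for role in assigned:
        remaining = [r for r in assigned if r != role]
        if risk_id not in analyze(user_tcodes(remaining)):
            options.append(remaining)
    return options
```

Each single role is clean at role level; the P001 and P002 violations appear only at user level once the payment role is combined with vendor maintenance or invoice posting, which is why both analysis levels are run.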

23) Difference between firefighter ID and firefighters?

Ans: Firefighter ID: a unique user ID created with a specific FFID role that allows
the firefighter to perform the task. This account should be assigned the role
maintained in parameter 4010.
Firefighter: these are the users who get assigned FF IDs.

24) What is the difference between firefighter owner and firefighter controller?
Ans: FF OWNER: responsible for maintaining the FFID and its assignment to
firefighters.
FF CONTROLLER: responsible for reviewing the FF logs.

Any Experience on Fiori Security?
