What are the role types available?
The different role types available are:
Single role
Composite role
Derived role
Master role
Copy role
What are the values for user lock?
The user lock values are:
00 – not locked
32 – Locked Globally by administrator
64 – Locked by administrator
128 – Locked due to incorrect logon attempt
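The lock values listed above, as an added example that is not part of the original page: a decoder that turns a user lock value into its component reasons. The individual values (32, 64, 128) are the ones given above; that the field (UFLAG in USR02) is a bit mask whose bits can be combined, so that a value such as 192 means both an administrator lock and a failed-logon lock, is this example's assumption, as are the sample user rows.

```python
# Added example: decode a user lock (UFLAG) value into its lock reasons.
# Values 32/64/128 come from the text; treating UFLAG as a combinable bit mask
# and the sample USR02-style rows are assumptions of this example.
from typing import Dict, List, Sequence, Tuple

UFLAG_BITS: Dict[int, str] = {
    32: "locked globally by administrator",
    64: "locked by administrator",
    128: "locked due to incorrect logon attempts",
}


def decode_uflag(uflag: int) -> List[str]:
    """Return the lock reasons encoded in a UFLAG value; [] means not locked (00).

    Bits outside the known set are reported as unknown rather than silently dropped,
    so an audit never mistakes an unrecognised lock for 'not locked'."""
    if uflag < 0:
        raise ValueError("UFLAG cannot be negative")
    reasons: List[str] = []
    remaining = uflag
    for bit, text in UFLAG_BITS.items():
        if uflag & bit:
            reasons.append(text)
            remaining &= ~bit
    if remaining:
        reasons.append(f"unknown bit(s) {remaining}")
    return reasons


# Constructed sample rows in the shape of a USR02 extract (BNAME, UFLAG); not real users.
SAMPLE_USR02: Sequence[Tuple[str, int]] = [
    ("ALICE", 0),
    ("BOB", 64),
    ("CAROL", 128),
    ("DAVE", 192),   # 64 + 128: administrator lock and failed-logon lock together
    ("EVE", 32),
]


def lock_report(rows: Sequence[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Map each locked user to its decoded reasons; unlocked users (00) are omitted."""
    return {name: decode_uflag(flag) for name, flag in rows if flag != 0}


if __name__ == "__main__":
    for name, reasons in lock_report(SAMPLE_USR02).items():
        print(f"{name}: {', '.join(reasons)}")
```

Separating the 128 (failed logon) reason from the 64/32 (administrator) reasons matters operationally: the former is cleared by the failed-logon reset, the latter only by an administrator deliberately unlocking the account.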
What is the use of SU56 transaction code?
SU56 displays the current user buffer, that is, the authorizations loaded from the user master record for the logged-on user.
Administrators can also reset another user's buffer when required.
Which authorization objects are required to create and maintain user master records?
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations
List out some security critical authorization objects.
Some of the critical security authorization objects are:
S_USER_PRO
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_TABU_DIS
S_TABU_CLI
List out important security tcodes
The important security tcodes are:
PFCG Role Maintenance
SM19 Security Audit Configuration
SM20 Security Audit Log Assessment
ST01 System Trace
SU01 User Maintenance
SU02 Maintain Authorization Profiles
SU03 Maintain Authorizations
SU10 User Mass Maintenance
SU21 Maintain Authorization Objects
SU24 Auth. Obj. Check Under Transactions
SU25 Upgrade Tool for Profile Generator
SU53 Display Check Values
SUIM User Information System
What is the difference between customizing and workbench transport requests?
Workbench requests involve changes to cross-client customizing and repository objects. These objects are independent of the client, and the requests are used to transport changed repository objects and changed system settings from cross-client tables.
Customizing requests involve changes to client-dependent objects, so a customizing transport request is used to copy and transport changes that are client specific.
List out some of the critical security transaction codes.
SU01, PFCG, ST01, SU24, SU25, SU10
Which transaction codes are used for the security audit?
SM19 and SM20
What is the authorization object which gives developer debug authorization?
S_DEVELOP with activity 01, 02 or 03
What is the difference between R/3 security and BW security?
R/3 security is mainly transaction based and is controlled via authorization objects using profiles and roles.
BW security is mainly based on analysis authorizations maintained with the RSECADMIN tcode; it uses very few tcodes compared to R/3, and the objects to secure are InfoObjects, InfoCubes, ODS objects and queries.
What is the difference between USOBX_C and USOBT_C?
Table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (regardless of the AUTHORITY-CHECK statements programmed) when it is executed. This table also determines which authorization checks are maintained in the Profile Generator.
Table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD transaction code?
PFCG is used to create/maintain roles
PFCG_TIME_DEPENDENCY is used to perform mass user comparison
PFUD performs the same function as the PFCG_TIME_DEPENDENCY report (mass user comparison) and can be scheduled as a background job.
What do the status lights on the Authorizations tab in PFCG indicate for authorization fields?
1. Red – organizational levels not maintained
2. Yellow – at least one field left open
3. Green – all fields are maintained
Explain what an authorization object and an authorization object class are.
Authorization object: an authorization object is a group of authorization fields that regulates a particular activity. The authorization relates to a particular action, while the authorization fields allow security administrators to configure specific values for that action.
Authorization object class: authorization objects fall under authorization object classes, which are grouped by functional area such as HR, finance, accounting, etc.
Explain what SOD is in SAP Security.
SOD means Segregation of Duties; it is implemented in SAP to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege to access bank account details and also to run the payment run, it might be possible for them to divert vendor payments to their own account.
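The conflict described above, as an added example that is not part of the original page: a minimal SoD check that resolves each user's transaction assignments against a rule with two conflicting sides. The rule set, the users and the transaction codes standing for "vendor bank data maintenance" and "payment run" are constructed assumptions for the illustration, not SAP's delivered rule set.

```python
# Added example: segregation-of-duties check over user-to-transaction assignments.
# Rule set, users and the tcode mapping below are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Constructed SoD rules: (rule id, side A tcodes, side B tcodes).
# A user holding at least one tcode from each side violates the rule.
# FK02/XK02 (change vendor master, incl. bank data) and F110 (payment run)
# are assumed here to represent the conflict described in the text.
SOD_RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("SOD-001 vendor bank data vs. payment run", {"FK02", "XK02"}, {"F110"}),
]

# Constructed user -> transaction assignments (as resolved from their roles); not real data.
USER_TCODES: Dict[str, Set[str]] = {
    "AP_CLERK": {"FB60", "FK02"},
    "PAY_RUN": {"F110", "FBL1N"},
    "SUPERUSER": {"FK02", "F110", "SU01"},
}


def find_sod_conflicts(user_tcodes: Dict[str, Set[str]],
                       rules=SOD_RULES) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """Return one (user, rule id, side-A matches, side-B matches) tuple per violation.

    A violation requires a match on BOTH sides; holding only one side is fine,
    which is exactly what separating the two duties across people achieves."""
    hits = []
    for user, tcodes in sorted(user_tcodes.items()):
        for rule_id, side_a, side_b in rules:
            a = tcodes & side_a
            b = tcodes & side_b
            if a and b:
                hits.append((user, rule_id, a, b))
    return hits


if __name__ == "__main__":
    for user, rule_id, a, b in find_sod_conflicts(USER_TCODES):
        print(f"{user}: {rule_id} via {sorted(a)} + {sorted(b)}")
```

Resolving the user's effective transactions from single and composite roles is the step a real check would add in front of this; the conflict logic itself stays the same.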
How to copy 100 roles from a client 800 to client 900?
Add all 100 roles to one composite role and transfer the composite role; the 100 roles are then transferred automatically to the target client (using SCC1).
How many maximum profiles we can assign to one user?
312
How can I mass delete roles without deleting the new roles?
There is an SAP delivered report that you can copy, remove the system type check from, and run. To delete across a landscape, enter the roles to be deleted in a transport, run the delete program or delete them manually, then release the transport and import it into all clients and systems.
It is called AGR_DELETE_ALL_ACTIVITY_GROUPS. To use it, you need to tweak/debug and replace the code, as it has a check that ensures it deletes SAP delivered roles only. Once you get past that little bit, it works well.
What is the difference between C (Check) and U (Unmaintained)?
When defining authorizations using the Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using check indicators. It is a check table for table USOBT_C.
In USOBX_C there are 4 Check Indicators.
• CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.
• C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
• N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
• U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
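The relationship between USOBX_C and USOBT_C described in the two questions above (what the tables contain, and what each check indicator means for the Profile Generator), as an added example that is not SAP code: a small model that, for a transaction added to a role, works out which objects the PG proposes an authorization for (with its USOBT_C defaults), which objects are still checked at runtime without a proposal, and which checks are switched off. The transaction `ZTX1`, the table rows and the field values are constructed stand-ins for the real tables.

```python
# Added example: model of how the PG consumes USOBX_C check indicators and
# USOBT_C default values. Both tables below are constructed stand-ins, not
# extracts of the real SAP tables; ZTX1 and its field values are illustrative.
from typing import Dict, List, Tuple

# Constructed USOBX_C-like rows: (tcode, object) -> check indicator.
USOBX_C: Dict[Tuple[str, str], str] = {
    ("ZTX1", "S_TCODE"):    "CM",  # checked, proposed with defaults
    ("ZTX1", "S_TABU_DIS"): "CM",  # checked, proposed with defaults
    ("ZTX1", "S_USER_GRP"): "C",   # checked, but no proposal in PFCG
    ("ZTX1", "S_DEVELOP"):  "N",   # check disabled for this transaction
    ("ZTX1", "S_GUI"):      "U",   # no indicator set: always checked, no proposal
}

# Constructed USOBT_C-like rows: (tcode, object) -> default field values.
# Only rows whose USOBX_C indicator is CM are used by the PG.
USOBT_C: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ZTX1", "S_TCODE"):    {"TCD": "ZTX1"},
    ("ZTX1", "S_TABU_DIS"): {"ACTVT": "03", "DICBERCLS": "ZAUD"},
    ("ZTX1", "S_USER_GRP"): {"ACTVT": "03"},  # ignored: indicator is C, not CM
}


def pg_proposals(tcode: str) -> Tuple[Dict[str, Dict[str, str]], List[str], List[str]]:
    """Return (proposed authorizations, objects checked at runtime, disabled objects).

    CM: checked and proposed with USOBT_C defaults.
    C, U: checked at runtime, nothing proposed (the admin must add it manually).
    N: the AUTHORITY-CHECK for this object is skipped for this transaction."""
    proposed: Dict[str, Dict[str, str]] = {}
    checked: List[str] = []
    disabled: List[str] = []
    for (tx, obj), indicator in USOBX_C.items():
        if tx != tcode:
            continue
        if indicator == "CM":
            proposed[obj] = dict(USOBT_C.get((tx, obj), {}))
            checked.append(obj)
        elif indicator in ("C", "U"):
            checked.append(obj)
        elif indicator == "N":
            disabled.append(obj)
        else:
            raise ValueError(f"unknown check indicator {indicator!r} for {obj}")
    return proposed, sorted(checked), sorted(disabled)


if __name__ == "__main__":
    proposed, checked, disabled = pg_proposals("ZTX1")
    print("PG proposes:", proposed)
    print("checked at runtime:", checked)
    print("check disabled:", disabled)
```

The point the model makes concrete is that C and U objects are silent in PFCG yet still enforced at runtime, which is why they show up later as SU53 failures; only CM objects surface in the role's Authorizations tab with their USOBT_C values.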