SAP SECURITY INTERVIEW QUESTIONS & ANSWERS
Q) What is SOD (Segregation of Duties) ?
SOD stands for segregation of duties. It is a primary internal control to prevent the risk, identify a problem and take corrective action. It is achieved by assuring that no single user has control over all phases of business transactions.
E.G.: the staff who creates a purchase order must not approve the same; there must be a different person to approve that.
Q) how we Restrict the auth groups for table maintain, creating Auth group using SE54 to built new Auth groups to restrict tables via auth object S_TABU_DIS
We can restrict authorization groups via object S_TABU_DIS, first we need to create a authorization group in SE54 then assign this authorization group in a role by using the object: S_TABU_DIS.
Q) How to create new authorization object ?
1. To create the authorization object, choose the SU21 transaction.
2. First double-click an object class to select it.
3. Provide the name of the object and relevant text
4. Add the fields that should be included in the new authorization object.
5. Hit Save.. once you click on save it'll ask for package details (select the relevant package from the drop down list) and save again.
6. New auth objected is created now.
7. Click on permitted activities to select the activities and save the changes.
Q) What is the difference between Parent role and Composite role ?
Composite role is a collection of single roles.
Where Parent role concept comes in Derived role. Where one role is derived from other role (Like inheritance. Whatever the changes you made to parent role will automatically applied to derived role also
Q) How can i assign a same role to 200 users ?
You can do using PFCG- > enter the role -> change -> go to users tab -> paste the users -> click on user comparison -> complete comparison -> Save the role - it's done or
One can also use "Authorization Data" functionality in transaction SU10 to complete this task.
Q) Difference between USOBT_C and USOBX_C ?
USOBX_C defines which authorization checks are to be performed within a transaction and which are not. This table also determines which authorization checks are maintained in the Profile Generator.
USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
Q) What are USOBT and USOBX tables for ?
SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C.
Q) Difference between USOBT and USOBT_C ?
USOBT is SAP delivered table where as USOBT_C is customer table. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.
Q) How you create custom t-codes ?
Yes we can create custom t-code in SE93.
Q) Difference between customizing request and workbench request ?
Customizing request is client dependent. Work bench request is client independent.
Q) To transport SU24 setting which is used is it customizing or workbench request ?
For transporting SU24 changes we need to have a workbench request as it is client independent settings.
There are three colors (like traffic lights) in profile generator:
Red – It means that some organizational value has not been maintained in org field in profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained)
Green – It means that all the authorization fields are maintained (values are assigned).
Q) Can a composite role be assigned to another composite role ?
No. A composite role cannot be assigned to another composite role. Single roles are assigned to composite roles.
Q) What does the PFCG_TIME_DEPENDENCY clean up ?
The ‘PFCG_TIME_DEPENDENCY’ background report cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, transaction code ‘PFUD’ may also be used for this purpose.
Q) How to prevent custom objects from getting added to SAP_ALL profile ?
Go to table PRGN_CUST and set the following parameter: ADD_ALL_CUST_OBJECTS with value N.
Regenerate the SAP_ALL profile with report RSUSR406 to have the customer object to be removed fromSAP_ALL. See SAP Note 410424 for more info.