SAP Security Interview Questions Written by Nagar
Q. SAP Security T-codes
Frequently used security T-codes:
SU01 - Create/Change User
PFCG - Maintain Roles
SU10 - Mass Changes
SU01D - Display User
SUIM - Reports
ST01 - Trace
SU53 - Authorization analysis

Q. How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (even where an AUTHORITY-CHECK command is programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.

Q. What authorizations are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. List R/3 User Types
Dialog users are used for individual, interactive users. Check for expired/initial passwords. Possible to change your own password. Check for multiple dialog logons.
A Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logons permitted.
System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

Q. What is a derived role?
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before. The higher-level role passes on its authorizations to the derived role as default values, which can be changed afterwards. Organizational level definitions are not passed on; they must be created anew in the inheriting role. User assignments are not passed on either. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Q. What is a composite role?
A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called collective roles. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

Q. What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY daily.
Last Updated (Tuesday, 30 November 1999 00:00)
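As an added illustration (not part of the original document), the following Python model shows the split described above for USOBX_C and USOBT_C and for derived roles: USOBX_C decides which objects PFCG proposes for a transaction, USOBT_C supplies their default values, and a derived role inherits every authorization except the organizational levels. All table rows, the customer transaction ZFI01 and the simplified check-indicator letters are constructed assumptions, not SAP's data.

```python
from copy import deepcopy

# USOBX_C: (transaction, object) -> check indicator. In this simplified model
# "Y" = check and maintain (PFCG proposes it), "X" = check only (no proposal),
# "N" = do not check. Rows below are constructed sample data.
USOBX_C = {
    ("SU01", "S_USER_GRP"): "Y",
    ("SU01", "S_USER_PRO"): "Y",
    ("SU01", "S_TABU_DIS"): "X",    # checked by the code, never proposed
    ("ZFI01", "F_BKPF_BUK"): "Y",   # hypothetical customer transaction
    ("ZFI01", "S_GUI"): "N",
}
# USOBT_C: (transaction, object) -> default field values for the proposal.
# "$BUKRS" marks an organizational level, which PFCG fills per role.
USOBT_C = {
    ("SU01", "S_USER_GRP"): {"CLASS": {"*"}, "ACTVT": {"01", "02", "03"}},
    ("SU01", "S_USER_PRO"): {"PROFILE": {"*"}, "ACTVT": {"22"}},
    ("SU01", "S_TABU_DIS"): {"DICBERCLS": {"SC"}, "ACTVT": {"03"}},
    ("ZFI01", "F_BKPF_BUK"): {"BUKRS": {"$BUKRS"}, "ACTVT": {"01", "02", "03"}},
}
ORG_LEVEL_FIELDS = {"BUKRS"}

def propose(menu_tcodes):
    """Merge the SU24 proposals of every transaction in the role menu, which is
    what PFCG does when it generates the authorization data of a single role."""
    role = {}
    for tcode in menu_tcodes:
        for (t, obj), flag in USOBX_C.items():
            if t == tcode and flag == "Y":
                auth = role.setdefault(obj, {})
                for field, values in USOBT_C[(t, obj)].items():
                    auth.setdefault(field, set()).update(values)
    return role

def derive(master_role, org_values):
    """Derived role: every authorization is inherited, but organizational levels
    are not; the inheriting role must supply its own (empty if none given)."""
    child = deepcopy(master_role)
    for auth in child.values():
        for field in auth:
            if field in ORG_LEVEL_FIELDS:
                auth[field] = set(org_values.get(field, ()))
    return child

def maintain_su24(tcode, obj, field, values):
    """Change the proposal at its source (SU24) when PFCG proposes more
    activities than a transaction needs, instead of editing each role by hand."""
    USOBT_C[(tcode, obj)][field] = set(values)
```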
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
2) What is the use of transaction PFUD at midnight?
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
4) How are web services represented in authorizations of users who are not logged on?
5) How do you force a user to change their password and on which grounds would you do so?
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
7) When an authorization check on S_BTCH_JOB fails, what happens?
8) Can you have more than one set of org-level values in one role?
9) Should RFC users have SAP_NEW and why?
10) What is an X-glueb command and where do you use it in SAP security?
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
13) Can you use the information in SM20N to build roles and how?
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
15) Name any one security related SAP note and explain its purpose or solution.
16) What are the two primary differences between a SAML token profile and a SAP logon ticket?
17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?
18) If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?
19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?
20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?
Cheers, Julius
Julius Bussche
Re: Security interview questions - some fun. Posted: Mar 25, 2010 10:12 PM in response to: Julius Bussche
Continued:
21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?
22) A key-user in the finance department is also an ABAP developer. What do you do?
23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?
24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?
25) How do you remove a developer's access and developer keys from a system? What else would you check for?
26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?
27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?
28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?
Julius Bussche
Re: Security interview questions - some fun.
Posted: Mar 25, 2010 10:14 PM in response to: Julius Bussche
Dummy post 2 for subsequent questions...
Vijayalakshmi B...
Re: Security interview questions - some fun. Posted: Mar 26, 2010 8:30 AM in response to: Julius Bussche
Hi Julius, The question bank gives an idea of the breadth and depth of your knowledge :) One question which I'm trying to find an answer to is (as much because of customer requirements as also curiosity) 8) Can you have more than one set of org-level values in one role? If so, how? If you have any suggestions for this one please let me know. Thanks, Vijaya
Guest
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 11:27 AM in response to: Julius Bussche
I can answer most, but as you said not to float, kindly suggest, should I send mail? Thanks, Prasant K Paichha
Julius Bussche
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 12:17 PM in response to: Guest
I am sure that Klinndk12 could have asked you most of them as well... Cheers, Julius
P Arpan
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 12:25 PM in response to: Julius Bussche
@1 copy....inactive,,, @2 midnight - time to do the right thing for the coming day... @3.... @4.... I am at home today... not sure why I did not go to the office today... The entire day was so boring... I had no wish to make any post today... But when the question comes to earning beer, I could not resist myself from posting,,,, Ohhh... the weekend is coming.....
Michael Jaynes
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 3:59 PM in response to: Julius Bussche
I have one year of experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use Google or any of my systems for reference!
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
Best answer is to modify your SU24 data.
2) What is the use of transaction PFUD at midnight?
Removes invalid profiles from user records.
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
PFUD is not needed and the user needs to log off and back on again.
4) How are web services represented in authorizations of users who are not logged on?
??
5) How do you force a user to change their password and on which grounds would you do so?
SU01 -> Logon Data tab -> Deactivate password. I am not sure what grounds this would be necessary. I have never had to use it.
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.
7) When an authorization check on S_BTCH_JOB fails, what happens?
"You do not have authorization to perform whatever operation you are trying to perform." message. HAHA
8) Can you have more than one set of org-level values in one role?
I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....
9) Should RFC users have SAP_NEW and why?
No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.
10) What is an X-glueb command and where do you use it in SAP security?
???
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
???
13) Can you use the information in SM20N to build roles and how?
You could, I guess. Not a good practice though. Build roles based on business processes.
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.
15) Name any one security related SAP note and explain its purpose or solution.
Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.
16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP?
??? I know what these are but have no experience with it.
Alex Ayers
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 4:48 PM in response to: Julius Bussche
15 - reference to the unexpurgated version of note 60233 will get muchos kudos
Julius Bussche
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 5:11 PM in response to: Julius Bussche
@ Vijaya: If you can find a 2nd Org. Level button then let us know. @ Arpan: Enjoy the weekend and your beer. @ Prasant: Your user ID has been deleted. @ Michael: Let's put it this way - your answer to question 10 is very close. @ Alex: Version 27 fix 2 of Ora-1555 errors, step # 8, sir (this will also be useful for Arpan :-) Cheers. Julius
John Navarro
Re: Security interview questions - some fun.
Posted: Mar 26, 2010 5:50 PM in response to: Julius Bussche
All these questions are SCUM :-) It's Friday, I just want my beer.
Julius Bussche
Re: Security interview questions - some fun.
Posted: Mar 27, 2010 8:39 PM in response to: John Navarro
I added question 17 for you :-) Question 18 is a "by-product" of it.
P Arpan
Re: Security interview questions - some fun.
Posted: Mar 28, 2010 8:09 AM in response to: Julius Bussche
Well, earning beer seems to be getting harder and harder as new question banks come in the way... But I found @23 very interesting, and these could be the possible solutions from my end: guide the user / lock the user / delete the user / bomb the user / dump the user from the office... and so on until the dump stops in his name... well, HIS name, as this user cannot be a SHE ;-)... By the way, it's Sunday, and if my wife accidentally gets access to this post, this day will feel like Monday in front of the boss... Bye folks....
Baskar Ramakris...
Re: Security interview questions - some fun to tickle your brain. Posted: Mar 30, 2010 10:09 PM in response to: Julius Bussche
How will you create a developer key and OSS ID in SAP Service Market Place?
Julius Bussche
Re: Security interview questions - some fun to tickle your brain. Posted: Mar 30, 2010 10:55 PM in response to: Baskar Ramakris...
General interview questions in Security R3?
Posted: Jul 24, 2006 7:24 PM
Hi Everyone, I just wanted to know what are the questions (in general) to be expected in an R3 Security interview (4.6c), as I am expecting an interview in a couple of days.. Thank you in advance, shabana
Annie Chan
Re: General interview questions in Security R3?
Posted: Jul 25, 2006 8:19 AM in response to: shabana shariff
Questions that I encountered based on R/3 46C:
1. How frequently do you perform transport migration?
2. Understanding of Composite roles, Derived Roles, Single Roles
3. Knowledge of SU01, PFCG
4. CUA
Christian Wippe...
Re: General interview questions in Security R3? Posted: Jul 25, 2006 9:13 AM in response to: Annie Chan
Hi, these are a few quick thoughts:
IT-Infrastructure Security, SAP Landscape:
- Network layout and firewalling between systems
- Remote administration, backup, archiving procedures
- Hardening procedures for new systems, new clients, system or client copies - examples are locking, unlocking, password changes of users, setting system-wide password rules, SM59 configuration, SICF configuration
- Use of cryptographic mechanisms (SNC, SSL)
Authorizations:
- Does a documented authorization concept exist?
- Of course: Are there SAP_ALL, SAP_NEW users (or any equivalent sort of SAP_ALL)?
- How are authorizations of communication / system users managed?
- What kind of functional roles are used (task roles, job roles, etc.)?
- What kind of technical roles are used (single, composite, derived)?
- Are check indicators used (SU24)?
- Are there many "manual" authorization objects? (This would indicate that SU24 is not correctly used.)
- Are risky transactions (SU01, PFCG, SM59, SA38, ...) and risky transaction combinations (vendor creation / change and payment processing) known and documented?
- Are procedures in place that control / mitigate the execution of these risks?
- How is user and authorization management regulated?
Regards, Christian