SAP GRC Security Interview Questions

1).Explain what is SAP security?

Ans)SAP security is providing correct access to business users with respect to their authority or responsibility and giving permission according to their roles.


2).Explain what is “roles” in SAP security?

Ans) “Roles” is referred to a group of t-codes, which is assigned to execute particular business task. Each role in SAP requires particular privileges to execute a function in SAP that is called AUTHORIZATIONS.


3). Explain how you can lock all the users at a time in SAP?

Ans)By executing su10 t-code in SAP,and click on the authorization tab and select the users (which users you want to locked) next click on the lock option .by doing this process all the user can be locked at the same time in SAP.


4).Mention what are the pre-requisites that should be taken before assigning Sap_all to a user even there is an approval from authorization controllers?

Ans)Pre-requisites follows like

  • Enabling the audit log- using sm 19 tcode
  • Retrieving the audit log- using sm 20 tcode

5).Explain what is authorization object and authorization object class?

Ans)Authorization Object: Authorization objects are groups of authorization field that regulates particular activity. Authorization relates to a particular action while Authorization field relates for security administrators to configure specific values in that particular action.

Authorization object class: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.


6). Explain how you can delete multiple roles from QA, DEV and Production System?

Ans)To delete multiple roles from QA, DEV and Production System, you have to follow below steps

Place the roles to be deleted in a transport (in dev)

Delete the roles

Push the transport through to QA and production

This will delete all the all roles


7) Explain what things you have to take care before executing Run System Trace?

If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to execute the job without any authorization check failure.


8).Mention what is the difference between USOBT_C and USOBX_C?

Ans)USOBT_C: This table consists the authorization proposal data which contains the authorization data which are relevant for a transaction

USOBX_C: It tells which authorization check are to be executed within a transaction and which must not


9).Mention what is the maximum number of profiles in a role and maximum number of object in a role?

Ans)Maximum number of profiles in a role is 312, and maximum number of object in a role is 170.


10).What is the t-code used for locking the transaction from execution?

Ans) For locking the transaction from execution t-code SM01, is used.


11). Mention what is the main difference between the derived role and a single role?

Ans) For the single role, we can add or delete the t-codes while for a derived role you cannot do that.


12).Explain what is SOD in SAP Security?

Ans)SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or fraud during the business transaction. For example, if a user or employee has the privilege to access bank account detail and payment run, it might be possible that it can divert vendor payments to his own account.


13).Mention which t-codes are used to see the summary of the Authorization Object and Profile details?

Ans) SU03: It gives an overview of an authorization object SU02: It gives an overview of the profile details

SDM ( Software Delivery Manager) is used for importing Java Support Packages. To deploy and manage software packages received from SAP, SDM tool is used.

JSPM uses SDM for the deployment purpose


14).Explain what is User Buffer?

Ans)A user buffer consists of all authorizations of a user. User buffer can be executed by t-code SU56 and user has its own user buffer. When the user does not have the necessary authorization or contains too many entries in his user buffer, authorization check fails.


15).By which parameter number of entries are controlled in the user buffer?

Ans) In user buffer number of entries are controlled by the profile parameter “Auth/auth_number_in_userbuffer”.


16).How many transactions codes can be assigned to a role?

Ans)To a role maximum of 14000 transaction codes can be assigned.


17).Mention which table is used to store illegal passwords?

Ans) To store illegal passwords, table USR40 is used, it is used to store pattern of words which cannot be used as a password.

18).Explain what is PFCG_Time_Dependency ?

Ans)PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears up the expired profiles from user master record. To directly execute this report PFUD transaction code can also be used.


19).Explain what does USER COMPARE do in SAP security?

Ans)In SAP security, USER COMPARE option will compare the user master record so that the produced authorization profile can be entered into the user master record.


20).Mention different tabs available in PFCG?

Ans) Some of the important tab available in PFCG includes

  • Description: The tab is used to describe the changes made like details related to the role, addition or removal of t-codes, the authorization object, etc.
  • Menu: It is used for designing user menus like addition of t-codes
  • Authorization: Used for maintaining authorization data and authorization profile
  • User: It is used for adjusting user master records and for assigning users to the role

21).Which t-code can be used to delete old security audit logs?

Ans) SM-18 t-code is used to delete the old security audit logs.


22). Explain what reports or programs can be used to regenerate SAP_ALL profile?

Ans)To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.


23). Using which table transaction code text can be displayed?

Ans)Table TSTCT can be used to display transaction code text.


24). Which transaction code is used to display the user buffer?

Ans)User buffer can be displayed by using transaction code SU56


25).Mention what SAP table can be helpful in determining the single role that is assigned to a given composite role?

Ans)Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.


26).What is the parameter in Security Audit Log (SM19) that decides the number of filters?

Ans)Parameter rsau/no_of_filters are used to decide the number of filters.


27).Please explain the personalization tab within a role?

Ans)Personalization is a way to save information that could be common to users, I meant to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I supposed that it is a way for SAP to address his ambiguity of its concept of user group and roles: is “usergroup” a grouping of people sharing the same access or is it the role who is the grouping of people sharing the same access).


28). Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?

Ans)Debug or use RSUSR100 to find the info’s.

Run transaction SUIM and down its Change documents.


29). How to insert missing authorization?

Ans) su53 is the best transaction with which we can find the missing authorizations.and we can insert those missing authorization through pfcg.


30).What is the difference between role and a profile?

Ans) Role and profile go hand in hand. Profile is bought in by a role. Role is used as a template, where you can add T-codes, reports..Profile is one which gives the user authorization. When you create a role, a profile is automatically created.


31). What profile versions?

Ans) Profile versions are nothing but when u modifies a profile parameter through a RZ10 and generates a new profile is created with a different version and it is stored in the database.


32). What is the use of role templates?

Ans) User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.


33). What is the different between single role & composite role?

Ans) A role is a container that collects the transaction and generates the associated profile. A composite roles is a container which can collect several different roles


34).Is it possible to change role template? How?

Ans)Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates

  • we can use it as they are delivered in sap
  • we can modify them as per our needs through pfcg
  • we can create them from scratch.

For all the above specified we have to use pfcg transaction to maintain them.


35). How to create users?

Ans) Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Click here for turotial on creating sap user id.


36). What is the difference between USOBX_C and USOBT_C?

Ans)The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.


37).What is a derived role?

Ans) Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.


38).What does user compare do?

Ans)If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on.


39). SAP Security T-codes?

Ans)Frequently used security

T-codesSU01 - Create/ Change User SU01 Create/ Change User

PFCG - Maintain RolesSU10 - Mass Changes

SU01D - Display User

SUIM - ReportsST01 - Trace

SU53 - Authorization analysis


40).List R/3 User Types ?

Ans) Dialog users are used for individual user. Check for expired/initial passwords. Possible tochange your own password. Check for multiple dialog logon
A Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted
System users are not capable of interaction and are used to perform certain system activities,such as background processing, ALE, Workflow, and so on.A Reference user is, like a System user, a general, non-personally related, user.
Additionalauthorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.


41).What is the use of ST01? What are the return codes of t-code ST01?

Ans)Transaction code ST01 is used to trace the user authorizations. This can be useful if we need to check which all the authorizations have been checked in background when any t-code is being executed by the business user.


42).How to create a query in SAP R/3 system?

AnsThe query can be created and executed using the t-code SQVI:

  • Execute the t-code SQVI.
  • Enter the name of query to be created and click on create button.
  • Enter the Title and comments for query and select the data source such as table or table join.
  • Select the preferred view as Basis Mode or Layout Mode and click on continue button.
  • Above step will take us to the new screen, add the respective table on which we need to create a query.
  • If Data source is selected as table join, select the respective tables as needed and joining fields.
  • Save and come to main screen. Here, you need to select the fields to be displayed in output and their sequence.

43). What are the authorization groups and how to create them?

Ans) Authorization groups are the units comprising of tables for common functional area. Generally, each table is assigned to a authorization group due to this reason we need to mention the value of authorization group while restricting the access to table in authorization object S_TABU_DIS. The authorization group can be created by using the t-code SE54. The assignment of tables to authorization group can be checked by using table TDDAT.


44).What is the use of authorization object S_TABU_LIN?

Ans)This authorization object is used to provide the access to tables on row level.


45).What is the use of SU25 t-code?

Ans)The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of system upgrade so that the values in customer tables are updated accordingly.


46).How to assign the multiple roles to more than 20 users in one shot in t-code SU10?

Ans)To perform this mass role assignment, we need to follow below steps in SU10:

  • In SU10 home screen, click on the button “Authorization Data”
  • This will take to the new screen similar to screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for users needed to be changed in SU10 and execute the same
  • Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users
  • Now, click on select all button in SU10 home screen and then click on change button.
  • Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code

47).Which entities are not distributed while distributing the authorization data from master role to derived roles?

Ans) During the distribution of authorization data from master role to derived roles, Organizational values and user assignment are not distributed. The Org. values and user assignments are specific to individual roles hence has no bearing on master-derived role relationship.


48).How to assign the logical system to client?

Ans)Logical system can be assigned to client by using the t-code SCC4. We need to be very careful while doing this change as it can affect the CUA (if configured).


49). How to find user defined, system default values for security parameters?

Ans) The values for parameters can be checked by using the t-code RSPFPAR. After executing the t-code, given the parameter name and click on execute.


50).How to check the transport requests created by other user?

Ans)The t-code SE10 provide the option to enter the user name. By using this facility, we can search the transport requests created by other users.