Security General Questions
QUESTION: 1) How to assign selected transactions in a role? For example, in the role we have two transactions (T1, T2) and we have users U1, U2. I need to assign T1 and lock T2 for U1, and assign both T1 and T2 to U2.
2) Two company codes, e.g. 1001, 1002, and two users: one user needs to access both company codes and another user needs to access only one company code, by giving the same role (one role) to both of them. How can we give access to or restrict company codes in one role?
3) If the SU53 screenshot does not give anything, then how will you find the solution? If there is no relevant role, then how?
4) In the SU53 screenshot there are missing authorizations. How do you come to know which are the relevant roles in which we have to add these objects? Decision not SUIM.
5) Authorization issue. We had assigned company codes 'BUKRS' in a range, for example 4000-4220. Some company codes are working, some are not working, meaning in between the ranges.
ANSWER: Localisation restriction can be done by assigning a derived role.
QUESTION: Can you tell me the use of the Cost Center and Accounting Number fields in the SU01 transaction, in the Logon data tab?
ANSWER: This is used for companies to track the user accounts by subsidiary companies. Most of the time major companies will have some stake in organizations in other countries. They will also let them use the system. So they can put the account number and charge them for the users, and also assign a cost center to track the costs by business area.
QUESTION: A user has reported a missing auth in an object. The user has provided a SU53 screenshot. Without using SUIM, can we find out the roles the user has which contain that auth object?
ANSWER: How about linking the two tables AGR_USERS and AGR_1251 using the SQVI t-code? Then you can find even the user ID field also, along with the rest of the fields.
This will give you all roles the user has which contain the auth object as shown by SU53.
QUESTION: Hi All, what is the use of the table TCDCOUPLES? What does it mean by calling transactions?
ANSWER: There are several t-codes which call some further t-codes in a series.
Table TCDCOUPLES contains the list of t-codes in the form of caller t-code and called t-code, i.e. the t-code which calls another t-code and the t-code which is called by another t-code.
QUESTION: Can anyone tell me the pre-implementation activities for SAP Security?
ANSWER:
QUESTION: What is the difference between BW/BI and SAP ECC System?
High Level ANSWER: on the purpose and target audience
ANSWER: Gurus, I'm not having any real-time experience in SAP Security, looking for a break. Please ignore if my answer is wrong. 1) In ECC we work on t-codes while in BI on reports & t-codes, i.e. user data (OLTP & OLAP). 2) Different auth objects.
3) In BI we use RSA1, which is the workbench data dictionary used to develop new things, and in ECC we use SPRO.
QUESTION: Is any table available where, for a particular t-code, the available org values can be seen, instead of every time going into PFCG and looking?
ANSWER: USOBT is the standard SAP table for default values of authorization fields in auth objects for a t-code. Here no auth values are maintained. Generally we change auth values as per business rules and requirements.
USOBT_C is the table we generally deal with, as it is customer specific.
QUESTION: What is information security?
ANSWER: Information security is the process of protecting information, and it protects its availability, privacy... in fact we can say protecting the business information.
QUESTION: Can anyone please tell me the table name to check in which systems a particular transport has been moved? I need to check this in one go for dev, quality or any other system.
There is one table, E070, but it is not useful for me as it was showing changes till quality only, but the transport was moved to production and it did not show in the table.
I can check this in t-code SE01, but I need to do this for multiple transport requests in one go, to check for transport conflicts... hope I'm clear with my query :)
ANSWER: E070 -> Change & Transport System: Header of Requests/Tasks
E070A -> Change & Transport System: Attributes of a Request
E070C -> CTS: Source/Target Client of Requests/Task
E070CREATE -> Change & Transport System: Creation Date of Request
E070DEP -> Change & Transport System: Dependencies of Requests
QUESTION: Can you tell me a situation where the service ID was helpful?
ANSWER: This should be good in case of a firecall or firefighter ID, to keep only one fixed password with a restricted validity date, so that the system will not ask for a password change.
A service user is also used as an FFID in SPM. Reason: multiple logins are possible (but not at the same time) & licensing cost will be low.
QUESTION: Can anyone tell me about CRM WebUI and the t-code for ACE (Access Control Engine) to assign user groups?
I don't want to go through SPRO; I need to check the direct t-code and, if possible, the basic difference between R3 role management and the CRM Web UI concept (for CRM 7.0).
ANSWER: t-code crmc_ui_nblinks, I think
QUESTION: How to classify users by license type? What will be the criteria used for the classification?
ANSWER:
QUESTION: Has anyone maintained table PRGN_CUST?
ANSWER:
QUESTION:
"Disable Rules. A number of transactions were not included that have SOD conflicts with other transactions. In
addition, some additional SOD rules for transactions, that have other conflicts configured in the system, have
conflicts with additional transactions. In order for the GRC RAR module to be used for SOD testing as part of
organization's annual Sarbanes Oxley (SOX) control testing; these rules need to be incorporated into the overall
GRC RAR rule set."
Could anyone provide any suggestion on how to approach this issue?
ANSWER:
QUESTION: Can anybody tell me what combination of authorization object and authorization field value (activity) is required to create, release and delete a transport request?
ANSWER: The system-specific authorization objects S_CTS_SADM and S_SYS_RWBO are enhancements of the non-system-specific authorization objects S_CTS_ADMI and S_TRANSPRT. For compatibility reasons, only the system-specific authorizations come into effect if the user has not been granted the required rights from S_CTS_ADMI or S_TRANSPRT. However, the display authorization S_TRANSPRT must always be given.
http://help.sap.com/saphelp_NW70EHP1/helpdata/en/69/78ff8f8223429da34482c38e18dbcb/content.htm
QUESTION: What are critical authorization objects in bi?
ANSWER: s_rs_comp and s_rs_comp1
QUESTION: During implementation, apart from doing unit test, integration 1 and 2... is it necessary to do negative testing? What is the exact meaning of negative testing? Any difference with integration 1 and 2?
ANSWER:
QUESTION: Why do you face a blank screen (sometimes) while doing a trace in the ST01 t-code, though we have done all the pre-steps (trace on, check all options, give the user name in the filter option)?
What are the various return codes in ST01 and what do they mean? Which of the below values are true for ST01 return codes?
RC=0 Auth check successfull
RC=4 Reqd auth for the auth object is not available in user master record
RC=12 No auth for the auth object is available.
0 = Authorisation check passed
1 = No authorisation
2 = Too many parameters for authorisation check
3 = Object not contained in user buffer
4 = No profile contained in user buffer
6 = Authorisation check incorrect
7/8/9 = Invalid user buffer
ANSWER: Trace is always better! It would show step by step the access of auth objects. SU53 can't confirm a missing auth; by trace it is possible.
QUESTION: In the F.13 transaction there is a select GL account option. What should we do if I want a specific user to access a specific GL account? Right now everyone can access every GL account.
Please advise how to restrict specific users to access specific GL accounts.
ANSWER: The transaction F.13 is related to the authorisation objects with the fields 'company codes' and 'account types'. So you can restrict the user with respect to company code as well as account types. Particularly, in account type, you can restrict with a particular account type along with the corresponding activity, e.g. display, change etc., as required.
QUESTION: Can anyone tell the procedure for running a custom program? What I mean is how this custom table or t-code is linked with a custom object, and how to run this program.
ANSWER:
You have to include an AUTHORITY-CHECK statement in the custom program which checks for the custom security authorization object. Let's say for example your object is ZABC_PLANT:
AUTHORITY-CHECK OBJECT 'ZABC_PLANT'
  ID 'ACTVT' FIELD '03'
  ID 'WERKS' FIELD ls_t001w-werks.
IF sy-subrc <> 0.
  MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
                          'access plant'
                          ls_t001w-werks.
ENDIF.
QUESTION: Can anyone tell how to trace & rectify issues in CUP & RAR?
ANSWER:
QUESTION: Can anyone give examples of false positives & false negatives in GRC AC-RAR?
ANSWER: http://www.youtube.com/watch?v=hKVGACsbO58
QUESTION: I don't have an idea about the reference user... what is the use of it? Is it just for providing additional authorisation? Can anyone tell what the exact use is of the reference user?
ANSWER: The exact use of a reference user is: when we cannot assign any more access to a user, i.e. the user's user buffer gets full, then to that user we assign a reference user in the Roles tab. There's a reference user field in the Roles tab. In this way a dialog user gets the additional access of a reference user. A ref user needs to be created as a Reference user type. The rest of the info is already provided here. Let me know if any more info is required here.
We will use a reference user means if any user is going for vacation then we will give his authorizations to this reference type user for a limited period, so he can't access his authorizations until he comes back.
QUESTION: What are the issues faced by you in ERM & CUP after go-live?
Can we change single roles, objects & profile descriptions through mass maintenance of roles? If yes, how?
ANSWER:
QUESTION: What do the PRGN_STAT & TCODE_MOD tables consist of?
ANSWER:
QUESTION: Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
ANSWER: Yes, it's possible. While creating an access request in CUP we can select one or more roles in one request and we can set the validity period for each role.
QUESTION: When does a profile become an 11-character string?
ANSWER: Not exactly 150... in my case I have seen that after 170 auth objects in a role it will create a new profile after 171... :)
QUESTION: How will you control the GRC system if you have multiple rule sets activated?
ANSWER: We can set a default rule set in RAR --> Configuration --> Risk analysis --> Default values.
QUESTION: Is it possible to derive a role which does not have any t-code but has some manually entered authorization objects? If yes, how?
ANSWER: T-codes are also a part of auth objects. We can definitely derive such roles. This concept is known as Value Roles.
QUESTION: Can we view the changes to a role that happened in PFCG through GRC?
ANSWER: Yes
QUESTION: What is the exact definition of the table USOBX & also USOBX_C?
ANSWER: The USOBX_C table contains customized authorization objects which you are maintaining in user master records. That means whatever authorizations you are maintaining as yes/no for users, those authorizations will be stored in the USOBX_C table. The USOBX table contains standard check indicators for the USOBT table.
QUESTION: What is the difference between Profile Generator Upgrade & SAP Load Generator?
And I also want to know when this SLG is used.
ANSWER: SGEN - You can use transaction SGEN to generate the ABAP loads of a number of programs, function groups, classes, and so on, as well as Business Server Page applications.
QUESTION: I have a query where I need to restrict users by the Personnel Area.
This is for t-codes PHAP_ADMIN and PHAP_ADMIN_PA; these are HR t-codes and there are no org values for these t-codes to restrict, only Plan Version is available.
Does anyone know the possibility to restrict based on Personnel Area? Any object related to these t-codes that can be useful? Please let me know... as soon as possible will be better for resolving i
ANSWER: P_ORGIN is the object you can use to restrict on personnel area. According to standard behaviour this object is getting checked for the t-codes PHAP_ADMIN and PHAP_ADMIN_PA; just change the proposal value for this object in SU24 to yes and add it in the role. You will be able to achieve restrictions on personnel area by maintaining P_ORGIN along with infotype restrictions. Also, personnel area is not an org level field.
QUESTION: Sometimes I could see the below values for the authorization group under the table maintenance object S_TABU_DIS:
Activity: 02
DICBERCLS: &NC& (Table Authorization Group)
What does &NC& mean? Does it mean no value is maintained?
Also, what is the meaning of # and ' '?
ANSWER: The value '&NC&' stands for "non class", which means the table does not belong to any table class and is accessible by anyone. Without this value, even having the auth object S_TABU_DIS with the field DICBERCLS left blank, the table will not be accessible. From the security point of view, there should be certain authorisation groups created by SE54, as the groups are dedicated to the legitimate users.
To give table authorizations to any user, we will give the change authorizations through the S_TABU_DIS object with the activity 02 and the authorization group &NC& (which is already assigned to the table).
" " will give S_TABU_CLI (the cross-client access value should be "X" to get change authorization) with the above object. Otherwise the user will not get the change authorization. With " " the user will not get the change authorization.
http://www.youtube.com/watch?v=kjaY7BRywOQ
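The SQVI join of AGR_USERS and AGR_1251 from the SU53 answer earlier on this page, and the &NC& behaviour described in this answer, as one added example that is not code from the original page. The user-to-role rows, the role authorizations, the TDDAT excerpt and the role names are constructed sample data, and value_matches is an assumed model of single value / interval / '*' field semantics, not SAP's own check code.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows (not real data) shaped like AGR_USERS and AGR_1251.
AGR_USERS = [("U1", "Z_FI_DISPLAY"), ("U1", "Z_TABLE_MAINT"), ("U2", "Z_FI_DISPLAY")]
AGR_1251 = [  # (agr_name, auth, object, field, low, high)
    ("Z_FI_DISPLAY", "T-FI0001", "F_BKPF_BUK", "ACTVT", "03", ""),
    ("Z_FI_DISPLAY", "T-FI0001", "F_BKPF_BUK", "BUKRS", "4000", "4220"),
    ("Z_TABLE_MAINT", "T-TB0001", "S_TABU_DIS", "ACTVT", "02", ""),
    ("Z_TABLE_MAINT", "T-TB0001", "S_TABU_DIS", "DICBERCLS", "&NC&", ""),
]
TDDAT = {"ZCUST": "ZCUS"}  # constructed table -> auth group; absent = no group

def value_matches(low, high, wanted):
    """Assumed field semantics: '*' matches all, LOW-HIGH is an interval, else exact."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high  # character comparison, like a CHAR field
    return low == wanted

def _auths(user, obj):
    """The SQVI join of AGR_USERS and AGR_1251, filtered to one user and one object."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE agr_users(uname, agr_name)")
    con.execute("CREATE TABLE agr_1251(agr_name, auth, object, field, low, high)")
    con.executemany("INSERT INTO agr_users VALUES (?,?)", AGR_USERS)
    con.executemany("INSERT INTO agr_1251 VALUES (?,?,?,?,?,?)", AGR_1251)
    return con.execute(
        "SELECT a.agr_name, a.auth, a.field, a.low, a.high FROM agr_users u "
        "JOIN agr_1251 a ON a.agr_name = u.agr_name WHERE u.uname = ? AND a.object = ?",
        (user, obj)).fetchall()

def roles_with_object(user, obj):
    """Roles of USER that carry the auth object shown in the SU53 screenshot."""
    return sorted({row[0] for row in _auths(user, obj)})

def user_has_auth(user, obj, wanted):
    """AUTHORITY-CHECK-style test: one authorization instance must cover every field."""
    per_auth = defaultdict(list)
    for role, auth, field, low, high in _auths(user, obj):
        per_auth[(role, auth)].append((field, low, high))
    return any(all(any(f == fld and value_matches(lo, hi, val) for f, lo, hi in vals)
                   for fld, val in wanted.items()) for vals in per_auth.values())

def can_change_table(user, table):
    """S_TABU_DIS with ACTVT 02; a table without a TDDAT group is checked as '&NC&'."""
    group = TDDAT.get(table, "&NC&")
    return user_has_auth(user, "S_TABU_DIS", {"ACTVT": "02", "DICBERCLS": group})
```

A blank DICBERCLS in the role would never equal "&NC&" here, which is the point the answer makes about ungrouped tables.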
QUESTION: What is a business role in CRM security?
ANSWER: I just know that even if a user has SAP_ALL or SAP_NEW, he cannot log in to the CRM system; there should be some business roles assigned. Business roles may be of many types like service business role, sales business role, purchase business role, warehouse business role, etc. One more thing to remember is that we can also set a parameter in the user master record for this business role purpose.
Business roles means an indirect assignment (org assignment) of positions to users through PPOMA_CRM.
QUESTION: Can anyone explain how to use the SPRO t-code?
ANSWER: http://www.youtube.com/watch?v=QDcOgrWqHgQ
QUESTION: As known, in SE16 if we enter TDDAT we can see the auth groups, and from there we can see the tables available for the auth group.
Is there any way where, at one time in SE16, we can see all the tables at once?
ANSWER: SE15; I suggest you do R&D on that. This t-code is very helpful in finding tables for a particular field.
DD02L - where we can see the list of all the tables.
QUESTION: Can anyone explain RZ10 and RZ11 in detail?
ANSWER: RZ11 is used to view system profile parameters and RZ10 is mainly for profile maintenance. For more details refer to ADM100.
Note: does anyone have the ADM955 SAP GRC Access Control document?
http://filevelocity.com/l5n0l69pb5ml/ADM955_-_SAP_GRC_Access_Control_-_Installation.pdf
QUESTION: What is the alternative t-code for PFCG?
ANSWER: It is UG_BW_PFCG.
There are alternative t-codes to PFCG. I don't have system access right now to give the right t-code, but it starts with OY. For e.g. OY27, OY28 invoke the SU01 transaction code; in a similar way, you have one for PFCG.