Top 41 SAP Security Interview Questions and Answers


Q1. What is SAP security?

Ans. SAP stands for Systems, Applications, and Products in Data Processing. SAP security is the module that protects
SAP data and applications from unauthorized access and use. It means giving business users exactly the access their
authority or responsibility requires; permissions are granted according to their roles in the organization or
department.

To stand out with this SAP security interview question, mention that it covers three areas:

• Confidentiality: Data should not be disclosed in an unauthorized way.

• Integrity: Data should not be modified in an unauthorized way.

• Availability: Data and services must remain reachable; distributed denial-of-service (DDoS) attacks should not succeed.

Q2. Name the different layers of Security in SAP.

Ans. The different layers of security in SAP are:

• Authentication – Validating users before granting system access

• Authorization – Allowing users to perform only their designated tasks

• Integrity – Ensuring data integrity

• Privacy – Preventing unauthorized access to data

• Obligation – Ensuring accountability (liability) for validated actions

Q3. Explain some SAP security T-codes (Transaction Codes).

Ans. A T-code (or transaction code) is used to access functions or a running program in an SAP application. Some of the
SAP security T-codes are:

• PFUD – Compare user master records in dialog

• RZ10 – Profile configuration

• SCC8 – Data exchange at the operating system level

• PFCG – Maintain roles using the profile generator

• SE43 – Maintain and display area menus

• ST01 – System trace

• SECR – Audit Information System

• SM12 – Display and delete locks

• SU01 – Create and maintain users

• SU25 – Initial fill of the customer tables

• SUPC – Mass generation of profiles

• SUIM – User Information System

Q4. Explain different types of Users in SAP.

Ans. This is one of the basic SAP security interview questions. In SAP systems, users are categorized according to their
purpose. This matters because, when creating a new user ID, the administrator has to specify the user type. The
different types of users in SAP are:

• Dialog User (A) – Used for an individual user. During a dialog logon, the system checks for expired or initial
passwords, and the user can change his or her password. Multiple dialog logons are checked and logged.

• System User (B) – Non-interactive users used for system activities such as ALE, background processing, workflow,
TMS, and CUA.

• Service User (S) – A dialog user available to a larger group of users. Only user administrators can change the
password, and the system does not check for expired or initial passwords during logon.

• Reference User (L) – Like a system user: a general, non-personally related user.

• Communication User (C) – Allows dialog-free communication between systems. These users are not permitted to log on
in dialog.

Q5. How to check table logs?

Ans. The first step is to check if logging is activated for a table using t-code SE13. If it is enabled then we can see the table
logs with the t-code SCU3.

Q6. What is a ‘role’ in SAP security?

Ans. Role refers to the group of t-codes that is assigned to execute particular tasks.

Q7. What is an ‘authorization’?

Ans. Each role in SAP requires privileges to execute a function, which is known as authorization.

Q8. How many fields can be in one authorization object?

Ans. There are 10 fields in one authorization object in SAP.

Q9. What is the difference between a role and a profile?

Ans. A role and profile go hand-in-hand. When a role is created, a profile is automatically created.

Q10. What is the difference between a single role and a composite role?

Ans. A single role is a container that collects transactions and generates an associated profile. A composite role is a
container that collects several single roles.

Q11. Differentiate between authorization object and authorization object class.

Ans. An authorization object is a group of authorization fields related to a particular activity, while an
authorization object class groups authorization objects by functional area.

Q12. What is the maximum number of profiles and objects in a role?

Ans. In a role, the maximum number of profiles is 312 and the maximum number of objects is 170.

Q13. How to find out who has deleted users in the system?

Ans. To find out who has deleted users in the system, first debug or run report RSUSR100 to find the information. Then run
transaction SUIM and download the change documents.

Q14. Can you change a role template? What are the three ways to work with a role template?

Ans. Yes. There are three ways to work with a role template:

• Use the templates as delivered by SAP

• Modify them to your needs through PFCG

• Create them from scratch

Q15. What are the authorization objects required to create and maintain user records?

Ans. The following authorization objects are required to create and maintain user records:

• S_USER_GRP: to assign user groups.

• S_USER_PRO: to assign authorization profiles.

• S_USER_AUT: create and maintain authorizations.

Q16. How can you delete multiple roles from QA, DEV and Production System?

Ans. The following steps delete roles from the DEV, QA and production systems:

• Place the roles to be deleted in a transport.

• Delete the roles.

• Push the transport through to QA and production.

Q17. Explain the difference between USOBT_C and USOBX_C.

Ans. The differences between USOBT_C and USOBX_C are:

• USOBT_C – Provides the authorization proposal data, i.e. the authorization data that is relevant for a
transaction. It also includes the checks that are present in the profile generator.

• USOBX_C – Specifies which authorization checks need to be executed within the transaction and which do not. It
also includes the default values that need to be present in the profile generator.

Q18. Can you add a composite role to another composite role?

Ans. No, you cannot add a composite role to another composite role.

Q19. How can the password rules be enforced?

Ans. Password rules are enforced through profile parameters.

Q20. Which t-code can be used to delete old security audit logs?

Ans. The t-code SM18 can be used to delete old security audit logs.

Q21. What are the main tabs available in PFCG?

Ans. The main tabs available in PFCG are description, menu, authorization, and user. The functions of these tabs are:

• Description: Used to document the role and the changes made to it, such as details of the role, the authorization
objects, and t-codes added or removed.

• Menu: To design user menus like the addition of t-codes.

• Authorization: To maintain authorization data and authorization profile.

• User: Used to adjust user master records and assign users to the role.

Q22. Which t-code is used to display the user buffer?

Ans. The t-code SU56 is used to display the user buffer.

Q23. What does a USER COMPARE do in SAP security?

Ans. USER COMPARE compares the user master records with the role so that the generated authorization profile is entered
in the user master record.

Q24. What is the difference between CM (Check/Maintain), C (Check), N (No Check), and U (Unmentioned)?

Ans. This is an important SAP Security interview question. The differences you can mention are:

• CM (Check/Maintain): An authority check is carried out against this object. PG creates an authorization for this
object. Field values are displayed. Default values can be maintained.

• C (Check): An authority check is carried out against this object. PG does not create an authorization for this
object. Field values are not displayed. The default values cannot be maintained.

• N (No Check): The authority check against this object is disabled. PG does not create an authorization for this
object. Field values are not displayed. Default values cannot be maintained.

• U (Unmaintained): An authority check is carried out against this object. PG does not create an authorization for
this object. Field values are not displayed. Default values cannot be maintained for this authorization.
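The following is an added example, not code from the original page, that models how the profile generator (PG) combines the USOBX_C check indicators from Q24 with the USOBT_C default values from Q17. All table rows and the field lists are constructed sample data; the object and field names are real SAP ones but the values are not SAP's delivered defaults.

```python
# Added example (not from the page): a small model of how the profile generator (PG)
# combines USOBX_C check indicators (Q24) with USOBT_C default values (Q17).
# All table rows below are constructed sample data, not real SAP customising.

# Fields of each authorization object (real field names, constructed selection)
OBJECT_FIELDS = {
    "S_USER_GRP": ["CLASS", "ACTVT"],
    "S_USER_AUT": ["OBJECT", "AUTH", "ACTVT"],
    "S_TCODE": ["TCD"],
    "S_DATASET": ["PROGRAM", "ACTVT", "FILENAME"],
    "S_ADMI_FCD": ["S_ADMI_FCD"],
}

# USOBX_C: (transaction, authorization object) -> check indicator
USOBX_C = {
    ("SU01", "S_USER_GRP"): "CM",  # checked at runtime, PG proposes an authorization
    ("SU01", "S_USER_AUT"): "CM",  # same, but USOBT_C lacks some field defaults
    ("SU01", "S_TCODE"):    "C",   # checked at runtime, PG proposes nothing
    ("SU01", "S_DATASET"):  "N",   # authority check disabled for this transaction
    ("SU01", "S_ADMI_FCD"): "U",   # unmaintained: checked, nothing proposed
}

# USOBT_C: default field values PG should propose, keyed like USOBX_C
USOBT_C = {
    ("SU01", "S_USER_GRP"): {"CLASS": "*", "ACTVT": ["01", "02", "03", "06"]},
    ("SU01", "S_USER_AUT"): {"OBJECT": "*"},
    ("SU01", "S_TCODE"):    {"TCD": "SU01"},   # ignored: indicator is only C
}

def runtime_check_active(tcode, obj):
    """True when an AUTHORITY-CHECK on obj is enforced inside tcode (all but N)."""
    return USOBX_C.get((tcode, obj), "U") != "N"

def pg_proposals(tcode):
    """Authorizations PG inserts into a role whose menu contains tcode.
    Only CM objects get an authorization; field values come from USOBT_C and a
    field without a default stays open (None) for the role builder to maintain."""
    proposals = {}
    for (tc, obj), indicator in USOBX_C.items():
        if tc != tcode or indicator != "CM":
            continue
        defaults = USOBT_C.get((tc, obj), {})
        proposals[obj] = {f: defaults.get(f) for f in OBJECT_FIELDS[obj]}
    return proposals

def open_fields(tcode):
    """Fields the role builder must still fill in (shown as open in PFCG)."""
    return {obj: [f for f, v in fields.items() if v is None]
            for obj, fields in pg_proposals(tcode).items()
            if any(v is None for v in fields.values())}
```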

Q25. Explain a user buffer.

Ans. A user buffer is built when a user signs on to an SAP system. It contains the authorizations of that particular
user, and every user has his or her own user buffer. The user buffer display is a monitoring tool: apart from analyzing
the buffer of a particular user or resetting it, no further action can be taken from within the transaction. A user can
display his or her own user buffer using the t-code SU56.

Q26. What are the values for user lock?

Ans. The values for user lock are:

• 00 – Not locked

• 32 – Locked by CUA central administrator

• 64 – Locked by the system administrator

• 128 – Locked after a failed logon
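The following is an added example, not code from the original page, that turns the user-type rules from Q4 and the lock values from Q26 into a dialog-logon decision. It goes slightly beyond the page by treating the lock value as additive (a user can carry more than one lock flag at once). The sample user records are constructed.

```python
# Added example (not from the page): dialog-logon decision from the user type
# (Q4) and the user lock value (Q26). Sample users are constructed; the lock
# value is treated as an additive bit field, so 96 = 32 + 64.
LOCK_FLAGS = {
    32: "Locked by CUA central administrator",
    64: "Locked by the system administrator",
    128: "Locked after a failed logon",
}
# User types that may log on interactively (A = Dialog, S = Service)
DIALOG_CAPABLE = {"A", "S"}
# Types for which an initial or expired password blocks the logon;
# service users skip this check, as the page states
PASSWORD_EXPIRY_ENFORCED = {"A"}

def decode_uflag(uflag):
    """Human-readable reasons for every lock bit that is set."""
    return [text for bit, text in LOCK_FLAGS.items() if uflag & bit]

def dialog_logon(user):
    """Return (allowed, reason) for a dialog logon attempt by this user record."""
    if user["type"] not in DIALOG_CAPABLE:
        return False, f"user type {user['type']} is not permitted a dialog logon"
    reasons = decode_uflag(user["uflag"])
    if reasons:
        return False, "; ".join(reasons)
    if user["type"] in PASSWORD_EXPIRY_ENFORCED and user["pwd_expired"]:
        return False, "password is initial or expired; user must change it"
    return True, "ok"

# Constructed sample user master records (a subset of USR02 fields)
SAMPLE_USERS = {
    "ALICE": {"type": "A", "uflag": 0,   "pwd_expired": False},
    "BOB":   {"type": "A", "uflag": 128, "pwd_expired": False},
    "SVC1":  {"type": "S", "uflag": 0,   "pwd_expired": True},
    "RFC1":  {"type": "C", "uflag": 0,   "pwd_expired": False},
    "CAROL": {"type": "A", "uflag": 96,  "pwd_expired": False},
    "DAVE":  {"type": "A", "uflag": 0,   "pwd_expired": True},
}

def locked_users(users):
    """Names of all users that carry at least one lock flag, e.g. for a review."""
    return sorted(name for name, u in users.items() if decode_uflag(u["uflag"]))
```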

Q27. How to create a user group in SAP?

Ans. For this SAP security interview question, you can mention that a user group is created in the SAP system by
following these steps:

• Enter the T-code SUGR in the SAP Easy Access command field.

• A new screen opens. Provide a name for the new user group in the text box.

• Click the Create button.

• Provide a description and click the Save button.

• The user group is now created in the SAP system.

Q28. Which parameter is used to control the number of entries in the user buffer?

Ans. The number of entries in the user buffer is controlled by the profile parameter auth/auth_number_in_userbuffer.

Q29. When a background user faces problems, how will you troubleshoot them?

Ans. System Trace ST01 can be used to troubleshoot problems for background users.

Q30. When you create a username, which fields are mandatory?

Ans. The last name and password are required.

Q31. List the prerequisites before assigning SAP_ALL to users, even when the authorization controllers have approved
it.

Ans. Even with approval, the prerequisites are as follows:

• Enable the security audit log using the SM19 t-code

• Retrieve the audit log using the SM20 t-code

Q32. What should be considered before executing the Run System Trace?

Ans. If you are tracing a batch user ID or a CPIC user, then before executing Run System Trace ensure that the ID has
been assigned SAP_NEW and SAP_ALL, so that the user can execute the job without authorization-check failures.

Q33. Which t-code is used to lock transactions from execution?

Ans. The t-code SM01 is used for locking transactions.

Q34. Why is SoD implemented in SAP Security?

Ans. Segregation of Duties (SoD) is implemented in SAP to detect and prevent errors and fraud in business
transactions.
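The following is an added example, not code from the original page, showing the kind of Segregation of Duties check described above: it resolves each user's single roles to the t-codes they contain and reports users who can reach both halves of a conflicting function pair. The rules, roles and user assignments are constructed sample data, not a vendor ruleset.

```python
# Added example (not from the page): a minimal Segregation-of-Duties (SoD)
# check over role-to-transaction and user-to-role assignments. Rules, roles
# and users below are constructed sample data.

# Each rule names two functions that one person must not hold together;
# a function is the set of t-codes that grant it.
SOD_RULES = {
    "Maintain vendor master vs. post vendor invoice": (
        {"XK01", "XK02", "FK01", "FK02"},   # create/change vendor
        {"FB60", "MIRO"},                   # enter vendor invoice
    ),
    "Maintain roles vs. assign users to roles": (
        {"PFCG"},                           # build authorizations
        {"SU01", "SU10"},                   # assign them to users
    ),
}

ROLE_TCODES = {
    "Z_AP_MASTER":  {"XK01", "XK02", "XK03"},
    "Z_AP_INVOICE": {"FB60", "FB03"},
    "Z_SEC_ADMIN":  {"PFCG", "SU01", "SU10", "SUIM"},
}

USER_ROLES = {
    "ALICE": ["Z_AP_MASTER"],
    "BOB":   ["Z_AP_MASTER", "Z_AP_INVOICE"],
    "CAROL": ["Z_SEC_ADMIN"],
}

def effective_tcodes(user):
    """Union of all t-codes reachable through the user's roles."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES.get(user, [])))

def sod_conflicts(user):
    """Rules the user's combined access violates, with the t-codes as evidence.
    A conflict inside a single role (CAROL) is found the same way as one that
    only appears when two roles are combined (BOB)."""
    tcodes = effective_tcodes(user)
    found = {}
    for rule, (side_a, side_b) in SOD_RULES.items():
        hit_a, hit_b = tcodes & side_a, tcodes & side_b
        if hit_a and hit_b:
            found[rule] = (sorted(hit_a), sorted(hit_b))
    return found

def report():
    """Every user with at least one violation, e.g. for a periodic audit run."""
    return {u: c for u in USER_ROLES if (c := sod_conflicts(u))}
```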

Q35. What is the use of PFCG Time Dependency?

Ans. It is a report used for user master comparison. It also removes expired profiles from the user master
records.

Q36. How can you directly execute PFCG Time Dependency?

Ans. To directly execute it, you can use the PFUD transaction code.

Q37. What is the use of USR40 table?

Ans. The USR40 table stores illegal passwords: patterns of words that cannot be used as passwords.
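The following is an added example, not code from the original page, that applies the profile-parameter password rules from Q19 and the USR40 forbidden-password patterns from Q37 to a candidate password. The parameter names are real login/* parameters, but their values and the USR40 rows are constructed; the wildcard semantics assumed are '*' for any run of characters and '?' for exactly one character, compared case-insensitively.

```python
# Added example (not from the page): password check against profile
# parameters (Q19) and USR40 forbidden patterns (Q37). Parameter values and
# USR40 rows are constructed; wildcard semantics ('*' = any run, '?' = one
# character, case-insensitive) are an assumption of this example.
import re

# Constructed values for real login/* profile parameters
PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
}

# Constructed USR40 rows: patterns that must not be used as a password
USR40 = ["SAP*", "*PASS*", "WELCOME?", "INIT????", "123*"]

def usr40_regex(pattern):
    """Translate one USR40 wildcard entry into an anchored regular expression."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

FORBIDDEN = [(p, usr40_regex(p)) for p in USR40]

def check_password(candidate):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < PROFILE["login/min_password_lng"]:
        problems.append("shorter than login/min_password_lng")
    if sum(c.isdigit() for c in candidate) < PROFILE["login/min_password_digits"]:
        problems.append("too few digits (login/min_password_digits)")
    if sum(c.isalpha() for c in candidate) < PROFILE["login/min_password_letters"]:
        problems.append("too few letters (login/min_password_letters)")
    # Anything that is neither a letter nor a digit counts as a special character here
    if sum(not c.isalnum() for c in candidate) < PROFILE["login/min_password_specials"]:
        problems.append("too few special characters (login/min_password_specials)")
    for pattern, rx in FORBIDDEN:
        if rx.match(candidate):
            problems.append(f"matches USR40 pattern {pattern}")
    return problems
```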

Q38. What is SAP Cryptographic Library?

Ans. It is the default SAP security product. Its primary use is to perform encryption functions in SAP systems. OpenSSL
and CommonCryptoLib are two such libraries.

Q39. What is a Profile version in SAP security?

Ans. To answer this SAP security interview question, describe how a profile is created.

A profile version is created when an existing user changes their profile. The original profile still exists alongside the
new version, and each new profile version receives its own sequential number or identifier.

Q40. What do you mean by CUA Configuration in SAP?

Ans. CUA stands for Central User Administrator. This tool for SAP ABAP applications allows the security administrator
to manage multiple accounts on multiple clients.

Q41. How do you create PRT Master Records?

Ans. The exact steps and fields may vary depending on your organization's SAP system version, configuration, and the
security roles assigned to your user account, but the main steps are:

• Access the SAP system: Log in to the SAP system using your user ID and password.

• Enter the appropriate transaction code in the command field at the top of the SAP screen to launch the
transaction for creating PRT master records. The transaction code for creating PRT master records may vary
depending on the SAP system and configuration, but it is often “IR01” or “IR02.” In the PRT master record
creation screen, enter the relevant information for the PRT. This typically includes: PRT Type, PRT Number,
Description, Plant, Storage Location, Status, etc.

• Once you have entered all the required information, click on the “Save” button to create the PRT master record.
The system will generate a unique PRT number and store the record in the database.

• Depending on your organization’s requirements, you may need to perform additional configurations for the PRT
master record, such as assigning it to a work center, creating task lists, or linking it to a material.

• After creating the PRT master record, it is recommended to perform testing and validation to ensure that the PRT
functions correctly within the SAP system. This may involve executing relevant transactions or processes that
utilize the PRT.
