1.

What are the values for user lock?

Answer»

To determine whether a user is locked or not, we use the USR02 table. Below is a table showing the 6 types of user lock values:

| User Status | Reason |
|---|---|
| 0 | Not locked. |
| 16 | Mystery values. |
| 32 | Locked by CUA central administrator (User Admin). |
| 64 | Locked by System Administrator. |
| 128 | Locked after too many failed logon or incorrect logon attempts. |
| 192 | A combination of both: locked by the system administrator and locked after too many failed logins (192 = 64 + 128). |

Conclusion:

The SAP Security solution allows you to monitor and regulate access to your company's systems and data both internally and externally. Globally, leading multinational businesses rely on SAP solutions to manage their operations and workflow. Consequently, SAP Security is one of the most rewarding careers in the technology world today, and SAP Security developers are in high demand. Therefore, you have an excellent chance of moving ahead as an SAP Security developer.

2.

Would it be possible to mass delete roles without deleting the new roles in SAP?

Answer»

SAP provides a report (AGR_DELETE_ALL_ACTIVITY_GROUPS), which you can copy, then remove the system type check from, and then execute. For mass deletion of roles without deleting the new roles in SAP, simply enter the roles that you wish to delete in a transport (a package used for transferring data between SAP installations), run the delete program or delete the roles manually, then release the transport and finally import it into all client systems. As soon as you transport, the roles are deleted from all client systems.

It is necessary to tweak/debug and replace the code in AGR_DELETE_ALL_ACTIVITY_GROUPS to ensure it is deleting only SAP-delivered roles. Getting past that little bit makes it work well.

3.

What is Profile Version?

Answer»

Profiles contain a set of rights and restrictions associated with a specific user or group. User profiles specify what actions (like viewing, creating, and editing) a user is allowed to perform on various resources, like sourcing documents or master data.

Changing and saving a profile does not overwrite the old status in the database. Instead, a new version is created with the updated values. SAP assigns a unique number to each profile version. Create a new profile, for example, and it will have a version number of 1. After that, additional profiles will have sequential version numbers.

4.

Apparently, someone deleted users from our system, and I would like to know who did so. Is there a table where this is recorded or logged?

Answer»

This information can be obtained by debugging the system or by using the RSUSR100 report. This report can be used to determine all changes made to the user (user change history).

5.

Explain PFCG_Time_Dependency.

Answer»

The PFCG_TIME_DEPENDENCY report is an executable ABAP (Advanced Business Application Programming) report within your SAP system. It is used for comparing user masters. In addition, it deletes or removes expired profiles from the user master record. This report can also be directly executed using the PFUD T-code.

6.

In which table are illegal passwords stored?

Answer»

The USR40 table is a standard authentication and SSO (Single Sign-On) transparent table in SAP Basis, which stores data about illegal passwords. It is used to gather illegal passwords and store them in various arrangements and patterns of words that can be implemented at the moment of creating the passwords.

7.

Describe the steps one needs to take before running the Run system trace.

Answer»

There are a few things that need to be done before one executes the Run system trace. If one is going to trace the CPIC or the user ID prior to executing the Run system trace, then one has to make sure that the said ID is given to someone who has either SAP_NEW or SAP_ALL.

This has to be done because it ensures that one is able to execute the work without any kind of authorization check failure.

8.

What are the main tabs available in PFCG (Perfectly Functionally Co-coordinating Group)?

Answer»

In the PFCG, there are many important and essential tabs, including the following:

  • Description: Used to describe changes made, such as those made to roles, authorization objects, or other T-codes (addition or removal).
  • Menu: Used to design user menus, such as by adding T-codes.
  • Authorization: Used for maintaining authorization profiles and authorization data.
  • User: Used to adjust user master records and assign users to the role.
9.

What is the procedure for deleting multiple roles from the QA (Quality Assurance), DEV (Development), and Production systems?

Answer»

In order to delete multiple roles from QA, DEV, and Production systems, you must follow the steps below:

  • Put the roles to be removed in a transport (in development).
  • Delete the roles.
  • Push the transport to the QA and production departments.
10.

Which T-codes can be used to display user buffers, and delete old security audit logs?

Answer»

The T-codes used to display user buffers and delete old security audit logs are as follows:

  • SM18: Delete old security audit logs / reorganize the security audit log in SAP.
  • SU56: Monitor the number of objects buffered from individual user authorization roles and profiles.
11.

What does User buffer mean? Which parameter controls the number of entries in the user buffer?

Answer»

An SAP system automatically creates a user buffer when a user signs on. This buffer includes all authorizations for that user. Each user has their own buffer, which they can display using the T-code SU56. The tool is only for monitoring purposes, and no further action can be taken. The following profile parameter controls the number of entries in the user buffer: "auth/auth_number_in_userbuffer".

12.

Which authorization objects are needed to create and maintain user records?

Answer»

In order to create and maintain a user record, you need the following authorization objects:

  • S_USER_GRP: Assign user groups.
  • S_USER_PRO: Assign authorization profile.
  • S_USER_AUT: Create and maintain authorizations.
13.

What t-code is used to maintain Authorization Object and profile?

Answer»

The T-codes used to maintain authorization objects and profiles are as follows:

  • SU21: This is used to maintain authorization objects in SAP.
  • SU02: This is used to maintain authorization profiles in SAP.
14.

Explain authorization class and authorization object.

Answer»
  • Authorization object: An authorization object is a group of authorization fields that regulates a particular activity. While authorization relates to a particular action or activity, the authorization field relates to security administrators for configuring or defining specific parameters/values in that particular action.
  • Authorization class: Authorization classes, on the other hand, are groups of authorization objects. These classes can contain one or more authorization objects.
15.

Differentiate between USOBT_C and USOBX_C.

Answer»

USOBX_C and USOBT_C are customer-specific tables, and the C in their names indicates that these tables contain customer-specific values that are maintained/changed using the T-code SU24. Differences between USOBT_C and USOBX_C are as follows:

| USOBX_C | USOBT_C |
|---|---|
| This table specifies which authorization checks are to be performed and which are not, i.e., whether the field "check indicator" is set to "check" or to "Do not check". | USOBT_C contains authorization objects whose Proposal value is Yes in SU24. |
| This table also defines the authorization checks that are maintained in the profile generator. | It contains authorization values for the authorization objects that are defined to be maintained in the profile generator. |