1.

Which reports or programs are useful for regenerating SAP_All profiles?

Answer»

Report RSUSR406 or T-code SU21 can be used to manually regenerate the SAP_ALL profile. In this case, the SAP_ALL profile is only generated in the client where the report is executed. You can also generate SAP_ALL profiles using the report AGR_REGENERATE_SAP_ALL. In this case, the SAP_ALL profile is generated in all the clients.

2.

Mention what is the maximum number of profiles in a role and a maximum number of objects in a role?

Answer»

A role can have a maximum of 312 profiles and 170 objects.

3.

State difference between role and profile.

Answer»

A role is essentially a combination of transactions and authorizations stored in a profile. Profiles associated with a role can vary in number depending on the number of transactions and authorizations that are contained within the role. As soon as you generate a role, it automatically creates a profile.

4.

Explain the use of role templates.

Answer»

As part of SAP AIF (Application Interface Framework), predefined template roles are available. These role templates can be used to define or customize roles based on specific requirements. Each role template comes with a set of authorizations that typical SAP AIF users would require. You can change a role template in three ways:

  • Use them as they are delivered in SAP
  • Modify them according to your needs using the PFCG T-code
  • Build them from scratch

Below are some examples of role templates offered by SAP AIF 4.0:

  • SAP_AIF_ADMIN: AIF Administrator
  • SAP_AIF_ALL: AIF All Authorizations
  • SAP_AIF_ARCHITECT: AIF Architect
  • SAP_AIF_AUDITOR: AIF Auditor
  • SAP_AIF_POWER_USER: AIF Power User
  • SAP_AIF_USER: AIF Business User

5.

How will you create a user group in SAP?

Answer»

The following steps explain how to create a user group in SAP:

  • Step 1: In SAP Easy Access Menu, enter the SUGR T-code and execute it. SUGR is the SAP T-code for maintaining user groups.
  • Step 2: You will see a new screen. Fill in the text box with the name of the new user group.
  • Step 3: Then click on the Create button.
  • Step 4: Add a description and click Save.
  • Step 5: A new user group will be created in SAP.

6.

What is SOD (Segregation of Duties) in SAP Security?

Answer»

Segregation of Duties (SOD) refers to segregating duties or roles between different users. SOD involves separating individuals who handle different steps of business transactions in order to reduce fraud and errors.  The SAP SOD is an essential internal control system meant to minimize the risk of errors and irregularities, identify problems and ensure the onset of remedial action. All of this can be achieved by making sure that no single person controls all phases of the transaction.

Example: Let's say that the process of disbursing the money is preceded by a series of steps. As a first step, a business manager generally drafts a purchase order (PO) that outlines how a vendor will be paid for the product or service. That vendor must be approved by the purchasing department before payment can be made. A senior manager will usually approve the purchase order. An invoice for products and services must then be issued by the vendor. Prior to signing a check, a person from the accounts payable department needs to approve the invoice. The following diagram illustrates the basic procurement process.

In the diagram, there are four people with different responsibilities. In this workflow, all four people act as checks on each other.

Imagine if one person could carry out all four steps of this process, then he or she would be capable of requesting a purchase, approving it and signing the check. It has unfortunately been observed that employees can misuse this concentration of authority to commit fraud. This emphasizes the importance of segregating duties.

7.

Is there a way to add a missing authorization?

Answer»

SU53 is the best T-code to find the authorizations that are missing. There may be times that this T-code is required for SAP GUI troubleshooting. We can then insert those missing authorizations with the T-code PFCG. PFCG is the T-code for maintaining roles and authorization data.

8.

Write different types of roles in SAP security.

Answer»

In SAP, there are several types of roles as follows:

  • Single Role: Single roles typically contain all authorization objects as well as field values (both organizational and non-organizational) required to execute the transactions that the role contains. The term "Single Role" is commonly used to refer to a job/position-based role design. In such cases, the single role includes all authorizations required for a user's position or job.
  • Derived Role: Roles can also be derived from single roles. In derived roles, there is a parent or master role and more child roles that differ only in their organizational values from each other.
  • Composite Role: You can group multiple single roles together to make a composite role. By assigning only the composite role, you can indirectly assign multiple single roles to a user.

9.

Explain the concept of SAP Roles and Authorization.

Answer»

In SAP, roles and authorization are the mechanisms that allow users to execute transactions (execute programs) in a secure way. Each role in SAP requires authorization in order to execute a function. There are several different types of standard roles in SAP for different modules and scenarios. In addition, user-defined roles can be created based on the project scenario. The SAP system grants access to users based on roles stored in their user master. PFCG is the T-code for maintaining roles and authorization data.

10.

How will you check table logs and what T-codes will you use?

Answer»

The first thing we need to do is check whether logging is enabled for this table, which we can do by using the T-code SE13. Then, if table logging is enabled, we can view the history of the table (table logs) by using T-code SCU3.

11.

How many types of users are there for background jobs? Is there a way to troubleshoot problems that a background user faces?

Answer»

The user types for background jobs are as follows:

  • System user: Users with this user type can perform certain system activities such as background processing, ALE (Application Link Enabling), workflows, etc.
  • Communication user: It enables dialog-free interaction or communication between systems. Dialog logon cannot be done with this type of user.

We can schedule background jobs using the SM36 T-code, view and monitor background jobs running in the system using SM37 T-code, and troubleshoot problems for background users using ST01 T-code.

12.

Describe the different types of SAP System users.

Answer»

In SAP systems, when an administrator creates a new user ID, he has to specify the type of user this user ID should be assigned to. Users in a system can be categorized according to their purposes. This allows different security policies to be specified for different types of users. A security policy may, for example, specify that a human user (end-user) who executes tasks interactively needs to change their passwords regularly, whereas this requirement does not apply to users who are running jobs in the background. Following are some types of users in SAP:

  • System user: Users with this user type can perform certain system activities such as background processing, ALE (Application Link Enabling), workflows, etc. The system user does not allow interactive access to the system. When a user has the service user type, the system won't check for expired/initial passwords, only a user administrator can change the password, and multiple logins are allowed.
  • Dialogue user: Dialogue users represent human users, also called end-users. This user type is needed for individual, interactive sessions in the SAP system. When a user has dialogue user type, the system checks their expiring or initial password, enables them to change their passwords, and checks for multiple logins.
  • Service user: Service user types generally represent a larger user community and allow. This user type facilitates guest access, or the ability to connect to remote systems with certain rights. When a user has the service user type, the system won't check for expired/initial passwords, only a user administrator can change the password, and multiple logins are allowed.
  • Communication user: It enables dialogue-free interaction or communication between systems. Dialogue logon cannot be done with this type of user.
  • Reference user: Rather than assigning roles individually to each user, a reference user is created to hold a selection of roles that are to be assigned to a larger group of users. If you need to create a large number of users in your SAP system with the same authorization assigned, you can use this method.

13.

What are different SAP Security T-codes?

Answer»

In SAP, a transaction code (T-code) is basically a four-digit shortcut key that can be used to access a specific function or any running program in the SAP application. Using a transaction code, you can access desired functions directly within the SAP system. In the SAP system, there are more than 10,000 T-codes used for configuration, end-user activities, implementation, reporting, updating, security, etc. Below is a list of some SAP Security T-codes:

| SAP T-code | Description |
|---|---|
| PFUD | Compare the User Master in Dialog. |
| SCC8 | The exchange of data occurs at the operating system level. |
| PFCG | Role maintenance with the profile generator. |
| SE43 | Display and maintain the Area Menus. |
| ST01 | System Trace. |
| SU01 | User creation and maintenance. |
| SU02 | Maintain authorization profile. |
| SU03 | Maintain authorization. |
| SU3 | Sets the address and default parameters. |
| SU10 | Maintenance for mass users. |
| SU25 | For filling of customer table USOBT_C and USOBX_C with SAP default values. |
| SUIM | User information system. |
| SM01 | To lock the transaction from execution. |
| SM12 | Display and Delete Locks. |
| SM20 | View Security Audit log. |
| EWZ5 | Lock users. |
| RZ10 | Profile configuration. |
| RZ11 | Maintain the profile parameters. |

14.

Write different layers of security in SAP.

Answer»

Different layers of security in SAP are as follows:

  • Authentication: It verifies the user and only authorized users should be permitted access to the SAP system.
  • Authorization: The SAP system can authorize users only to access SAP based on the roles and profiles they have been assigned.
  • Integrity: It is vital to ensure the integrity (validity, accuracy, and consistency) of data at all times.
  • Privacy: It keeps data safe from unauthorized access.
  • Obligation: Securing the company's liability and legal obligations towards stakeholders and shareholders, as well as validating them.

15.

Can you explain what a ‘user compare’ does in SAP security?

Answer»

In cases where a role is used to generate authorization profiles, the generated profile is not entered into the user master record until the user master record is compared. It can be automated by scheduling the report PFCG_TIME_DEPENDENCY every day.