Explore topic-wise InterviewSolutions in .

• Frequently USED security T-codes
• SU01 Create/ Change USER SU01 Create/ Change User
• PFCG Maintain Roles
• SU10 Mass CHANGES
• SU01D Display User
• SUIM Reports
• ST01 Trace
• SU53 Authorization ANALYSIS

Personalization is a way to save INFORMATION that could be common to users, I MEANT to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be STORED in the personalization tab of the role. (I supposed that it is a way for SAP to address his AMBIGUITY of its concept of user group and roles: is “usergroup” a grouping of people sharing the same ACCESS or is it the role who is the grouping of people sharing the same access).

Personalization is a way to save information that could be common to users, I meant to a user role… E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I supposed that it is a way for SAP to address his ambiguity of its concept of user group and roles: is “usergroup” a grouping of people sharing the same access or is it the role who is the grouping of people sharing the same access).

PARAMETER rsau/no_of_filters are USED to DECIDE the NUMBER of FILTERS.

Parameter rsau/no_of_filters are used to decide the number of filters.

Table AGR_AGRS will be helpful in determining the SINGLE ROLE that is assigned to a given composite role.

Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite role.

User BUFFER can be displayed by USING TRANSACTION CODE AL08.

User buffer can be displayed by using transaction code AL08.

Table TSTCT can be USED to DISPLAY TRANSACTION CODE TEXT.

Table TSTCT can be used to display transaction code text.

To REGENERATE SAP_ALL PROFILE, REPORT AGR_REGENERATE_SAP_ALL can be USED.

To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

SM-18 t-code is used to delete the old SECURITY AUDIT LOGS.

SM-18 t-code is used to delete the old security audit logs.

Description: The tab is used to DESCRIBE the changes made like DETAILS related to the role, addition or removal of t-codes, the AUTHORIZATION object, etc.

Menu: It is used for designing user MENUS like addition of t-codes

Authorization: Used for maintaining authorization data and authorization profile

User: It is used for adjusting user MASTER records and for assigning users to the role.

Description: The tab is used to describe the changes made like details related to the role, addition or removal of t-codes, the authorization object, etc.

Menu: It is used for designing user menus like addition of t-codes

Authorization: Used for maintaining authorization data and authorization profile

User: It is used for adjusting user master records and for assigning users to the role.

In SAP security, USER COMPARE option will compare the user MASTER record so that the PRODUCED AUTHORIZATION profile can be entered into the user master record.

In SAP security, USER COMPARE option will compare the user master record so that the produced authorization profile can be entered into the user master record.

PFCG_TIME_DEPENDENCY is a REPORT that is used for user master comparison. It ALSO clears up the expired profiles from user master RECORD. To directly EXECUTE this report PFUD transaction CODE can also be used.

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears up the expired profiles from user master record. To directly execute this report PFUD transaction code can also be used.

To store ILLEGAL PASSWORDS, table USR40 is USED, it is used to store PATTERN of words which cannot be used as a PASSWORD.

To store illegal passwords, table USR40 is used, it is used to store pattern of words which cannot be used as a password.

To a role maximum of 14000 TRANSACTION CODES can be ASSIGNED.

To a role maximum of 14000 transaction codes can be assigned.

In USER buffer NUMBER of entries are controlled by the PROFILE PARAMETER “Auth/auth_number_in_userbuffer”.

In user buffer number of entries are controlled by the profile parameter “Auth/auth_number_in_userbuffer”.

A user buffer CONSISTS of all AUTHORIZATIONS of a user. User buffer can be executed by t-code SU56 and user has its own user buffer. When the user does not have the NECESSARY authorization or contains too many entries in his user buffer, authorization check FAILS.

A user buffer consists of all authorizations of a user. User buffer can be executed by t-code SU56 and user has its own user buffer. When the user does not have the necessary authorization or contains too many entries in his user buffer, authorization check fails.

SU03: It GIVES an OVERVIEW of an AUTHORIZATION object
SU02: It gives an overview of the PROFILE DETAILS

SU03: It gives an overview of an authorization object
SU02: It gives an overview of the profile details

SOD means Segregation of Duties; it is implemented in SAP in order to DETECT and PREVENT error or fraud during the BUSINESS transaction. For example, if a user or employee has the privilege to access BANK ACCOUNT detail and payment run, it might be possible that it can divert vendor payments to his own account.

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or fraud during the business transaction. For example, if a user or employee has the privilege to access bank account detail and payment run, it might be possible that it can divert vendor payments to his own account.

For the SINGLE ROLE, we can ADD or DELETE the t-codes while for a DERIVED role you cannot do that.

For the single role, we can add or delete the t-codes while for a derived role you cannot do that.

For LOCKING the TRANSACTION from EXECUTION t-code SM01, is USED.

For locking the transaction from execution t-code SM01, is used.

Maximum NUMBER of PROFILES in a ROLE is 312, and maximum number of object in a role is 150.

Maximum number of profiles in a role is 312, and maximum number of object in a role is 150.

USOBT_C: This table CONSISTS the authorization proposal DATA which contains the authorization data which are relevant for a transaction
USOBX_C: It TELLS which authorization check are to be executed WITHIN a transaction and which MUST not

USOBT_C: This table consists the authorization proposal data which contains the authorization data which are relevant for a transaction
USOBX_C: It tells which authorization check are to be executed within a transaction and which must not

If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to execute the job WITHOUT any AUTHORIZATION check FAILURE.

If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to execute the job without any authorization check failure.

To delete multiple roles from QA, DEV and Production System, you have to FOLLOW below STEPS:

• Place the roles to be deleted in a transport (in dev)
• Delete the roles
• PUSH the transport through to QA and production
• This will delete all the all roles

To delete multiple roles from QA, DEV and Production System, you have to follow below steps:

Authorization Object: Authorization objects are groups of authorization field that REGULATES particular activity. Authorization relates to a particular action while Authorization field relates for security administrators to CONFIGURE SPECIFIC values in that particular action.

Authorization object CLASS: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.

Authorization Object: Authorization objects are groups of authorization field that regulates particular activity. Authorization relates to a particular action while Authorization field relates for security administrators to configure specific values in that particular action.

Authorization object class: Authorization object falls under authorization object classes, and they are grouped by function area like HR, finance, accounting, etc.

Pre-requisites follows like

• ENABLING the audit log- using sm 19 tcode
• RETRIEVING the audit log- using sm 20 tcode

Pre-requisites follows like

By EXECUTING EWZ5 t-code in SAP, all the USER can be LOCKED at the same TIME in SAP.

By executing EWZ5 t-code in SAP, all the user can be locked at the same time in SAP.

“Roles” is referred to a GROUP of t-codes, which is assigned to EXECUTE particular BUSINESS task. Each role in SAP requires particular privileges to execute a function in SAP that is called AUTHORIZATIONS.

“Roles” is referred to a group of t-codes, which is assigned to execute particular business task. Each role in SAP requires particular privileges to execute a function in SAP that is called AUTHORIZATIONS.

SAP security is PROVIDING correct access to BUSINESS users with respect to their AUTHORITY or responsibility and giving PERMISSION according to their roles.

SAP security is providing correct access to business users with respect to their authority or responsibility and giving permission according to their roles.