SAP Security Interview Questions
SAP (Systems, Applications, and Products in Data Processing) is an enterprise management system that assists organizations in managing the financial, logistical, and human resources aspects of their business. Such systems need to be secure since organizations use them to store sensitive information about their finances, customers, and employees. SAP Security comes into play in this scenario. Leading multinational corporations around the world use SAP solutions to manage their operations and workflow. As SAP security gains in popularity, SAP security professionals are also in high demand. Due to a severe shortage of skilled SAP security professionals in the industry, there are many job opportunities in this area.
Considering a career in SAP security? To help you prepare, we provide you with some of the most frequently asked SAP security interview questions. First, let's understand what SAP Security entails...
What is SAP Security?
The SAP system is often used by organizations to store their most critical assets, including intellectual property. In order to protect this data against unauthorized access originating from both internal and external threats, it must be protected using SAP Security. System Applications and Products (SAP) Security is a method for protecting SAP Systems from unauthorized access within a distributed environment - whether users are accessing the system locally or remotely. An SAP security mechanism should be in place to prevent any risks to the SAP system. SAP security provides access to data where it is needed and prevents access where it is not within the SAP system.
SAP security is all about giving business users the right access and permissions based on their roles and authority. In order to ensure that your SAP system remains protected and works properly, it is crucial to have a good internal security and access process in place. The SAP Security solution covers diverse authentication methods, network and communication security, database security, as well as protecting standard users and various other practices that should be followed as part of maintaining your SAP environment.
SAP Security Interview Questions for Freshers
1. How will you create a user group in SAP?
The following steps explain how to create a user group in SAP:
- Step 1: In the SAP Easy Access menu, enter the T-code SUGR and execute it. SUGR is the SAP T-code for maintaining user groups.
- Step 2: A new screen appears. Fill in the text box with the name of the new user group.
- Step 3: Click the Create button.
- Step 4: Add a description and click Save.
- Step 5: The new user group is now created in SAP.
2. What are different SAP Security T-codes?
In SAP, a transaction code (T-code) is basically a four-digit shortcut key that can be used to access a specific function or any running program in the SAP application. Using a transaction code, you can access the desired function directly within the SAP system. In the SAP system, there are more than 10,000 T-codes used for configuration, end-user activities, implementation, reporting, updating, security, etc. Below is a list of some SAP Security T-codes:
SAP T-code | Description |
---|---|
PFUD | Compare the User Master in Dialog. |
SCC8 | The exchange of data occurs at the operating system level. |
PFCG | Role maintenance with the profile generator. |
SE43 | Display and maintain the Area Menus. |
ST01 | System Trace. |
SU01 | User creation and maintenance. |
SU02 | Maintain authorization profile. |
SU03 | Maintain authorization. |
SU3 | Sets the address and default parameters. |
SU10 | Maintenance for mass users. |
SU25 | Fills the customer tables USOBT_C and USOBX_C with SAP default values. |
SUIM | User information system. |
SM01 | To lock the transaction from execution. |
SM12 | Display and Delete Locks. |
SM20 | View Security Audit log. |
EWZ5 | Lock users. |
RZ10 | Profile configuration. |
RZ11 | Maintain the profile parameters. |
3. Describe the different types of SAP System users.
In SAP systems, when an administrator creates a new user ID, they have to specify the type of user this user ID should be assigned to. Users in a system can be categorized according to their purposes. This allows different security policies to be specified for different types of users. A security policy may, for example, specify that a human user (end-user) who executes tasks interactively needs to change their password regularly, whereas this requirement does not apply to users who run jobs in the background. Following are some types of users in SAP:
- System user: Users with this user type can perform certain system activities such as background processing, ALE (Application Link Enabling), workflows, etc. The system user does not allow interactive access to the system. When a user has the system user type, the system won't check for expired/initial passwords, only a user administrator can change the password, and multiple logins are allowed.
- Dialog user: Dialog users represent human users, also called end-users. This user type is needed for individual, interactive sessions in the SAP system. When a user has the dialog user type, the system checks for an expired or initial password, enables them to change their password, and checks for multiple logins.
- Service user: Service user types generally represent a larger user community. This user type facilitates guest access, or the ability to connect to remote systems with certain rights. When a user has the service user type, the system won't check for expired/initial passwords, only a user administrator can change the password, and multiple logins are allowed.
- Communication user: It enables dialog-free interaction or communication between systems. Dialog logon cannot be done with this type of user.
- Reference user: Rather than assigning roles individually to each user, a reference user is created to hold a selection of roles that are to be assigned to a larger group of users. If you need to create a large number of users in your SAP system with the same authorizations assigned, you can use this method.
4. How many types of users are there for background jobs? Is there a way to troubleshoot problems that a background user faces?
The user types for background jobs are as follows:
- System user: Users with this user type can perform certain system activities such as background processing, ALE (Application Link Enabling), workflows, etc.
- Communication user: It enables dialog-free interaction or communication between systems. Dialog logon cannot be done with this type of user.
We can schedule background jobs using the SM36 T-code, view and monitor background jobs running in the system using the SM37 T-code, and troubleshoot problems for background users using the ST01 T-code.
5. How will you check table logs and what T-codes will you use?
The first thing we need to do is check whether logging is enabled for the table, which we can do using the T-code SE13. Then, if table logging is enabled, we can view the history of the table (table logs) using the T-code SCU3.
6. Explain the concept of SAP Roles and Authorization.
In SAP, roles and authorization are the mechanisms that allow users to execute transactions (execute programs) in a secure way. Each role in SAP requires authorization in order to execute a function. There are several different types of standard roles in SAP for different modules and scenarios. In addition, user-defined roles can be created based on the project scenario. The SAP system grants access to users based on roles stored in their user master. PFCG is the T-code for maintaining roles and authorization data.
7. Write different types of roles in SAP security.
In SAP, there are several types of roles as follows:
- Single Role: Single roles typically contain all authorization objects as well as field values (both organizational and non-organizational) required to execute the transactions that the role contains. The term "Single Role" is commonly used to refer to a job/position-based role design. In such cases, the single role includes all authorizations required for a user's position or job.
- Derived Role: Roles can also be derived from single roles. In derived roles, there is a parent or master role and one or more child roles that differ from each other only in their organizational values.
- Composite Role: You can group multiple single roles together to make a composite role. By assigning only the composite role, you can indirectly assign multiple single roles to a user.
8. Is there a way to add a missing authorization?
SU53 is the best T-code to find the authorizations that are missing. There may be times that this T-code is required for SAP GUI troubleshooting. We can then insert those missing authorizations with the T-code PFCG. PFCG is the T-code for maintaining roles and authorization data.
9. What is SOD (Segregation of Duties) in SAP Security?
Segregation of Duties (SOD) refers to segregating duties or roles between different users. SOD involves separating individuals who handle different steps of business transactions in order to reduce fraud and errors. The SAP SOD is an essential internal control system meant to minimize the risk of errors and irregularities, identify problems and ensure the onset of remedial action. All of this can be achieved by making sure that no single person controls all phases of the transaction.
Example: Let's say that the process of disbursing the money is preceded by a series of steps. As a first step, a business manager generally drafts a purchase order (PO) that outlines how a vendor will be paid for the product or service. That vendor must be approved by the purchasing department before payment can be made. A senior manager will usually approve the purchase order. An invoice for products and services must then be issued by the vendor. Prior to signing a check, a person from the accounts payable department needs to approve the invoice. The following diagram illustrates the basic procurement process.
In the diagram, there are four people with different responsibilities. In this workflow, all four people act as checks on each other.
Imagine if one person could carry out all four steps of this process, then he or she would be capable of requesting a purchase, approving it and signing the check. It has unfortunately been observed that employees can misuse this concentration of authority to commit fraud. This emphasizes the importance of segregating duties.
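The procurement walk-through above can be turned into an automated check. The following is an added example, not code from the original article: it models the four procurement steps as business functions, treats any two of them held by the same person as a conflict, and reports which users violate the rule. The role names, user names and T-code assignments are constructed sample data.

```python
"""Added example: a minimal Segregation-of-Duties check over the four
procurement steps. All roles, users and T-code mappings are constructed
for illustration and do not describe any real system."""
from itertools import combinations

# The four steps from the walk-through, mapped to illustrative T-codes
# (assumed sample values chosen for this example).
BUSINESS_FUNCTIONS = {
    "create_purchase_order":  {"ME21N"},
    "approve_purchase_order": {"ME29N"},
    "post_vendor_invoice":    {"MIRO"},
    "release_payment":        {"F110"},
}

# Each step is meant to act as a check on the others, so any pair of
# steps held by one person is a conflict.
CONFLICTING_PAIRS = {frozenset(p) for p in combinations(BUSINESS_FUNCTIONS, 2)}

# Constructed role -> T-code assignments (what a PFCG single role's Menu tab holds).
ROLES = {
    "Z_PURCHASER":   {"ME21N", "ME23N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_AP_CLERK":    {"MIRO", "FB03"},
    "Z_TREASURY":    {"F110"},
    "Z_FINANCE_ALL": {"ME21N", "ME29N", "MIRO", "F110"},  # a "do everything" role
}

# Constructed user -> role assignments (what the PFCG User tab / SU01 would show).
USERS = {
    "ALICE": {"Z_PURCHASER"},
    "BOB":   {"Z_PO_APPROVER"},
    "CAROL": {"Z_AP_CLERK", "Z_TREASURY"},  # conflict: invoice + payment
    "DAVE":  {"Z_FINANCE_ALL"},             # conflict: all four steps
}


def functions_for_user(user, users=USERS, roles=ROLES):
    """Return the set of business functions a user can execute through any of their roles."""
    tcodes = set().union(*(roles[r] for r in users[user]))
    return {f for f, needed in BUSINESS_FUNCTIONS.items() if tcodes & needed}


def find_sod_conflicts(users=USERS, roles=ROLES):
    """Return {user: sorted list of conflicting function pairs}, listing violating users only."""
    findings = {}
    for user in users:
        held = functions_for_user(user, users, roles)
        pairs = sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= held)
        if pairs:
            findings[user] = pairs
    return findings


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts().items():
        print(f"{user}: {len(pairs)} SoD conflict(s)")
        for a, b in pairs:
            print(f"  {a} + {b}")
```

In a real review the role-to-T-code and user-to-role data would come from the system's own authorization tables rather than from literals.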
10. Write different layers of security in SAP.
Different layers of security in SAP are as follows:
- Authentication: It verifies the user and only authorized users should be permitted access to the SAP system.
- Authorization: The SAP system grants users access only according to the roles and profiles that have been assigned to them.
- Integrity: It is vital to ensure the integrity (validity, accuracy, and consistency) of data at all times.
- Privacy: It keeps data safe from unauthorized access.
- Obligation: Securing the company's liability and legal obligations towards stakeholders and shareholders, as well as validating them.
11. Explain the use of role templates.
As part of SAP AIF (Application Interface Framework), predefined template roles are available. These role templates can be used to define or customize roles based on specific requirements. Each role template comes with a set of authorizations that typical SAP AIF users would require. You can use a role template in three ways:
- Use them as they are delivered in SAP
- Modify them according to your needs using the PFCG T-code
- Build them from scratch
Below are some examples of role templates offered by SAP AIF 4.0:
- SAP_AIF_ADMIN: AIF Administrator
- SAP_AIF_ALL: AIF All Authorizations
- SAP_AIF_ARCHITECT: AIF Architect
- SAP_AIF_AUDITOR: AIF Auditor
- SAP_AIF_POWER_USER: AIF Power User
- SAP_AIF_USER: AIF Business User
12. State difference between role and profile.
A role is essentially a combination of transactions and authorizations stored in a profile. Profiles associated with a role can vary in number depending on the number of transactions and authorizations that are contained within the role. As soon as you generate a role, it automatically creates a profile.
13. What is the maximum number of profiles in a role and the maximum number of objects in a role?
A role can have a maximum of 312 profiles and 170 objects.
14. Which reports or programs are useful for regenerating SAP_All profiles?
Report RSUSR406 or T-code SU21 can be used to manually regenerate the SAP_ALL profile. In this case, the SAP_ALL profile is only generated in the client where the report is executed. You can also generate SAP_ALL profiles using the report AGR_REGENERATE_SAP_ALL. In this case, the SAP_ALL profile is generated in all the clients.
15. Can you explain what a ‘user compare’ does in SAP security?
In cases where a role is used to generate authorization profiles, the generated profile is not entered into the user master record until the user master record is compared. This can be automated by scheduling the report PFCG_TIME_DEPENDENCY every day.
SAP Security Interview Questions for Experienced
1. What is Profile Version?
Profiles contain a set of rights and restrictions associated with a specific user or group. User profiles specify what actions (like viewing, creating, and editing) a user is allowed to perform on various resources, like sourcing documents or master data.
Changing and saving a profile does not overwrite the old status in the database. Instead, a new version is created with the updated values. SAP assigns a unique number to each profile version. Create a new profile, for example, and it will have a version number of 1. After that, additional profiles will have sequential version numbers.
2. What does User buffer mean? Which parameter controls the number of entries in the user buffer?
An SAP system automatically creates a user buffer when a user signs on. This buffer includes all authorizations for that user. Each user has their own buffer, which they can display using the T-code SU56. The tool is only for monitoring purposes, and no further action can be taken. The following profile parameter controls the number of entries in the user buffer: auth/auth_number_in_userbuffer.
3. Which T-codes can be used to display user buffers, and delete old security audit logs?
The T-codes used to display user buffers and delete old security audit logs are as follows:
- SM18: Delete old security audit logs/ Reorganize Security audit log in SAP.
- SU56: Monitor the number of objects buffered from individual user authorization roles and profiles.
4. What is the procedure for deleting multiple roles from the QA (Quality Assurance), DEV (Development), and Production systems?
In order to delete multiple roles from QA, DEV, and Production systems, you must follow the steps below:
- Put the roles to be removed in a transport (in the development system).
- Delete the roles.
- Push the transport to the QA and production systems.
5. What are the main tabs available in PFCG (Perfectly Functionally Co-coordinating Group)?
In the PFCG, there are many important and essential tabs, including the following:
- Description: Used to describe changes made, such as those made to roles, authorization objects, or other T-codes (addition or removal).
- Menu: Design user menus such as adding T-codes.
- Authorization: Used for maintaining authorization profiles and authorization data.
- User: Used to adjust user master records and assign users to the role.
6. Describe the steps one needs to take before running the Run system trace.
A few things need to be done before executing the Run system trace. If one is going to trace a CPIC user or a user ID, one has to make sure that the ID in question has been assigned either SAP_NEW or SAP_ALL before running the trace.
This has to be done because it ensures that the work can be executed without any authorization check failures, so the trace records every check that the activity needs.
7. In which table are illegal passwords stored?
The USR40 table is a standard authentication and SSO (Single Sign-On) transparent table in SAP Basis that stores data about illegal passwords. It is used to collect illegal passwords and store them as word patterns, which are enforced at the moment a password is created.
8. Explain PFCG_Time_Dependency.
The PFCG_TIME_DEPENDENCY report is an Executable ABAP (Advanced Business Application Programming) Report within your SAP system. PFCG_TIME_DEPENDENCY is a report used for comparing user masters. In addition, it deletes or removes expired profiles from the user master record. This report can also be directly executed using the PFUD T-code.
9. Apparently, someone deleted users from our system, and I would like to know who did so. Is there a table where this is recorded or logged?
This information can be obtained by debugging the system or by using the RSUSR100 report. This report can be used to determine all changes made to the user (user change history).
10. Which authorization objects are needed to create and maintain user records?
In order to create and maintain a user record, you need the following authorization objects:
- S_USER_GRP: Assign user groups.
- S_USER_PRO: Assign authorization profile.
- S_USER_AUT: Create and maintain authorizations.
11. Would it be possible to mass delete roles without deleting the new roles in SAP?
SAP provides a report (AGR_DELETE_ALL_ACTIVITY_GROUPS) which you can copy, then remove the system type check, and then execute. For mass deletion of roles without deleting the new roles in SAP, simply enter the roles that you wish to delete in a transport (a package used for transferring data between SAP installations), run the delete program or delete them manually, then release the transport and finally import it into all client systems. As soon as your transport is imported, the role is deleted from all client systems.
It is necessary to tweak/debug & replace the code in AGR_DELETE_ALL_ACTIVITY_GROUPS to ensure it is deleting only SAP delivered roles. Getting past that little bit makes it work well.
12. What are the values for user lock?
To determine whether the user is locked or not, we use the USR02 table. Below is a table showing the 6 types of user lock values:
User Status | Reason |
---|---|
0 | Not locked. |
16 | Mystery values. |
32 | Locked by CUA central administrator (User Admin). |
64 | Locked by System Administrator. |
128 | Locked after too many failed logon or incorrect logon attempts. |
192 | Locked by the system administrator and locked after too many failed logon attempts (192 = 64 + 128). |
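Because 192 is simply 64 + 128, the lock values in the table are bit flags and can be decoded mechanically. The following is an added example, not code from the original article: it decodes a USR02-style lock value into the reasons from the table (generalizing to any combination of the listed bits, and rejecting unknown bits) and groups a constructed set of users by lock reason. The user names and values are constructed sample data.

```python
"""Added example: decoding the user-lock values from the table above.
The lock value is treated as a bit field: 32, 64 and 128 may combine,
as 192 = 64 + 128 shows. Sample rows are constructed, not a real extract."""

# Bit flags from the table above. The page lists 16 only as "mystery values";
# it is kept as a flag so such users are still reported as locked.
LOCK_FLAGS = {
    16:  "Locked (unspecified reason)",
    32:  "Locked by CUA central administrator",
    64:  "Locked by system administrator",
    128: "Locked after too many failed logon attempts",
}
ALL_LOCK_BITS = sum(LOCK_FLAGS)  # 240


def decode_lock(value):
    """Return the list of lock reasons encoded in a lock value.

    0 decodes to an empty list (not locked); 192 decodes to the
    system-administrator and failed-logon reasons. Values containing
    bits outside the known set raise ValueError.
    """
    if value < 0 or value & ~ALL_LOCK_BITS:
        raise ValueError(f"unexpected lock value {value}")
    return [reason for bit, reason in LOCK_FLAGS.items() if value & bit]


def is_locked(value):
    """A user is locked if any lock bit is set."""
    return bool(decode_lock(value))


# Constructed sample of (user name, lock value) pairs as read from USR02.
SAMPLE_USR02 = [
    ("ALICE", 0),
    ("BOB", 128),
    ("CAROL", 192),
    ("DAVE", 64),
    ("EVE", 32),
]


def lock_report(rows=SAMPLE_USR02):
    """Group users by lock reason.

    Administrator locks and failed-logon locks are usually reviewed
    separately, so a user with value 192 appears under both reasons.
    """
    report = {reason: [] for reason in LOCK_FLAGS.values()}
    report["Not locked"] = []
    for name, value in rows:
        reasons = decode_lock(value)
        if not reasons:
            report["Not locked"].append(name)
        for reason in reasons:
            report[reason].append(name)
    return report


if __name__ == "__main__":
    for reason, names in lock_report().items():
        print(f"{reason}: {', '.join(names) or '-'}")
```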
Conclusion:
The SAP Security solution allows you to monitor and regulate access to your company's systems and data both internally and externally. Globally, leading multinational businesses rely on SAP solutions to manage their operations and workflow. Consequently, SAP Security is one of the most rewarding careers in the technology world today, and SAP Security developers are in high demand. Therefore, you have an excellent chance of moving ahead as an SAP Security developer.
13. Differentiate between USOBT_C and USOBX_C.
USOBX_C and USOBT_C are customer-specific tables, and the C in their names indicates that these tables contain customer-specific values that are maintained/changed using the T-code SU24. Differences between USOBT_C and USOBX_C are as follows:
USOBX_C | USOBT_C |
---|---|
This table specifies which authorization checks are to be performed and which are not, i.e., whether the field “check indicator” is set to "check" or to "Do not check". | USOBT_C contains authorization objects whose Proposal value is Yes in SU24. |
This table also defines the authorization checks that are maintained in the profile generator. | It contains authorization values for the authorization objects that are defined to be maintained in the profile generator. |
14. Explain authorization class and authorization object.
- Authorization Object: An authorization object is a group of authorization fields that regulates a particular activity. An authorization relates to a particular action or activity, while the authorization fields are where security administrators configure or define the specific parameters/values for that action.
- Authorization Class: Authorization classes, on the other hand, are groups of Authorization objects. These classes can contain one or more authorization objects.
15. What t-code is used to maintain Authorization Object and profile?
The T-codes used to maintain authorization objects and profiles are as follows:
- SU21: This is used to maintain authorization objects in SAP.
- SU02: This is used to maintain authorization profiles in SAP.
Frequently Asked Questions
1. What is SAP security role?
Security roles are defined based on the positions/jobs of users. A role is essentially a combination of transactions and authorizations stored in a profile.
2. Is SAP security easy to learn?
Learning something won't be difficult as long as we're interested in it. By acquiring SAP security skills, you gain exposure to all business functions that involve SAP security configuration. It only takes a positive attitude, a proactive approach, and an analytical mind to learn it.
3. What is SAP Basis and Security?
SAP Basis is system administration and SAP Security is user administration. SAP Basis handles system administration (system installation, system performance, OS/DB administration, etc.). SAP Security handles user administration (granting users access to only the limited set of data they need within the SAP system).
4. What is SAP security and GRC?
SAP GRC generally stands for Systems Applications and Products in Data Processing Governance, Risk, and Compliance. It is a powerful SAP security tool that allows companies to ensure that their data is secured and authorized.
5. Is SAP security a good career?
Leading multinational corporations around the world use SAP solutions to manage their operations and workflow. Therefore, SAP Security is among the most rewarding careers today, and SAP Security developers are in high demand. SAP security is undoubtedly one of the best long-term career options to choose if you are not afraid of challenges.
6. What is the salary of an SAP Security Analyst in India?
Depending on the level of experience and skills, the average salary for an SAP Security Analyst ranges between ₹ 4 LPA - ₹ 15 LPA.
SAP Security MCQ Questions
In PFCG, which are the main tabs available?
PFCG stands for ___.
SAP stands for ___.
What types of users are there for background jobs?
Which of the following are types of SAP System users?
Which of the following authorization objects is used to assign a user group?
Which of the following is not a layer of security in SAP?
Which of the following is not a value for user lock?
Which T-code will be used for user creation and maintenance?
Which t-code will be used to lock all users at the same time at SAP security?