SAP Security Flashcards
Prepare for SAP Security interview.
1
Q
How do you determine who deleted another user’s session?
A
Use STAD to determine who used SM04
2
Q
What are the return codes for ST01?
A
- 0 – Authorization check passed
- 1 – No Authorization
- 2 – Too many parameters for authorization check
- 3 – Object not contained in user buffer
- 4 – No profile contained in user buffer
- 6 – Authorization check incorrect
- 7,8,9 – Invalid user buffer
3
Q
What is SU25 used for?
A
Research needed
4
Q
How do you assign multiple roles to more than 20 users in one-shot using tcode SU10?
A
To perform this mass role assignment, we need to follow below steps in SU10:
* In SU10 home screen, click on the button “Authorization Data” * This will take to the new screen similar to screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for users needed to be changed in SU10 and execute the same * Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users * Now, click on select all button in SU10 home screen and then click on change button. * Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code
5
Q
How do you generate a list of roles having authorization objects with status “maintained”?
A
The list can be generated by using table AGR_1251
- Execute tcode SE16
- Enter table name AGR_1251
- Enter the field value as “G” in field “Object Status” and click on execute.
Other status:
Modified = M
Manuel = U
6
Q
How do you check the transport request created by another user?
A
Use tcode SE10
7
Q
How do you find the transport requests containing a specific role?
A
- Execute SE03
- Select “Search for Objects in requests/tasks” under node “Requests”
- In the object selection screen enter the field value as ACGR and check the checkbox.
- Enter the role name for which we need the list of transport request.
- Execute
8
Q
How do you create a user group?
A
- Execute tcode SUGR
- Enter the name of the user group
- Click Create
- Enter the description
- Save
9
Q
What is the difference between USOBX_C and USOBT_C?
A
The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority- check command programed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
10
Q
What is one use for SU25?
A
You can use tcode SU25 to transfer the USOBT values to the USOBT_C table/
11
Q
What is the difference betwen SU22 and SU24?
A
SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The profile generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the SAP standard values as shown in SU24. With SU25 one can (initially) transfer the USOBT values to the USOBT_C table
12
Q
How do you check table logs?
A
- Make sure they are activated using tcode SE13.
2. Use tcode SCU3 to view the logs.
13
Q
How do you restrict access to one table in display mode?
A
We can use the authorization object S_TABU_NAM. In the authorization object we can maintain the values for required activity and the table name.
14
Q
Which tcodes are used to see an overview of an authorization object and profile?
A
SU03 - overview of an auth object
SU02 - overview of a profile
15
Q
How many fields can be present in one authorization object?
A
10 fields
16
Q
What is table RFCDES used for?
A
Research needed
17
Q
What is table DEVACCESS used for?
A
Table of development users including developer keys
18
Q
What is table TACT used for?
A
Table for available activities in SAP
19
Q
What is table TOBJ used for?
A
Table for authorization obects
20
Q
What are parameter IDs used for?
A
Research needed
21
Q
What is table TPARA used for?
A
List of parameter IDs
22
Q
What is table E070 used for?
A
Store information about transport requests and tasks
23
Q
What is table DDBTABLOG used for?
A
Log records for tables changes
24
Q
What is table TSTCA used for?
A
Contains information related to tcodes.
25
What is table TSTC used for?
It is a list of tcodes.
26
What is table T000 used for?
It is a list of defined clients.
27
What is table TRDIR used for?
Table for program to authorization group relation
28
What is an authorization group?
Research needed
29
What is table TBRG used for?
Table authorization groups
30
What is table TDDAT used for?
Table authorization group to table relation
It is the relationship between authorization groups and tables.
31
What is table AGR_TIME used for?
Time stamp role (including profile)
32
What is an authorization profile?
A collection of authorization objects.
33
What is table USR10 used for?
Table for authorization profiles
34
What is table USR04 used for?
User master authorization
... what does that mean?
35
What is table USOBX_C used for?
Check table for table USOBT_C
36
What is table USOBT_C used for?
Relation transaction to authorization (customer)
37
What is a "check table"?
Needs research
38
What is table USOBX used for?
Check table for table USOBT
39
What is a relation transaction?
Needs research
40
What is table USOBT used for?
Relation transaction to authorization object (SAP)
41
How does role menu maintenance work?
Needs research
42
What is a menu node?
Needs research
43
What is table AGR_OBJ used for?
Table for assignment of menu nodes to role
44
What is table USH02 used for?
Table for change history of logon data.
45
What is the relationship between a profile and a role?
Needs research
46
What is table AGR_PROF used for?
Table for the profile name of a role
47
What is an activity group profile?
Needs research
48
What is table AGR_1016 used for?
Table for the name of the activity group profile.
49
What are user groups and how do you maintain them?
Needs research
50
What is table USRGRP used for?
Table for user groups
51
What is table USR40 used for?
Table for illegal passwords
52
What is table AGR_DEFINE used for?
Role defintion
53
What is table AGR_AGRS used for?
What is table AGR_AGRS used for?
54
What is a derived role?
research
55
What is a composite role?
research
56
What is table AGR_1252 used for?
Organizational elements for authorizations
57
What is an organizational element for an authorization?
research
58
What is an "activity" group?
research
59
What is table AGR_1250 used for?
Authorization data for activity group.
60
What is table USER_ADDR used for?
Maintains address data for users.
61
What is table AGR_USERS used for?
The assignment of roles to users.
62
What is table USR02 used for?
Logon data
63
List the types of users
```
Dialog
Service
System
Communication
Reference
```
64
What is RZ20 used for?
need to research more
65
What is SA38 used for?
Run report RSUSR006 for account lockouts
66
What is SE16 used for?
It is used for table browsing.
67
What is a client?
research
68
What is SCC4 used for?
Use this tcode to verify client lock settings.
69
What is STAD used for?
research
70
What is a logon group?
reserarch
71
What is SMLG used for?
It is used to maintain logon groups.
72
What is an authorization object?
research
73
What is SM21 used for?
It is used to create an authorization object.
74
What is an authorization field?
research
75
What is SU20 used for?
It is used to create an authorization field.
76
What is PFUD used for?
It is used for user master record comparison.
77
What is used to search and display IDOCS.
research
78
What is used for mass profile generation?
research
79
What is TU02 used for?
It lists active parameters for application servers.
It is important to review the security parameters for changes.
80
What is SM59 used for?
It is a BASIS tool for maintaining RFC destinations.
81
What is asynchronous RFC?
research
82
What is SM58 used for?
It provides access to asynchronous RFC error logs.
83
What is SM18 used for?
It is used to purge old audit files.
84
What is SM04 used for?
Used to manage users logged into a system.
85
What is a parameter transaction?
research
86
What is SE93 used for?
It is a developer's tcode but it useful for troubleshooting parameter transactions.
87
What is SCUL used for?
It is used to check the records submitted to CUA. It is a CUA log.
88
What is RZ11 used for?
It provides documentation for system parameters.
89
What is RZ10 used for?
It is used to manage system security parameters.
... needs more explanation
90
What is BDM2 used for?
It is used for IDOC troubleshooting.
91
What is AL08 used for?
It is used to monitor the users logged into a system.
92
What is SU3 used for?
It is used for the maintenance of address and parameters.
93
What is SU03 used for?
Used to manually maintain authorizations.
94
What is SU02 used for?
This tcode was used to manually create profiles but has been replaced by PFCG.
95
What is SUIM used for?
The tcode is used to crate custom reports, research and troubleshoot.
It is also important for reviewing who has SAP_ALL assigned to them and how they are using it.
96
What is SUGR used for?
The tcode is used to create user groups.
... needs more explanation.
97
What is SU53 used for?
The tcode is used for immediate-point-in-time error troubleshooting.
98
What is ST01 used for?
This tcode is used for user traces
... needs more explanation.
99
What is a Remote Function Call (RFC)?
research
100
What is a function module?
research
101
What is SM20 used for?
Use this tcode to monitor the audit log ...
* Dialog logon attempts
* RFC logon attempts
* RFC calls to function modules
* User master record changes
* Transaction starts
* Changes to audit configuration
102
What is SM19 used for?
You define the events to write to the log in the Security Audit Log's filters (transaction SM19) and you can analyze the log's contents in the audit analysis report (transaction SM20).
103
What us SU24 used for?
It is used to control what authorizations objects are associated with transaction.
104
What is PFCG used for?
Used to create and maintain user roles and profiles.
105
What is SU01d used for?
This tcode is used to display a user.
106
What is SU01 used for?
It is used to create, maintain and delete users. You can also unlock users.
107
Explain the composition of a role.
1) Role: A role is a container for authorization objects.
2) Authorization Profile: A collection of authorizations.
3) Authorization: An instance of an authorization object.
4) Authorization Field: Defined as the smallest authorization unit against which a check is made.
5) Authorization Class: A logical grouping of similar authorization objects.
6) Authorization Object: A collection of 1-10 authorization objects.
108
What tcodes should be used for monthly tasks and why?
TU02 – Parameter Changes
* Review security parameters for changes.
SUIM – User Information
* For users with SAP_ALL assigned, open the “Where Used” section, and then go to “Profiles” > “In Users”. Enter the SAP_ALL profile name in the screen field and exec
109
Security for SAP Web AS ABAP should be addressed on which layers?
Presentation - SAP graphical user interface, web browsers
Application - The ABAP application logic
Transport - SNC and SSL are used for secure network transportation
110
How do you assign an authorization group to a program?
In the attributes section of tcode SE38.
111
What three sections should be included when creating custom authorization object documentation?
Definition - The purpose of the object
Defined Fields - List of values to be used
Procedure - How to use the object
112
Which tcode used to create an authorization object?
Tcode SU21 can be used to create the authorization object as well as the documentation.
It's important to group the custom authorization objects into classes.
113
How do you assign an authorization group to a table?
1. Execute tcode SM30
2. In the table/view field , enter the maintenance view name V_DDAT_54 and press the maintain button.
3. Click the new entries button and enter the table name and authorization group name (the auth group can only be 4 characters long)
114
How do you see the tables in an authorization group?
You can see which tables are in a given group by querying table TDDAT with tcode SE16.
115
What tcodes should be used for weekly tasks?
SE16 – Table Browser
* Review AGR_DEFINE for new roles, who created it and when.
* Review AGR_TCODES for critical/restricted tcode assigments in the roles
* Review AGR_1251 for critical/restricted authorization assignments in the roles
* Review USR02 for new users and who created them.
* Review USR02 for users not assigned to a user group if you use user groups.
* Review USR02 for users that have not logged on for a specific period of time.
* Review AGR_USERS for invalid role assignments to user IDs.
SCC4 – Client Administration
* Verify client lock settings.
SCU3 – Table History
* Check for table T000 to review client lock changes and who is making the changes.
PFCG – Role Maintenance
* Go to Utilities > Overview Stats. Review the resulting list for red or yellow lights and make corrections.
116
Explain the tcodes used for AIS?
research
117
What is S_DATASET and S_RFC used for?
research
118
What is a logon group?
research
119
Which tcodes should be used for daily tasks and why?
SM04/AL08 – User Overview
* Are all users using the defined logon groups?
* Are users logging on using multiple machines?
* Are there any unrecognizable user IDs (incorrect name convention)?
SM21 – The System Log
* Review failed logon attempts
* “Failed to activate authorization check for user xxx”
SM19 – AIS Configuration
* Make sure that AIS is running
RZ20 – CCMS Monitoring
* Review and acknowledge all alerts
SUIM – User Information
* Run change document reports
* Check for repeated password locks or resets
ST22 – ABAP Dump Analysis
* Review all dump logs for potential security issues.
* Look for authorization check errors for S_DATASET and S_RFC
SA38 – Run Report RSUSR006
* Check for user accounts that are locked.
120
How do you unlock a user?
Use tcode SU01
121
What is the user buffer?
A user buffer contains all authorizations of a user. The user buffer can be viewed using tcode SU56.
122
What is PFCG_TIME_DEPENDENCY?
PFCG_TIME_DEPENDENCY is a report which is used for user master record comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up expired profiles from user-master record. Role names still remains in the SU01 tab of the user. Tcode PFUD can also be used to directly execute this program.
123
Where can I find all activities performed in SAP?
All activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16.
124
What do the different color lights represent in PFCG?
Red - It means that some organizational value has not been maintained in PFCG.
Yellow - It means that there are some or all fields in certain authorization instances which are blank (not maintained)
Green - It means that all authorization fields are maintained (values are assigned)
125
How do you create a user?
1. Execute SU01
2. Provide a username
3. In the "address tab" enter the user info (the last name is required)
4. In the "logon data" tab select the "user type" and enter the initial password.
5. Fill in the information for tabs "default", "parameters", "systems" and "roles".
6. Save
126
Explain the authorization process.
1. The system checks the table TSTC (a list of all tcodes) to confirm that the tcode exists.
2. If the tcode exists, the system checks whether the tcode is locked or unlocked by referencing field CINFO in the TSTC table.
3. The system them checks to see if the tcode is present in authorization object S_TCODE.
4. Next, the system checks table TSTCA for additional checks added through tcode SE93.
5. Lastly, additional checks take place based on the values present in the source code under "authority-check."
127
An object class contains what?
One of more authorization objects.
128
Explain the process for creating a specific authorization field, create the authorization class and authorization object for which the field will be added, create a new role and profile that will contain the actual authorization for data, assign the role to the user master data, execute the tcode that will call the authorization object in code.
1. Use tcode SU20 to create authorization fields.
2. Use tcode SU21 to create an authorization class (object class).
3. Use tcode SU21, select the object class and then create an authorization object Under the "Authorization Fields" section enter the Authorization Fields you created and then define the activity values.
4. Use tcode PFCG to create a Role.
5. Use tcode PFCG to assign a Profile and Authorization to a role. Go to Maintain Authorization Data and Generate Profiles". Select the Authorizatiobn Object you created.
6. Select the line of the tcode and enter SE01 and Save.
7. Use the generate button to generate the authorizaiton. We now have a profile assigned to our role.
129
How do you transport roles to a different system?
You wont transport the roles to different systems ... you will transport the roles to different clients.
130
What is an activity group profile?
Research
131
What is the secret?
Ask, Believe, Receive
132
What is a composite role?
Unlike a single role, does not contain aothorization data. It is merely a reference point to group related single roles. Users who are assigned to a composite role are automatically assigned to the corresponding single roles during a user comparison.
133
What is a derived role?
Refers to roles that already exists; it inherits the menu structure and transactions from the referenced role. Default values may be passed on; however the organization values and user assignments are not passed on.
134
What is an organization unit?
research
135
What is table USR01 used for?
User master
136
What is table USR02 used for?
Logon data
137
What is table USR03 used for?
User address data
138
What is table USR04 used for?
User master authorizations
139
What is table USR05 used for?
User Master Parameter ID
140
What is table USR10 used for?
User master authorization profiles
141
What is table UST12 used for?
User master: Authorizations
142
What is table USR21 used for?
Assign user address key
143
What is table USOBT used for?
Transaction > Authorization object
144
What is table TSTCA used for?
Transaction > Authorizations
145
What is table TOBJ used for?
Authorization objects
146
What is table TOBC used for?
Class assignment of authorization objects
147
What is table DEVACCESS used for?
Table for development users
148
What is table USR41 used for?
User logon data (sm04)
149
What is table UST04 used for>
User > Profile
150
What is table USR40 used for?
Prohibited passwords
151
What is table ADCP used for?
Person / Address assignment
152
What is table AGR_1016 used for?
Role and Profile
153
What is table AGR_1016B used for?
Role and Profile
154
What is table AGR_1250 used for?
Role and authorization data
155
What is table AGR_1252 used for?
Organizational elements for authorizations
156
What is AGR_AGRS used for?
Roles in composite roles
157
What is table AGR_DEFINE used for?
To see all roles (role definition)
158
What is table AGR_HIER2 used for?
Menu structure
159
What is table AGR_HIERT used for?
Role menu texts
160
What is table AGR_OBJ used for?
Assignment of menu nodes to role
161
What is table AGR_PROF used for?
Profile name for role
162
What is table AGR_TCDTXT used for?
Assignment of roles to tcodes
163
What is table AGR_TEXTS used for?
File structure for hierarchical menu - Cus
164
What is table AGR_TIME used for?
Time stamp for role: including profile
165
What is table AGR_USERS used for?
Assignment of roles to users
166
What is table DD02L used for?>
SAP tables
167
What is table TSTC used for?
SAP transaction codes
168
What is table TSTCA used for?
Transaction code, object, field and value
169
What is table USER_ADDR used for?
Address data for users
170
What is table USGRP used for?
User groups
171
What is table USGRPT used for?
Text table for USGRP
172
What is table USH02 used for?
Change history for logon data
173
What is USOBT used for?
Relation transaction to authorization object
174
What is table USOBX used for?
Check table for table USOBT
