SAP Security

Question 1

How do you determine who deleted another user’s session?

Answer 1

Use STAD to determine who used SM04

Question 2

What are the return codes for ST01?

Answer 2

• 0 – Authorization check passed
  
  • 1 – No Authorization
  • 2 – Too many parameters for authorization check
  • 3 – Object not contained in user buffer
  • 4 – No profile contained in user buffer
  • 6 – Authorization check incorrect
  • 7,8,9 – Invalid user buffer

Question 3

What is SU25 used for?

Answer 3

Research needed

Question 4

How do you assign multiple roles to more than 20 users in one-shot using tcode SU10?

Answer 4

To perform this mass role assignment, we need to follow below steps in SU10:

* In SU10 home screen, click on the button “Authorization Data”
* This will take to the new screen similar to screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for users needed to be changed in SU10 and execute the same
* Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users
* Now, click on select all button in SU10 home screen and then click on change button.
* Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code

Question 5

How do you generate a list of roles having authorization objects with status “maintained”?

Answer 5

The list can be generated by using table AGR_1251

1. Execute tcode SE16
2. Enter table name AGR_1251
3. Enter the field value as “G” in field “Object Status” and click on execute.

Other status:
Modified = M
Manuel = U

Question 6

How do you check the transport request created by another user?

Answer 6

Use tcode SE10

Question 7

How do you find the transport requests containing a specific role?

Answer 7

1. Execute SE03
2. Select “Search for Objects in requests/tasks” under node “Requests”
3. In the object selection screen enter the field value as ACGR and check the checkbox.
4. Enter the role name for which we need the list of transport request.
5. Execute

Question 8

How do you create a user group?

Answer 8

1. Execute tcode SUGR
2. Enter the name of the user group
3. Click Create
4. Enter the description
5. Save

Question 9

What is the difference between USOBX_C and USOBT_C?

Answer 9

The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority- check command programed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Question 10

What is one use for SU25?

Answer 10

You can use tcode SU25 to transfer the USOBT values to the USOBT_C table/

Question 11

What is the difference betwen SU22 and SU24?

Answer 11

SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The profile generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the SAP standard values as shown in SU24. With SU25 one can (initially) transfer the USOBT values to the USOBT_C table

Question 12

How do you check table logs?

Answer 12

1. Make sure they are activated using tcode SE13.

2. Use tcode SCU3 to view the logs.

Question 13

How do you restrict access to one table in display mode?

Answer 13

We can use the authorization object S_TABU_NAM. In the authorization object we can maintain the values for required activity and the table name.

Question 14

Which tcodes are used to see an overview of an authorization object and profile?

Answer 14

SU03 - overview of an auth object

SU02 - overview of a profile

Question 15

How many fields can be present in one authorization object?

Answer 15

10 fields

Question 16

What is table RFCDES used for?

Answer 16

Research needed

Question 17

What is table DEVACCESS used for?

Answer 17

Table of development users including developer keys

Question 18

What is table TACT used for?

Answer 18

Table for available activities in SAP

Question 19

What is table TOBJ used for?

Answer 19

Table for authorization obects

Question 20

What are parameter IDs used for?

Answer 20

Research needed

Question 21

What is table TPARA used for?

Answer 21

List of parameter IDs

Question 22

What is table E070 used for?

Answer 22

Store information about transport requests and tasks

Question 23

What is table DDBTABLOG used for?

Answer 23

Log records for tables changes

Question 24

What is table TSTCA used for?

Answer 24

Contains information related to tcodes.

Question 25

What is table TSTC used for?

Answer 25

It is a list of tcodes.

Question 26

What is table T000 used for?

Answer 26

It is a list of defined clients.

Question 27

What is table TRDIR used for?

Answer 27

Table for program to authorization group relation

Question 28

What is an authorization group?

Answer 28

Research needed

Question 29

What is table TBRG used for?

Answer 29

Table authorization groups

Question 30

What is table TDDAT used for?

Answer 30

Table authorization group to table relation

It is the relationship between authorization groups and tables.

Question 31

What is table AGR_TIME used for?

Answer 31

Time stamp role (including profile)

Question 32

What is an authorization profile?

Answer 32

A collection of authorization objects.

Question 33

What is table USR10 used for?

Answer 33

Table for authorization profiles

Question 34

What is table USR04 used for?

Answer 34

User master authorization

… what does that mean?

Question 35

What is table USOBX_C used for?

Answer 35

Check table for table USOBT_C

Question 36

What is table USOBT_C used for?

Answer 36

Relation transaction to authorization (customer)

Question 37

What is a “check table”?

Answer 37

Needs research

Question 38

What is table USOBX used for?

Answer 38

Check table for table USOBT

Question 39

What is a relation transaction?

Answer 39

Needs research

Question 40

What is table USOBT used for?

Answer 40

Relation transaction to authorization object (SAP)

Question 41

How does role menu maintenance work?

Answer 41

Needs research

Question 42

What is a menu node?

Answer 42

Needs research

Question 43

What is table AGR_OBJ used for?

Answer 43

Table for assignment of menu nodes to role

Question 44

What is table USH02 used for?

Answer 44

Table for change history of logon data.

Question 45

What is the relationship between a profile and a role?

Answer 45

Needs research

Question 46

What is table AGR_PROF used for?

Answer 46

Table for the profile name of a role

Question 47

What is an activity group profile?

Answer 47

Needs research

Question 48

What is table AGR_1016 used for?

Answer 48

Table for the name of the activity group profile.

Question 49

What are user groups and how do you maintain them?

Answer 49

Needs research

Question 50

What is table USRGRP used for?

Answer 50

Table for user groups

Question 51

What is table USR40 used for?

Answer 51

Table for illegal passwords

Question 52

What is table AGR_DEFINE used for?

Answer 52

Role defintion

Question 53

What is table AGR_AGRS used for?

Answer 53

What is table AGR_AGRS used for?

Question 54

What is a derived role?

Answer 54

research

Question 55

What is a composite role?

Answer 55

research

Question 56

What is table AGR_1252 used for?

Answer 56

Organizational elements for authorizations

Question 57

What is an organizational element for an authorization?

Answer 57

research

Question 58

What is an “activity” group?

Answer 58

research

Question 59

What is table AGR_1250 used for?

Answer 59

Authorization data for activity group.

Question 60

What is table USER_ADDR used for?

Answer 60

Maintains address data for users.

Question 61

What is table AGR_USERS used for?

Answer 61

The assignment of roles to users.

Question 62

What is table USR02 used for?

Answer 62

Logon data

Question 63

List the types of users

Answer 63

Dialog
Service
System
Communication
Reference

Question 64

What is RZ20 used for?

Answer 64

need to research more

Question 65

What is SA38 used for?

Answer 65

Run report RSUSR006 for account lockouts

Question 66

What is SE16 used for?

Answer 66

It is used for table browsing.

Question 67

What is a client?

Answer 67

research

Question 68

What is SCC4 used for?

Answer 68

Use this tcode to verify client lock settings.

Question 69

What is STAD used for?

Answer 69

research

Question 70

What is a logon group?

Answer 70

reserarch

Question 71

What is SMLG used for?

Answer 71

It is used to maintain logon groups.

Question 72

What is an authorization object?

Answer 72

research

Question 73

What is SM21 used for?

Answer 73

It is used to create an authorization object.

Question 74

What is an authorization field?

Answer 74

research

Question 75

What is SU20 used for?

Answer 75

It is used to create an authorization field.

Question 76

What is PFUD used for?

Answer 76

It is used for user master record comparison.

Question 77

What is used to search and display IDOCS.

Answer 77

research

Question 78

What is used for mass profile generation?

Answer 78

research

Question 79

What is TU02 used for?

Answer 79

It lists active parameters for application servers.

It is important to review the security parameters for changes.

Question 80

What is SM59 used for?

Answer 80

It is a BASIS tool for maintaining RFC destinations.

Question 81

What is asynchronous RFC?

Answer 81

research

Question 82

What is SM58 used for?

Answer 82

It provides access to asynchronous RFC error logs.

Question 83

What is SM18 used for?

Answer 83

It is used to purge old audit files.

Question 84

What is SM04 used for?

Answer 84

Used to manage users logged into a system.

Question 85

What is a parameter transaction?

Answer 85

research

Question 86

What is SE93 used for?

Answer 86

It is a developer’s tcode but it useful for troubleshooting parameter transactions.

Question 87

What is SCUL used for?

Answer 87

It is used to check the records submitted to CUA. It is a CUA log.

Question 88

What is RZ11 used for?

Answer 88

It provides documentation for system parameters.

Question 89

What is RZ10 used for?

Answer 89

It is used to manage system security parameters.

… needs more explanation

Question 90

What is BDM2 used for?

Answer 90

It is used for IDOC troubleshooting.

Question 91

What is AL08 used for?

Answer 91

It is used to monitor the users logged into a system.

Question 92

What is SU3 used for?

Answer 92

It is used for the maintenance of address and parameters.

Question 93

What is SU03 used for?

Answer 93

Used to manually maintain authorizations.

Question 94

What is SU02 used for?

Answer 94

This tcode was used to manually create profiles but has been replaced by PFCG.

Question 95

What is SUIM used for?

Answer 95

The tcode is used to crate custom reports, research and troubleshoot.

It is also important for reviewing who has SAP_ALL assigned to them and how they are using it.

Question 96

What is SUGR used for?

Answer 96

The tcode is used to create user groups.

… needs more explanation.

Question 97

What is SU53 used for?

Answer 97

The tcode is used for immediate-point-in-time error troubleshooting.

Question 98

What is ST01 used for?

Answer 98

This tcode is used for user traces

… needs more explanation.

Question 99

What is a Remote Function Call (RFC)?

Answer 99

research

Question 100

What is a function module?

Answer 100

research

Question 101

What is SM20 used for?

Answer 101

Use this tcode to monitor the audit log …

* Dialog logon attempts
* RFC logon attempts
* RFC calls to function modules
* User master record changes
* Transaction starts
* Changes to audit configuration

Question 102

What is SM19 used for?

Answer 102

You define the events to write to the log in the Security Audit Log’s filters (transaction SM19) and you can analyze the log’s contents in the audit analysis report (transaction SM20).

Question 103

What us SU24 used for?

Answer 103

It is used to control what authorizations objects are associated with transaction.

Question 104

What is PFCG used for?

Answer 104

Used to create and maintain user roles and profiles.

Question 105

What is SU01d used for?

Answer 105

This tcode is used to display a user.

Question 106

What is SU01 used for?

Answer 106

It is used to create, maintain and delete users. You can also unlock users.

Question 107

Explain the composition of a role.

Answer 107

1) Role: A role is a container for authorization objects.
2) Authorization Profile: A collection of authorizations.
3) Authorization: An instance of an authorization object.
4) Authorization Field: Defined as the smallest authorization unit against which a check is made.
5) Authorization Class: A logical grouping of similar authorization objects.
6) Authorization Object: A collection of 1-10 authorization objects.

Question 108

What tcodes should be used for monthly tasks and why?

Answer 108

TU02 – Parameter Changes

* Review security parameters for changes.

SUIM – User Information

* For users with SAP_ALL assigned, open the “Where Used” section, and then go to “Profiles” > “In Users”. Enter the SAP_ALL profile name in the screen field and exec

Question 109

Security for SAP Web AS ABAP should be addressed on which layers?

Answer 109

Presentation - SAP graphical user interface, web browsers
Application - The ABAP application logic
Transport - SNC and SSL are used for secure network transportation

Question 110

How do you assign an authorization group to a program?

Answer 110

In the attributes section of tcode SE38.

Question 111

What three sections should be included when creating custom authorization object documentation?

Answer 111

Definition - The purpose of the object
Defined Fields - List of values to be used
Procedure - How to use the object

Question 112

Which tcode used to create an authorization object?

Answer 112

Tcode SU21 can be used to create the authorization object as well as the documentation.

It’s important to group the custom authorization objects into classes.

Question 113

How do you assign an authorization group to a table?

Answer 113

1. Execute tcode SM30
2. In the table/view field , enter the maintenance view name V_DDAT_54 and press the maintain button.
3. Click the new entries button and enter the table name and authorization group name (the auth group can only be 4 characters long)

Question 114

How do you see the tables in an authorization group?

Answer 114

You can see which tables are in a given group by querying table TDDAT with tcode SE16.

Question 115

What tcodes should be used for weekly tasks?

Answer 115

SE16 – Table Browser

* Review AGR_DEFINE for new roles, who created it and when.
* Review AGR_TCODES for critical/restricted tcode assigments in the roles
* Review AGR_1251 for critical/restricted authorization assignments in the roles
* Review USR02 for new users and who created them.
* Review USR02 for users not assigned to a user group if you use user groups.
* Review USR02 for users that have not logged on for a specific period of time.
* Review AGR_USERS for invalid role assignments to user IDs.

SCC4 – Client Administration

* Verify client lock settings.

SCU3 – Table History

* Check for table T000 to review client lock changes and who is making the changes.

PFCG – Role Maintenance

* Go to Utilities > Overview Stats. Review the resulting list for red or yellow lights and make corrections.

Question 116

Explain the tcodes used for AIS?

Answer 116

research

Question 117

What is S_DATASET and S_RFC used for?

Answer 117

research

Question 118

What is a logon group?

Answer 118

research

Question 119

Which tcodes should be used for daily tasks and why?

Answer 119

SM04/AL08 – User Overview

* Are all users using the defined logon groups?
* Are users logging on using multiple machines?
* Are there any unrecognizable user IDs (incorrect name convention)?

SM21 – The System Log

* Review failed logon attempts
* “Failed to activate authorization check for user xxx”

SM19 – AIS Configuration

* Make sure that AIS is running

RZ20 – CCMS Monitoring

* Review and acknowledge all alerts

SUIM – User Information

* Run change document reports
* Check for repeated password locks or resets

ST22 – ABAP Dump Analysis

* Review all dump logs for potential security issues.
* Look for authorization check errors for S_DATASET and S_RFC

SA38 – Run Report RSUSR006

* Check for user accounts that are locked.

Question 120

How do you unlock a user?

Answer 120

Use tcode SU01

Question 121

What is the user buffer?

Answer 121

A user buffer contains all authorizations of a user. The user buffer can be viewed using tcode SU56.

Question 122

What is PFCG_TIME_DEPENDENCY?

Answer 122

PFCG_TIME_DEPENDENCY is a report which is used for user master record comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up expired profiles from user-master record. Role names still remains in the SU01 tab of the user. Tcode PFUD can also be used to directly execute this program.

Question 123

Where can I find all activities performed in SAP?

Answer 123

All activities in SAP are stored in table TACT. All valid activities are stored in table TACTZ. The tables can be accessed via SE16.

Question 124

What do the different color lights represent in PFCG?

Answer 124

Red - It means that some organizational value has not been maintained in PFCG.

Yellow - It means that there are some or all fields in certain authorization instances which are blank (not maintained)

Green - It means that all authorization fields are maintained (values are assigned)

Question 125

How do you create a user?

Answer 125

1. Execute SU01
2. Provide a username
3. In the “address tab” enter the user info (the last name is required)
4. In the “logon data” tab select the “user type” and enter the initial password.
5. Fill in the information for tabs “default”, “parameters”, “systems” and “roles”.
6. Save

Question 126

Explain the authorization process.

Answer 126

1. The system checks the table TSTC (a list of all tcodes) to confirm that the tcode exists.
2. If the tcode exists, the system checks whether the tcode is locked or unlocked by referencing field CINFO in the TSTC table.
3. The system them checks to see if the tcode is present in authorization object S_TCODE.
4. Next, the system checks table TSTCA for additional checks added through tcode SE93.
5. Lastly, additional checks take place based on the values present in the source code under “authority-check.”

Question 127

An object class contains what?

Answer 127

One of more authorization objects.

Question 128

Explain the process for creating a specific authorization field, create the authorization class and authorization object for which the field will be added, create a new role and profile that will contain the actual authorization for data, assign the role to the user master data, execute the tcode that will call the authorization object in code.

Answer 128

1. Use tcode SU20 to create authorization fields.
2. Use tcode SU21 to create an authorization class (object class).
3. Use tcode SU21, select the object class and then create an authorization object Under the “Authorization Fields” section enter the Authorization Fields you created and then define the activity values.
4. Use tcode PFCG to create a Role.
5. Use tcode PFCG to assign a Profile and Authorization to a role. Go to Maintain Authorization Data and Generate Profiles”. Select the Authorizatiobn Object you created.
6. Select the line of the tcode and enter SE01 and Save.
7. Use the generate button to generate the authorizaiton. We now have a profile assigned to our role.

Question 129

How do you transport roles to a different system?

Answer 129

You wont transport the roles to different systems … you will transport the roles to different clients.

Question 130

What is an activity group profile?

Answer 130

Research

Question 131

What is the secret?

Answer 131

Ask, Believe, Receive

Question 132

What is a composite role?

Answer 132

Unlike a single role, does not contain aothorization data. It is merely a reference point to group related single roles. Users who are assigned to a composite role are automatically assigned to the corresponding single roles during a user comparison.

Question 133

What is a derived role?

Answer 133

Refers to roles that already exists; it inherits the menu structure and transactions from the referenced role. Default values may be passed on; however the organization values and user assignments are not passed on.

Question 134

What is an organization unit?

Answer 134

research

Question 135

What is table USR01 used for?

Answer 135

User master

Question 136

What is table USR02 used for?

Answer 136

Logon data

Question 137

What is table USR03 used for?

Answer 137

User address data

Question 138

What is table USR04 used for?

Answer 138

User master authorizations

Question 139

What is table USR05 used for?

Answer 139

User Master Parameter ID

Question 140

What is table USR10 used for?

Answer 140

User master authorization profiles

Question 141

What is table UST12 used for?

Answer 141

User master: Authorizations

Question 142

What is table USR21 used for?

Answer 142

Assign user address key

Question 143

What is table USOBT used for?

Answer 143

Transaction > Authorization object

Question 144

What is table TSTCA used for?

Answer 144

Transaction > Authorizations

Question 145

What is table TOBJ used for?

Answer 145

Authorization objects

Question 146

What is table TOBC used for?

Answer 146

Class assignment of authorization objects

Question 147

What is table DEVACCESS used for?

Answer 147

Table for development users

Question 148

What is table USR41 used for?

Answer 148

User logon data (sm04)

Question 149

What is table UST04 used for>

Answer 149

User > Profile

Question 150

What is table USR40 used for?

Answer 150

Prohibited passwords

Question 151

What is table ADCP used for?

Answer 151

Person / Address assignment

Question 152

What is table AGR_1016 used for?

Answer 152

Role and Profile

Question 153

What is table AGR_1016B used for?

Answer 153

Role and Profile

Question 154

What is table AGR_1250 used for?

Answer 154

Role and authorization data

Question 155

What is table AGR_1252 used for?

Answer 155

Organizational elements for authorizations

Question 156

What is AGR_AGRS used for?

Answer 156

Roles in composite roles

Question 157

What is table AGR_DEFINE used for?

Answer 157

To see all roles (role definition)

Question 158

What is table AGR_HIER2 used for?

Answer 158

Menu structure

Question 159

What is table AGR_HIERT used for?

Answer 159

Role menu texts

Question 160

What is table AGR_OBJ used for?

Answer 160

Assignment of menu nodes to role

Question 161

What is table AGR_PROF used for?

Answer 161

Profile name for role

Question 162

What is table AGR_TCDTXT used for?

Answer 162

Assignment of roles to tcodes

Question 163

What is table AGR_TEXTS used for?

Answer 163

File structure for hierarchical menu - Cus

Question 164

What is table AGR_TIME used for?

Answer 164

Time stamp for role: including profile

Question 165

What is table AGR_USERS used for?

Answer 165

Assignment of roles to users

Question 166

What is table DD02L used for?>

Answer 166

SAP tables

Question 167

What is table TSTC used for?

Answer 167

SAP transaction codes

Question 168

What is table TSTCA used for?

Answer 168

Transaction code, object, field and value

Question 169

What is table USER_ADDR used for?

Answer 169

Address data for users

Question 170

What is table USGRP used for?

Answer 170

User groups

Question 171

What is table USGRPT used for?

Answer 171

Text table for USGRP

Question 172

What is table USH02 used for?

Answer 172

Change history for logon data

Question 173

What is USOBT used for?

Answer 173

Relation transaction to authorization object

Question 174

What is table USOBX used for?

Answer 174

Check table for table USOBT