Top 41 SAP Security Interview Questions and Answers

Through this article, you will know about the top SAP security interview questions. These will be really useful from the perspective of technical round of the interview.

Table of Contents

• Top SAP Security Interview Questions and Answers

Preparing for the technical SAP security role? This article will provide the most commonly asked SAP security interview questions to boost your preparation. SAP systems are loaded with critical information and sensitive data of financials, customers, and employees of an organization. An SAP security mechanism must be in place so that there is no risk to the system. There are a lot of opportunities in this area as skilled SAP security professionals are very few in the industry. Read on to know more about what type of questions can be asked in an SAP security interview.

Top SAP Security Interview Questions and Answers

Q1. What is SAP security?

Ans. SAP stands for Systems, Applications, and Products in the data processing. SAP security is a module that protects the SAP data and applications from unauthorized use and access. It refers to providing the right access to business users according to their authority or responsibility. Permissions are given as per their roles in the organizations or departments.

To stand out with this SAP security interview question, do mention that it has three areas:

• Confidentiality: Data should not be disclosed in an unauthorized way.
• Integrity: Data should not be modified in an unauthorized way.
• Availability: Distributed denial-of-service (DDoS) attacks should not occur.

Explore popular courses on Shiksha Online: 

Popular Technology Courses	Popular Cybersecurity Courses
Top Programming Courses	Top Networking Courses

Q2. Name the different layers of Security in SAP. 

Ans. The different layers of security in SAP are:

• Authentication – For validated users for system access
• Authorization – For users to perform designation tasks
• Integrity – Granting data integrity
• Privacy – No unauthorized access
• Obligation – Making sure there is a liability for validation

Q3. Explain some SAP security T-codes (Transaction Codes). 

Ans. A T-code (or transaction code) is used to access functions or a running program in an SAP application. Some of the SAP security T-codes are: 

SAP T-code	Description
PFUD	To compare User master in Dialog
RZ10	Profile configuration
SCC8	Data exchange takes place at the operating system level
PFCG	To maintain role using profile generator
SE43	To maintain and display Area Menus
ST01	System Trace
SECR	Audit Information System
SM12	Display and Delete Locks
SU01	Create and maintain the users
SU25	For initial Customer table fill
SUPC	Generation of Mass profile
SUIM	User Information System

Q4. Explain different types of Users in SAP. 

Ans. This is one of the basic SAP security interview questions. In SAP systems, users are categorized according to their purpose. This is important since while creating a new user ID, the administrator has to specify the user type. Following are the different types of users in SAP

User Type	Description
Dialog User (A)	It is used for an individual user. During a dialog logon, the system checks for expired/initial passwords. The user can change his or her password. Several dialog logons are checked and logged.
System User (B)	These are non-interactive users and are used to perform some system activities like ALE, background processing, Workflow, TMS, and CUA.
Service User (S)	Dialog user is available to a larger group of users. Only user administrators can change the password. The system does not check for expired/initial passwords during login.
Reference User (L)	It is like a System user. It involves a general, non-personally related user.
Communication User (C)	It allows dialogue-free communication between systems. These users are not permitted to dialogue logon.

Q5. How to check table logs?

Ans. The first step is to check if logging is activated for a table using t-code SE13. If it is enabled then we can see the table logs with the t-code SCU3.

Check out free SAP courses.

Q6. What is a ‘role’ in SAP security?

Ans. Role refers to the group of t-codes that is assigned to execute particular tasks.

Q7. What is an ‘authorization’?

Ans. Each role in SAP requires privileges to execute a function, which is known as authorization.

Q8. How many fields can be in one authorization object?

Ans. There are 10 fields in one authorization object in SAP.

Q9. What is the difference between a role and a profile?

Ans. A role and profile go hand-in-hand. When a role is created, a profile is automatically created.

Q10. What is the difference between a single role and a composite role?

Ans. A single role is a container that collects transactions and generates an associated profile. A composite role is a container that collects different roles.

Check out the top 100+ Networking Interview Questions and Answers

Q11. Differentiate between authorization object and authorization object class?

Ans. An authorization object is a group of authorization fields and is related to a particular activity, while an authorization object class comes under the authorization class and is grouped by function areas.

Q12. What is the maximum number of profiles and objects in a role?

Ans. In a role, the maximum number of profiles is 312 and the maximum number of objects is 170.

Q13. How to find out who has deleted users in the system?

Ans. To find out who has deleted users in the system, first debug or use RSUSR100 to find the info. Then run transaction SUIM and download the Change documents.

Check out the best cybersecurity courses

Q14. Can you change a role template? What are the three ways to work with a role template?

Ans. Yes. There are three ways to change a role template:

• Use it as they are delivered in SAP
• Modify them as per your needs through PFCG
• Create them from scratch

Q15. What are the authorization objects required to create and maintain user records?

Ans. The following authorization objects are required to create and maintain user records:

• S_USER_GRP: to assign user groups.
• S_USER_PRO: to assign authorization.
• S_USER_AUT: create and maintain authorizations.

Q16. How can you delete multiple roles from QA, DEV and Production System?

Ans. The following steps should be taken to delete all the roles from QA, DEV and Production System:

• Place the roles to be deleted in a transport.
• Delete the roles.
• Push the transport through to QA and production.

Q17. Explain the difference between USOBT_C and USOBX_C.

Ans. The differences between USOBT_C and USOBX_C are: 

USOBT_C	USOBX_C
It provides information about the authorization proposal data that contains the authorization data which are relevant for a transaction	This specifies which particular authorization checks need execution within the transaction and which authorization checks do not.
It also includes the checks which are present in the profile generator.	It includes the default set values that need to be present in the profile generator.

Q18. Can you add a composite role to another composite role?

Ans. No, you cannot add a composite role to another composite role.

Know all about Cisco Certification and its Scope, read our blog – what is Cisco Certifications?

Q19. How can the password rules be enforced?

Ans. Password rules can be enforced using the profile parameter.

Q20. Which t-code can be used to delete old security audit logs?

Ans. The t-code SM-18 can be used to delete old security and audit logs.

Q21. What are the main tabs available in PFCG?

Ans. The main tabs available in PFCG are description, menu, authorization, and user. The functions of these tabs are:

• Description: Used to describe the changes done, such as details related to the role, the authorization object, and the addition or removal of t-codes.
• Menu: To design user menus like the addition of t-codes.
• Authorization: To maintain authorization data and authorization profile.
• User: Used to adjust user master records and assign users to the role.

Q22. Which t-code is used to display the user buffer?

Ans. The t-code SU56 is used to display the user buffer.

Q23. What does a USER COMPARE do in SAP security?

Ans. USER COMPARE compared the user master record so that the produced authorization profile can be entered in the user master record.

Q24. What is the difference between CM (Check/Maintain), C (Check), N (No Check), and U (Unmentioned)?

Ans. This is an important SAP Security interview question. The differences you can mention are: 

CM (Check/Maintain)	C (Check)	N (No Check)	U (Unmentioned)
An authority check is carried out against this object.	An authority check is carried out against this object.	The authority check against this object is disabled.	An authority check is carried out against this object.
PG creates an authorization for this object. Field values are displayed.	PG does not create authorization for this object. Field values are not displayed.	The PG does not create authorization for this object. Field values are not displayed.	The PG does not create authorization for this object. Field values are not displayed.
Default values can be maintained.	Default values cannot be maintained for this authorization.	The default values cannot be maintained.	Default values cannot be maintained.

Q25. Explain a user buffer. 

Ans. A user buffer is formed when a user signs on to an SAP system. This user buffer contains authorizations for that particular user. Every user has his or her own user buffer. A user buffer is a monitoring tool. It means that no further action can be taken from within this transaction. It can be used to analyze for a particular user or reset the buffer for the user. A user can display his or her own user buffer using the t-code SU56.

Want to start a career in cybersecurity? Read our blog – what is cybersecurity that covers its scope, skills required, top companies hiring cybersecurity professionals, and more.

Q26. What are the values for user lock?

Ans. The values for user lock are: 

• 00 – not locked
• 32 – Locked by CUA central administrator
• 64 – Locked by the system administrator
• 128 – Locked after a failed logon

Q27. How to create a user group in SAP?

Ans. For this SAP security interview question, you can mention that you can create a user group in the SAP system by following the below steps: 

• Enter SUGR T-code in SAP Easy Access Menu.
• A new screen will open up. Now provide a name for the new user group in the text box. 
• Click on create button.
• Provide a description and click on the Save button.
• The user group will be created in the SAP system.

Q28. Which parameter is used to control the number of entries in the user buffer?

Ans. To control the number of entries in the user buffer, we use the profile parameter. 

“Auth/auth_number_in_userbuffer”.

Q29. When a background user faces problems, how will you troubleshoot them?

Ans. System Trace ST01 can be used to troubleshoot problems for background users. 

Q30. When you create a username, which fields are mandatory?

Ans. The last name and password are required. 

Q31. List the pre-requisites before assigning the Sap_all to users even in the case of approval from the authorization controllers.

Ans. Even in case of the approval, pre-requisites are as follows:

• Enabling audit log- using the sm 19 tcode
• Retrieving audit log- using the sm 20 tcode

Q32. What should be considered before executing the Run System Trace?

Ans. In case you are tracing the batch user ID or CPIC, then before executing Run System Trace, ensure that the id has been assigned to SAP_NEW and SAP_ALL. The user will be able to execute the job without authorization check failure.

Q33. Which t-code is used to lock transactions from execution?

Ans. t-code SM01 is used for locking transactions.

Q34. Why is SOD implemented in SAP Security?

Ans. Segregation of Duties (SOD) is implemented in SAP for the detection and prevention of errors/frauds during business transactions.

Q35. What is the use of PFCG_Time_Dependency?

Ans. It is a report used for the purpose of user master comparison. It also clears expired profiles from user master record.

Q36. How can you directly execute PFCG_Time_Dependency?

Ans. To directly execute it, you can use the PFUD transaction code.

Q37. What is the use of USR40 table?

Ans. USR40 table is used for storing illegal passwords. It stores the pattern of words that cannot be used as passwords.

Q38. What is SAP Cryptographic Library?

Ans. It is the default SAP security product. Its primary use is for conducting any encryption function in SAP systems. Open SSL and CommonCryptoLib are two libraries.

Q39. What is a Profile version in SAP security?

Ans. To answer this SAP security interview question, describe how a profile is created.

A profile version is created when the existing user changes their profile. The original profile still exists alongside with the new version but there is an individual number or identifier for each new profile version in a sequential manner.

Q40. What do you mean by CUA Configuration in SAP?

Ans. CUA stands for Central User Administrator. This useful tool for SAP ABAP applications allows the Security Administrator to manage multiple accounts on multiple clients.

Q41. How do you create PRT Master Records?

Ans. The exact steps and fields may vary depending on your organization’s SAP system version, configuration, and specific security roles assigned to your user account. But these are the main steps.

• Access the SAP system: Log in to the SAP system using your user ID and password.
• Enter the appropriate transaction code in the command field at the top of the SAP screen to launch the transaction for creating PRT master records. The transaction code for creating PRT master records may vary depending on the SAP system and configuration, but it is often “IR01” or “IR02.” In the PRT master record creation screen, enter the relevant information for the PRT. This typically includes: PRT Type, PRT Number, Description, Plant, Storage Location, Status, etc.
• Once you have entered all the required information, click on the “Save” button to create the PRT master record. The system will generate a unique PRT number and store the record in the database.
• Depending on your organization’s requirements, you may need to perform additional configurations for the PRT master record, such as assigning it to a work centre, creating task lists, or linking it to a material.
• After creating the PRT master record, it is recommended to perform testing and validation to ensure that the PRT functions correctly within the SAP system. This may involve executing relevant transactions or processes that utilize the PRT.

Ace the SAP Security Interview Round

With the above SAP security interview questions, you can now prepare better with the included answers. You can also learn more about the best SAP certifications and find a suitable one for your career growth.