SAP Security Authorization Interview question
- How do you determine what organization values to give a user?
  Refer to the request form, the change request and the functional team; copy from a sample user; or consult the user's subordinates or manager. Some business sense is needed. Never give more values than requested.
- How would you map a tcode to a user?
  Check the request form. Investigate the user's role and job function. Research what the tcode does. Do not give any tcode that the user does not need from a business point of view.
- What background or periodic jobs should a security consultant know about?
  - Daily check on the SAP* and DDIC users. They should be locked at all times (unless there is an upgrade).
  - Run RSUSR006 to check locked users.
  - Check that the production client is locked against direct changes.
  - Check for the SAP_ALL profile. No one should have it.
- Single role naming convention. Sample: MY1XFCSOA or MY1XFCSOD
  Explanation:
  - MY (country code)
  - 1X (domain, which corresponds to the org-level value Excel sheet)
  - FCSO (abbreviation of the role's function: Finance Create Sales Order)
  - A (activity type: A means change, D means display)
- Maximum number of profiles per user?
  - 312
- How to check how many profiles a user has?
  - Table USR04
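The naming convention above can be decoded mechanically. The block below is an added example in Python, not code from the original page: it parses a role name into its four parts, flags unknown codes against lookup tables, and picks the display (D) variant unless change access is justified, which is the "never give more than requested" rule applied to role names. The lookup tables, the `CCDDFFFFA` shorthand and the function names `parse_role_name`, `validate_role_name`, `counterpart` and `least_privilege_choice` are assumptions of this example.

```python
"""Decode and validate single-role names that follow the MY1XFCSOA convention.

Added example, not code from the original page. It encodes the convention
described above (country code, domain, four-letter function abbreviation,
activity type A/D). The lookup tables are constructed sample data standing in
for the org-level value sheet; a real landscape would load its own.
"""
import re
from dataclasses import dataclass

ROLE_NAME_RE = re.compile(
    r"^(?P<country>[A-Z]{2})"      # MY: country code
    r"(?P<domain>[A-Z0-9]{2})"     # 1X: domain from the org-level value sheet
    r"(?P<function>[A-Z]{4})"      # FCSO: function abbreviation
    r"(?P<activity>[AD])$"         # A = change, D = display
)
ACTIVITY_TYPES = {"A": "change", "D": "display"}

# Constructed sample lookups (assumed for this example, not the page's sheet).
KNOWN_COUNTRIES = {"MY": "Malaysia"}
KNOWN_DOMAINS = {"1X": "domain 1X"}
KNOWN_FUNCTIONS = {"FCSO": "Finance Create Sales Order"}


@dataclass(frozen=True)
class RoleName:
    country: str
    domain: str
    function: str
    activity: str

    @property
    def activity_label(self):
        return ACTIVITY_TYPES[self.activity]

    def describe(self):
        """Human-readable meaning, e.g. for a role review listing."""
        return (f"{KNOWN_COUNTRIES.get(self.country, self.country)} / "
                f"{KNOWN_DOMAINS.get(self.domain, self.domain)} / "
                f"{KNOWN_FUNCTIONS.get(self.function, self.function)} / "
                f"{self.activity_label}")


def parse_role_name(name):
    """Split a conforming name into its parts; raise ValueError otherwise."""
    m = ROLE_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"role name {name!r} does not follow the CCDDFFFFA convention")
    return RoleName(**m.groupdict())


def validate_role_name(name):
    """Return a list of problems; empty means the name conforms and its parts are known."""
    try:
        role = parse_role_name(name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if role.country not in KNOWN_COUNTRIES:
        problems.append(f"unknown country code {role.country!r}")
    if role.domain not in KNOWN_DOMAINS:
        problems.append(f"unknown domain {role.domain!r}")
    if role.function not in KNOWN_FUNCTIONS:
        problems.append(f"unknown function abbreviation {role.function!r}")
    return problems


def counterpart(name):
    """The display role paired with a change role, and vice versa."""
    role = parse_role_name(name)
    other = "D" if role.activity == "A" else "A"
    return name[:-1] + other


def least_privilege_choice(name, needs_change):
    """Pick the display variant unless the request justifies change access."""
    role = parse_role_name(name)
    wanted = "A" if needs_change else "D"
    return name if role.activity == wanted else counterpart(name)


if __name__ == "__main__":
    for candidate in ("MY1XFCSOA", "MY1XFCSOD", "MY1XZZZZA", "my1xfcsoa"):
        print(candidate, validate_role_name(candidate) or parse_role_name(candidate).describe())
```

Because the activity type is the last character, the same parser can turn a request for "MY1XFCSOA" into the display role when the request form only justifies viewing sales orders.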
- System parameters used by security
  - login/no_automatic_user_sapstar
  - login/fails_to_user_lock
  - login/fails_to_session_end
  - login/gui_auto_logout
  - many more; search online for the full list.
- Why can't SAP* be used?
  - SAP is designed not to check authorizations for the user SAP*.
  - Whoever has SAP* gets control over the whole system.
- Frequently used tcodes
  - SUIM, PFCG, SU01, SU53; search online for more.
- What is SU24?
  - Removes and adds authorization object checks (the proposals displayed in PFCG).
  - Used to standardize the common authorization objects pulled into a role.
- What is a derived role?
  - A child role derived from a master template.
- What is an authorization object?
  - A collection of authorization fields.
- How to check a user access issue?
  - SU53, ST01
- The user does not have access, but a SUIM search indicates the authorization is given. Reasons:
  - Maximum number of profiles reached
  - The user did not log in again
  - User comparison was not performed
- Which table shows what profiles a user has?
  - UST04
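The daily checks listed earlier (SAP* and DDIC locked, nobody with SAP_ALL), the login/* parameters, the 312-profile limit and the "SUIM shows the role but the user has no access" reasons can be automated over table extracts. The block below is an added example in Python, not code from the original page: it runs those checks over constructed sample data shaped like USR02, UST04 and RZ11 output and returns findings. The simplified column layout, the baseline parameter thresholds and the function names (`run_daily_checks` and the `check_*` helpers) are assumptions of this example.

```python
"""Daily SAP user-security checks over constructed table extracts.

Added example, not code from the original page. It implements the periodic
checks listed above (SAP* and DDIC locked, nobody holds SAP_ALL, profile
count per user against the 312 maximum) and compares the login/* parameters
against a baseline. USERS, PROFILES and PARAMETERS are constructed sample
data shaped like USR02 (user, lock flag), UST04 (user, profile) and RZ11
parameter values; the simplified field layout and the baseline thresholds
are assumptions of this example, not SAP's own.
"""
from collections import Counter
from dataclasses import dataclass

MAX_PROFILES_PER_USER = 312          # stated limit per user master record
PRIVILEGED_USERS = ("SAP*", "DDIC")  # must stay locked outside upgrades

# Constructed sample: user -> True if the account is locked.
USERS = {"SAP*": False, "DDIC": True, "ALICE": False, "BOB": False}

# Constructed sample: (user, profile) rows as a UST04 extract would list them.
# ALICE sits exactly at the 312 ceiling; BOB holds SAP_ALL.
PROFILES = [("BOB", "SAP_ALL"), ("BOB", "SAP_NEW")] + [
    ("ALICE", f"T-FI{n:06d}") for n in range(MAX_PROFILES_PER_USER)
]

# Constructed sample: parameter values as read from RZ11 (always strings).
PARAMETERS = {
    "login/no_automatic_user_sapstar": "0",
    "login/fails_to_user_lock": "5",
    "login/fails_to_session_end": "3",
    "login/gui_auto_logout": "0",
}

# Baseline: parameter -> (acceptable-value predicate, explanation). The
# thresholds are assumptions for this example, not an SAP recommendation.
BASELINE = {
    "login/no_automatic_user_sapstar": (
        lambda v: v == 1,
        "must be 1 so SAP* cannot log on with its built-in password when the user master record is missing"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "lock the user after at most 5 failed logons"),
    "login/fails_to_session_end": (lambda v: 1 <= v <= 3, "end the session after at most 3 failed logons"),
    "login/gui_auto_logout": (lambda v: 1 <= v <= 1800, "log idle GUI sessions out within 30 minutes"),
}


@dataclass(frozen=True)
class Finding:
    check: str    # which check raised it
    subject: str  # user, profile or parameter concerned
    detail: str


def check_privileged_locked(users):
    """SAP* and DDIC must exist as user master records and be locked."""
    findings = []
    for user in PRIVILEGED_USERS:
        if user not in users:
            findings.append(Finding("privileged-user", user, "no user master record"))
        elif not users[user]:
            findings.append(Finding("privileged-user", user, "not locked"))
    return findings


def check_sap_all(profiles):
    """Nobody should hold the SAP_ALL profile."""
    return [Finding("sap-all", user, "SAP_ALL assigned")
            for user, profile in sorted(set(profiles)) if profile == "SAP_ALL"]


def check_profile_counts(profiles, limit=MAX_PROFILES_PER_USER):
    """A user at the profile ceiling is one cause of 'SUIM shows it, user has no access'."""
    counts = Counter(user for user, _ in set(profiles))
    return [Finding("profile-limit", user, f"{n} profiles, limit is {limit}")
            for user, n in sorted(counts.items()) if n >= limit]


def check_parameters(params, baseline=BASELINE):
    """Compare login/* parameter values with the baseline predicates."""
    findings = []
    for name, (acceptable, why) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append(Finding("parameter", name, "not set; " + why))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(Finding("parameter", name, f"non-numeric value {raw!r}"))
            continue
        if not acceptable(value):
            findings.append(Finding("parameter", name, f"value {value}; {why}"))
    return findings


def run_daily_checks(users, profiles, params):
    return (check_privileged_locked(users) + check_sap_all(profiles)
            + check_profile_counts(profiles) + check_parameters(params))


def findings_by_check(findings):
    """Summary suitable for a daily ticket: check name -> number of findings."""
    return dict(Counter(f.check for f in findings))


if __name__ == "__main__":
    for f in run_daily_checks(USERS, PROFILES, PARAMETERS):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

On the constructed data the run reports SAP* unlocked, BOB with SAP_ALL, ALICE at the 312-profile ceiling, and two parameters outside the baseline (login/no_automatic_user_sapstar = 0 and login/gui_auto_logout = 0). In a real landscape the extracts would come from the tables named on this page (USR02 for lock status, UST04 for profile assignments) rather than from inline dictionaries.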
- PFCG tables
  - AGR_AGRS, AGR_1251, AGR_1252, USR02, etc.
- How to transport a role?
  - PFCG > there is a transport truck icon. Alternatively, use mass transport from the menu.
- Convert a field to an org level
  - Run program PFCG_ORGFIELD_CREATE
- What is GRC?
  - Governance, Risk and Compliance
  - Helps a company put in place a set of policies and controls to be SOX compliant.
- Components of GRC
  - CUP (Compliant User Provisioning: enables self-service role requests and their approval)
  - RAR (Risk Analysis and Remediation: checks SoD, generates reports and proposes solutions)
  - ERM (Enterprise Role Management: assists in role design)
  - SPM (Superuser Privilege Management: provides super-user access such as firecall IDs, with mitigation)
- Why do single roles sometimes have more than one profile?
  - When there are more than 150 objects in a profile, SAP automatically generates a new profile.
End of SAP Security Authorization Interview question