1. How do you determine what organizational level values to give a user?
    Refer to the request form, the change request, or the functional team, copy from a sample user, or consult their subordinate or manager. Some business sense is needed. Never give more values than requested.
2. How would you map a tcode to a user?
    Check the request form. Investigate the user's role and function. Research the function of the tcode. Do not give any tcode that is not needed by the user from a business point of view.
3. What background or periodic jobs should a security consultant know?
    - Daily check on the SAP* and DDIC users. They should be locked at all times (unless there is an upgrade).
    - Run RSUSR006 to check locked users.
    - Check that the production client is locked against direct changes.
    - Check on the SAP_ALL profile. No one should have it.
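As an added example (not from the original page), the daily checks above written as a small script over exported user data. It assumes an export of USR02 (lock flag UFLAG) and UST04 (user-to-profile assignment); the rows below are constructed, and the UFLAG meanings are the commonly documented ones rather than anything stated on the page.

```python
# Assumed USR02.UFLAG values: 0 = not locked, 32 = locked globally by admin,
# 64 = locked locally by admin, 128 = locked after too many failed logons.
LOCK_FLAGS = {32: "locked globally by admin", 64: "locked by admin",
              128: "locked after failed logons"}

# Standard users that must stay locked outside an upgrade window.
MUST_BE_LOCKED = {"SAP*", "DDIC"}
# Profiles nobody should hold (the page names SAP_ALL).
FORBIDDEN_PROFILES = {"SAP_ALL"}

# Constructed sample rows: (BNAME, MANDT, UFLAG)
USR02 = [
    ("SAP*", "100", 64),
    ("DDIC", "100", 0),      # unlocked: should be flagged
    ("ALICE", "100", 0),
    ("BOB", "100", 128),
]
# Constructed sample rows: (BNAME, MANDT, PROFILE)
UST04 = [
    ("ALICE", "100", "MY1XFCSOA"),
    ("BOB", "100", "SAP_ALL"),  # should be flagged
]


def locked_users(usr02):
    """RSUSR006-style listing: every user whose UFLAG marks it as locked."""
    return [(bname, mandt, LOCK_FLAGS.get(uflag, f"locked (UFLAG={uflag})"))
            for bname, mandt, uflag in usr02 if uflag != 0]


def audit(usr02, ust04, upgrade_window=False):
    """Return human-readable findings for the daily checks in question 3."""
    findings = []
    # SAP* and DDIC must be locked unless an upgrade is in progress.
    if not upgrade_window:
        for bname, mandt, uflag in usr02:
            if bname in MUST_BE_LOCKED and uflag == 0:
                findings.append(f"{bname}/{mandt}: must be locked (UFLAG=0)")
    # Nobody should hold SAP_ALL.
    for bname, mandt, profile in ust04:
        if profile in FORBIDDEN_PROFILES:
            findings.append(f"{bname}/{mandt}: holds forbidden profile {profile}")
    return findings


if __name__ == "__main__":
    for line in audit(USR02, UST04):
        print("FINDING:", line)
    for user in locked_users(USR02):
        print("LOCKED:", user)
```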
4. Single role naming convention. Sample: MY1XFCSOA or MY1XFCSOD
    - MY (country code)
    - 1X (domain, which corresponds to the org level value Excel sheet)
    - FCSO (abbreviation of the functional role: Finance Create Sales Order)
    - A (activity type: A means change, D means display)
5. Max profiles?
6. How to check how many profiles a user has?
    - Table USR04
7. System parameters used by security
    - login/no_automatic_user_sapstar
    - login/fails_to_user_lock
    - login/fails_to_session_end
    - rdisp/gui_auto_logout
    - many more; google for results.
8. Why can SAP* not be used?
    - SAP is designed not to check authorizations for the user SAP*.
    - Whoever has SAP* gets control over the whole system.
9. Tcodes frequently used
    - SUIM, PFCG, SU01, SU53, and google for more.
10. What is SU24?
    - Removes and adds authorization object checks (to be displayed in PFCG).
    - Used to standardize the common authorization objects to be pulled into a role.
11. What is a derived role?
    - A child role derived from a master template.
12. Authorization object
    - A collection of authorization fields.
13. How to check a user access issue?
    - SU53, ST01
14. User does not have access, but a SUIM search indicates the authorization is given. Reasons:
    - Max profiles reached
    - Did not re-login
    - Did not perform user comparison
15. Which table shows what profiles a user has?
    - UST04
16. PFCG tables
    - AGR_AGRS, AGR_1251, AGR_1252, USR02, etc.
17. How to transport a role?
    - In PFCG there is a transport truck icon. Alternatively, use mass transport from the menu.
18. Convert a field to an org level
    - Run program PFCG_ORGFIELD_CREATE
19. What is GRC?
    - Governance, Risk and Compliance
    - Helps a company put in place a set of policies and controls to be SOX compliant.
20. Components of GRC
    - CUP (Compliant User Provisioning: enables self-service requests for roles and also approval)
    - RAR (Risk Analysis and Remediation: checks SoD, generates reports and proposes solutions)
    - ERM (Enterprise Role Management: assists in role design)
    - SPM (Superuser Privilege Management: profiles super user access like firecall and mitigation)
21. Why do single roles sometimes have more than one profile?
    - When there are more than 150 objects in a profile, SAP auto-generates a new profile.

End of SAP Security Authorization Interview questions