1. What is SAP?

SAP stands for "Systems Applications and Products in Data Processing." It was
founded in 1972 by five former IBM employees in Germany.

The great advantage of SAP is, it creates a common centralized database for all the
applications running in an organization. The application has been assembled in such a
versatile way that it handles the entire functional department within an organization. Today
major companies including Microsoft and IBM are using SAP's Products to run their own
businesses.

R/2, which ran on Mainframe architecture, was the first SAP version. Sap's products are
generally focused on Enterprise Resource Planning (ERP). Sap's applications are built around
R/3 system which provides the functionality to manage product operations, cost accounting,
assets, materials and personnel. The R/3 system of SAP runs on majority of platforms
including windows 2000 and it uses the client/server model.

2. What is ERP?

ERP is a package with the techniques and concepts for the integrated management of
business as a whole, for effective use of management resources, to improve the efficiency
of an enterprise. Initially, ERP was targeted for manufacturing industry mainly for planning
and managing core business like production and financial market. As the growth and merits
of ERP package ERP software is designed for basic process of a company from
manufacturing to small shops with a target of integrating information across the company.

3. What is IDES?

IDES stands for International Demonstration and Education System. A sample application
provided for faster learning and implementation by SAP. This version is only used for
training purpose. IDES comes with some dummy data, to enable you to quickly learn SAP.

4. What are the different transactions used to create users?

User IDs in SAP can be created by following the below procedures:

• Using SU01 transaction code - This transaction code is widely used in day-to-day
operations and is also used to perform other user management activities such as
password reset, user locking/unlocking etc.,
• Using SU10 transaction code - This transaction code is rarely used for creating
users, due to its limitations such as Address data maintenance, pre-defined password
assignment, and role assignment. All the specified users should have the same set of
roles, and belong to the same user group.
• Using SECATT (works in ECC versions)/SCAT (till SAP 4.7) scripts - CATT
Scripts are widely used during the implementations and major roll-outs. Once the
production system is live, authorization to CATT scripts will be restricted.

5. What is PFCG?

PFCG is the transaction code used to invoke profile generator tool. SAP Profile Generator is
a tool which can be used to automatically generate and assign authorization profiles.

SAP profile generator reduces the time for authorization implementation. The profile
generator automatically selects authorization objects which are relevant based on the
transaction codes added in the role. An administrator only needs to configure the customer
specific settings.

Profile Generator was released with the 3.1G version of SAP and has really changed the way
authorizations were implemented in SAP.

6. What is the difference between USOBX_C and USOBT_C?

The USOBX_C, and USOBT_C tables are referred as Customer tables, which should be
created using SU25 transaction code in a fresh implementation or an upgrade.

• The table USOBX_C defines which authorization checks are to be performed within a
transaction and also determines which authorization checks are maintained in the
Profile Generator.
• The table USOBT_C defines for each transaction and for each authorization object
which default values an authorization created from the authorization object should
have in the Profile Generator.

7. What authorization is required to create and maintain user master records?

To create/maintain users, the following are the minimum authorization objects which are
required:

• S_USER_GRP: User Master Maintenance: Assign user groups

• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

8. What is a role?

A role is a grouping of privileges, which can be assigned to the users. In the other words, a
role is a collection of transaction codes, reports, and authorization objects which are further
restricted based on the function of the user.

9. What is a derived role?

A derived role is a role which inherits the menu structure and the functions included
(transactions, reports, Web links, and so on) from a reference role. However, note that a
role can only inherit menus and functions if no transaction codes have been assigned to it
before. The higher-level role passes on its authorizations to the derived role as default
values which can be changed afterwards.

The Organizational level definitions are not inherited to the derived role, which means they
should be maintained individually.

10. What is a composite role?

A composite role is a container which can collect several different roles. It is also referred
as a collective role. Composite roles do not contain authorization data. If you wish to change
the authorizations (that are represented by a composite role), you must maintain the data
for each role of the c composite role.

Creating composite roles makes sense if some of your employees need authorizations from
several roles. Instead of adding each user separately to each role required, you can set up a
composite role and assign the users to that group.

A composite role can't add to another composite role.

11. What is user comparison?

User Comparison will reconcile the PROFILES within a user's account and make the
necessary changes. This is especially true when you've assigned specific Valid-To dates for
the roles on an account. If the Valid-To (expiry) date of a role has passed, the User
Comparison will REMOVE the profile/role from that account.

As mentioned above, if you see a red button in PFCG this means that a User Comparison
should be executed to help reconcile the profiles for the users. You can also see this in SU01
if a specific role has a red button.

As a suggestion, SAP recommends running the report PFCG_TIME_DEPENDENCY once a

day to perform a User Comparison and help 'clean up' the User Master Record for your
system.

12. What is Security?

Security is the degree of protection against danger, loss, or a business threat.

Security as a form of protection is structures and processes that provide or improve security
as a condition.

In an application level, it is the condition that prevents unauthorized persons from having
access to official information that is safeguarded through various security measures.

13. What is Application Security?

Application security encompasses measures taken throughout the application's life-cycle to

prevent exceptions in the security policy of an application or the underlying system
(vulnerabilities) through flaws in the design, development, deployment, upgrade, or
maintenance of the application.

Below are some of the Security standards and regulations:

- Sarbanes-Oxley Act (SOX)

- Health Insurance Portability and Accountability Act (HIPAA)
- IEEE P1074
- ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character
systems

14. What is SAP Security and which security standards and regulations it
recommends?

SAP Security also follows the Application Security methods, where in the measures are
taken throughout the SAP's life-cycle to prevent un authorized access to the SAP system. It
follows the Sarbanes-Oxley Act (SOX), which helps the companies to quickly identify any
threats and either to fix them or mitigate them as and when they occur with a periodic
review.

Maintaining the system with defined processes in the User Management, Role Management
activities are also a part of these Security standards.
15. What is user buffer?

Whenever a user logs on to the SAP System, a user buffer is built containing all
authorizations for that user. Each user has their own individual user buffer. This can be
viewed using transaction code SU56

A user would fail an authorization check if:

• The authorization object does not exist in the user buffer

• The values checked by the application are not assigned to the authorization object in
the user buffer
• The user buffer contains too many entries and has overflowed. The number of entries
in the user buffer can be controlled using the system profile parameter
auth/number_in_userbuffer.

16. How to reset the user buffer? And also the other various buffers?

It is always recommended to make the user logoff and login again to the SAP system, which
will automatically reset the user buffer. However, if you wish to manually reset the buffer
for any user, go to SU53 or SU56 transaction codes, click authorization values, select "Reset
User Buffer" option.

However, if you wish to reset the buffer for a different user, select the other user using
button.

Below are the various commands to reset the buffers:

/$SYNC - buffers of the application server

/$CUA - CUA buffer of the application server
/$TAB - the TABLE buffers of the application server
/$DYNP - the screen buffer of the application server

17. How many roles/profiles can be assigned to any user?

SAP doesn't restrict on the number of roles assigned. However, the maximum Profiles that
can be assigned to any user is ~ 312.

Table USR04 holds the Profile assignments for users. This table contains both information
about the change status of a user as well as the list of profile names that were assigned to
the user.

The PROFS field is used to save the change indicator (C = User created, M = User changed)
and the name of the profiles assigned to the user. The field is defined with a length of 3,750
characters. Since the first two characters are for the change indicator, 3,748 characters are
still available for the list of profile names per user. Since the maximum length for each
profile name is 12 characters, the maximum number of profiles per user is 312.

18. How can I find out all field values for ACTVT?

All possible activities (ACTVT) are stored in table TACT. Also, the valid activities for each
authorization object can be found in table TACTZ.
19. How can I check all the Organization value in a role?

Execute SE16 or SE16N transaction code. Enter the table name "AGR_1252". Enter the
Role name in the role field and hit execute.

20. How to remove duplicate roles with different start and end date from user
master?

To remove duplicate roles from the user master, perform the following:

1. Go to SE38 (you can also use SA38 transaction code)

2. Enter the program name "PRGN_COMPRESS_TIMES"
3. Click Execute.

4. Enter the Role name (you can also specify a group of roles or users.)

NOTE: A list of user IDs can be specified to remove the duplicate/expired roles.

5. Click Execute.

Simulation Run - will perform a simulation on the mentioned roles/user IDs.

21. How to change the parent role for a derived role, i.e., changes the role
inheritance?

It is not possible to change the inheritance of the role, once a role has inherited the
properties from a different role. The only option is to delete the derived role which is not
required, and create a new derived role with the new relationship.

22. How to find derived roles under master roles?

To get a list of derived roles under master roles, perform the following:

1. Goto transaction code SE16 or SE16N

2. Enter the table name : AGR_DEFINE
3. Enter the master role in the second role field ( this field is in the second row) and
execute

This will list out all the master & derived roles.

23. How many authorizations fit into a profile?

A maximum of 150 authorization objects fit into a profile. If the number of authorizations
exceed, the Profile Generator will automatically create more profiles for the role. Hence, the
PFCG tool either assigns a 10 character length profile name or allows to name it at a
maximum of 10 characters. The remaining 2 characters will be automatically assigned, if the
# of authorization objects are more.

24. What is the procedure to convert an Authorization field to Org field?

Authorization field can be changed to Organization field using the ABAP program
PFCG_ORGFIELD_CREATE. Below are the steps to do the same:

1. Goto SE38 or SA38 transaction code.

2. Enter the ABAP program name.
3. Enter the Authorization field.
4. Click Execute.
Use the Test mode option to identify a list of roles which are affected with this change. Also,
note that organizational level fields should only be created before you start setting up your
system. If you create organizational level fields later, you might have to do an impact
analysis.

25. Can I convert ACTVT and TCD authorization fields to Org fields?

The fields "ACTVT" (activity) and "TCD" (transaction code) cannot be converted into an
organizational level field.

26. How a transaction code works?

When user executes a transaction code, the below checks will be done:

• Authorization to the transaction code

• Authorization objects with the required activities/field values.

The authorization for a transaction code is identified with S_TCODE authorization object.
Further, the system will check for the minimum authorization activities/values that are
required. Table TSTCA will list these minimum activities/values that are required.

27. What are the different ways to set password limitations/exceptions in SAP?

Password limitations/exceptions in SAP can be set by following the below ways:

• Profile parameters
• Maintaining forbidden password list in USR40 table.

A complete list of logon parameters with complete description is available in the SAP help
website:

http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/
content.htm

To maintaining forbidden password list, follow the below steps:

1. Goto transaction code SM30

2. Enter table USR40 and click maintain.
3. Click New entries, and maintain the character list.

NOTE: You can use ? and * wild card characters to specify a range/character.

28. Other than SU53, how can you get missing authorization details?

Missing authorization can be traced out using transaction code ST01 trace analysis also.

29. How can we reset the password for mass users?

To reset password for mass users, create a eCATT script. There is no other way that you can
follow to reset the password for mass users.
30. Is it possible to derive a role which is not having any t-code but have some
manually entered authorization objects?

No. The imparting role will only inherit the menu structures. The authorization objects that
are manually inserted will not be inherited.

31. Can we reset our own SAP password?

Yes. Every user will have the option to reset his/her own password. In the SAP logon screen
enter the user name and click the New password button.

Note that user will be able to change his/her password only once in a day.

32. I have 3 clients in my Development system. Client 100 is used for new
developments, and initial tests are carried in client 200. How the changes will be
reflected in the other clients?

The role/transaction code changes made in a specific client doesn't reflect in the other
clients. The changes made should be captured in a transport request and should be
imported in the other clients using SCC1 transaction code.

33. Through which transaction code I can do a mass user comparison? What's the
daily background job for the same?

PFUD transaction code is used to perform a mass user comparison. The daily background
job that is scheduled in the system is PFCG_TIME_DEPENDENCY. Below SAP help website
provides more information:

http://help.sap.com/saphelp_46b/helpdata/ru/52/6711ec439b11d1896f0000e8322d00/cont
ent.htm

If the job is not currently active, you can set up the same in PFUD transaction code.

34. Which are the necessary objects for controlling the t-code SU01?

S_USR_GRP, S_USR_AGR, S_USR_AUT are the main authorization objects that control
SU01 transaction code access.

35. How can I create a new Authorization object?

New authorization object can be created using transaction code SU21. Below are the steps:

1. Goto SU21 transaction code.

2. Click Create, Authorization Object option.
3. Enter Object name, Text, Class.
4. Enter Field names that you wish to include under the authorization object, For eg:
ACTVT, BUKRS etc.,
5. Click Save button.

NOTE: Custom field names can be created using SU20 transaction code.

36. Why the profile should be re-generated after making modifications in the role?

When changes are made in a role, the profile should be re-generated again. This will update
the profile data with the new/modified authorization objects, fields, activities, and values.

If the profile is not re-generated, the Authorizations tab will be displayed Red color.
37. How can we find out the roles that got directly generated in the Production
system?

Ideally, all the roles should be modified in the Development system, and imported in the
Quality and Production systems.

However, in critical business situations, the roles are directly modified in the production
system. Further, to normalize the same changes will be carried out in Development again
and transported across the landscape.

To identify the role changes that are made directly in the production environment, you can
view the Role changes under change documents in SUIM transaction code.

38. What are the various ways to re-generated SAP_ALL profile? Why it is
required?

There are two ways to re-generate SAP_ALL profile:

1. Using SU21 transaction code.

2. Using ABAP program AGR_REGENERATE_SAP_ALL.

SAP_ALL composite profile should be re-generated to update the profile with the new
authorization objects, values, and fields. This will also avoid the assignment of SAP_NEW
profile.

Regenerate SAP_ALL option in SU21 will regenerate the profile only in the current client.
The ABAP program AGR_REGENERATE_SAP_ALL will regenerate the profile in all the existing
clients.

39. What are the 5 steps of the authorization concept conception?

Below are the 5 steps:

• Preparation: Set up a team, define communication process

• *Analysis and Conception: *analyze process and determine role framework
• *Implementation: *Creation of roles
• *Quality assurance and Tests: *positive and negative testing
• *Cutover: *production start

40. What are the different types of users that can be created in SAP?

Below are the different types of users:

1. Dialog: For interactive user

2. System: For background processing and communication within a System. No dialog
possible, no change of password
3. Communication: For dialog. Free communication between systems. No dialog
possible, no a change of password.
4. Service: Dialog user available to anonymous group of users
5. Reference: For general, non‐person‐related users that allow the assignment of
additional, identical authorizations.

41.What is the meaning of the traffic lights Icons for the authorization maintenanc
e?

• Green: All fields below this level have been filled with values
 • Yellow: There is at least one field (but no organizational levels) below this level for
which no data has been proposed or entered
• Red: There is at least one organizational level field below this level for which no
value has been maintained.
42. What are the 4 status texts about authorizations maintenance?

Status text will quickly help you to identify how the authorization object is
added/maintained in any role. Below are the various texts:

• Standard: Unchanged from the SAP defaults. It has the values that are added by
PFCG automatically.
• Maintained: At least one field in the subordinate levels of the hierarchy was empty
by default and has been maintained.
• Changed: The proposed value for at least one field in the subordinate levels of the
hierarchy has been changed from the SAP default value.
• Manual: The authorization object is added manually and maintained.

43. How can you deactivate the special properties of SAP*?

To deactivate the special properties of SAP*, set the system profile parameter
login/no_automatic_user_sapstar to a value greater than zero.

44. What is the use of S_TABU_DIS authorization object?

S_TABU_DIS is the authorization object which allows access for table entries. The activity
field determines the kind of action a user can make on table entries (create, display, change
etc.,) Secondly the field DICBERCLS makes use of the authorization group assigned to the
table. You can check for it in table maintenance generator in SE11 or TDDAT table from
SE16. Once you give access for one authorization group then the user will have same access
for all tables belonging to that group.

45. Which authorization object grants authorization to maintain cross client tables
with the standard table maintenance transaction?

S_TABU_CLI authorization object enables you to protect cross-client tables from

unintentional accesses. It has the field CLIIDMAINT, in which the value X can be added to
grant a user authorization to maintain cross-client tables. Value ' ' will retain the
authorization to the current client only. Best example is T000 table which can be maintained
from SCC4 transaction code.

46. How to identify the list of roles in which S_TCODE is assigned manually?

ABAP program PFCG_AGRS_WITH_MANUAL_S_TCODE will help you to quickly identify

the roles in which S_TCODE is manually included.

In ECC systems this report is obsolete.

47. How to restrict users from scheduling A class jobs?

Authorization object S_BTCH_ADM with "Y" provides the batch administration access to the
users. If this is restricted to "N" or disabled, the user will be restricted to work with only
class C (low priority) jobs and to only his or her own jobs in the client that he or she is
logged on to.
48. How to restrict users from deleting jobs of other users?

Restriction of deleting the jobs of other users can be maintained using S_BTCH_ADM and
S_BTCH_JOB authorization objects. When the S_BTCH_ADM value is set to Y, users will
be able to manage the jobs of other users also. The value should be set to N, and also for
the S_BTCH_JOB, the operation DELE should be revoked. This will retain access of deleting
users own jobs, but not for the other users.

49. How to identify the authorization group for a table?

There are 2 ways to identify the authorization group.

Procedure # 1:

1. Go to SE11 transaction code.

2. Enter the table or view name.
3. Click Display button.
4. Go to Utilities menu, Table Maintenance Generator option

You can see the Authorization group associated with the table.

Procedure # 2:

1. Go to SE16
2. Enter TDDAT as the table name
3. Enter the table for which you wish to know the authorization group
4. Click Execute

50. Which table holds the information of all the tables in SAP?

DD02L table holds the information of all the other tables in SAP.

51. What are the different types of tables and how the restrictions are
maintained?

In SAP Security terms, the tables can be majorly divided into two groups:

• Cross-client tables and

• Client-dependant [client-specific] tables.

Cross-client tables are the tables that are valid for the whole system, and not only for one
client. For eg: T000 table. However, client-dependent tables are always valid for one client.
The classification documented by a technical setting that can be reviewed by looking up the
table DD02L. The column "client-specific" is relevant. The entry X means, that this is a
client-specific table. If the field is empty, the table is a cross-client table.

In SAP, the table level protection can be done at two different levels:

The first level is the general protection of tables that is covered by the authorization object
S_TABU_DIS. (Also refer SAP Note 1434284 - FAQ about S_TABU_NAM, in which
restriction can be made at an individual table rather than on the group). Users who wants to
have a table access needs a corresponding authorization on S_TABU_DIS. The object
S_TABU_DIS consists of two fields. The field ACTVT [activity], and the field DICBERCLS
[authorization group].
Valid values for the field ACTVT are:

• 02 - for create, change, delete

• 03 - for display
• BD - override change lock for customizing distribution

Concerning the values for the field DICBERCLS the assignment and selection is a bit more
complex. Tables are protected by so-called authorization groups. The defined groups are
listed in the table TBRG. The assignment of tables to authorization groups is listed in the
table TDDAT.

Every table can only have one authorization group. But every authorization group may
protect a number of tables. Tables that are not especially protected by an explicitly defined
authorization group are protected by the authorization group &NC&. "NC" stands for "Non
Classified".

So that we can conclude as a rule that for maintenance access to tables an authorization on
the object S_TABU_DIS with a corresponding ACTVT as well as a matching authorization
group is required.

The second step in the table access control is based on the object S_TABU_CLI.

To summarize, for accessing client dependent tables an authorization on the object

S_TABU_DIS is required and for accessing cross-client tables for maintenance an
authorization on the objects S_TABU_DIS and _TABU_CLI is required.

Further, the object S_TABU_LIN was created for further table access limitation.S_TABU_LIN
allows an access granularity down to the line level of the tables. This is connected to special
customizing adjustments, the definition and activation of so-called organizational criteria.

With the predefinition of organizational criteria like e.g. a plant or a country, access to
tables can then be limited to the lines of the organizational criteria only. Because of the
additional complexity of these fine tuning requirements, this is rarely used in companies so
far.

52. What is a developer access key? How to get it and which table holds this
information?

Any ABAP developer can create/work on custom programs (program that start with a "Y" or
"Z") requires a developer access. Assigning the authorizations itself will not provide the
access, and the user should be registered with the developer access key. The same can be
obtained from the below website:

https://www.service.sap.com/licensekey

The key will be valid for only the installation number for which it is registered with SAP.

Table DEVACCESS holds the Developer key information, which can be viewed with SE16.

53. What is the use of TCDCOUPLES table?

TCDCOUPLES is a table which provides you the information of the transaction codes that are
called by a transaction internally. It is used quickly to identify the "CALL TRANSACTIONS"
for custom transaction codes. Also, it is a good method to give back-end access to a
transaction code if we do not want to enable S_TCODE access for it. After a transaction is
called, all those authority checks are performed, which may not be part of the check in the
calling transaction code.

54. What is the use of TACT table?

TACT table contains the various activities in the SAP system. All the authorization objects
pull the activity values from this table.

55. What is PDAG?

PDAG stands for Pre Delivered Activity Groups. These are the roles that come along with
the SAP installation. You may quickly see in the system for SAP* roles. The PDAGs are used
as templates in creating the administration and functional roles during the implementations
or assigned to the users, till the custom build roles are available to carry out the
configuration changes in the system.

56. When a user is not able to download reports from SAP, what authorization you
will check?

To download various data from SAP system, users should have access to S_GUI
authorization object with activity 60. This authorization is normally added in the common
role.
57. What is the use of TSTCA table?

The user calling transaction must have an authorization for the authorization object listed in
table TSTCA in his or her user master record. TSTCA contains the minimum required
authorization objects/values that are required to execute a transaction code. In simple, it
makes the transaction executable.

58. What are variants, and how can they be created?

Variants allow you to save sets of input values for programs that you often start with the
same selections.

There are various methods to create variants. To know the standard process, visit the below
link:

http://help.sap.com/saphelp_nw04/helpdata/en/c0/980389e58611d194cc00a0c94260a5/co
ntent.htm

To quickly create a variant, execute the report using SA38 or SE38 transaction code, enter
all the values, click Goto menu, Variants, Save as variant option.

The variant can be further loaded using the Get variant icon on any execution screen.

59. What is user master record and which tables holds the User master record
information?

User Master Record is the record that contains important master data for a user in the SAP
system. The user master record contains the assignment of one or more roles to the user.
In this way, a user menu and the corresponding authorizations for the activities contained in
the user menu are assigned to the user. Only users who have a user master record can log
on to the system.
User data resides in table USR01-USR31 and USH*. This can be used as a quick way to
obtain user data for any quick reporting such as user type, last logon, or any other
information related to users. The primary header data table is USR02.

60. Which report gives you the information of users with missing address data
such as email ID, phone number etc?

When users are created in the SAP system, their details including address are entered into
the system. For some reasons or the other, it is possible to have users that have incomplete
address data.

Report RSUSR007 is used to generate a list of such users. These users can be reviewed
and their address data completed appropriately.

Please note, it is good practice to have complete address for all users. It helps user
organization and management.

61. What is the difference between a dialog and service type user ID?

A user of the type Service is a dialog user that is available to an anonymous, larger group of
users. Generally, this type of user should only be assigned very restricted authorizations.

For example, service users are used for anonymous system access via an ITS service. Once
an individual has been authenticated, a session that started anonymously using a service
user can be continued as a personal session using a dialog user.

During logon, the system does not check for expired and initial passwords. Only the user
administrator can change the password. Best example is Fire Fighter IDs.

62. What are the maximum number of profiles that can be assigned to a user?

Maximum Profiles that can be assigned to any user is ~ 312. Table USR04 (Profile
assignments for users). This table contains both information on the change status of a user
and also the list of the profile names that were assigned to the user.

The field PROFS is used for saving the change flag (C = user was created, M = user was
changed), and the name of the profiles assigned to the user. The field is defined with a
length of 3750 characters. Since the first two characters are intended for the change flag,
3748 characters remain for the list of the profile names per user. Because of the maximum
length of 12 characters per profile name, this results in a maximum number of 312 profiles
per user.

63. How you will allow the functional teams to perform direct changes in the
production environment?

Direct changes in the production system are not allowed. However, there are a few
instances where changes should be made in the production system directly such as number
range maintenance, factory calendar maintenance etc.,

In such cases, a System modification required should be raised and approved by the system
owner or the system controller who owns the system.
After the changes are made, the client will be set to No changes allowed.

64. How to check the dependency of a role?

Dependency of the role can be checked using SE03 transaction code. Dependency of the
roles should be checked before making any changes to the role. Below are the step by step
instructions:

1. Goto SE03 transaction code.

2. Click Search for Objects in Requests/Tasks option.
3. Enter ACGR and the role name, click the check box and click Execute.

This will display all the transport requests that are created for the role entered. Pick the last
Transport request and check the Logs. If the changes are moved to production system, it
means the role has no dependency.

65. What are the various types of transport requests?

There are four types of transport requests:

Customizing request
Workbench request
Transport of copies
Relocation

66. How to create a config role?

Config roles are created during the time of a new implementation and when no other roles
are existed. Following are the steps to create a Config role:

Creating a role from IMG:

1. Go to SPRO_ADMIN transaction code.

2. Click Create button.
3. Enter Project name and click Check mark button.
4. Enter the project description and click Save
5. Go to Scope tab, select "Specify project scope by making manual selections in
reference IMG" check box and click "Specify Scope" button
6. Select the IMG nodes for which access should be provided
7. Click "Generate Project IMG" button.
8. Click Generate in the background option when prompted.
9. Click Save button.

Once the Project is created, we will have to create the role in the Profile Generator:

1. Go to PFCG transaction code.

2. Enter the new role name, click Create Role icon.
3. Enter the description for the role.
4. Click Save, and goto Menu tab
5. Click Utilities, Customizing auth. Option as shown below:
6. Click Add button.
7. Select IMG project radio box and click Check mark button.
8. Select the project from the list.
This will add all the transaction codes. However, note that no menu changes are further
possible in the IMG config role and you may not see other buttons also in the Menu tab.

67.What is DEBUG access? And how to restrict it?

Debug access is a critical access that should be restricted in the Production system. It is
a way to look behind all screens, inside the running programs. This also may allow users to
see data which is normally hidden from them according to their authorizations.

Debug access can be provided with the authorization object S_DEVELOP and object type
DEBUG.

NOTE - In most of the landscapes the DEBUG access is only assigned to FF IDs.

68. What is the difference between SU53 and ST01?

SU53 is a quick solution to identify any missing authorizations for the users. However, it will
only display the last missing authorization.

ST01is used in two scenarios:

- To quickly identify the list of authorization objects, fields, values that needs to be
included in a role when you are creating it for the first time.
- To trace for the repetitive missing authorizations

69. How to give authorization to multiple printers?

Authorization to use a specific printer(s) or other output device(s) can be provided with the
authorization object S_SPO_DEV. The object consists of the field Spool: Output device,
where you can include the SAP names of the output devices for which a user is to be
authorized. Example The value "LT*" authorizes a user to use all printers with beginning
with "LT" in spool administration.

70. How to revoke "Import All" transport authorization to a user?

To revoke the Import All requests (The Full truck icon), you need to remove the IMPA
authorization under S_CTS_ADMI authorization object.

Also, if you wish to remove individual requests also, the IMPS authorization should be
unchecked.

71. What is Secure area? Why it is maintained in the OSS Connection?

OSS - Online service system, which is a service provided by SAP to help on any critical
issues in your SAP instance. When SAP needs to connect to your system to analyze the root
cause of the issues, you will be requested to open an OSS connection. To enable SAP login
to your system, an OSS IDhas to be created and further the user login information should
be updated in an area called "Secure area".

Also note, all the systems will be listed when you login to service.sap.com and all that you
need to do is to open the system for SAP specifying the number of days till which the
connection should be active using the secure area information.
72. What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a
transaction and which not (despite authority-check command programmed). This table also
determines which authorization checks are maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which
default values an authorization created from the authorization object should have in the
Profile Generator.

73. How to create a new Authorization object?

To create the authorization object, perform the following:

1. Goto transaction code SU21.

2. Click Create, Authorization object option.
3. Enter all the details
4. Click Save button.
5. Select the relevant package from the drop down list
6. Save again.

The New authorization objected is created now. Further maintain the default values from
SU24 transaction code.

74. If users were not able to run CATT scripts, what changes do you
recommend?

If the user can't run the CATT script, you need to enable the option in SCC4 transaction
code. Below are the steps:

1. Goto SCC4 transaction code.

2. Click Change button.
3. Double-click the client which you wish to allow the CATT scripts.
4. Change the "CATT and eCATT Restrictions" option to Allowed as shown below:
5. Click Save.

75. What are the ways to identify the number of users in a client?

Below are the different ways to identify the # of users in a client:

1. Goto SE16, enter USR02, and click "Number of Entries" button.

2. Goto SUIM transaction codes, Users, Users by complex selection criteria, By user ID,
Execute.

Both the ways will give you the count of the user IDs in the system.

76. How to get a list of locked users in a client?

Using the report RSUSR200, you can generate a list of locked users. Alternatively, you can
use RSUSR006.
77. How to generate a list of users who haven't logged in for the last 30 days?

ABAP Report (available as an individual tcode also) RSUSR200 can be used to generate a
list of users who haven't logged in the last 30 days. Enter 30 in the text area "No. days
since last logon" and hit execute.

78. What is dormant ID review?

Dormant user ID review is identifying the users who haven't logged in to the system from a
long period. These IDs will be identified using RSUSR200 report or generating a list of IDs
from USR02 table. The ERDAT field can be used to identify the last logon date.

79. Which report shows the status of standard system users status in all the
clients?

Report RSUSR003 displays the status of the standard system users (SAP* and DDIC) in all
the available clients in the system.

80. What is the use of PFCG_TIME_DEPENDENCY job?

PFCG_TIME_DEPENDENCY is a program used to do the user comparison. It will update

the user master records with new data.

If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business, the
authorization profiles in the user master will be updated and the users will have only the
valid roles.

It users the program RHAUTUPD_NEW.

81. How to perform a mass generation of profiles?

To perform a mass generation of profiles, use transaction code SUPC.

1. In role maintenance (transaction SUPC), choose Utilities, Mass Generation in the role
maintenance (transaction SUPC).
2. Specify the desired selection criteria.

To generate all profiles to be generated automatically (last checkbox), you can further
restrict the role selection in the next screen.

Source - help.sap.com

82. How to run a comparison for a group of roles?

To perform a user comparison, use transaction code PFUD.

83. How to lock/unlock a transaction code. Give some examples on the usage?

A transaction code can be locked using SM01 transaction code. Below are the steps:

1. Goto SM01 transaction code.

2. Enter the transaction code in the Search box which is available at the end of Tcode box.
3. Once the tcode is listed, select the check box, place the cursor in the transaction code
box and click Lock/Unlock button.

Alternative is to press the F2 key.

For eg: SCC5 is locked to further protect the system with Deleting the clients. Even though
a user has authorization to SCC5 transaction code, he will not be able to execute the tcode.

84. How a role is deleted in real-time scenarios?

A role(s) should be deleted in Development system, and further transported across the
landscape. You will not be able to delete the role in a production system directly, since the
production environment is freezed for changes.

Below are the steps to delete a role in real-time scenarios:

1. Create a transport request.

2. Add the role in the transport request.
3. Delete the role.
4. Release the transport request.
5. Import the request in the other systems.

85. How to trace a user activity in SAP?

Audit logs for a user can be enabled using SM19 transaction code. Below are the steps:

1. Go to transaction SM19.
2. Select the Filter1 to activate.
3. Click checkbox of Filter 1.
4. Enter the Client and User names to be traced. (NOTE - A * value can be given to trace in
all the clients/for all the users.)
5. In the Audit classes section, click "on" all the auditing functions you need for this profile.
6. In the Events section, click the radio button to the left of the level of auditing you need.
7. Once you have entered all your trace information, click the Save picture-icon.

You will receive an Audit profile saved in the status bar at the bottom of the screen.

Please note that while the user trace has been saved, it is not yet active. To activate the
user trace, see the next sectionActivating a User Audit Profile.

86. How to read the audit logs for a particular user?

Below are the steps to read the audit logs:

1. Log on to any client in the appropriate SAP system.

2. Go to transaction SM20.
3. In the Selection, Audit classes, and Events to select sections of the Security Audit Log:
Local Analysis screen, provide your information to filter the audit information. If you need
to trace the activities of a specific user, be sure to include that user's ID. Click the Re-read
audit log button.
4. The resulting list is displayed. This list can be printed using the usual methods.

87. What are the various reason codes in ST01?

Below are the various return codes:

RC 0 - Authorization check passed

RC 1 - No authorization
RC 2 - Too many parameters for auth check
RC 3 - Object not contained in user buffer
RC 4 - No profile contained in user buffer
RC 6 - Authorization check incorrect
RC 7,8,9 - Invalid user buffer

88. What are user groups? How to create them?

One of the primary advantages of user groups is to sort the users into logical groups. This
allows users to be categorized based on functional areas/positions.

User Groups also allow segregation of user maintenance, this is especially useful in a large
organization as you can control a specific group of users and give authorization to
administer them.

The most important factor identified is that the lack of user groups is an indication that
there may be problems with the user build process. This is very "fuzzy" but is a bit of a
warning flag. User groups can be created using SUGR transaction code.

89. What is the difference between user group in Logon data tab, and Groups
tab?

Group for Authorization Check (User group in Logon Data tab):

If you assign a user to a user group for the authorization check on the Logon Data tab, you
can distribute user maintenance tasks among several user administrators. The system
administrator can assign the respective user administrator the right to create and change
users in a group. Using the authorization object User Master Maintenance:User Groups (
S_USER_GRP), you can assign user groups to different administrators.

Users that are not assigned to any of the groups, can be maintained by all administrators.

General User Groups (Groups tab):

You use the division of users into user groups on the Groups tab primarily to group users for
mass maintenance (transaction SU10). No authorization check can be performed on the
user groups assigned to the users under the Groups tab.

90. How to assign parameters and what are they used for?

Parameters can be assigned to the users from SU01 transaction, Parameters tab. Parameter
has fields that a user wants to get auto filled when he open some transaction code. This
field can be filled with proposed values from SAP memory using a parameter ID.

For example, if a user only has authorization for company code AU50 and he wants the
company code field to be auto-filled in every transaction. For this, a parameter is defined in
the parameter ID column. Fields that refer to the data element are automatically filled with
the value 300 in all subsequent screen templates.

NOTE - Users can also set their own parameters from transaction code SU3.
91. How to extract data from tables and what are the minimum authorizations
required?

Data from tables can be extracted using SE16 or SE16N transaction code. To download the
data, a user should have authorization to S_GUI with activity 60.

92. How to determine the instance on which user has logged in SAP system?

To identify the instance on which user has logged in, go to AL08 transaction code and
search for the user ID.

93. What is an application instance and how different it is from the central
instance?

Application instance is a collection of Dialog Work process which is maintain for the load
balancing for the End users.

However, a Central Instance is the combination of Database instance and Dispatcher and
Message Server, Enqeue Server. Note that both the instances will be running under the
same SID.

94. How to forcefully logoff a user from the system?

To forcefully logoff a user, perform the following steps:

1. Goto SM04 transaction code.

2. Select the user from the list.
3. Goto User Menu, and select Log Off

However, make note that the user current data will not be saved, when you force log off.
You should be careful when using this option, especially in the production systems.

95. How to convert manually created profiles in to roles?

It is not recommended to convert profiles to roles manually and the best approach is to
create the roles from the scratch. However, if you wish to create roles from profiles, use
SU25 transaction code and select the option 6, which is highlighted below:

Once you execute, you will be prompted with the list of profiles and you can select the role
and click Optimized option and click when prompted to create a role.

The alternative procedure is to create a role and Insert a profile. Below are the steps:

1. Create a role in PFCG transaction code.

2. Go to Authorizations tab.
3. Create a profile, and click Change Authorization data button.
4. Select "Do not select templates option".
5. Click Edit, Insert Authorization(s), from Profile option.
6. Select the profile that you want to insert.
7. Click check mark.
96. How to identify the changes done to a user/role in the system?

The Change Documents under SUIM transaction code helps you to quickly identify the
various changes made to Users & Roles:

You may also execute the reports RSUSR102 for change documents for Authorizations.
RSUSR100 for change documents for Users and RSUSR101 for change document for
Profiles.

97. How to get the user ID list along with the mail IDs?

There is no standard report that gives you this information. You may join tables ADR6 and
USR21 by PERSNUMBER. Use SQVI transaction code, if you are allowed to do this, else
you may need to use MS Access to get the report by maintaining the relationship of
PERSNUMBER.

98. How to restrict users to have access to their own spools?

Spool access is controlled with S_SPO_ACT authorization object. To restrict the access to
users own spools, you may use the special characters _USERS_

99. What transaction codes should be added in the COMMON role?

Common Role will have transaction codes which are required for every Dialog user in the
SAP system. Below are the list of commonly used transaction codes:

- SU53
- SMX
- SP01
- SP02
- SU3
- SU56
- SBWP

Also, note that it contains commonly required authorization objects such as S_GUI, S_RFC,
etc.,

100. How to re-generate SAP_ALL profile using SU21? And why it is required?

If you add any new authorization objects, it is recommended to re-generate the SAP_ALL
profile. Below are the steps to re-generate SAP_ALL:

1. Goto SU21 transaction code.

2. Click "Regenerate SAP_ALL" button.
3. Select Yes when you are prompted to confirm the re-generation.

This will re-generate the SAP_ALL Profile.

101. How to maintain the company address?

Company address can be maintained in 2 ways:

- Using transaction code SUCOMP

- Goto SU01, Environment, Maintain company address:
Click Create button to create a new company.

102. Can we assign a multiple company addresses to a single user?

No. It's not possible. A user can be assigned only with 1 company address.

103. How can I change the existing company address?

To change the existing company address, follow the below steps:

1. Goto Su01 transaction code

2. Enter the user name and click Edit
3. Choose one of the below buttons:

The Assign other company address will prompt a list of existing company addresses from
which the required company can be selected. However, the "Assign new company
address..." button will allow you to create new company address.

104. We are unable to modify the users thru SU01 transaction code, and
experiencing "company address locked" error. How to troubleshoot this issue?

This is an identified issue is SAP R/3 version 4.5 and 4.6C. SAP has released a source code
correction for this issue. Refer SAP note: 312714 - Unnecess. lock on company addr. in
displ. mode SU01 .

105. How to setup a company address as default?

To setup a default company code, perform the following:

1. Go to SUCOMP transaction code

2. Select the company address that you wish to set as default.
3. Click Edit.
4. Click Standard Address, Define.

106. Which table contains all the fields currently set as Organizational Levels in
PFCG?

Table USORG holds the information of Org fields.

107. How should I grant PFCG display access and SU01 maintain access?

Assignment of roles to users in SU01, SU10, and PFCG transaction codes require
authorization to S_USER_GRP with Assign (22) activity and S_USER_AGR with Change
(02) activity.

If Change activity is assigned, the user will get access to change roles too. To limit the
authorization to PFCG display, you have to set a switch in PRGN_CUST table. This will check
only S_USER_AGR activity 22 while assigning roles. Below are the steps:

1. Goto transaction code SM30.

2. Enter table name "PRGN_CUST"
3. Click Maintain
4. Add new entry 'ASSIGN_ROLE_AUTH'and value 'ASSIGN.