SAP Basis Interview Questions

 Q.What is difference between 4.7, ECC 5 and ECC6 from SAP Security point of view? Ans: SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE. SAP 4.7 is an ABAP based system, here we can see only about R/3 security. SAP ECC5.0 and SAP ECC6.0 included both ABAP + JAVA stacks, means enterprise portal also included here we can have both R/3 security for ABAP stack and JAVA stack security which includes in portal concept(Enterprise Portal Security). SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE. Q.What do you mean by profile and object? Ans: Well, profile is a authorization profile and where as object can be an authorization class or authorization object or field and value. So, to make up a profile it requires several objects..... More precisely profile is set of different authorizations for different objects. It means when you create role and go for generating profile whatever the list of transactions you have added in role menu its corresponding objects automatically fetch up by profile generator. For which transaction which objects get fetch up this you can check using SU24 tcode only objects with check/maintain status get fetch up by profile generator during profile generation. And for better understanding you just keep in mind for every tcode there are certain set of objects. And Each objects has different fields and its value is called its value i.e. 01, 02, 03 create, change, display respectively. Q.What is the profile? Ans: Profile is what a user can do within that role that is assigned to the user. When a role is created; a profile is created based on the authorization data i.e. object class, authorization object, filed and values. The word "profile" is used in 2 different concepts. 1) Authorization Profiles 2) System Profiles Authorization Profile:This profile is the one created when a role is created and is called as authorization profile. System Profile: This profile exists to change the parameters for the instances... Q.I want a list of users along with roles for a client? How to do it? Ans: We can use tcode se16 in it AGR_USERS  uname: enter the user ids and AGRname: role name Youcan get in SUIM also. Q.In an environment of derived roles; a user is asking for a t-code; which is not found in suim in search of roles? What will u do? Ans:

1. Check if the tcode exists or not.
2. Try to search the role with S_tcode and then putting the tcode in "roles by complex selection criteria"
3. You should at least get SAP standard role which should not be assigned.

So after doing all these you are not able to find any end user role available in system. Next step is the proposal of adding the tcode to a suitable role. as it's a derived role envi---> need to add the tcode in template / parent role Take approval from BPR/role owner for role modification. They will decide which parent role to change. Change role in Dev and transport to rest of the sys in landscape Q.Can u secure profiles? If so , how to do it ? Ans: Yes you can. Secure Profile S_User_PRF Q.I want to lock all the users except sap* and DDIC of a particular client ? Ans: SU10 F4 on user id field Change the hit list restriction according to users present Enter It will bring all available users Remove SAP* and DDIC from list Select all and enter It will bring u back to SU10 With all users except SAP* and DDIC Select all Lock it will lock your user also (OR) We can do it by ewz5 Q.I want to delete 1000 users of a particular client, how can I do it? Ans: You can create a SECATT script to delete the users which is easy to create and easy to execute. You can also delete users of a particular client by using t-code su10. Q.Can u tell me some of the password related parameters ? Ans: Password related parameters are: login/min_password_lng (Defines minimum length for password) login/min_password_digits login/password_expiration_time These are the main parameters - which can be maintained via RZ10 (OR) You can go to t-code se16 Write login/* and enter ... then u will get all login parameters Here there is no need of remembering Q.How can I assign a same role to 200 users? Ans: You can do using PFCG- > enter the role -> change -> go to users tab -> paste the users -> click on user comparison-> complete comparison -> Save the role - it's done (OR) One can also use "Authorization Data" functionality in transaction SU10 to complete this task. Q.A user is asking for a t-code to assign? How do you assign the t-code? Ans: First we have to check if user has access to particular tcode. If not then run suim with roles by complex selection criteria -->put object1 as S_tcode as the required tcode and hit execute button. The query will fetch you a result of roles. Select a role that has minimum authorization and satisfy the user requirement. And assign the role to user. Q.A user is not able to execute a t-code; how do you solve that? What are the different reasons that might be existing? Ans: Reason:

1. Tcode does not exist
2. User context missing auth for that tcode
3. User comparison is not current

How to solve: 1.check if the user is having the tcode or not. by SUIM--> role by complex selection criteria

2. if the tcode is not assigned to user -->assign suiatablle role after taking approval. Make sure to user

compare to update the user master record 3.if the tcode is available for the user and user still cant access--> ask for result of SU53 screen shot, there might be some other authorization which is missing for the user 4.we can also trace the user's auth check by use of st01 fine searching user's missing access by analyzing st01 report and rc. Q.What is difference between se16 and sm31? Ans:  SE16: table display SM31: table, view modification Q.What are the authorization objects which are always present in user master record? Ans: For user master record as u must be knowing that different tabs of UMR..So as per my understanding As UMR stores information of users...Like his name, roles assigned to him, License data. Objects which are always present for UMR are: S_USER_AGR, S_USER_GRP,S_USER_AUT,S_USER_PRO and each of this object has its own importance... bcoz S_USER_AGR helps to maintain roles assigned, S_USER_GRP helps to maintain Auth. group in Logon Data and S_USER_AUT AND S_USER_PRO helps to maintain set of Auth. profiles and different Authorizations included in each profile. Q.What is use of System Task Tab on menu bar in PFCG? Ans: Role creation, change and delete. Q.How can we Lock transaction? What happens exactly? Ans: In SM01 transaction we can lock the transactions; we can lock one or many at a time in the system. After locking transactions, it won’t allow any body to use the transaction. (OR) SM01 transaction can use to lock the transactions; we can lock one or many at a time in the system. When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction. Q.What is Use of SM35P and SM35 is there any difference between these two? Ans: Tcode SM35P use to display/monitor sessions. Using Tcode SM35 you the run/process the sessions in background or foreground. Q.Is there any transaction to see Transport Log.? Means, Which data or roles have been transported from which system at what time? Ans: SE01 transaction is use to see Transport Log. By clicking tab "DISPLAY" you can able to see the logs. You can also see the roles or data has been transported from which system at what time. Q.Which role is commonly used? Ans: Composite and single role commonly used. Q.How to find the already locked users list before a particular date? Ans: Example: list of users already locked before 01/01/2010 Goto SUIM - USERS - USERS BY COMPLEX SELECTION CRITERIA,scroll down to the bottom, goto ADDTIONAL SELECTION CRITERIA, then give the validity date and check the check box of the option LOCKED USERS ONLY, then execute, u will get the list of the locked users. Q.What is the correct procedure for Mass Generation of Roles ? Ans: 1)Tcode SPUC is for mass generation of roles. Or you can use scripts 2)Program SAPPROFC_NEW inserted roles to be generated and execute. 3)PFCG > Utilities > Mass Generation Q.Can we assign generated profiles to users directly ? Ans: No, we can't assign a generated profile to user directly; we have to as the role associated with that particular profile The best practice is not to assign profile to a user master record. But then we can assign... Check it for example, assign sap_all to a user master record and can actually work. So, yes a profile can be assigned to user and can work. Q.How many maximum profiles we can assign to one user ? Ans: apprx 312 Q.In which way we can assign single role to many users (more than 5000 users) ? Ans: Go to Su10 Click on authorization data Click on multiple selection button beside user input field a pop up will appear-->click on green import from text file Give the destination of the excel sheet where you have already kept 5000 users Execute-->execute-->select all -->transfer this will bring all 5000 users in su10 Now change--> role tab--> assign the single role-->save Q.I want to see list of roles assigned to 10 different users. How do you do it ? Ans: 1.Go to SE16 Transaction 2.Type agr_users and go to next screen 3.in the user’s field I have the list of user ids 4.Result (OR) GO to suim -->ROLES-->By user assignment Click multiple selection Select user’s ans execute Now you get a list roles assign to selected users Q.What is the advantage of CUA from a layman/manager point of view ? Ans: CUA - Central User Administration Advantage of CUA is to lessen the time by creating users in one single system, and distribute it to the respective systems (where the user  id is requested)Helps in avoiding logging to each individual systems. Layman point of view we don’t have any advantage, But SAP security admin point it takes lesser time for user Admin. Q.how do we create firefigter Id in VIRSAs VRAT ? Ans: First create service user and mapp this user in /n/virsa/vFat Q.What is the procedure to delete a role ? Ans: First add the role that need to be deleted in a Transport. Then delete it. If there is no transport already, then create one for it and then add the role marked for deletion to it and then only we have to delete the role. If the role is deleted without adding it to a transport then we will not be able to delete the same role in other  systems like Acceptance / Quality / Production in CUA Environment. Q.What is the main difference between role and profile ? Ans: Roles are the set of authorizations. Profiles are sub component of roles. We can assign role to user but not profile. Roles are collection of different transactions, reports/web links where its profile is nothing but set of authorizations which defines the behavior of transactions listed in Role Menu. And another difference could be we canassign roles to user using PFCG but we cannot assign manually created or generated profile directly to users using PFCG. Q.How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users? Ans: Go to suim,enter the user group name in user by complex selection criteria, execute user's list,execute su10 enter list of user's and assign role to them Q.What is fire fighter? When we are using fire fighter? Ans: Fire Fighter is used if you have implemented Virsa/GRC Fire Fighter is Virsa tool, this used to execute critical tcode when doing configuration Fire fighter is also a normal user ID but having some specific access as per the needs. User type is kept as "service user' When it is used: Say, in your project you are security administrator who Does not have access to direct SU01 but you needs the access urgently. Then FFID owner/administrator assigns you a FFID for limited period so that you can perform the task from your login ID and pwd, using tcode /n/virsa/vfat and login with that FFID. While logging you will be prompted to give business reason for access. Everything you perform in that period gets recorded for auditing. Q.What are the components in VIRSA tool and GRC? Ans: In GRC we have these tools: Access Enforcer Complaince Caliber Role expert Fire Fighter In VERAS Tool we have: VRAT and VFAT Q.How to create new authorization object? Ans: Using SU21 we can create the New Authorization Object Q.Can anyone tell me what the use of SU24 and SU25 transaction code is exactly? Ans: SU25: A transaction that copies SAP defaults from USBOT & USOBX to USOBT_C and USOBX_C. USOBT is a table that consists of transactions and authorization objects. It stores default values of authorization from authorization objects. USOBX is a table that defines the necessary authorization checks that needs to be performed within a transaction. Initially both tables USOBT and USOBX consist of default values. These two tables are then used for fill up of the customer tables USBOT_C and USOBT_X through the transaction SU25. SU24: A transaction that maintains the assignment of authorization objects in the customer tables USOBT_C and USOBX_C. Q.What is the difference b/w Copy Roles and Derived Roles? Ans: In derived role, all the transactions of parent role r copied but not the org structure and auth. and we can’t add more transactions in derived role. In copy roles all the transactions with auth are copied Q.What is temp role and copy role? Ans: Temp role: - it is the sap standard role, which is defined by sap. Copy role: - copy from an existing role is copy role. Q.What are various user types? Ans: Dialog (A) System (B) Communication (C) Service (S) Reference (L) Dialog users are used for individual user. Check for expired/initial passwords.Possible to change your own password. Check for multiple dialog logon A Service user - Only user administrators can change the password.No check for expired/initial passwords. Multiple logon permitted System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on. A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab. Q.Describe how SAP handles Memory Management? Ans: ST02 / ST03 In general via table buffers, you could go into the whole Work Process, roll in, roll out, heap (private) memory, etc. however just as a Unix or DBA admin would know, is you look this up when needed for the exact specifics. Q.When we should use Transactional RFC ? Ans: A "transactional RFC" means, that either both parties agree that the data was correctly transfered - or not. There is no "half data transfer". Q.What is a developer key? and how to generate a developer key? Ans: The developer key is a combination of you installation number, your license key (that you get from http://service.sap.com/licensekey) and the user name. You need this for each person that will make changes (Dictionary or programs) in the system. Q.How should I set priority for Printing say like user, team lead, project manager? Ans: There's nothing like "priority" settings for spool processes. Just define more (profile parameter rdisp/wp_no_spool) processes so people don't need to wait. Q.Why do you use DDIC user not SAP* for Support Packs and SPAM? Ans: Do _NOT_ use neither DDIC nor SAP* for applying support packages. Copy DDIC to a separate user and use that user to apply them Q.What is the use of profile paramater ztta/roll_area? Ans: The value specifies the size of the roll area in bytes. The roll area is one of several memory areas, which satisfies the user requests of user programs. For technical reasons, however, the first 250 KB or so of a user context are always stored in the roll area, further data - up to the roll area limit ztta/roll_first, - in the extended memory, up to the limit ztta/roll_extension or if extended memory is exhausted, then - again in the roll area, until the roll area is full, then - in the local process area, up to the limit abap/heap_area_dia or abap/heap_area_total or until the address space or the swap space is exhausted. Followed by termination with errors like STORAGE_PARAMETERS_WRONG_SET an error code, that points to memory bottleneck Minimum data transfer with context change; however, the increase helps to avoid problems (address space, swap space, operating system paging). Q.What are the various configuration methods available in STMS? Ans: 1. Single system configuration

2. Development and Production systems
3. Three systems in a group

Q.What is a standard transport layer? Ans: This describes the transport route that the data from the development systems follows. Q.What is SAP transport layer? Ans: It is a predefined transport layer for DEV classes of SAP standard objects Q.What are the various qualifier option or what are the various import options? Ans: There are six import options

1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations

contact for more on SAP Basis Online Training

Write A Review