141540314 2 SAP Security Interview Questions


  • 8/13/2019 141540314 2 SAP Security Interview Questions


    Q. Can we convert an authorization field to an org. field?
    A. An authorization field can be changed to an organizational field using PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE. Use SE38 or SA38 to run the above report.

    Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis. The authorization data may have to be postprocessed in roles.

    The fields 'Activity', 'ACTVT' and 'Transaction code', 'TCD' cannot be converted into an organizational level field.

    In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is now to become the organizational level field are removed and entered into the organizational level data of the role.
    Note: Table for Org Element - USORG. Refer to Note 323817 for more detail.

    Q. How many profiles can be assigned to any user master record?
    A. The maximum number of profiles that can be assigned to any user is ~312. Table USR04 (Profile assignments for users) contains both information on the change status of a user and the list of the profile names that were assigned to the user.

    The field PROFS is used for saving the change flag (C = user was created, M = user was changed) and the names of the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.

    Q. Can you add a composite role to another composite role?
    A. No

    Q. How to reset the SAP* password from the Oracle database?
    A. Log on to your database with orasid as user id and run this SQL:

    delete from sapSID.usr02 where bname='SAP*' and mandt='XXX';
    commit;

    Where mandt is the client.

    Now you can log in to the client using sap* and password pass.

    Q. What is the difference between a role and a profile?
    A. A role acts as a container that collects transactions and generates the associated profile. The profile generator (PFCG) in the SAP System automatically generates the corresponding authorization profile. Developers used to perform this step manually before PFCG was introduced by SAP. Any maintenance of the generated profile should be done using PFCG.

    Q. What is the user buffer?
    A. When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.

    A user would fail an authorization check if:

    - The authorization object does not exist in the user buffer
    - The values checked by the application are not assigned to the authorization object in the user buffer
    - The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.

    Q. SAP Security T-codes
    A. Frequently used security T-codes:

    SU01 Create/Change User
    PFCG Maintain Roles
    SU10 Mass Changes
    SU01D Display User
    SUIM Reports
    ST01 Trace
    SU53 Authorization analysis

    Click here for all Security T-codes

    End User

    Transaction Code | Menu Path | Purpose
    SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters
    SU53 | System --> Utilities --> Display Authorization Check | Display last authority check that failed
    SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer

    Role Administration

    Transaction Code | Menu Path | Purpose
    PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
    PFUD | <none> | Compare user master in dialog. This function can also be called in the Profile Generator: Environment --> Mass compare. The job for user master comparison is: PFCG_TIME_DEPENDENCY (to Release 4.0: RHAUTUP1)
    SUPC | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Generation | Mass Generation of Profiles

    User Administration

    http://www.sapsecurityonline.com/r3_security/r3_security_tcodes.htm

    Transaction Code | Menu Path | Purpose
    SU01 | Tools --> Administration --> User Maintenance --> Users | Maintain Users
    SU01D | Tools --> Administration --> User Maintenance --> Display Users | Display Users
    SU10 | Tools --> Administration --> User Maintenance --> User Mass Maintenance | User mass maintenance
    SU02 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually | Manually create profiles
    SU03 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Authorizations Manually | Manually create authorizations

    Profile Generator Configuration

    Transaction Code | Menu Path | Purpose
    RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters. (auth/no_check_in_some_cases = Y).
    SU25 | IMG Activity: Enterprise IMG --> Basis Components --> System Administration --> Users and Authorizations --> Maintain authorizations and profiles using Profile Generator --> Work on SAP check indicators and field values. Select: Copy SAP check ID's and field values | Installation: Initial Customer Tables Fill. Upgrade: a. Preparation: Compare with SAP Values; b. Reconcile affected transactions; c. Roles to be checked; d. Display changed transaction codes
    SU24 | Same as for SU25: Select: Change Check Indicators | Maintain Check Indicators; Maintain Templates

    Transport


    Transaction Code | Menu Path | Purpose
    SCCL | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Local Copy | Local client copy (within one system change over a network - not files).
    SCC8 | Tools --> Administration --> Administration --> Client Administration --> Client Transport --> Client Export | Client transport (between clients in different systems). Data exchange using a data export at operating system level.
    <none> | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Transport | Mass transport of roles
    <none> | Tools --> Administration --> User Maintenance --> Roles --> Role --> Upload/Download | Upload/Download of Roles
    SU25 | Point ,- | Transport of Check indicators
    STMS | Tools --> Administration --> Transports --> Transport Management System | Transport Management System

    System configuration

    Transaction Code | Menu Path | Purpose
    RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters. (auth/no_check_in_some_cases = Y).
    RZ11 | | Description of system profile parameters
    SM01 | Tools --> Administration --> Administration --> Transaction Code Administration | Lock transaction codes from execution

    Authorization Object


    Transaction Code | Menu Path | Purpose
    SU20 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields | List of authorization fields
    SU21 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects | List of authorization objects (Initial screen lists by object class)

    Audit

    Transaction Code | Menu Path | Purpose
    SE84 | Tools --> Administration --> User Maintenance --> Information System | Information System for SAP R/3 Authorizations
    SECR | <none> | Audit Information System

    Table maintenance

    Transaction Code | Menu Path | Purpose

    SM30-%ablesB( .Gpert mode4

    SH03 - Call Extended Help
    ST10 - Table Call Statistics
    AL15 - Customize SAPOSCOL destination
    SICK - Installation Check
    ST11 - Display Developer Traces
    AL18 - Local File System Monitor
    SLDB - Logical Databases (Tree Structure)
    ST12 - Application Monitor
    AL19 - Remote File System Monitor
    SLW4 - Translation: Application Hierarchy
    ST14 - Application Analysis
    AL20 - Early Watch Data Collector List
    SM01 - Lock Transactions
    ST22 - ABAP/4 Runtime Error Analysis
    DB01 - Analyze Exclusive Lock Waits
    SM02 - System Messages
    STAT - Local Transaction Statistics


    DB02 - Analyze Tables and Indexes
    SM04 - User Overview
    STDR - TADIR Consistency Check
    DB03 - Parameter Changes in DB
    SM12 - Display and Delete Locks
    STUN - Performance Monitor Menu
    DB11 - Early Watch Profile Maintenance
    SM13 - Display Upgrade Records
    SU01 - Maintain User Records
    DB12 - Overview of Backup Logs
    SM21 - System Log
    SU02 - Maintain Authorization Profiles
    DB13 - Database Administration Calendar
    SM31 - Table Maintenance
    SU03 - Maintain Authorizations
    DB14 - Show DBA Action Logs
    SM35 - Batch Input Monitoring
    SU10 - Mass Changes to User Master Records
    PFCG - Profile Generator: Activity Groups
    SM36 - Background Job Scheduler
    SU12 - Mass Changes to User Master Records
    RZ01 - Job Scheduling Monitor
    SM37 - Background Job Overview
    SU20 - Maintain Authorization Fields
    RZ02 - Network Graphics for SAP Instances
    SM38 - Queue Maintenance Transaction
    SU21 - Maintain Authorization Objects
    RZ03 - Presentation, Control SAP Instances
    SM39 - Job Analysis
    SU22 - Auth Objects Usage in Transactions
    RZ04 - Maintain SAP Instances
    SM50 - Work Process Overview
    SU24 - Maintain Profile Generator Tables
    RZ06 - Alert Thresholds Maintenance
    SM51 - List of SAP Servers
    SU25 - Copy SAP to Customer ProfGen Tables
    RZ08 - SAP Alert Monitor
    SM63 - Display/Maintain Operation Mode Sets
    SU30 - Overall Authorization Checks
    RZ10 - Maintenance of Profile Parameters
    SM64 - Release of an Event
    SU50 - Maintain User Defaults


    RZ11 - Profile Parameters
    SM65 - Background Processing Analysis Tool
    SU51 - Maintain User Address
    SAR - Maintain Transaction Codes
    SM66 - System-wide Work Process Overview
    SU52 - Maintain User Parameters
    SARA - Archive Management
    SM67 - Job Scheduling
    SU53 - Analyze Authorization Error
    SCAT - Computer Aided Test Tool
    SM68 - Job Administration
    SU56 - Display list of User Authorizations
    SCC0 - Client Copy
    SMGW - Gateway Monitor
    SVER - ABAP/Verification
    SCU3 - Table History
    SMLG - Logon Groups
    SVMC - Start View Maintenance with Memory
    SD11 - Data Modeler
    SMX - Display Own Jobs
    SWT0 - Configure Workflow Trace

    SD * Matchcode b@ects-test4

    SOFF - SAPoffice: Area Menu
    SWU8 - Technical Trace On/Off
    SE01 - Transports and Correction System
    SP00 - Spool and Related Areas
    SWU9 - Display Technical Trace
    SE02 - Environment Analyzer
    SP01 - Output Controller
    SWUD - Diagnostic Tools
    SE03 - Transport Utilities
    SP11 - TemSe Directory
    SWUE - Initiate Event
    SE07 - Transport System Status Display
    SP12 - TemSe Administration
    SWUF - Workflow Monitor
    SE09 - Workbench Organizer
    SPIT - Output Controller
    SWUH - Test Method
    SE10 - Customizer Organizer
    SPAD - Spool Administration
    SWWD - Switch on Work Item Error Monitoring
    SE11 - ABAP/4 Dictionary Maintenance
    SPAM - SAP Patch Manager
    SYNT - Display Syntax Trace Output
    SE12 - ABAP/4 Dictionary Display
    SPAT - Spool Administration - test
    TU01 - Call Statistics


    SE13 - Maintain Technical Settings (Tables)
    SPDD - Display Modified DDIC objects
    TU02 - Active Instance Profile parameters

    Q. List a few security tables.
    Click here for security tables

    Q. How to create users?
    Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Click here for a tutorial on creating an SAP user id

    Q. What is the difference between USOBX_C and USOBT_C?
    The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite an authority-check command being programmed). This table also determines which authorization checks are maintained in the Profile Generator.

    The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

    http://www.sapsecurityonline.com/r3_security/r3_security_tables.htm
    http://www.sapsecurityonline.com/tutorials/create_user.htm

    Q. What authorizations are required to create and maintain user master records?
    The following authorization objects are required to create and maintain user master records:

    - S_USER_GRP: User Master Maintenance: Assign user groups
    - S_USER_PRO: User Master Maintenance: Assign authorization profile
    - S_USER_AUT: User Master Maintenance: Create and maintain authorizations

    Q. List R/3 User Types

    1. Dialog users are used for individual users. Check for expired/initial passwords. Possible to change your own password. Check for multiple dialog logon.

    2. A Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted.

    3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

    4. A Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

    Q. What is a derived role?

    Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

    The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

    Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level. Follow this link for more info

    Q. What is a composite role?

    A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.

    Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

    Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

    The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison. Follow the link to learn more

    Q. What do the different color lights mean in the profile generator?
    A.

    http://www.sapsecurityonline.com/tutorials/derived_role.htm
    http://www.sapsecurityonline.com/tutorials/composite_role.htm

    Q. What are the different tabs in PFCG?
    A.

    Q. What does user compare do?
    If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily.


    Q. How to find out all roles with T-code SU01?
    A. You can use SUIM > Roles by complex criteria or RSUSR070 to find this out. Go to the Selection by Authorization Value. In Object 1 put S_TCODE and hit enter. Then put SU01 in Transaction code and hit the execute (clock with check) button. I use the authorization object, as you can use this to test any object.

    You can also get this information directly from the table, if you have access to SE16 or SE16N. Execute SE16N:

    Table AGR_1251
    Object S_TCODE
    VALUE (low) SU01

    Q. How to find out all the users who got SU01?
    A. You can use SUIM > User by complex criteria or (RSUSR002) to find this out. Go to the Selection by Authorization Value. In Object 1 put S_TCODE and hit enter. Then put SU01 in Transaction code and hit the execute (clock with check) button. I use the authorization object, as you can use this to test any object.

    Q. How to find out all the roles for one composite role or a selection of composite roles?
    A. Execute SE16N:

    Table AGR_AGRS
    Composite roles: You can put multiple composite roles using the more button
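The two table lookups above (AGR_1251 for S_TCODE values, AGR_AGRS for composite roles), worked over a spreadsheet download as an added example that is not part of the original document. It goes one step beyond the exact VALUE (low) = SU01 filter by also evaluating ranges and trailing-asterisk patterns. The sample rows, the role names and the CSV column layout (including the DELETED flag) are constructed assumptions.

```python
import csv
import io

# Constructed sample rows, shaped like a spreadsheet download of AGR_1251.
# Column names and the DELETED flag ('X' = inactive entry) are assumptions.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_USER_ADMIN,S_TCODE,TCD,SU01,,
Z_OLD_ADMIN,S_TCODE,TCD,SU01,,X
Z_BASIS_RANGE,S_TCODE,TCD,SU00,SU99,
Z_WILDCARD,S_TCODE,TCD,SU*,,
Z_HELPDESK,S_TCODE,TCD,SU01D,,
Z_MM_BUYER,S_TCODE,TCD,ME21N,,
Z_USER_ADMIN,S_USER_GRP,ACTVT,01,02,
"""

# Constructed sample rows for AGR_AGRS (composite role -> contained role).
AGR_AGRS_CSV = """AGR_NAME,CHILD_AGR
ZC_SECURITY_TEAM,Z_USER_ADMIN
ZC_SECURITY_TEAM,Z_HELPDESK
ZC_BASIS,Z_BASIS_RANGE
ZC_PURCHASING,Z_MM_BUYER
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def se16n_exact_lookup(rows, tcode):
    """The filter as typed into SE16N: OBJECT = S_TCODE, LOW = tcode."""
    return sorted({r["AGR_NAME"] for r in rows
                   if r["OBJECT"] == "S_TCODE" and r["LOW"] == tcode})


def value_covers(low, high, wanted):
    """True if one authorization value (single, range or pattern) covers wanted."""
    low, high = low.strip(), high.strip()
    if high:                       # range LOW..HIGH, compared as strings
        return low <= wanted <= high
    if low.endswith("*"):          # pattern such as SU* or a lone *
        return wanted.startswith(low[:-1])
    return low == wanted           # single value


def roles_granting_tcode(rows, tcode):
    """Roles whose active S_TCODE values cover tcode, ranges and patterns included."""
    return sorted({r["AGR_NAME"] for r in rows
                   if r["OBJECT"] == "S_TCODE"
                   and r["DELETED"].strip() != "X"
                   and value_covers(r["LOW"], r["HIGH"], tcode)})


def composites_containing(agr_agrs, single_roles):
    """Map each composite role to the contained roles found in single_roles."""
    wanted = set(single_roles)
    result = {}
    for r in agr_agrs:
        if r["CHILD_AGR"] in wanted:
            result.setdefault(r["AGR_NAME"], []).append(r["CHILD_AGR"])
    return {name: sorted(children) for name, children in sorted(result.items())}


ROLE_VALUES = load_rows(AGR_1251_CSV)
COMPOSITES = load_rows(AGR_AGRS_CSV)

if __name__ == "__main__":
    granting = roles_granting_tcode(ROLE_VALUES, "SU01")
    print("exact LOW match :", se16n_exact_lookup(ROLE_VALUES, "SU01"))
    print("effective grant :", granting)
    print("via composites  :", composites_containing(COMPOSITES, granting))
```

On the sample data the exact filter returns the inactive entry and misses the range and pattern roles, which is why SUIM is the safer source for an access review.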

    Q. How to find out all the derived roles for one or more Master (Parent) roles?
    A. Execute SE16N:

    Table AGR_DEFINE
    Use either the agr_name field or the Parent_agr field.

    Q. How can I check all the Organization values for any role?
    A. Execute SE16N:

    Table AGR_1252
    Role: Type in the role here and hit execute.

    You can always download all the information to a spreadsheet also using .

    Q. How do I restrict access to files through AL11?
    A. First create an alias. Go to t-code AL11 > configure > create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below:

    Activity: 33
    Physical file name: /tmp/
    Program Name with Search Help

    Q. How can I add one role to many users?
    A. SU10. If you have less than 16 users then you can paste the userids.

    If you have more than 16 users: click on Authorization data and click on next to users and upload from clipboard. Hit the change button, go to the role tab, add the roles to be assigned and hit save.

    Q. What are the best practices for locking expired users?
    A. Lock the user. Remove all the roles and profiles assigned to the user. Move them to the TERM user group.

    Q. How can the password rules be enforced?
    A. Password rules can be enforced using profile parameters. Follow the link to learn more about the profile parameter.

    Q. How to remove duplicate roles with different start and end date from user master?
    A. You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 865841 for more info.

    Q. How come the users have authorization in PFCG, but the user still complains of no authorization?
    A. Make sure the user master is compared. Maybe there is a user buffer overflow. Also check the profile. Follow the instructions below:

    SUIM > User by complex criteria.
    Put in the userid of the user who is having the issue. Execute.
    Double click on the user id and expand the tree. Select the profile in question and see if the authorization is correct or not. If not, do the role reorg in PFCG and see if that helps.

    Q. How can I have a display all roles?
    A. Copy sap_all, open the role and change the activity to 03 and 08

    Q. How can I find out all actvt in SAP?
    A. All possible activities (ACTVT) are stored in table TACT (transaction SM30), and the valid activities for each authorization object can be found in table TACTZ (transaction SE16).

    Q. How to find all the users who got access to change and create users?

    You can find all users who have access to create or change users using SUIM.

    Execute transaction SUIM.
    Go to Users by Complex Selection Criteria >> Users by Complex Selection Criteria, or you could run report RSUSR002 using SA38 or SE38.

    Fill in the screen as shown below, and execute the query. There are a couple of other authorizations (S_USER_AGR, S_USER_GRP and S_USER_PRO) you might want to check as well.

    On the other hand you could just give the user SU01D, which is display user master.

    http://www.sapsecurityonline.com/r3_security/r3_security_profile_param.htm

    Q. What is SAP?
    A. SAP is the name of the company founded in 1972 under the German name (Systems, Applications, and Products in Data Processing); it is the leading ERP (Enterprise Resource Planning) software package.

    Q. Explain the concept of "Business Content" in SAP Business Information Warehouse?
    A. Business Content is a pre-configured set of role and task-relevant information models based on consistent Metadata in the SAP Business Information Warehouse. Business Content provides selected roles within a company with the information they need to carry out their tasks. These information models essentially contain roles, workbooks, queries, InfoSources, InfoCubes, key figures, characteristics, update rules and extractors for SAP R/3, mySAP.com Business Applications and other selected applications.

    Q. What is IDES?
    A. International Demonstration and Education System. A sample application provided for faster learning and implementation.

    Q. What is SAP R/3?
    A. A third generation set of highly integrated software modules that performs common business functions based on multinational leading practice. It takes care of any enterprise, however diverse in operation, spread over the world. In an R/3 system all the three servers (presentation, application server and database server) are located at different systems.

    Q. What are presentation, application and database servers in SAP R/3?
    A. The application layer of an R/3 System is made up of the application servers and the message server. Application programs in an R/3 System are run on application servers. The application servers communicate with the presentation components, the database, and also with each other, using the message server. All the data are stored in a centralized server. This server is called the database server.


    Q. What should be the approach for writing a BDC program?
    A. Convert the legacy system data to a flat file and convert the flat file into an internal table. Transfer the flat file into the SAP system, called "sap data transfer". Call transaction (write the program explicitly) or create sessions (sessions are created and processed; if successful, data will transfer).

    Q. What are the major benefits of reporting with BW over R/3? Would it be sufficient just to Web-enable R/3 Reports?
    A. Performance - Heavy reporting along with regular OLTP transactions can produce a lot of load both on the R/3 and the database (cpu, memory, disks, etc). Just take a look at the load put on your system during a month end, quarter end, or year-end - now imagine that occurring even more frequently. Data analysis - BW uses a Data Warehouse and OLAP concepts for storing and analyzing data, where R/3 was designed for transaction processing. With a lot of work you can get the same analysis out of R/3, but it most likely would be easier from a BW.

    Q. What is the difference between OLAP and Data Mining?
    A. OLAP - On line Analytical processing is a reporting tool configured to understand your database schema, composition facts and dimensions. By simple point-n-clicking, a user can run any number of canned or user-designed reports without having to know anything of SQL or the schema. Because of that prior configuration, the OLAP engine "builds" and executes the appropriate SQL. Mining is to build the application to specifically look at detailed analyses, often algorithmic; even more often misappropriately called reporting.

    Q. What is "Extended Star Schema" and how did it emerge?
    A. The Star Schema consists of the Dimension Tables and the Fact Table. The Master Data related tables are kept in separate tables, which have reference to the characteristics in the dimension table(s). These separate tables for master data are termed the Extended Star Schema.

    Q. Define Meta data, Master data and Transaction data
    A. Meta Data: Data that describes the structure of data or MetaObjects is called Metadata. In other words, data about data is known as Meta Data. Master Data: Master data is data that remains unchanged over a long period of time. It contains information that is always needed in the same way. Characteristics can bear master data in BW. With master data you are dealing with attributes, texts or hierarchies. Transaction data: Data relating to the day-to-day transactions is the Transaction data.

    Q. What is Bex?
    A. Bex stands for Business Explorer. Bex enables the end user to locate reports, view reports, analyze information and execute queries. The queries in a workbook can be saved to their respective roles in the Bex browser. Bex has the following components: Bex Browser, Bex analyzer, Bex Map, Bex Web.

    Q. What are variables?
    A. Variables are parameters of a query that are set in the parameter query definition and are not filled with values until the queries are inserted into workbooks. There are different types of variables which are used in different applications: Characteristics variables, Hierarchies and hierarchy node, Texts, Formulas, Processing types, User entry/Default type, Replacement Path.

    Q. What is AWB? What is its purpose?
    A. AWB stands for Administrator WorkBench. AWB is a tool for controlling, monitoring and maintaining all the processes connected with data staging and processing in the business information warehousing.

    Q. What is the significance of ODS in BIW?
    A. An ODS Object serves to store consolidated and debugged transaction data on a document level (atomic level). It describes a consolidated dataset from one or more InfoSources. This dataset can be analyzed with a BEx Query or InfoSet Query. The data of an ODS Object can be updated with a delta update into InfoCubes and/or other ODS Objects in the same system or across systems. In contrast to multi-dimensional data storage with InfoCubes, the data in ODS Objects is stored in transparent, flat database tables.

    Q. What is Extractor?
    A. Extractors are a data retrieval mechanism in the SAP source system, which can fill the extract structure of a data source with the data from the SAP source system datasets. The extractor may be able to supply data to more fields than exist in the extract structure.

    http://help.sap.com/saphelp_nw04/helpdata/en/a8/6b023b6069d22ee10000000a11402f/content.htm

    Q. How do I change the name of the master / parent role keeping the name of the derived/child role the same? I would like to keep the name of the derived/child role the same and also the profile associated with the child roles.
    A. First copy the master role using PFCG to a role with the new name you wish to have. Then you have to generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put in a new inheritance. You can put in the name of the new master role you created. This will help you keep the same derived role name and also the same profile name. Once the new roles are done you can transport them. The transport automatically includes the Parent roles.

    Q. What is the difference between C (Check) and U (Unmaintained)?
    A. Background:
    When defining authorizations using the Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG.

    You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a Check Table for Table USOBT_C.

    In USOBX_C there are 4 Check Indicators.

    CM (Check/Maintain)
    - An authority check is carried out against this object.
    - The PG creates an authorization for this object and field values are displayed for changing.
    - Default values for this authorization can be maintained.

    C (Check)
    - An authority check is carried out against this object.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.

    N (No check)
    - The authority check against this object is disabled.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.

    U (Unmaintained)
    - No check indicator is set.
    - An authority check is always carried out against this object.
    - The PG does not create an authorization for this object, so field values are not displayed.
    - No default values can be maintained for this authorization.

    Q. What does user compare do?
    A. Comparing the user master: This is basically updating profile information into the user master record. So that users are allowed to execute the transactions contained in the menu tree of their roles, their user master record must contain the profile for the corresponding roles.

    You can start the user compare process from within the Profile Generator (User tab and User compare pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into the user master record. Never enter generated profiles directly into the user master record (using transaction SU01, for example)! During the automatic user compare process (with report pfcg_time_dependency, for example), generated profiles are removed from the user masters if they do not belong to the roles that are assigned to the user.

    If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. You are recommended to schedule the background job pfcg_time_dependency in such cases.

    Q. Can wildcards be used in authorizations?
    A. Authorization values may contain wildcards; however, the system ignores everything after the wildcard. Therefore, A*B is the same as A*.
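
    The wildcard rule in the answer above matters when reviewing roles: a value such as FB*3 reads as restrictive but is evaluated as FB*. The following check is an added example, not part of the original page or SAP's own code; the role names and maintained values are constructed, and the matching logic implements only the rule stated above.

```python
# Added example: authorization-value matching as the answer above describes it
# (everything after the first '*' is ignored). Role data is constructed.

def effective_pattern(value):
    """Return the pattern that is effectively evaluated for a maintained value."""
    star = value.find("*")
    return value if star == -1 else value[:star + 1]


def is_authorized(auth_value, checked_value):
    """True if checked_value passes against one maintained authorization value."""
    pattern = effective_pattern(auth_value)
    if pattern.endswith("*"):
        return checked_value.startswith(pattern[:-1])
    return checked_value == pattern


def audit_values(field_values):
    """List maintained values whose text after '*' has no effect."""
    findings = []
    for role, field, value in field_values:
        effective = effective_pattern(value)
        if effective != value:
            findings.append((role, field, value, effective))
    return findings


# Constructed role data: (role, authorization field, maintained value)
ROLE_VALUES = [
    ("Z_FI_DISPLAY", "TCD", "FB*3"),   # intended: only codes ending in 3
    ("Z_FI_DISPLAY", "TCD", "FK03"),
    ("Z_BASIS_OPS", "TCD", "SM*"),
]

if __name__ == "__main__":
    for role, field, value, effective in audit_values(ROLE_VALUES):
        print(f"{role}/{field}: {value!r} is evaluated as {effective!r}")
    # The value meant to allow only FB03 also lets FB01 through.
    print("FB01 allowed by FB*3:", is_authorized("FB*3", "FB01"))
```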

    Q. What does the PFCG_TIME_DEPENDENCY clean up?
    A. The 'PFCG_TIME_DEPENDENCY' background report only cleans up the profiles (that is, it does not clean up the roles in the system). Alternatively, you may use transaction 'PFUD'.

    Q. What happens to change documents when they are transported to the production system?
    A. Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'before input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand. The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.

    Q. What is the difference between the table buffer and the user buffer?
    A. The table buffers are in the shared memory. Buffering the tables increases performance when accessing the data records contained in the table. Table buffers and table entries are ignored during startup. A user buffer is a buffer from which the data of a user master record is loaded when the user logs on. The user buffer has different setting options with regard to the 'auth/new_buffering' parameter.

    Q. What does the Profile Generator do?
    A. The Profile Generator creates roles. It is important that suitable user roles, and not profiles, are entered manually in transaction 'SU01'. The system should enter the profiles for this user automatically.

    Q. How many authorizations fit into a profile?
    A. A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this marker, the Profile Generator will automatically create more profiles for the role. A profile name consists of twelve (12) characters and the first ten (10) may be changed when generated for the first time.

    Q. What authorization objects are needed for PFCG?

    SAP Transport Authorization

    To release Task

    S_TRANSPRT: ACTVT

    Authorization object needed for PFCG access

    S_USER_AGR: ACT_GROUP = (You can restrict by role, if a proper naming convention is used)

    ACTVT

    What are the different types of work process?
    The following work processes exist in SAP R/3:

    - Dialog (D): each dispatcher needs at least 2 dialog work processes (not shown above)
    - Spool (S): at least 1 per R/3 System (more than 1 per dispatcher allowed)
    - Update (V): at least 1 per R/3 System (more than 1 per dispatcher allowed)
    - Background (B): at least 2 per R/3 System (more than 1 per dispatcher allowed)
    - Enqueue (E): exactly 1 per R/3 System (only 1 E work process is required and allowed)

    How do you start SAP R/3?
    To start R/3, run the shell script startsap from the home directory of user <sid>adm.

    startsap starts the saposcol process, which is the statistics collector for operating system resource data, if it is not yet running.

    startsap calls the script startdb, which starts the database if it is not already started. startsap then starts the central instance. The R/3 System administrator can start additional instances and application servers. To start the instances independently of the database, use the script startsap. startsap has the following options:

    - startsap r3: Checks if the database is running; if it is, only the instance is started
    - startsap db: Starts only the database
    - startsap all: Default entry; starts both the database and the R/3 instance

    In what sequence are profile parameters read?

    - R/3 processes read the appropriate parameters from a C source in the R/3 kernel.
    - The default profile /usr/sap/<SID>/SYS/profile/DEFAULT.PFL is read; profile values already defined in the C source are replaced with the values in the default profile.
    - The instance profile /usr/sap/<SID>/SYS/profile/<SID>_<instance>_<hostname> is read; profile values already defined in the default profile or in the C source are replaced with the values defined in the instance profile.

    This procedure ensures that system parameter values reflect the instance profile and the values in the default profile and the C source.
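
    Because the instance profile is read last, one instance can quietly run with a weaker security setting than DEFAULT.PFL prescribes. The following sketch is an added example, not SAP's or the original page's code: it applies the three layers in the order described above and lists the parameters an instance profile overrides. The profile contents, the system ID C11 and all values (including the stand-in kernel defaults) are constructed.

```python
# Added example (not from the page): effective SAP profile parameters, read in
# the order described above. Profile contents and all values are constructed.
KERNEL_DEFAULTS = {"login/min_password_lng": "6",   # stand-in for C-source values
                   "login/fails_to_user_lock": "5"}

DEFAULT_PFL = """\
# constructed DEFAULT.PFL
SAPSYSTEMNAME = C11
login/min_password_lng = 8
"""

INSTANCE_PFL = """\
# constructed instance profile C11_DVEBMGS00_host01
login/min_password_lng = 3
rdisp/wp_no_dia = 10
"""

def parse_profile(text):
    """Parse 'name = value' lines; blank lines and '#' comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def resolve(kernel, default_text, instance_text):
    """Return {name: (value, source)}; each later layer replaces earlier values."""
    effective = {}
    for source, params in (("kernel", kernel),
                           ("DEFAULT.PFL", parse_profile(default_text)),
                           ("instance", parse_profile(instance_text))):
        for name, value in params.items():
            effective[name] = (value, source)
    return effective

def instance_overrides(default_text, instance_text):
    """Parameters set in DEFAULT.PFL that the instance profile changes."""
    default, instance = parse_profile(default_text), parse_profile(instance_text)
    return {name: (default[name], instance[name]) for name in instance
            if name in default and instance[name] != default[name]}

if __name__ == "__main__":
    for name, (value, source) in sorted(resolve(KERNEL_DEFAULTS, DEFAULT_PFL, INSTANCE_PFL).items()):
        print(f"{name:26} = {value:4} (from {source})")
    print("instance overrides:", instance_overrides(DEFAULT_PFL, INSTANCE_PFL))
```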

    What are the steps involved before stopping the R/3 system?
    Before stopping any R/3 system, the following basic steps are to be performed.

    Before the R/3 System is stopped, the R/3 System administrator should check the following:

    - Check if any background jobs from any application server are active or have been triggered externally. Use transaction SM37.
    - Check if the background work process BTC is running in any application server.
    - Check if any update records are open. When the system is stopped, the records are rolled back and set to status init. At startup, the records are processed again.
    - The administrator must decide whether to interrupt the jobs or wait until they are finished.
    - Give system users advance warning of the system shutdown. To create a system message, you can use transaction SM02.
    - Before shutting down the system, use transaction SM04 to check whether users are still logged on, and ask them to log off.
    - The R/3 System administrator and administrators of external systems should also inform one another about data transfers between their respective systems.

    How do you check the work process from UNIX?
    Use the following commands.

    To check all the work processes:
    ps -ef | grep <SID> | grep dw

    To check the message server:
    ps -ef | grep <SID> | grep ms

    To check the SAP OS collector:
    ps -ef | grep sapos

    How do you display the server name?
    To display the server name, use transaction SM51. Information about the process types is also displayed. For further information, select one of the instances and choose Processes. Alternatively, to display the system processes, use transaction SM.

    How do you display all active users in your system?
    To display the overview of all active users on the instance where you are logged on, use transaction SM04. For a user overview of the whole system, call transaction AL08.

    Q. What happens to locks when the enqueue server is restarted?
    A. If they have not been saved to disk in the backup file, they will be lost. The locks that are inherited by the update task when COMMIT WORK is executed after CALL FUNCTION .. IN UPDATE TASK are saved to the disk. The locks are saved to disk when the update request becomes valid, that is, with the COMMIT WORK. Each time the enqueue server is restarted, the lock entries saved on the disk are reloaded to the lock table. A lock is saved to disk at the point at which the backup flag is set.

    Q. The enqueue server is a single-point-of-failure in the SAP System. Can I guarantee high availability for the Enqueue Server?
    A. To guarantee this you must use the standalone Enqueue Server with the Replication Server. This is described in the documentation Standalone Enqueue Server.

    SAP note 524816 contains the prerequisites that must be fulfilled for using the standalone Enqueue Servers with the Replication Server.

    Q. Where is the lock table stored?
    A. In the main memory (shared memory) of the enqueue server. All work processes on the enqueue server have access to the table. External application servers execute their lock operations in the enqueue process on the enqueue server. Communication in this case takes place via the relevant dispatchers and the message server.

    Q. Can locks exist directly after startup?
    A. Yes, the saved locks, which were inherited by the update task, are reloaded to the lock table during startup (see first question).

    Q. How fast are lock operations?
    A. In work processes on the enqueue server, a few 100 microseconds. In work processes of external application servers you have to include network communications and process changes. Depending on CPU and network load this amounts to a few milliseconds.

    Q. What should I do first if a problem arises?
    A. Use the diagnosis functions:
    SM12 Extras -> Diagnosis and then
    SM12 Extras -> Diagnosis in update
    If a problem is reported, back up the trace files dev_w*, dev_disp, dev_eq* and check the Syslog.

    Q. The following message is displayed in the diagnosis details in SM12:
    Lock management operation mode
    Internal lock management in same process
    What does this message mean and what are the other options?
    A. "Internal lock management in same work process" in the diagnosis function means that you are logged onto the enqueue server and your work process can access the lock table straight away. You do not have to delegate enqueue requests to an enqueue process on a remote enqueue server. If you are logged onto an application server that is not an enqueue server, the diagnosis function will provide you with the name of the enqueue server.

    Each SAP System has exactly one application server that functions as an enqueue server. This enqueue server maintains the lock table, which is located in a shared memory segment. All of the work processes on the enqueue server can access the lock table. All work processes on other application servers delegate their enqueue requests to a special enqueue work process on the enqueue server.

    This procedure is configured automatically. The parameter line "rdisp/enqname

    server, dispatchers, and work processes are occupied simultaneously. Due to asynchronous system processes (for example, syncer), using more processors can further enhance throughput.

    Q. The Syslog often contains messages such as "Enqueue: total wait time during locking: 2500 seconds". How should I analy