Sunday 8 May 2011

SAP Security Authorization Interview Questions

  1. How do you determine which organizational values to give a user?
    Refer to the request form or change request, ask the functional team, copy from a comparable user, or consult the user's manager or subordinate. Some business sense is needed. Never give more values than requested.

  2. How would you map a tcode to a user?
    Check the request form. Investigate the user's job function. Research what the tcode does. Do not give any tcode that the user does not need from a business point of view.

  3. What background or periodic jobs should a security consultant know?
    - Daily check on the SAP* and DDIC users. They should be locked at all times (unless there is an upgrade).
    - Run RSUSR006 to check locked users.
    - Check that the production client is locked against direct changes.
    - Check who has the SAP_ALL profile. No one should have it.

  4. Single Role Naming convention
    Sample : MY1XFCSOA or MY1XFCSOD
    Explain:
    - MY (country code)
    - 1X (domain - corresponds to the org-level value Excel sheet)
    - FCSO (abbreviation of the function role - Finance Create sales order)
    - A (activity type - A means change, D means display)
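    As an added example (not code from the original post), here is a small Python parser for the naming convention above, plus a check that flags a display (D) role assigned alongside its change (A) counterpart. The field widths and activity codes follow the convention as described; the regex, the role list and the assumption that a change role already covers display access are mine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Single-role naming convention from the post: MY 1X FCSO A
#   country (2) + domain (2) + function abbreviation (4) + activity type (1).
# The exact character classes are an assumption for this example.
ROLE_NAME = re.compile(
    r"^(?P<country>[A-Z]{2})(?P<domain>[A-Z0-9]{2})"
    r"(?P<function>[A-Z]{4})(?P<activity>[AD])$"
)
ACTIVITY = {"A": "change", "D": "display"}


@dataclass(frozen=True)
class RoleName:
    country: str
    domain: str
    function: str
    activity: str


def parse_role_name(name: str) -> RoleName:
    """Split a single-role name into its four fields; reject anything off-convention."""
    m = ROLE_NAME.match(name)
    if not m:
        raise ValueError(f"role name {name!r} does not follow the MY1XFCSOA convention")
    return RoleName(**m.groupdict())


def redundant_display_roles(assigned: list[str]) -> list[str]:
    """Return the display (D) roles whose change (A) twin for the same
    country/domain/function is also assigned. Assumption: the change role
    already grants display access, so the D role adds nothing but a profile."""
    parsed = {name: parse_role_name(name) for name in assigned}
    change_keys = {(r.country, r.domain, r.function)
                   for r in parsed.values() if r.activity == "A"}
    return sorted(n for n, r in parsed.items()
                  if r.activity == "D"
                  and (r.country, r.domain, r.function) in change_keys)


if __name__ == "__main__":
    # Constructed assignment list for one user.
    sample = ["MY1XFCSOA", "MY1XFCSOD", "MY1XFPOSD"]
    print(parse_role_name("MY1XFCSOA"))
    print(redundant_display_roles(sample))  # ['MY1XFCSOD']
```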

  5. Maximum number of profiles per user?
    - 312

  6. How do you check how many profiles a user has?
    - Table USR04

  7. System parameters used by security
    - login/no_automatic_user_sapstar
    - login/fails_to_user_lock
    - login/fails_to_session_end
    - login/gui_auto_logout
    - many more; google for the rest.

  8. Why should SAP* not be used?
    - SAP is designed not to check authorizations for user SAP*.
    - Whoever has SAP* gets control over the whole system.

  9. Frequently used tcodes
    - SUIM, PFCG, SU01, SU53; google for more

  10. What is SU24?
    - Removes and adds authorization object checks (which are then displayed in PFCG)
    - Used to standardize the common authorization objects pulled into a role

  11. What is a derived role?
    - A child role derived from a master template role

  12. What is an authorization object?
    - A collection of authorization fields.

  13. How do you check a user access issue?
    - SU53, ST01

  14. The user does not have access, but a SUIM search indicates the authorization was given
    Reasons:
    - Maximum number of profiles reached
    - The user did not log in again
    - User comparison was not performed

  15. Which table shows what profiles a user has?
    - UST04

  16. PFCG tables
    - AGR_AGRS, AGR_1251, AGR_1252, USR02, etc.

  17. How do you transport a role?
    - In PFCG there is a transport truck icon. Alternatively, use mass transport from the menu.

  18. How do you convert a field to an org level?
    - Run program PFCG_ORGFIELD_CREATE

  19. What is GRC?
    - Governance, Risk and Compliance
    - Helps a company put in place a set of policies and controls to be SOX compliant

  20. Components of GRC
    - CUP (Compliant User Provisioning - enables self-service role requests and their approval)
    - RAR (Risk Analysis and Remediation - checks SoD, generates reports and proposes solutions)
    - ERM (Enterprise Role Management - assists in role design)
    - SPM (Superuser Privilege Management - manages super user access such as firecall IDs and mitigation)

  21. Why do single roles sometimes have more than one profile?
    - When there are more than 150 objects in a profile, SAP automatically generates a new profile.
End of SAP Security Authorization Interview Questions
