Monday 25 July 2011

SAP SECURITY AUTHORIZATION ABAP AUTHORITY-CHECK

Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code
of the program, to check whether users have the appropriate authorization and whether these
authorizations are suitably defined; that is, whether the user administrator has assigned the
values required for the fields by the programmer. In this way, you can also protect transactions
that are called indirectly by other programs.

AUTHORITY-CHECK searches profiles specified in the user master record to see whether the
user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of
the authorizations found matches the required values, the check is successful.
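A short report that applies the check described above before calling another transaction. It is an added example, not code from the original post. The report name, the parameter, and the choice of transaction VA03 with authorization object V_VBAK_VKO are assumptions for illustration.

```abap
REPORT z_authcheck_demo. " hypothetical report name

" Sales organization the user wants to display orders for (assumed input).
PARAMETERS p_vkorg TYPE vkorg OBLIGATORY.

START-OF-SELECTION.

  " 1) The report calls VA03 indirectly, so check the transaction start
  "    authorization (object S_TCODE, field TCD) explicitly.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'VA03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to start transaction VA03' TYPE 'E'.
  ENDIF.

  " 2) Check the business authorization: display (ACTVT 03) for the
  "    requested sales organization. Fields marked DUMMY are not checked.
  "    The check succeeds only if a single authorization in the user's
  "    profiles contains all of the required field values.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
    ID 'VKORG' FIELD p_vkorg
    ID 'VTWEG' DUMMY
    ID 'SPART' DUMMY
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Any non-zero return code means the check failed; deny by default.
    MESSAGE |No display authorization for sales organization { p_vkorg }|
      TYPE 'E'.
  ENDIF.

  " Both checks passed: the indirect call is now allowed.
  CALL TRANSACTION 'VA03'.
```

AUTHORITY-CHECK only sets sy-subrc; the program itself must evaluate it and stop processing when the value is not 0.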

Tuesday 12 July 2011

How to create a derived role and when to use it?

The article below was found at this URL:

http://sap-securityguide.com/how-to-create-derived-role-and-when-to-use-it/#more-264


There are 2 possible reasons to use the derived role method (deriving a role's authorizations from an existing role):

●      The role menus are identical but the authorizations for the menu actions are different in the derived role.

●      The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.

Step by step: creating a derived role

1.      Create a single role that will be used as a template.

2.      Enter a role description text.

3.      In the Derive from role field on the Description tab page, enter the name of the role from which all transactions, including the menu structure, are to be copied.

4.      Save to create a role whose menu was derived from another role.

If there are additional transaction codes added to the menu of the original role, they are copied into the derived role.

Step by step: copying the authorizations of the original role to the derived role

1.      Make the change in the original role from which the authorizations are to be derived.

2.      Click the generate derived role button to copy the authorizations to the derived role.

Remarks

The organizational level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by a later adjustment (see more detail in SAP Note 314513).

How to extract a list of users who have not logged in for 3 months

1. SUIM > Users > click By Logon Date and Password Change.
2. Enter * for the user, enter 90 for days since last logon, and check locked users.

Wednesday 6 July 2011

SAP SECURITY INTERVIEW - Customizing and Workbench differences

Workbench changes are changes to cross-client Customizing and Repository objects. These objects are independent of the client.

Customizing changes are changes recorded for client-specific Customizing objects.

Tuesday 5 July 2011

SAP SECURITY INTERVIEW - Can we assign generated profiles to users directly?

Yes, but the best practice is not to assign a profile to a user master record; instead, assign a single role or composite role to the user.