Sunday, 8 May 2011

SAP Security Authorization Interview question

  1. How do you determine what organization value to be given to user?
    Refer request form, change request, functional team, copy from sample user, consult their subordinate or manager. Some business sense is needed. Never give more values then requested.

  2. How would you map a tcode to user?
    Check request form. Investigate the user's role function. Research the function of the tcode. Do not give any tcode which that is not needed by the user in business point of view.

  3. What background or periodic job security consultant should know?
    - Daily check on sap* and ddic user. It should be locked times (unless there is upgrade)
    - Run RSUSR006 to check locked users.
    - Check is production client is lock against direct changes
    - Check on sap_all profile. No one should have it.

  4. Single Role Naming convention
    Sample : MY1XFCSOA or MY1XFCSOD
    Explain:
    - MY (country code)
    - 1X (domain - which correspond to org level value excel sheet)
    - FCSO (abbreviation of the function role - Finance Create sales order)
    - A (activity type - A means change, D means display)

  5. Max profile?
    -312

  6. How to check how much profiles a user have?
    - Table USR04

  7. System parameter used by security
    - login/no_automatic_user_sapstar
    - Login/failed_to_user_lock
    - Login/fails_to_session_end
    - Login/gui_auto_logout
    - many more, google for results.

  8. Why sap* cannot be used?
    - SAP is design not to check authorization for user sap*
    - Who ever has sap* get control over the whole system

  9. Tcode frequently use
    - SUIM, PFCG, SU01, SU53 and google for more

  10. What is SU24
    - Remove and add authorization object check (to be display in PFCG)
    - Use to standardized common authorization object to be pulled in a role

  11. What is a derived role
    - A child role derived from master template

  12. Authorization object
    - A collection of authorization field.

  13. How to check user access issue
    - SU53, ST01

  14. User do not have access but SUIM search indicates authorization given
    Reason:
    - Max profile reach
    - Didn't relogin
    - Did not perform user comparison

  15. Which tables shows what profile a user have?
    - UST04

  16. PFCG tables
    - agr_agrs, agr_1251, agr_1252, USR02 and etc

  17. How to transport a role
    - PFCG > there is a transport truck icon. Alternately, use mass transport from the menu

  18. Convert field to org level
    - Run program PFCG_ORGFIELD_CREATE

  19. What is GRC
    - Governance Risk and Compliance
    - Help company to put in place a set of policy and control to be SOX compliance

  20. Components of GRC
    - CUP (Compliance user provision - enable self request for role and also approval)
    - RAR (Risk Analysis and Remediation - check SOD, generate report and propose solution)
    - ERM (Enterprise role Management - Assist in role designing)
    - SPM ( Super privileged management - profile super user access like firecoll and mitigation)

  21. Why do single roles sometimes has more profile
    - When there are more then 150 object in a profile, SAP auto generates new profile
End of SAP Security Authorization Interview question

No comments:

Post a Comment