SAP R/3 Security – Interview Questions

1. How to create the user group in SAP system?
Ans :

User group can be created by performing the below steps:

  • Execute the t-code SUGR
  • Enter the name of user group to be created in the textbox
  • Click on the create button
  • Enter the description and click on save button

2. How to find the Transport requests containing the specific role?
Ans :

The list of Transport requests containing the specific role can be retrieved by performing below steps:

  • Execute the t-code SE03
  • Double click on the option “Search for Objects in Requests/Tasks” under the node “Objects in Requests” in the left panel of the screen. This will take us to a new screen.
  • In the object selection screen, enter the field value as ACGR and check the checkbox present at the left side.
  • Enter the role name for which we need the list of transport requests.
  • In the “Request/Task Selection” section (lower section of the same screen), check the statuses of the requests which we need in the list
  • Click on execute button

3. How to check the transport requests created by other user?

The t-code SE10 provides the option to enter the user name. By using this facility, we can search for the transport requests created by other users.

4. How to generate the list of roles having authorization objects with status as “maintained”?

This list can be generated by using the table AGR_1251 as below:

  • Execute the t-code SE16
  • Enter the table name as AGR_1251 and hit enter button
  • Enter the field value as “G” in field “Object Status” and click on execute

The same table can be used to generate the list of roles with authorization objects having status modified and manual with field values M and U respectively.
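The same filter applied to a downloaded SE16 extract, as an added example (not from the original post). It assumes a CSV export whose columns use the technical field names AGR_NAME, OBJECT, AUTH, FIELD, LOW, MODIFIED (the "Object Status" field) and DELETED; the rows are constructed sample data. AGR_1251 holds one row per field value, so each authorization is counted once per (OBJECT, AUTH) pair and deleted entries are skipped.

```python
import csv
import io
from collections import defaultdict

# Status codes exactly as given in the answer above.
STATUS = {"G": "maintained", "M": "modified", "U": "manual"}

# Constructed sample extract, not real role data.
AGR_1251_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,MODIFIED,DELETED
Z_FI_CLERK,S_TCODE,T-D100001,TCD,FB03,G,
Z_FI_CLERK,F_BKPF_BUK,T-D100002,ACTVT,03,G,
Z_FI_CLERK,F_BKPF_BUK,T-D100002,BUKRS,1000,G,
Z_FI_CLERK,S_TABU_DIS,T-D100003,ACTVT,02,U,
Z_FI_CLERK,S_TABU_DIS,T-D100003,DICBERCLS,*,U,
Z_MM_BUYER,M_BEST_EKO,T-D200001,ACTVT,01,M,
Z_MM_BUYER,S_DEVELOP,T-D200002,ACTVT,03,U,X
"""


def objects_by_status(export_csv, codes=("G", "M", "U")):
    """Return {role: {status label: sorted [(object, auth), ...]}}."""
    found = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_csv)):
        status = row["MODIFIED"].strip().upper()
        if status not in codes:
            continue
        if row["DELETED"].strip().upper() == "X":
            continue  # authorization was removed from the role
        label = STATUS.get(status, status)
        # One set entry per authorization, however many field rows it has.
        found[row["AGR_NAME"].strip()][label].add(
            (row["OBJECT"].strip(), row["AUTH"].strip())
        )
    return {
        role: {label: sorted(auths) for label, auths in by_status.items()}
        for role, by_status in found.items()
    }


if __name__ == "__main__":
    for role, by_status in objects_by_status(AGR_1251_EXPORT).items():
        for label, auths in by_status.items():
            print(role, label, [obj for obj, _ in auths])
```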

5. How to find the email ids if given a list of users (say 100)?

The list of email ids for given users can be generated by performing the below steps:

  • Execute the t-code SE16
  • Enter the table name as USR21.
  • Upload the list of users using multiple selection option and execute. This will give us the list of users and their respective person numbers
  • Extract this data to excel sheet
  • Now, go back to SE16 and enter table name ADR6
  • Upload the list of person number extracted from table USR21 and execute
  • Now, table ADR6 will give us the list of person numbers and their email ids.
  • Download the list to Excel and perform a VLOOKUP in Excel to map the email ids of users to their SAP IDs
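The mapping step done in a script instead of a spreadsheet lookup, as an added example (not from the original post). It assumes CSV exports whose columns use the technical field names BNAME and PERSNUMBER (USR21) and PERSNUMBER, SMTP_ADDR and FLGDEFAULT (ADR6); the rows are constructed sample data. It covers the cases a lookup formula handles badly: person numbers that lost their leading zeros, users with several addresses, and users with none.

```python
import csv
import io

# Constructed sample exports, not real user data.
USR21_EXPORT = """BNAME,PERSNUMBER
JDOE,0000012345
ASMITH,12346
BATCH01,0000012347
"""
ADR6_EXPORT = """PERSNUMBER,SMTP_ADDR,FLGDEFAULT
0000012345,jdoe.old@example.com,
0000012345,john.doe@example.com,X
0000012346,alice.smith@example.com,X
"""


def norm_persnumber(value):
    """Restore the leading zeros a spreadsheet strips from the 10-char key."""
    return value.strip().zfill(10)


def map_user_emails(usr21_csv, adr6_csv, wanted_users):
    """Return {user: email, or None if no address, or 'NOT_IN_USR21'}."""
    pers_by_user = {
        row["BNAME"].strip().upper(): norm_persnumber(row["PERSNUMBER"])
        for row in csv.DictReader(io.StringIO(usr21_csv))
    }
    emails_by_pers = {}
    for row in csv.DictReader(io.StringIO(adr6_csv)):
        pers = norm_persnumber(row["PERSNUMBER"])
        is_default = row["FLGDEFAULT"].strip().upper() == "X"
        # Keep the first address seen, but let the default-flagged one win.
        if pers not in emails_by_pers or is_default:
            emails_by_pers[pers] = row["SMTP_ADDR"].strip()
    result = {}
    for user in wanted_users:
        key = user.strip().upper()
        if key not in pers_by_user:
            result[key] = "NOT_IN_USR21"
        else:
            result[key] = emails_by_pers.get(pers_by_user[key])
    return result


if __name__ == "__main__":
    users = ["jdoe", "ASMITH", "BATCH01", "GHOST"]
    for user, email in map_user_emails(USR21_EXPORT, ADR6_EXPORT, users).items():
        print(f"{user:10} {email}")
```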

6. How to find user defined, system default values for security parameters?
Ans :

The values for parameters can be checked by using the t-code RSPFPAR. After executing the t-code, enter the parameter name and click on execute.

7. How to assign the logical system to client?
Ans :

Logical system can be assigned to client by using the t-code SCC4. We need to be very careful while doing this change as it can affect the CUA (if configured).

8. Which entities are not distributed while distributing the authorization data from master role to derived roles?

During the distribution of authorization data from the master role to derived roles, organizational values and user assignments are not distributed. The org. values and user assignments are specific to individual roles and hence have no bearing on the master-derived role relationship.

9. How to assign the multiple roles to more than 20 users in one shot in t-code SU10?
Ans :

To perform this mass role assignment, we need to follow below steps in SU10:

  • In SU10 home screen, click on the button “Authorization Data”
  • This will take us to a new screen similar to the screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for the users that need to be changed in SU10 and execute
  • Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users
  • Now, click on select all button in SU10 home screen and then click on change button.
  • Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code

10. What is the use of SU25 t-code?

The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of system upgrade so that the values in customer tables are updated accordingly.

11. What is the use of authorization object S_TABU_LIN?

This authorization object is used to provide access to tables at row level.

12. What are the authorization groups and how to create them?
Ans :

Authorization groups are units comprising tables for a common functional area. Generally, each table is assigned to an authorization group; for this reason, we need to mention the value of the authorization group while restricting access to a table in authorization object S_TABU_DIS.
The authorization group can be created by using the t-code SE54. The assignment of tables to authorization groups can be checked by using table TDDAT.

13. What is SOX (Sarbanes Oxley)?

Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance and restore investor confidence. The Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.

The Sarbanes-Oxley Act is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years”. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

Organizations should be able to guarantee the integrity of some of their operations like PTP or OTC, which can have quite a significant impact on the way the financial statements are projected if not controlled.

Organizations today are therefore moving in the direction of automating their software for SOX compliance. A key factor in achieving SOX compliance is to separate the duties amongst individuals to such an extent that no one person has the authorization to fulfill a complete cycle, say procurement or sales.

14. How to create a query in SAP R/3 system?

The query can be created and executed using the t-code SQVI:

  • Execute the t-code SQVI.
  • Enter the name of query to be created and click on create button.
  • Enter the Title and comments for query and select the data source such as table or table join.
  • Select the preferred view as Basis Mode or Layout Mode and click on continue button.
  • The above step will take us to a new screen. Add the respective table on which we need to create a query.
  • If Data source is selected as table join, select the respective tables as needed and joining fields.
  • Save and come to main screen. Here, you need to select the fields to be displayed in output and their sequence.


15. What is the use of ST01? What are the return codes of t-code ST01?

Transaction code ST01 is used to trace user authorizations. This is useful if we need to check which authorizations are checked in the background when a t-code is executed by the business user.

Below are the return codes of ST01 :

  • 0 – Authorization check passed
  • 1 – No Authorization
  • 2 – Too many parameters for authorization check
  • 3 – Object not contained in user buffer
  • 4 – No profile contained in user buffer
  • 6 – Authorization check incorrect
  • 7,8,9 – Invalid user buffer







6 responses to “SAP R/3 Security – Interview Questions”

  1. srinivas reddy

    really superb

  2. Guest

    return values for ST01 mentioned above are incorrect…

  3. pavani

    Hi all, I have a question related to SAP security.
    As a security consultant, on what basis do you select a role for a particular user? And how do you decide that the user is actually authorized to have that particular role?

    1. Wahed

      SAP Roles are created based on Business role requirement. Based on the user functionality in the business the roles are assigned.

    2. Animesh Chavan

      Hi Pavani, we need to check what transaction the user is going to use as per functionality, and need to check which transaction code is present in which role.

  4. Gia

    Return codes for ST01 mentioned above are incorrect. The return codes are:
    0 – authorisations present and executed successfully
    4 – authorisation object present but missing field values
    12 – authorisation object is missing

