80565906 Sap Detailsgrcinterviewquestions


1. What are the components of GRC?
2. What upgrades happened in GRC 5.3 from GRC 5.2?
3. Is it possible to have a request type by which we can change the validity period of a user? If possible, then what are the actions?
4. What's the latest Support Pack for GRC 5.3? How does it differ from the previous one?
5. What issues did you face in ERM & CUP after go-live?
6. Can we change single roles, objects & profile descriptions through mass maintenance of roles? If yes, how?
7. What are the prerequisites for creating a workflow for user provisioning?
8. How will you control the GRC system if you have multiple rulesets activated?
9. Can we view the changes to a role, made in PFCG, through GRC?
10. How will you mitigate a user against an authorization object which is decided as sensitive by Business?
11. Give an example of SOD with object-level control & also decide the risk implication from the technical standpoint.
12. Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
13. What's the use of a Detour path? How does a Fork path differ from a Detour path?
14. How can you enable the self password reset facility in GRC?
15. Can we have customized actions for creating request types in CUP?
16. Which SOX rules got inherited in SAP GRC?
17. How many types of background job are you familiar with? Why are the Role/Profile & User Sync. jobs required?
18. From where can we change the default expiration time for mitigating controls? What's the default value for the same?
19. How will you do the mass import of roles in GRC?
20. Explain the total configuration & utility of SPM.
21. Can we create Logical systems in GRC? If yes, how, & what can be the advantages & disadvantages of the same?
22. Can we have different sets of number ranges activated for request generation?
23. Explain how we can create derived roles in ERM. What will be the significant changes in methodology for creating composite roles?

GRC is a tool that helps improve controls. From a security perspective it automates monitoring of SoDs, allows automated provisioning of emergency access and automation of the user provisioning process.

Security Q's:
Explain the authorisation concept in detail
Explain how config relates to security
Explain why SU53 is not always accurate

GRC Q's:
Explain in detail how the different components of the Access Controls suite integrate with each other
Explain the key problem areas in implementation of RAR
Explain the key problem areas in implementation of CUP


Some SAP Security Questions:
1. How does a transaction code work?
2. Can we set any password limitations/exceptions in SAP? If yes, how?
3. What's the basic difference between SU22 & SU24?
4. What exactly is SU25? What's the significance of its 2a, 2b, 2c & 2d sections?
5. Other than SU53, how can you get missing authorisation details?
6. How can we reset the password for 1000 users in one shot? Is it possible?
7. Is it possible to derive a role which does not have any t-code but has some manually entered authorization objects? If yes, how?
8. Can we reset our own SAP password? Please note, you don't have SU01's authorization.
9. Suppose my Dev system has 3 clients. In one of the clients, I'm making some changes in a tcode. Will the changes get reflected in the other clients also? If yes, how?
10. Through which tcode can I do a mass user comparison? What's the daily background job for the same?
11. What do the PRGN_STAT & TCODE_MOD tables consist of?
12. What do we check through SM50 & SM51?
13. Which are the necessary objects for controlling the t-code SU01?
14. Can we give display access for DEBUGGING to a user? If yes, how?
15. What are the SAP default Service users & what are their default passwords? What password does the system by default generate for these Service Users while installing a new client within the system?
16. From where can we create a new Authorization field?
17. Is it possible to assign an ABAP role to a Portal user? If yes, how?
18. How can we gain control over Infotypes?
19. Why do we have to generate the profile again after saving the authorization data during role creation/modification?
20. When does a profile become an 11-character string?
21. How can we find out the roles that got directly generated in Production & not imported from the Quality System? Please note, you don't have any Quality user id.
22. How can CUA help from the Management standpoint of a Business having SAP installed?


Answers to Security Questions:

1. How does a transaction code work?
Ans. When a TCODE is accessed, the main authorization object S_TCODE is checked for the field TCD. The following sequence specifies the order of controlling objects in SAP:

1. The Client field is used to allow working only on the client-specific data; subsequent changes in SCC4 allow working on cross-client and Rep objects. It is not possible to work with other clients' data.
2. User ID and password are checked.
3. Access is controlled using SM01 (the transaction code is locked for every user globally). Example: SCC4, SE03, SE06, SE38, SE37 are locked.
4. S_TCODE is maintained to access the transactions. The authorization object S_TCODE is checked to see whether the user has access to this transaction. All transactions are checked against this authorization object (S_TCODE). If the entries are not available in this authorization object, the user is denied access and it is documented in SU53 (Missing Authorizations).
5. Checks for the minimal authorizations in the table TSTCA (TSTC is the table for transaction codes). TSTCA provides authorizations for transactions. The TCode check determines whether the TCode is assigned or not; if the TCode is assigned, the user is allowed into that transaction. But in order to execute, there are minimal authorizations that are assigned to the TCode in table "TSTCA". For example, for TCode "SU01", S_USER_GRP has to be maintained with authorization field and activity (Class and ACTVT).
6. Checks the transaction SU24 for assigned authorization objects. It displays the list of authorization objects that are assigned to a transaction.
7. Checks the "authority-check" command in the programs (custom code or SAP standard code which contains the command authority-check followed by Authorization Object, Authorization Field, Activities and Field Values).

Note: The allowed authorizations are displayed in SU56 and the current missing authorizations are displayed in SU53. Each action is defined in table TACT (table actions/activities).
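The check order in answer 1, as an added example that is not part of the original document and is not SAP code: a small Python model of steps 3 to 7 with constructed tables and users. Steps 1 and 2 (client and logon) are assumed to have passed; the names `SM01_LOCKED`, `PROGRAM_CHECKS`, `CHECK_DISABLED`, `User`, `start_transaction`, the t-code `ZREPORT` and the object `Z_REGION` are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: illustrative values, not read from any SAP system.
SM01_LOCKED = {"SCC4", "SE06"}                     # step 3: t-codes locked for everyone
TSTCA = {"SU01": ("S_USER_GRP", {"ACTVT": "03"})}  # step 5: minimal authorization per t-code
PROGRAM_CHECKS = {                                 # step 7: authority-check calls in the program
    "SU01": [("S_USER_GRP", {"CLASS": "FINANCE", "ACTVT": "02"})],
    "ZREPORT": [("Z_REGION", {"REGION": "EMEA", "ACTVT": "03"})],  # hypothetical custom t-code
}
CHECK_DISABLED = {("ZREPORT", "Z_REGION")}         # step 6: check indicator switched off


@dataclass
class User:
    name: str
    # One entry per authorization: (object, {field: set of allowed values}); "*" = any value.
    authorizations: list = field(default_factory=list)
    last_failed_check: Optional[tuple] = None      # models what SU53 would display

    def has(self, obj, required):
        """True if ONE authorization of `obj` covers every required field value."""
        for auth_obj, values in self.authorizations:
            if auth_obj == obj and all(
                "*" in values.get(f, ()) or v in values.get(f, ())
                for f, v in required.items()
            ):
                return True
        self.last_failed_check = (obj, required)   # remember the most recent failure
        return False


def start_transaction(user, tcode):
    """Return (allowed, deciding_step), following steps 3 to 7 of the answer."""
    if tcode in SM01_LOCKED:                       # a lock beats any authorization
        return False, "SM01 lock"
    if not user.has("S_TCODE", {"TCD": tcode}):
        return False, "S_TCODE"
    if tcode in TSTCA and not user.has(*TSTCA[tcode]):
        return False, "TSTCA"
    for obj, required in PROGRAM_CHECKS.get(tcode, []):
        if (tcode, obj) in CHECK_DISABLED:         # switched-off checks are skipped
            continue
        if not user.has(obj, required):
            return False, "AUTHORITY-CHECK"
    return True, "started"


def demo():
    """Run constructed users through the model and collect the outcomes."""
    admin = User("ADMIN", [("S_TCODE", {"TCD": {"*"}}),
                           ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"*"}})])
    helpdesk = User("HELPDESK", [("S_TCODE", {"TCD": {"SU01", "ZREPORT"}}),
                                 ("S_USER_GRP", {"CLASS": {"HR"}, "ACTVT": {"02", "03"}})])
    clerk = User("CLERK", [("S_TCODE", {"TCD": {"SU01"}})])
    return {
        "admin SCC4": start_transaction(admin, "SCC4"),
        "admin SU01": start_transaction(admin, "SU01"),
        "helpdesk SU01": start_transaction(helpdesk, "SU01"),
        "helpdesk ZREPORT": start_transaction(helpdesk, "ZREPORT"),
        "clerk SU01": start_transaction(clerk, "SU01"),
        "clerk ZREPORT": start_transaction(clerk, "ZREPORT"),
        "helpdesk SU53": helpdesk.last_failed_check,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The helpdesk user passes S_TCODE and the TSTCA minimum for SU01 but fails the program's own check for user group FINANCE, which is the failure the model records as the SU53 entry.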

2. Can we set any password limitations/exceptions in SAP? If yes, how?
Ans. Yes, we can, using security parameters. For that we have to set the parameters in RZ10, like:
login/failed_user_auto_unlock
login/fails_to_session_end
login/min_password_letters
login/min_password_lng
login/min_password_digits
login/min_password_uppercase
login/min_password_lowercase
login/min_password_diff
login/min_password_specials
login/no_automatic_user_sapstar
login/disable_multi_gui_login
login/multi_login_users
login/system_client
etc.

3. What's the basic difference between SU22 & SU24?
Ans- SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The profile generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the SAP standard values as shown in SU24. With SU25 one can (initially) transfer the USOBT values to the USOBT_C table.

4. What exactly is SU25? What's the significance of its 2a, 2b, 2c & 2d sections?
Ans- USOBT contains the list of transactions and their associated authorization objects. USOBX contains the list of transactions vs. authorization objects and check indicators.
Note: Run only once to fill the customer tables; if it is run more than once, it sets the customer tables to default values.
Execute SU25. The two tables USOBT and USOBX are SAP standard tables which maintain the SAP standard authorizations. Customers are not allowed to modify these two tables, so they are advised to copy these standard tables into the customer tables USOBT_C and USOBX_C. If modification is performed on the standard tables, the changes are lost during upgrade.
As part of the SAP system post-initialization, transaction SU25 is executed → select the option 01 → Initially fill the customer tables → under Profile Generator Installation.

2. A. Preparation: Compare with SAP values
This step will provide the delta between the SAP® standard tables USOBT and USOBX and the respective custom tables USOBT_C and USOBX_C. The changes from the SAP® standard tables will be updated in the custom tables. To transport these tables you have to perform step 3 later on.

2. B. Compare Affected Transaction
In this step an overview of affected transactions will be displayed that were maintained by the customer in SU24 [maintaining SU24 for SAP® standard], and have now been updated by SAP® with the upgrade. It can be determined whether the customer-specific entries are to be kept or to be adapted based on the SAP® suggestions that come in with the upgrade.

2. C. Roles To Be Checked
This step will provide an overview of the roles that are actually affected by the upgrade. The roles can be worked on individually according to prioritization, and can then be transported.

2. D. Display Changed Transaction Codes
Sometimes SAP® transactions are replaced or become obsolete. This step will provide the necessary overview. By double-clicking, the affected transactions can be replaced by SAP® suggestions.

3. Transport of Customer Tables
This step will allow you to transport the changes performed in 2.A. and B. The tables mentioned above will be completely transported [not only the delta].

5. Other than SU53, how can you get missing authorisation details?
Ans. You can use the trace function, ST01: you can trace the user activity and from the log you can see the missing authorization. Start an authorization trace using the ST01 transaction and carry out the transaction with a user who has full authorizations. On the basis of the trace, you can see which authorizations were checked.

6. How can we reset the password for 1000 users in one shot? Is it possible?
Ans. Using the SCAT program.

7. Is it possible to derive a role which does not have any t-code but has some manually entered authorization objects? If yes, how?
Ans. No, it's not possible, because it never carries the manually added authorization objects.

8. Can we reset our own SAP password? Please note, you don't have SU01's authorization.
Ans. Yes, using the SU3 tcode.

9. Suppose my Dev system has 3 clients. In one of the clients, I'm making some changes in a tcode. Will the changes get reflected in the other clients also? If yes, how?
Ans. If it's a standard tcode, the changes will be reflected (changes to cross-client objects will happen, but changes to client-specific objects won't be reflected).

10. Through which tcode can I do a mass user comparison? What's the daily background job for the same?
Ans. User Comparison/User Master Reconciliation: The roles which are assigned to the user are not effective until a user comparison is performed. It is performed by the following means:
1. During assignment of roles to the users, by selecting the option USER COMPARISON.
2. Execute transaction PFUD (profile update) so that user master records are reconciled.
3. The above two options consume more time when they run in peak hours, so it is recommended to schedule the report PFCG_TIME_DEPENDENCY. Execute transaction SA38 → specify the report name PFCG_TIME_DEPENDENCY → schedule it to run in background mode. This report reconciles the user master records.

11. What do the PRGN_STAT & TCODE_MOD tables consist of?
Ans. The transport that is created from performing each step of SU25 contains the following tables:

PRGN_STAT
SMENAKTNEW
SMENAKTT
SMEN_DATES
SSM_LANGU
TCODE_MOD
USOBT_C
USOBX_C

12. What do we check through SM50 & SM51?
Ans: SM50: local work process overview. SM51: global work process overview. When doing a system trace, we can check in SM51 which app server the user is logging in to.

13. Which are the necessary objects for controlling the t-code SU01?
Ans. S_USER_GRP, S_USER_PRO, S_USER_AUT

14. Can we give display access for DEBUGGING to a user? If yes, how?

15. What are the SAP default Service users & what are their default passwords? What password does the system by default generate for these Service Users while installing a new client within the system?
Ans: Default users: DDIC, SAP*. Default passwords: master password, pass.

16. From where can we create a new Authorization field?
Ans. In tcode SU20. Authorization field: it is a field, or a data element in the database tables, that needs to be protected. Example: PO, Material Number, Username etc.

17. Is it possible to assign an ABAP role to a Portal user? If yes, how?

18. How can we gain control over Infotypes?

19. Why do we have to generate the profile again after saving the authorization data during role creation/modification?
Ans. While modifying a role, the values which we give in the role are reflected to the user only after generating the profile. That is why we have to do it.

20. When does a profile become an 11-character string?

21. How can we find out the roles that got directly generated in Production & not imported from the Quality System? Please note, you don't have any Quality user id.

22. How can CUA help from the Management standpoint of a Business having SAP installed?
Ans. By using CUA we can maintain the users from a central system or client.

1) Explain to me about your SAP career.
2) Tell me your daily monitoring jobs and the ones you worked on most.
3) Which version of SAP are you working on? Is it a Java stack or ABAP stack?
4) Tell me about derived roles.
5) What is the main difference between a single role and a derived role?
6) Do S_TABU_DIS org level values in a master role get reflected in the child role?
7) Tell me the steps to configure CUA.
8) Is RAR a Java stack or ABAP stack?
9) What is the report which states the critical T-codes? And what is the T-code?
10) What is the T-code to get into RAR from R/3?
11) Explain about SPM.

4) Tell me about derived roles.
Ans: Derived roles: to restrict the user access based on organizational level values. A derived role will be inherited by the master role and inherits all the properties except org level values.

5) What is the main difference between a single role and a derived role?
Ans: Main difference: we can add/delete the tcodes for the single roles but we can't do it for the derived roles.

6) Do S_TABU_DIS org level values in a master role get reflected in the child role?
Ans: If we adjust the derived roles in the master role while updating the values in the master role, then the values will be reflected in the child roles.

10) What is the T-code to get into RAR from R/3?
Ans: /virsar/ZVRAT

11) Explain about SPM.
Ans: SPM can be used to maintain and monitor the super user access in an SAP system. This enables the super-users to perform emergency activities and critical transactions within a completely auditable environment. The logs of the SPM user IDs help auditors in easily tracing the critical transactions that have been performed by the Business users.

Ans 1) Elaborate on your complete SAP experience and yes, be true with them.

Ans 2) As a part of my daily job as an SAP Security consultant, I have to take care of ticket monitoring and assigning tickets within the team. I have to take care of critical incidents and emphasize them as high priority for their faster resolution. I have to troubleshoot different authorization issues that come up in daily work with the users.

Ans 3) You have to check this with your systems.

Ans 8) RAR is Java stack. It was ABAP when it was called Compliance Calibrator.

Ans 9) RSUSR005

1) What does the Profile Generator do?
2) What is the main purpose of the Parameters, Groups & Personalization tabs in SU01?
3) Purpose of Miniapps in PFCG?
4) What happens to change documents when they are transported to the production system?
5) What are the issues you faced with UME?
6) What is the ticketing tool that you are using in your organisation? Explain.
7) What do you know about LSMW?
8) Difference between SU22 and SU24?
9) What is the landscape of GRC?
10) What is the difference between a Template role & a Derived role?

1. We can create roles, transport, copy, download and make modifications; all these things are done from the PFCG t-code.

2. Parameters: whenever a user wants some default values when he/she executes the t-code, we can maintain some PIDs by taking the help of ABAPers.

Group: based on user roles and responsibilities, the security admin can assign the user to a particular group.

Personalization: this data is provided by SAP itself based on the t-codes which are maintained at the menu tab.

3. Using mini apps we can add some third-party functionality.

6. Remedy tools and some company-internal tools are used for getting issues from the client side.

7. LSMW is used for creating a large number of users at a time.

8. SU22 maintains standard t-codes and their standard authorisation objects (USOBX and USOBT).

SU24: here we can maintain customer-related t-codes and their authorisation objects (USOBX_C and USOBT_C).

9. GRC landscape: development and production.

9. Template role: it is provided by SAP itself. Derived role: a role which is derived from a master role; it can inherit the menu structure, t-codes and all, but it can't inherit the organisation levels; here we can maintain organisation levels only.

4) Change documents cannot be displayed in transaction 'SUIM' after they are transported to the production system because we do not have the 'befor input' method for the transport. This means that if changes are made, the 'USR10' table is filled with the current values and writes the old values to the 'USH10' table beforehand. The difference between both tables is then calculated and the value for the change documents is determined as a result. However, this does not work when change documents are transported to the production system. The 'USR10' table is automatically filled with the current values for the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do not have a 'befor input' method to fill the 'USH10' table in advance for the transport.

What is the difference between PFCG, PFCG_TIME_DEPENDENCY & PFUD?

PFCG is used to create, maintain and modify the roles. PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user comparison, but the difference is that if you set the background job on a daily basis it will do the mass user comparison automatically.

What is the maximum number of profiles in a role?
What is the maximum number of authorization objects in a role?
What is the maximum number of authorizations in an object?

312 profiles in a role, 150 authorization objects, not more than 10 authorization fields in an object.

Please correct me if I am wrong.

Q) If you are using 10 firefighter IDs at a time, how will the log reports go to the controller?
Q) What is a ruleset? And how to update a risk ID in the rule set?

Q) What is the procedure for role modifications? Explain with an example.

Q) Who will do the user comparison?

1) Log reports are sent through (mail, workflow or log display); these are available at the options tab when we are assigning FIDs in the controller tab.

2) That which contains (business process, risks, function and action, authorisations) is known as a rule set.

User comparison:

This is done whenever a role is already assigned to users and changes are made in that role. In order to get the changes adjusted in the roles, user comparison is done.

Also, during indirect assignment of roles to users using t-codes PO13 and PO10, we have to do user comparison so that the roles get reflected in the SU01 record of the user.

Generally this task is done by the PFCG_TIME_DEPENDENCY background job, which runs once daily so that roles are adjusted after running this report.

If changes are to be reflected immediately, user comparison is recommended.

What are the critical Tcodes and Authorization Objects in R/3?

pfcg n su01
rz02 n rz03

What are the prerequisites we should take before assigning sap_all to a user, even when we have approval from the authorization controllers?

The prerequisites are as follows before assigning sap_all to any user:

1. Enabling the audit log, using the SM19 tcode.

2. Retrieving the audit log, using the SM20 tcode.

This process is followed when you are not implementing GRC in your system.

I have deleted a single role from a composite role; now I want to find out the changes in the composite role without using SUIM. Is there any other possibility?

Yes, it is possible from the role screen itself.

Go to the menu tab.

Go to Utilities ---> Change documents.

What is the difference between SU25 & SU24? When we can make the authorization checks in SU25, then what is the use of SU24?

T-code SU24 is used to select the check objects and default values for an authorization when any t-code or report is added to a role. On the other hand, t-code SU25 is used at the time of a system upgrade to perform the actions below:
1) Initially fill the customer tables by copying from the SAP tables.
2) Compare the corresponding values between the SAP tables and the customer tables.
3) Find out which new t-codes are moved to the Production system during the upgrade.
4) Find out all t-codes whose name has been changed in the upgrade; let's say ST03 is now called ST03N.

Why are we using the landscape in SAP R/3?

SAP systems are used in large industries where daily transactions are carried out at large scale. In order to avoid any effect on the production system directly because of a change, and to avoid the blockage of business processes, we are using a landscape in R/3.

Please rectify if my answer is not valid.

How to create a SCAT program for any mass upload purpose?

SCAT is similar to LSMW/BDC for uploading/updating data in SAP from a legacy system.

The differences between SCAT and LSMW:

LSMW and SCAT have different functionalities and different advantages, but the common thing is that they are used for data upload.

SCAT is mainly used as a testing tool for follow-on transactions, i.e. Purchase Requisition, Purchase Order, Goods Receipt etc.

Whereas LSMW is used for master data (Materials, Customer, Vendor, BOM, Info record etc.) and some of the transaction data (Purchase order, purchase requisition).

Many standard objects are available in LSMW, so most consultants use LSMW, but again it depends on the requirement.


Writing a CAT script to create a user:

1 Recording a test case

1.1 To record a test case, call Transaction SCAT and enter test case Zuser_creat.
- Do not choose Enter.
- Choose Test Case → Record Transaction. Enter Transaction SU01, and choose Record/Enter.
- The system runs Transaction SU01.
- Enter the user name TESTZ and choose Create.
- Enter the user's title, first name ZEBRA and the last name TEST.
- Select the Logon data tab, enter init as the initial password, and repeat the password; for profile select sap_all, then choose Save.
- Go back a screen and in the dialog box displayed, select End recording.
- A message is displayed stating that the recording has ended.
- Enter the test case title User maintenance.
- In the field Component, enter BC-SEC-USR.
- Save the test case.
- In the field package class, enter $TMP.
- Choose Save to save the attributes.
- To save the test case functions, go back.

2 Entering parameters for a test case

2.1 To define parameters for a test case, call Transaction SCAT.
- Enter the test case name Zuser_creat.
- Select Functions and choose Change.
- Double-click on TCD.
- Then double-click on program SAPLSUU5 screen 0050 (first appearance of this program).
- The first screen of Transaction SU01 is displayed. (If you backed out, enter the procedure name again and double-click on TCD.)
- Double-click on the user name field. In the field Param. name, enter an "&", and choose Copy/Enter.
- Choose Next screen and double-click the last name. In the field Param. name, enter an "&" and choose Copy/Enter.
- Go back until the Save folder appears, and choose Save.

3 Creating and using an external variant for the test case

3.1 To export the default parameters into a frontend file, in the test case, select Goto → Variants → Export Default. Note: The default file name is <the name of your test case>.txt. Do not change the default values.

3.2 Open the file with Excel, edit it and add another couple of users, and save the text file.

3.3 To execute the test case using the external variant from file, from the initial CATT screen, enter the test case name and choose Execute. In the field Variants, select External from file and choose Choose. Select the file created above, and choose Open. Under Processing mode, select Errors, and choose Execute. Note: When you use this method, the file must be imported each time the test case is executed (the file remains only on the PC).