SAP Security Interview Questions And Answers

Collection of rules is nothing but rule set. There is a
default rule set in GRC called Global Rule Set.

Displays the current users Authorization Profiles available
ti the ID. Can also be used to reset their User buffer to
pick up new roles and authorizations.

Derived roles are also called as Child Roles and Master
Roles are called as Parent Roles.

Derived Roles refers to the roles that already exist. As
name indicates Derived roles are derived from other role
(Master Role).

Derived ROles inherits the menu structure and functions
included (transactions, reports, Weblinks and so on) from
the role referenced.
The default authorization values of the derived role are
that of the inherited role. The Org Levels are to be
maintained in the derived Role

This is one way to lock the users by executing Tcode EWZ5.

another way is by executing su10... authoriztion tab....
evaluate the users list......... transfer...... execute

Execute su01
You can find out a tab called system tab....
If system tab is not displayed there in su01 screen there
is no CUA is configured.

We need to login to the system the change has taken, Go to
SM20 you need to select the date and time or range in time
tab, select * in the user tab once you key in all the
inputs be sure to select the servers or instance on left
hand side and then execute.
you need to select the user master record.

You will get report for user master record, find the user
id in the list

Through Tcode SU56, We will check the users buffer

GRC Landscape is 2 system landscape,
1. SAP GRC DEV
2. SAP GRC PRD

in GRC there is no Quality system.

Execute SM37 and search for PFCG_TIME_DEPENDENCY

scheduling and administrating of background jobs can be done
by using tcodes sm36 and sm37

We can restrict autho groups via object S_TABU_DIS, first
we need to create a autho group in SE54 then assign this
autho group in a role by using the object: S_TABU_DIS.

prerequisites are follows before assigning sap_all to any
user .

1.enabling the audit log ---- using sm19 tcode.
2.retreving the audit log-----using sm20 tcode.

this process follows when your not implementing grc in your
system.

Just to say all the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03, Sm37 are some of critical t-codes.
Below are critical objects
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP

This is done when ever role is already assigned to users and changes are done in that role. In order to get the changes adjusted in the roles, user comparision is done.

Also during indirect asssignment of roles to user using t codes Po13 and po10, we have to to do user comparision, so that the roles get reflected in the SU01 record of user.

Generally this task is done PFCG_TIME_DEPENDENCY background job which runs once daily so that roles are adjusted after running this report.

If changes are to be reflected immediately, user comparison is recommended.

312 profiles in a role ,

150 authorization objects,

not more than 10 authorization fields in object,

PFCG is used to create maintain and modify the roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison but the difference is
if you set the background job daily basis it will do mass
user comparison automatically

we can create roles , transport , copy ,
download,modifications , all these thing done from pfcg t-
code.

parameters : when ever user want some defaults values
when ever he/she excute the t-code we can mainatian some
pid's by taking help of abapers.

Derived roles..To restrict the user access based on
organizational level values.
Derived role will be inherited by master role and inherit
all the properties except org level values.

Main difference--we can add/delete the tcodes for the
single roles but we cann't do it for the derived roles.