1).what is the diff b/w adding the tcode in s_tcode
authorization object
and addind the tcode inmenu tab of pfcg?
4) What is the difference between Owner, Controller and
Administrator
in Firefighter?
2) Can you tell me why do you use S_TABU_DIS authorization
object?
3) Explain How do you restrict a particular table acces then?
5)In RAR ,What are the default Back ground Jobs?
6)Which job will update all user master records?
7)What will happen whenever we execute a t-code?
8)What is the purpose of the report RSUSR006?
9) Lets say a user is locked by admin? What value will you
see in USR02
table and in UFLAG column?
10) What will you do if the user complains that he is not
able to access a
t-code?
11)why we have to delete users ?
12)a. What is Direct role assignment and indirect role
assignment?
b. What is the process of adding a t-code to an existing role?
c. If client asked you to modify a role directly in
PRODUCTION for
emergency? Is it possible? What you will do in that situation?
d. What is the purpose of customized Transaction codes? Have you
created any custom t-codes?
13)
Answers were Sorted based on User's Feedback
Answer / lucky
).what is the diff b/w adding the tcode in s_tcode
authorization object and addind the tcode inmenu tab of
pfcg?
When you add Tcode in S_tcode, assign that role to user.
and try to login, you will see that you have access to
transaction
but you cannot see the name and desc in SAP User menu
4) What is the difference between Owner, Controller and
Administrator in Firefighter?
Owner: persson responsible for FF id
Controller: Check what activity done by the particulcar id
Adminisrtra: Admin work( Ex: lock/unlock or Check logs )
2) Can you tell me why do you use S_TABU_DIS authorization
object?
You can use this authorization object to limit users’
access authorization
users with authorization for the se16 transaction (that
is, for all Data Dictionary objects)
can only access data of the table entries defined using
this authorization object.
You can also deny system administrators specific access to
application data, for example. As soon as you have set up
this authorization object, you can edit or change only the
table entries for which corresponding authorization has
been granted explicitly by S_TABU_DIS.
3) Explain How do you restrict a particular table acces
then?
TABU_DIS _CLNT
6)Which job will update all user master records?
PFUD,PFCG_TIME_DEPENDNCY
7)What will happen whenever we execute a t-code?
a system program makes various checks to
ensure that the user has the appropriate authorization.
Is the transaction code valid? (table TSTC check).
Is the transaction locked by the system administrator?
(table
TSTC check).
Is the user authorized to call the transaction?
The authorization object S_TCODE (call transaction)
contains the
field TCD (transaction code).
The user must have an authorization with a value for the
selected
transaction code.
8)What is the purpose of the report RSUSR006?
Report RSUSR006 provides a list of all users that have been
locked
as a result of entering incorrect password in the system.
9) Lets say a user is locked by admin? What value will you
see in USR02 table and in UFLAG column?
SE16N-USR02
Wecan find the value 64 in usr02 table, UFLAG field the
user is locked , if the value is 0 the user is not locked
10) What will you do if the user complains that he is not
able to access a t-code?
Check that if he has access to that TCODE
Report SU53
11)why we have to delete users ?
Its a two question , its depends upon the process that if
we have to delete the user or not.
As per my understanding we can lock the user and not-used
(in logon tab ).
12)a. What is Direct role assignment and indirect role
assignment?
Direct assignment - SU01 Assign role
Indirect assignment - ORg level and Postion level( HR
system PO13-BOO7 sttribute)
b. What is the process of adding a t-code to an existing
role?
Execute the t_code PFCG and select what ever the role you
have then edit.
In the menu tab Click on transaction. Then add the t_code
for the role.
Base on the requirement manage the authorization. (Check in
the
authorization TAB)
c. If client asked you to modify a role directly in
PRODUCTION for emergency? Is it possible? What you will
do in that situation?
It is not recommended as per SAP Standard.
Depends upon the critcal issue of the customer.
d. What is the purpose of customized Transaction codes?
Have you
created any custom t-codes?
Go to SE93 transaction code.
Enter the transaction code (Z or Y transaction code
Double-click the program which has been associated with the
transaction code.
Click Find button in the program screen.
This will display all the strings that have Auth included.
Find out the lines
that display “Authority check” statement and identify the
authorization object.
Note: You can double-click on the line to view the specific
lines in the program.Enter “auth” in the Find text box,
select “In main program” option and click Execute.
Incase, if you don’t find any authorization objects, check
for the string “Transaction” instead of “Auth
When the program is calling another transaction, follow the
steps mentioned below:
Double-click the transaction code in the main program.
Click Find button.
Enter “auth” as the string and look for the authorization
objects associated.
Record the list of authorization objects that are used by
the call-in transaction code and ensure to include all of
them in the current role.
Parameter transaction codes
Tables in the SAP environment are treated as critical and
hence direct maintenance is not allowed in the production
systems using SM30 or SM31 transaction codes.
When a custom table (Z or Y table) requires periodic
modification by the business, a Z transaction code is
created, which is controlled via a parameter transaction,
which will call SM30 or SM31 internally and skips the
initial screen, or the application program.
They are further protected by an authorization group. The
same will be maintained using S_TABU_DIS, and S_TABU_LIN
objects.
Identifying the authorization group (S_TABU_DIS)
When the custom transaction code is a parameter
transaction, the authorization group for table should be
added to the role. Below are the steps which will help you
to identify the authorization group:
Go to SE93, and enter the tcode.
Scroll down and copy the view name:
Is This Answer Correct ? | 8 Yes | 0 No |
Answer / karunakar
Hi Rav,
This is karunakar,
As per my knowledge i am able to answer some of the
questions , If you find complete answers please mail to my
id m.karna99@gmail.com.
1. The difference is if you add the T code in s_tcode the
user will access to that t code only , To restrict the user
to specific tcode we use s_tcode.
2. We use this object to restrict the autorization groups
s_tabu_dis
7. when we execute a T code , first it will check the user
is having the access to that Tcode in S_TCODE,
9. If we find the value 64 in usr02 table, UFLAG field the
user is locked , if the value is 0 the user is not locked.
10. If user complaints that he is not accessed to tcode ,
ask the user to send his su53 report , login as user with
his user id and password check his authorizations wether he
has the accessed to that t-code or not, get the balck &
white approval from you senior authorities and assign the
missing authorizations to that t code.
Is This Answer Correct ? | 4 Yes | 2 No |
Answer / ravkadi
Sorry guys in ibm i have faced the interview for an hour and
in which i could not answer these questions so please give
me the answers.
thanks in advance
rav
Is This Answer Correct ? | 1 Yes | 0 No |
two company codes ex 1001,1002 and two users ,one user need to access both company codes and another user need to access only one company code need to access by giving same role (one role ) to both of them.how can give access or restrict company codes in one role?
can we restrict access through tcode added manually in authorisation data in creating a role?
Differentiate between derived role and composite role
How to get the list of tcodes having by all users(EX-20 users)at a time?(through SUIM or TABLE) [we can get single user through SUIM->TRANSACTIONS- >EXECUTABLE USER....but same thing i want for multiple users at a time)
in my production system there are some 20 roles created in the production system itself without following the standard procedure of creating in dev testing it qas and then moving it to prd.so how do you find out all the roles created in prd system?
SAP SECURITY Training in Hyderbad,contact 7893255000. R3 SEC,BW/BI Sec,HR SEC,SRM SEC,EP SEC,VIRSA and GRC Tools. Will provide guidance on real time concepts and profile prepartion also.
What is the latest change that was done to the SU53 trace, which is used to find the last authorization failure in SAP..???
How to create secatt script in sap step by step
How many Tcodes can be assigned to a role ?
SAP SECURITY Training in Hyderbad,contact 7893255000. R3 SEC,BW/BI Sec,HR SEC,SRM SEC,EP SEC,VIRSA and GRC Tools.
1)What does the Profile Generator do? 2)What is the main purpose of Parameters, Groups & Personalization tabs 3)in SU01? purpose of Miniapps in PFCG? 4)What happens to change documents when they are transported to the production system? 5)what are the issues you faced with UME? 6)what is the Ticketing tool that you are using in your organisation?and explain? 7)what do you know abt LSMW? 8)Difference b/w su22 and su24 ? 9)what is the landscape of GRC? 10)What is the difference between Template role & Derive role?
What r the daily activity in BI security