SAP security involves all the tools, processes, and controls set in place in order to restrict what users can access within an SAP landscape. This helps ensure that users only can access the information they need to do their job, while keeping them away from sensitive procedures and confidential information like financial records, which pose the risks of fraud, data breaches and compliance violations.
What is SAP Security?
SAP Security is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. It covers authentication methods, database security, network and communication security, protection of standard users, and other best practices that should be followed in maintaining your SAP environment. In an SAP distributed environment, there is always a need to protect your critical information and data from unauthorized access. Human errors and incorrect access provisioning should not allow unauthorized access to the system, and there is a need to maintain and review the profile policies and system security policies in your SAP environment.
Can you explain SNC in SAP Security?
Secure Network Communication (SNC) can be used to log on to an application server using a secure authentication method. You can use SNC for user authentication via SAP GUI for Windows or over an RFC connection. SNC uses an external security product to perform the authentication between the communication partners; you can use security measures such as a public key infrastructure (PKI) and procedures to generate and distribute key pairs.
What is SSO in SAP Security?
Single Sign-On (SSO) is one of the key concepts: it allows you to log on to one system and then access multiple systems in the back end. SSO allows the user to access software resources across SAP systems in the back end.
What is SAP Internet Transaction Server?
SAP Internet Transaction Server (ITS) was SAP's first approach to extending business applications to a Web browser or the Internet by converting SAP dynpro screens into HTML format, making it possible to access SAP systems with user-friendly Web technology. As a middleware component, SAP ITS provides Web access for several SAP products such as SAP ERP, SAP Supplier Relationship Management (SRM), SAP Employee Self Services (ESS) and SAP Enterprise Buyer Professional (EBP).
What is SAP Cryptographic Library?
The SAP Cryptographic Library is the default security product for performing encryption functions in SAP systems. For example, you can use it for providing SNC. The SAP Cryptographic Library provides the entire functionality defined in the standard interface of the Generic Security Services Application Programming Interface Version 2 (GSS-API V2).
What is a T-code?
T-code stands for Transaction Code. A transaction code consists of letters, numbers, or both. You enter transaction codes in the command field. You use a transaction code to go to any task in an SAP application faster. By entering a transaction code instead of using the menu, you go to a task and start the function in a single step.
What are some SAP Security T-codes?
SAP Security transaction codes and their descriptions:
- PFCG: Maintain roles using the profile generator
- PFUD: User master comparison in dialog
- SCC8: Data exchange at operating system level
- SCC9: Remote client copy between clients in different systems; data exchange over the network
- RZ10: Profile configuration
- RZ11: Maintain profile parameters
- SCCL: Local client copy between clients on the same system
- SE43: Maintain and display area menus
- SE84: Information System for SAP R/3 Authorizations
- SECR: Audit Information System (obsolete)
- SM01: Lock transactions from execution
- SM02: System messages
- SM04: User overview
- SM12: Display and delete locks
- SM13: Display update records
- SM18: Reorganize the Security Audit Log
- SM19: Security audit – configuration
- SM20: Security audit – reporting
- SM21: System log
- SM30: Create table authorization groups and maintain their assignment to tables
- SM35: Batch input monitoring
- SM50: Work process overview
- SM51: List of SAP servers
- SM59: Display/maintain RFC destinations
- SMLG: Maintain logon groups
- ST01: System trace
- ST02: Setups/tune buffers
- ST05: Performance trace
- ST11: Display developer traces and error log files
- ST22: ABAP/4 runtime error analysis
- STMS: Transport Management System
- SU01: Create and maintain users
- SU01D: Display users
- SU02: Maintain authorization profiles (manual profile creation)
- SU03: Manual creation of authorizations
- SU05: Maintain Internet users
- SU10: Mass user maintenance
- SU20: List authorization fields
- SU21: List object classes and authorization objects
- SU22: Maintain authorization defaults (SAP)
- SU24: Maintain check indicators and templates
- SU25: Initial fill of the customer tables
- SU3: Set address and default parameters
- SU53: Display the last authority check that failed
- SU56: Display/analyze the user buffer
- SUGR: Maintain user groups
- SUIM: User Information System
- SUPC: Mass generation of role profiles
- SWDC: Workflow definition: administration
- RSSM: Authorizations for reporting
- PB10: Initial entry of applicant master data
- OOSB: User (structural authorization)
- OOAC: HR authorization main switch
- TPM13: Treasury Ledger: flow list
- SE17: General table display
- CRMD_BUS2000126: Maintain activities (CRM)
- SODS: SAPoffice: LDAP browser
- CF00: Production resources/tools master menu
- RSUSR003: Check standard user passwords
What are the most used tables in SAP?

| Table | Description | Functional Area |
| --- | --- | --- |
| MARA | General Material Data | Logistics – Material Master |
| VBAK | Sales Document: Header Data | SD – Sales |
| EKPO | Purchasing Document Item | MM – Purchasing |
| VBAP | Sales Document: Item Data | SD – Sales |
| MARC | Plant Data for Material | Logistics – Material Master |
| EKKO | Purchasing Document Header | MM – Purchasing |
| MSEG | Document Segment: Material | MM – Inventory Management |
| BKPF | Accounting Document Header | FI – Financial Accounting |
| KNA1 | General Data in Customer Master | Logistics – Customer Master |
| LFA1 | Vendor Master (General Section) | FI – Financial Accounting |
| VBRK | Billing Document: Header Data | SD – Billing |
| MAKT | Material Descriptions | Logistics – Material Master |
| SFLIGHT | Flight | Basis – ABAP Workbench, Java IDE and Infrastructure |
| VBRP | Billing Document: Item Data | SD – Billing |
| SPFLI | Flight Schedule | Basis – ABAP Workbench, Java IDE and Infrastructure |
| MKPF | Header: Material Document | MM – Inventory Management |
| LIPS | SD Document: Delivery: Item Data | Logistics Execution – Shipping |
| TADIR | Directory of Repository Objects | Basis – Transport Organizer |
| MARD | Storage Location Data for Material | Logistics – Material Master |
| LIKP | SD Document: Delivery Header Data | Logistics Execution – Shipping |
| T001 | Company Codes | FI – Financial Accounting |
| CDHDR | Change Document Header | Basis – Change Documents |
| BSID | Accounting: Secondary Index for Customers | FI – Financial Accounting |
| TSTC | SAP Transaction Codes | Basis – ABAP Runtime Environment |
| EBAN | Purchase Requisition | MM – Purchasing |
What are the different types of SAP Security Tables?
USR Tables:
- USR01 User master record (run time data)
- USR02 Logon data (Kernel-side use)
- USR03 User address data
- USR04 User master authorizations
- USR05 User master parameter ID
- USR06 Additional data per user
- USR06SYS System Specific User classification
- USR07 Object/value of last authorization check
- USR08 Table for user menu entries
- USR09 Entries for user menu (work areas)
- USR10 User master authorization profiles
- USR11 User master texts for authorization profiles (USR10)
- USR12 User master authorization values
- USR13 Short texts for authorizations
- USR14 Sur-chargeable Language Versions per user
- USR15
- USR16 Values for variable for user authorizations
- USR20 Date of last user master reorganization
- USR21 Assign user name address key
- USR40 Table for illegal passwords
- USR41 User master additional data
- USRVAR Variants for critical authorizations
- USH02 Change history for Logon data
- USGRP User groups
- USER_ADDR Address data for users
- USOBT Relation transaction to authorization object (SAP)
- USOBX Check table for USOBT
- USOBT_C Relation transaction to authorization object (customer)
- USOBX_C Check table for USOBT_C
AGR Tables (Related to roles):
- AGR_1250 Authorization data for the activity group
- AGR_1251 Authorization data for the activity group
- AGR_1252 Organizational elements for authorizations
- AGR_USERS Assignment of roles to users
- AGR_TCODES Assignment of roles to t-codes
- AGR_AGRS Roles in the composite roles
- AGR_DEFINE Role definition/single and derived roles
- AGR_1016 Name of the activity group profile
- AGR_PROF Profile name for role
- AGR_OBJ Assignment of Menu nodes to role
- AGR_TIME Time stamp for role (including profile)
Developer Key Table:
- DEVACCESS Table for development users – developer keys
Transport Requests:
- E070 Change & transport system: Header of requests/tasks
- E071 System: Object entries of requests/tasks
Email id for users:
- ADR6 E-mail addresses of SAP users
Other Tables:
- TDDAT Table authorization group to Table relation
- TBRG Table authorization groups
- TRDIR Program to authorization group relation
- T000 List of defined clients
- TSTC List of t-codes
- TPARA List of parameter ids
- TOBJ Authorization objects
- TACT Available activities in SAP system
- RFCDES Remote function call destinations
- DBTABLOG Log records of table changes
Can you explain SAP System transactions?
SAP system transactions may be defined to run as any of the following Internet applications:
- Web transactions (IACs)
- WebRFC or WebReporting
Transactions that are delivered with the SAP system are defined in one of the categories listed above. When developing your own transactions, develop them according to the needs of the transaction. For example, when defining Web transactions, you can change the screen layout to meet your own needs.
Defining Web Transactions (IACs)
SAP system transactions may be accessible as IACs (also known as Web transactions). In this case, the executed transaction finds all of the information it needs for the front-end presentation layer in its own service file and templates. This includes the transaction code that must be started in the SAP system (defined with the parameter ~transaction in the service file).
Declaring Services that Use WebRFC
The ITS also supports RFC-based access to the SAP system using WebRFC or WebReporting, which is based on WebRFC. Only those WebRFC or WebReporting modules that have been specifically developed for an Internet access scenario can be accessed from the Internet.
Can you explain Network topology in SAP Systems?
The physical network architecture depends entirely on the size of your SAP system. An SAP system is commonly implemented with a client-server architecture, and each system is commonly divided into the following three layers:
- Database Layer
- Application Layer
- Presentation Layer
When your SAP system is small, it may not have a separate application and database server. However, in a large system, many application servers communicate with a database server and several frontends. This defines the network topology of a system from simple to complex and you should consider different scenarios when organizing your network topology.
Can you explain Transport System-Level Security?
SAP provides the TMS (Transport Management System) as an environment for coordinated customizing and team development that protects the modification of objects and settings across an SAP landscape. Unfortunately, the TMS is a facet of the SAP enterprise that is often under-secured. When security fails at this level, it is typically because:
- System landscape settings are not properly configured.
- Repairs are freely allowed.
- There are no filters that control which objects are being transported.
- Authorizations are not completely implemented.
- Transport monitoring is not a periodic task.
Can you explain Secure Store and Forward?
SAP’s standard Secure Store and Forward provides the required support to protect SAP systems data and documents as independent data units. You can use the SSF functions to “wrap” SAP systems data in secure formats before the data are transmitted over insecure communications links. These secure formats are based on public and private keys using cryptographic algorithms. While SAP provides a Security Library (SAPSECULIB) as a software solution for digital signatures as well as standard support for SSF in certain application modules such as PDM or Archive Link, a high degree of protection is achieved only when private keys are secured using hardware devices such as smart cards.
What is SAP’s GRC?
SAP's GRC (Governance, Risk, and Compliance) offering is a complete suite of tools to control and manage risk. SAP GRC Access Control delivers comprehensive access control facilities and helps companies define and monitor Segregation of Duties (SOD), profile management, and compliance. In SAP's risk detection module, SAP's applications for Access Control detect access and authorization risks across SAP applications. Access Control also prevents new risks from entering the system.
Can you explain Internet-Level Security?
A critical component is what I call the "Internet level," which addresses the interactions that take place between an SAP system and browsers, Web servers, SAP Web Application Server, ITS, SAP EP, firewalls, and so on. When security fails at this level, it is typically because:
- Secure protocols are not properly set.
- Encryption and certificates are not used.
- Remote debugging of ITS is not disabled.
- Service files are not protected.
- Firewalls and authentication might not be properly configured.
- Security measures at Web servers are weak.
- Monitoring is scarce.
As a result you see many types of attacks on Web servers that might make systems unavailable or compromise critical information. There are thousands of Internet security incidents and break-ins reported; some of them make the CNN headlines. There are dozens of books and hundreds of Web sites covering security, hacking, and protection software. It is the job of the Basis administrator, Network administrator, and Web administrator to set in place a system design for implementing the best security measures that protect against attacks to the SAP systems that are tightly connected to the Internet. A comprehensive security strategy limits access at each of these security layers to only authorized users and/or authorized external systems.
Can you explain Protecting Public Keys?
If the security product uses an address book for holding the public keys, as in the case of the private keys, then the files must be protected from unauthorized access or modification. An alternative is to use certificates issued by a trusted Certification Authority (CA) to guarantee the authenticity of those public keys. Several countries have regulated the use of cryptography and digital signatures. However, these rules or laws frequently generate a great deal of controversy and even change. Some countries already accept digital signatures as valid proof of obligation, and therefore digital signatures can be used for secure business.
Can you explain Document Transfer-Level Security?
SAP security services must guarantee the integrity, confidentiality, and authenticity of any type of business document, such as electronic files, mail messages, and others. At this level SAP provides Secure Store and Forward (SSF) mechanisms, which include digital signatures and digital envelopes based on public key technology. These mechanisms can be deployed using external security services such as digital certificates and digital envelopes. When security fails at this level, it is typically because:
- Certificates and encryption are not used or implemented.
- Private keys are not properly protected.
- Tracing and monitoring are scarce.
As a result you see documents intercepted by unauthorized persons or access to confidential information. It is the job of the Basis administrators and expert security consultants with the help of the legal department to define and implement secure mechanisms like encryption methods for protecting the secure transfer of documents.
How Can SAP Security Be Improved?
If you understand the security components and infrastructure, there is a lot you can do to improve SAP systems security without compromising normal users' operation. You can improve security by:
- Designing and implementing a secure systems infrastructure by means of firewalls and setting password policies and parameters
- Setting the most appropriate values for security-related instance profile parameters
- Using external security products
- Establishing a security policy and efficiently communicating it
- Creating a security checklist that can be periodically tested either manually or automatically so you can evaluate the efficiency of your security policy
- Enforcing the security policy by means of logging and auditing
- Monitoring security alerts and locating threats
- Establishing a procedure for constant update of the security policies
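The items above on security-related instance profile parameters (maintained in RZ10/RZ11) and on a checklist that can be tested automatically can be combined in a small script. This is an added example, not code from the page or from SAP: the parameter names are SAP's, while the baseline thresholds and the sample profile excerpt are constructed assumptions.

```python
"""Check security-related instance profile parameters against a baseline.

Added example, not SAP code. It parses "name = value" lines as found in an
SAP instance profile (the file RZ10 maintains) and judges each listed
parameter. The parameter names are SAP's; the baseline thresholds and the
sample profile are constructed for this example.
"""
import re

# Baseline: parameter -> (predicate on the integer value, human-readable rule).
# Several parameters disable a control when set to 0, so a plain "<= limit"
# test would pass the weakest setting: each predicate names its range explicitly.
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 8, ">= 8 characters"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "1..5 failed logons"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "1..90 days (0 = never expires)"),
    "rdisp/gui_auto_logout": (lambda v: 1 <= v <= 1800, "1..1800 s (0 = no auto logout)"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "= 1 (no automatic SAP*)"),
}

# Constructed profile excerpt; '#' starts a comment line.
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
SAPSYSTEMNAME = DEV
login/min_password_lng = 10
login/fails_to_user_lock = 12
login/password_expiration_time = 0
rdisp/gui_auto_logout = 3600
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: raw string value}; later lines override earlier ones."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params

def evaluate(params, baseline=BASELINE):
    """Return {parameter: (status, actual, rule)}. A parameter absent from the
    profile is reported as 'missing': the kernel default then applies and must
    be verified separately (for example in RZ11) rather than assumed safe."""
    results = {}
    for name, (predicate, rule) in baseline.items():
        raw = params.get(name)
        if raw is None:
            results[name] = ("missing", None, rule)
            continue
        try:
            actual = int(raw)
        except ValueError:
            results[name] = ("unparsable", raw, rule)
            continue
        results[name] = ("ok" if predicate(actual) else "weak", actual, rule)
    return results

def findings(text):
    """Names of baseline parameters that are not 'ok' in the given profile text."""
    report = evaluate(parse_profile(text))
    return sorted(name for name, (status, _, _) in report.items() if status != "ok")

if __name__ == "__main__":
    for name, (status, actual, rule) in evaluate(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{status:10} {name} = {actual!r} (rule: {rule})")
```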
What is STAD?
The Business Transaction Analysis (Transaction STAD) delivers workload statistics across business transactions (that is, a user’s transaction that starts when a transaction is called [/n….] and that ends with an update call or when the user leaves the transaction) and jobs.
Can you explain Composite Role?
A composite role is a container that can collect several different roles. For reasons of clarity, it does not make sense, and is therefore not allowed, to add composite roles to composite roles. Composite roles are also called roles.
Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each required role, you can set up a composite role and assign the users to it.
The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
What is the difference between authorization object and authorization object class?
An authorization object is a group of authorization fields and is related to a particular activity, while an authorization object class groups authorization objects by functional area.
Which transaction code is used to manage lock entries?
Transaction code SM12 is used to manage lock entries.
What is the maximum number of profiles in a role and maximum number of object in a role?
Maximum number of profiles in a role is 312, and maximum number of object in a role is 150.
What is SOD in SAP Security?
SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege to access bank account details and the payment run, that person could divert vendor payments to their own account.
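The SOD scenario described above, checked over role assignments, as an added example that is not part of the original page or of SAP GRC. It assumes constructed extracts of the AGR_AGRS, AGR_USERS and AGR_TCODES tables listed earlier and a constructed one-rule ruleset; the transaction codes used for vendor master maintenance and the payment run are assumptions made for the example.

```python
"""Segregation-of-duties (SOD) check over SAP role and user assignments.

Added example, not from the page or from SAP GRC. It runs over constructed
extracts shaped like AGR_AGRS (composite -> single role), AGR_USERS (role ->
user) and AGR_TCODES (role -> transaction) and a constructed one-rule
ruleset; role names, user IDs and the rule itself are assumptions.
"""
from collections import defaultdict

# Constructed AGR_AGRS rows: (AGR_NAME, CHILD_AGR)
AGR_AGRS = [("Z_AP_CLERK", "Z_VENDOR_MAINT"), ("Z_AP_CLERK", "Z_PAYMENT_RUN")]
# Constructed AGR_USERS rows: (AGR_NAME, UNAME)
AGR_USERS = [
    ("Z_AP_CLERK", "JSMITH"),       # composite role, expanded to single roles below
    ("Z_VENDOR_MAINT", "AMILLER"),
    ("Z_PAYMENT_RUN", "BJONES"),
    ("Z_DISPLAY_ONLY", "BJONES"),
]
# Constructed AGR_TCODES rows: (AGR_NAME, TCODE)
AGR_TCODES = [
    ("Z_VENDOR_MAINT", "FK02"),     # change vendor master, including bank data
    ("Z_PAYMENT_RUN", "F110"),      # automatic payment run
    ("Z_DISPLAY_ONLY", "FK03"),     # display vendor master only
]
# Constructed ruleset: (rule id, description, side A, side B). A user able to
# run a transaction from side A and one from side B violates the rule.
SOD_RULES = [
    ("P001", "Maintain vendor bank data and run payments", {"FK01", "FK02"}, {"F110"}),
]

def single_roles(role, agr_agrs):
    """Composite roles carry no authorization data: resolve one to the single
    roles it contains. A single role resolves to itself."""
    children = {child for parent, child in agr_agrs if parent == role}
    return children or {role}

def effective_tcodes(agr_users, agr_tcodes, agr_agrs):
    """Map each user to {transaction: single role that grants it}."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_access = defaultdict(dict)
    for role, user in agr_users:
        for single in sorted(single_roles(role, agr_agrs)):
            for tcode in role_tcodes.get(single, ()):
                user_access[user].setdefault(tcode, single)
    return dict(user_access)

def find_sod_conflicts(agr_users, agr_tcodes, agr_agrs, rules):
    """Return [(user, rule id, {transaction: granting role})] per violation,
    so the report names the role assignment to remove or redesign."""
    conflicts = []
    for user, access in sorted(effective_tcodes(agr_users, agr_tcodes, agr_agrs).items()):
        held = set(access)
        for rule_id, _description, side_a, side_b in rules:
            hit_a, hit_b = held & side_a, held & side_b
            if hit_a and hit_b:
                conflicts.append((user, rule_id, {t: access[t] for t in sorted(hit_a | hit_b)}))
    return conflicts

if __name__ == "__main__":
    for user, rule_id, evidence in find_sod_conflicts(AGR_USERS, AGR_TCODES, AGR_AGRS, SOD_RULES):
        print(f"{user}: violates SOD rule {rule_id} via {evidence}")
```

Resolving composite roles first matters because a user whose composite role has not yet been compared (PFUD) still ends up with the contained single roles' transactions.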
What is Audit Information System?
The Audit Information System (AIS) is an auditing tool that you can use to analyze security aspects of the SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP system.
What is PFCG Time dependency?
PFCG time dependency is a report that is normally used for comparison of the user master. It also removes from the user master record any profiles that have expired and are no longer of use. The same action can be executed with a transaction code: the transaction code used for this is PFUD.
How can you get the user list in SAP?
We can get the user list by using SM04/AL08 transaction code.
How do you check background jobs?
Using SM37 transaction code we can check the background jobs.
What is the difference between USOBT_C and USOBX_C?
USOBT_C contains the authorization data that are relevant for a transaction. USOBX_C, on the other hand, indicates which authorization checks are executed within a transaction and which are not.
What are the different types of tabs that are present in the PFCG?
There are several important and essential tabs in PFCG:
- Description: used to document any changes made to the role, such as the addition or removal of transaction codes, changes to authorization objects, and so on.
- Menu: used to design the user menu, for example by adding transaction codes.
- Authorizations: used to maintain the authorization profile and authorization data.
- User: used to adjust the user master record and to assign users to the role.
What is the use of SU25 t-code?
The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of a system upgrade so that the values in the customer tables are updated accordingly.
How to find out who has deleted users in the system?
To find out who has deleted users in the system, first debug or use RSUSR100 to find the information. Then run transaction SUIM and download the change documents.
What are the authorization groups and how to create them?
Authorization groups are units comprising tables from a common functional area. Generally, each table is assigned to an authorization group; for this reason you need to specify the value of the authorization group when restricting access to a table in authorization object S_TABU_DIS. Authorization groups can be created using t-code SE54. The assignment of tables to authorization groups can be checked in table TDDAT.
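How S_TABU_DIS, the authorization group and TDDAT fit together, as an added example that is not from the page or from SAP. The SAP field names DICBERCLS and ACTVT and the &NC& group for tables without a TDDAT entry are real; the table-to-group entries, the group names and the user authorizations are constructed for the example.

```python
"""Simulate the S_TABU_DIS check that guards table access by authorization group.

Added example, not from the page or from SAP. TDDAT (fields TABNAME, CCLASS)
and the object S_TABU_DIS with fields DICBERCLS (authorization group) and
ACTVT (02 = change, 03 = display) are SAP's; the table-to-group entries,
group names and user authorizations below are constructed. A table with no
TDDAT entry belongs to the group &NC& (not classified), which is why a '*'
in DICBERCLS silently covers every unclassified custom table as well.
"""
from fnmatch import fnmatchcase

NOT_CLASSIFIED = "&NC&"

# Constructed TDDAT extract: TABNAME -> CCLASS (group names are constructed)
TDDAT = {
    "USR02": "ZSEC",   # logon data
    "BKPF": "ZFIN",    # accounting document header
    "MARA": "ZMAT",    # general material data
}

# Constructed S_TABU_DIS authorizations per user; each entry lists the allowed
# values for the two fields. Only the '*' wildcard form of SAP values is modelled.
USER_AUTHS = {
    "AUDITOR": [{"DICBERCLS": ["ZFIN", "ZMAT"], "ACTVT": ["03"]}],
    "CLERK":   [{"DICBERCLS": ["ZFIN"], "ACTVT": ["02", "03"]}],
    "BASIS":   [{"DICBERCLS": ["*"], "ACTVT": ["02", "03"]}],
}

def auth_group(table, tddat=TDDAT):
    """Authorization group of a table; unassigned tables fall into &NC&."""
    return tddat.get(table) or NOT_CLASSIFIED

def value_allowed(allowed_values, value):
    return any(fnmatchcase(value, pattern) for pattern in allowed_values)

def check_s_tabu_dis(user, table, actvt, user_auths=USER_AUTHS, tddat=TDDAT):
    """True when one of the user's S_TABU_DIS instances covers both the table's
    group and the requested activity (fields are ANDed within one instance)."""
    group = auth_group(table, tddat)
    return any(value_allowed(a["DICBERCLS"], group) and value_allowed(a["ACTVT"], actvt)
               for a in user_auths.get(user, []))

def users_reaching_unclassified(user_auths=USER_AUTHS, actvt="02"):
    """Review helper: users who may change tables in &NC&, i.e. every table
    that was never assigned an authorization group."""
    return sorted(u for u, auths in user_auths.items()
                  if any(value_allowed(a["DICBERCLS"], NOT_CLASSIFIED)
                         and value_allowed(a["ACTVT"], actvt) for a in auths))

if __name__ == "__main__":
    for user, table, actvt in [("AUDITOR", "BKPF", "03"), ("AUDITOR", "BKPF", "02"),
                               ("CLERK", "USR02", "03"), ("BASIS", "ZNEWTAB", "02")]:
        verdict = "granted" if check_s_tabu_dis(user, table, actvt) else "denied"
        print(f"{user} {actvt} on {table} (group {auth_group(table)}): {verdict}")
    print("can change unclassified tables:", users_reaching_unclassified())
```

The last helper is the review a practitioner runs after SE54 work: any hit there means a table that simply lacks a TDDAT entry is already changeable by that user.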
What authorization is required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
- S_USER_GRP: User Master Maintenance: Assign user groups
- S_USER_PRO: User Master Maintenance: Assign authorization profile
- S_USER_AUT: User Master Maintenance: Create and maintain authorizations
What is the use of authorization object S_TABU_LIN?
This authorization object is used to grant access to tables at row level. The values of parameters can be checked using t-code RSPFPAR: after executing the t-code, enter the parameter name and click Execute.
Questions are really good
Please post SAP GRC questions if possible