20 Common SAP SECURITY Interview Questions and Answers Updated 2022

1. Explain what SAP security is.

SAP security means providing business users with the correct access for their authority or responsibility and granting permissions according to their roles.

2. Explain what "roles" are in SAP security.

A "role" refers to a group of t-codes assigned to execute a particular business task. Each role in SAP requires particular privileges to execute a function in SAP; these privileges are called authorizations.

3. Explain how you can lock all users at the same time in SAP.

Executing the t-code EWZ5 locks all users in SAP at the same time.

4. What prerequisites should be met before assigning SAP_ALL to a user, even when there is approval from the authorization controllers?

The prerequisites are as follows:

  • Enabling the audit log, using t-code SM19
  • Retrieving the audit log, using t-code SM20

5. Explain what authorization objects and authorization object classes are.

Authorization object: Authorization objects are groups of authorization fields that regulate a particular activity. An authorization relates to a particular action, while an authorization field lets security administrators configure specific values for that action.

Authorization object class: Authorization objects fall under authorization object classes, which are grouped by functional area such as HR, finance, accounting, etc.

6. What is the table name to see the authorization objects for a user?


7. What are two main tables to maintain authorization objects?


8. How to secure tables in SAP?

By using authorization groups (S_TABU_DIS, S_TABU_CLI) in t-code SE54.

9. What is the user type for a background jobs user?

1. System User, 2. Communication User

10. Which t-code is used for locking a transaction from execution?

T-code SM01 is used to lock a transaction from execution.

11. What is the main difference between a derived role and a single role?

For a single role, we can add or delete t-codes, while for a derived role we cannot.

12. Explain what SOD is in SAP security.

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or fraud during business transactions. For example, if a user or employee has the privilege to access both bank account details and the payment run, they might be able to divert vendor payments to their own account.

13. Which t-codes are used to see a summary of the authorization object and profile details?

SU03: It gives an overview of an authorization object

SU02: It gives an overview of the profile details

14. What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports, and web addresses.

15. What is the difference between a single role and a composite role?

A role is a container that collects transactions and generates the associated profile. A composite role is a container that can collect several different roles.

16. Is it possible to change a role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:

  • we can use them as they are delivered in SAP
  • we can modify them as per our needs through PFCG
  • we can create them from scratch.

For all of the above, we have to use the PFCG transaction to maintain them.

17. What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (despite an AUTHORITY-CHECK command being programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.

Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

18. Explain what PFCG_TIME_DEPENDENCY is.

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears expired profiles from the user master record. The transaction code PFUD can also be used to execute this report directly.

19. Explain what USER COMPARE does in SAP security.

In SAP security, the USER COMPARE option compares the user master record so that the produced authorization profile can be entered into the user master record.

20. How are authorization reports generated?

The reports should include activity by object and be accessible to all users with access.

Run SUSR_SYNC_USER_TABLES and then try t-code SUIM / report RSUSR002. Enter your object in Object 1 and press Enter. Follow the prompts.