
SAP Security Interview Questions and Answers

Updated Jul 02, 2019

Following are the SAP Security FAQs:

1. What is the user type for a background job user?

Ans: 1. System User 2. Communication User

2. How do you troubleshoot problems for a background user?

Ans: Using the system trace ST01

3. There are two options in PFCG while modifying a role: Change Authorizations and Expert Mode. What is the difference between them?

Ans: Change authorization: We use this option when we create a new role and when we modify an old role.

Expert mode: i. Delete and recreate authorizations and profile

(All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.)

ii. Edit old status (The last saved authorization data for the role is displayed. This is not useful if transactions in the role menu have been changed.)

iii. Read old data and merge with new data (If any changes happen in SU24 authorizations, we have to use this.)

4. If we give organizational values as * in the master role and want to restrict the derived roles for a specific country, how do we do it?

Ans: We have to maintain the org level for the country, based on the plant, sales area, etc., in the derived role.

5. What is the table name to see illegal passwords?

Ans: USR40

6. What is the table name to see the authorization objects for a user?

Ans: USR12

7. What are two main tables to maintain authorization objects?


8. How to secure tables in SAP?

Ans: Using Authorization group (S_TABU_DIS, S_TABU_CLI) in T.Code SE54

9. What are the critical authorization objects in Security?

Ans: S_USER_OBJ, S_USER_GRP, S_USER_AGR, S_TABU_DIS, S_TABU_CLI, S_DEVELOP, S_PROGRAM

10. Difference between USOBT and USOBX tables?

Ans: 1. USOBT: Transaction vs. authorization objects

2. USOBX: Transaction vs. authorization objects check indicators

11. Use of Firefighter application

Ans: Whenever a request for new authorization comes from a user, the request goes to the firefighter owner. The FF owner provides the FF ID to the normal user, then the user (security admin) will assign the authority to those users (end users).

12. Where do we add the FF IDs to the SAP user IDs?

Ans: Go to T.Code /n/virsa/vfat >> go to the Firefighter tab, then give the FF ID to the firefighter with validity.

13. How to create FF IDs?


14. Different types of users

Ans: 1. Dialog user 2. Service user 3. System user 4. Communication user 5. Reference user

15. Different types of roles?

Ans: 1. Single role 2. Composite role 3. Derived role

16. Can a single role be used as a master role?

Ans: Yes

17. How to create a derived role?

Ans: Go to PFCG and type the role name starting with Z. Click on the create role icon. Then on the right side you will find "Derived from"; here, type the parent role name.

18. HR Security: How to create structural authorizations in HR


19. HR Security: What are the objects for HR and what is the importance of each HR object?

Ans: The P_PERNR object is used by a person to see data related to his personnel number.

P_ORGXX HR: Master Data - Extended Check

20. How to copy 100 roles from client 800 to client 900?

Ans: Add all 100 roles to one single composite role and transfer the composite role; the 100 roles will automatically transfer to the target client (using SCC1).

21. A user reports that they lost access. We check in SUIM and no change docs are found. How do you troubleshoot?

Ans: Maybe the user buffer is full or the role has expired.

22. What is the correct procedure for Mass Generation of Roles?

Ans: Using T.Code SUPC

23. What is the T.Code SQVI? What is the main usage of this SQVI?

Ans: SQVI: Quick View

24. How can we maintain Organizational values? How can we create Organizational?


25. I want to see the list of roles assigned to 10 different users. How do you do it?


  1. Go to SE16 > AGR_USERS, then enter the 10 user names
  2. Go to SUIM > Roles by complex selection > enter the user names

26. What do you mean by User Buffer? How does it work with the user's Authorizations?

Ans: User buffer means user context. It contains user-related information, i.e. authorizations, parameters, reports, and earlier accessed screens. We can see the user context using T.Code SU56.

27. What is the advantage of CUA from a layman/manager point of view?

Ans: CUA is used for maintaining and managing users centrally.

28. What is the purpose of these Org. values?

Ans: Values: They are used to restrict the user by values, e.g. sales order value (1-100) means the user can create only 100 sales orders, not more than that.

29. What is the main purpose of Parameters Groups & Personalization tabs in SU01 and Miniapps in PFCG?


  1. Parameter tab: it is used to auto-fill some of the values during the creation of orders.
  2. Personalization tab: it is used to restrict the user in selection criteria. E.g.: while selecting a pay slip, it will show only last month's pay slip by default. If you select attendances, it will show the current month by default.
  3. Miniapps: we can add some mini-applications like a calculator, calendar, etc.

30. What is the maximum number of profiles we can assign to one user?

Ans: 312

31. What is the name of a critical auth object for table access through SE16?



  • 08 Jul 2011 1:10 pm Joseph
    Dear SAP Gurus,

    Please help. My company is decentralising their HR department, therefore, we need to build derived roles for each site. Is it possible to use one set of roles but provide the restrictions to the other sites via the HR org Structure profiles (i.e. PD profiles)?

    Your assistance is greatly appreciated.