Q1. How to check table logs?
Ans. The first step is to check if logging is activated for a table using t-code SE13. If it is enabled
then we can see the table logs with the t-code SCU3.
Q2. What is a ‘role’ in SAP security?
Ans. A role refers to a group of t-codes which is assigned to execute particular tasks.
Q3. What is an ‘authorization’?
Ans. Each role in SAP requires privileges to execute a function, which is known as authorization.
Q4. How many fields can be in one authorization object?
Ans. There are 10 fields in one authorization object in SAP.
Q5. What is the difference between a role and a profile?
Ans. A role and profile go hand-in-hand. When a role is created, a profile is automatically created.
Q6. What is the difference between a single role and a composite role?
Ans. A single role is a container that collects transactions and generates an associated profile. A
composite role is a container that collects different roles.
Q7. Differentiate between authorization object and authorization object class?
Ans. An authorization object is a group of authorization fields and is related to a particular activity,
while authorization object class comes under authorization class and is grouped by function areas.
Q8. What is the maximum number of profiles and objects in a role?
Ans. In a role, the maximum number of profiles is 312 and the maximum number of objects is 170.
SAP GRC Interview Questions
What is the rule set in GRC?
A rule set is a collection of rules. There is a default rule set in GRC called the Global
Rule Set.
What is the landscape of GRC?
The GRC landscape is a 2-system landscape:
SAP GRC DEV
SAP GRC PRD
In GRC there is no Quality system.
Explain SPM.
SPM can be used to maintain and monitor super user access in an SAP system. This
enables super-users to perform emergency activities and critical transactions
within a completely auditable environment. The logs of the SPM user IDs help auditors
easily trace the critical transactions that have been performed by the business users.
What is the use of SU56?
It displays the authorization profiles available in the current user's ID. It can also be used to
reset the user buffer to pick up new roles and authorizations.
What is the use of RSECADMIN?
In SAP BI:
Reporting users: analysis authorizations are maintained using transaction
RSECADMIN, to maintain authorizations for reporting users.
RSECADMIN: to maintain analysis authorizations and role
assignment to users.
What is offline risk analysis?
The Offline Mode Risk Analysis process is performed with the help of the Risk Identification and
Remediation module in the SAP GRC Access Control Suite. Offline mode analysis helps in
identifying SOD violations in an ERP system remotely. The data from the system is exported to
flat files, which can then be imported into the CC instance with the help of the data extractor
utility.
It can also be used to remotely analyze an ERP system which may be present in a different
ERP landscape.
How can you find out whether CUA (Central User Administration) is configured on your
SAP system?
Execute SU01. You can find a tab called the system tab. If the system tab is not displayed
on the SU01 screen, CUA is not configured.
How do we test security systems? What is the use of SU56?
Through t-code SU56, we check the user's buffer.
How do we schedule and administer background jobs?
Scheduling and administration of background jobs can be done using t-codes SM36 and
SM37.
What are the critical t-codes and authorization objects in R/3?
All t-codes which can affect roles and user master records are critical ones.
SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical t-codes.
Below are the critical objects:
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP
How do we check if PFCG_TIME_DEPENDENCY is running for user master
reconciliations?
Execute SM37 and search for PFCG_TIME_DEPENDENCY.
What is a rule set, and how do you update a risk ID in a rule set?
Also, during indirect assignment of roles to users using t-codes PO13 and PO10, we must
do a user comparison so that the roles get reflected in the SU01 record of the user.
What is the difference between PFCG, PFCG_TIME_DEPENDENCY and PFUD?
PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison, but the difference is that if you set the background job
on a daily basis it will do the mass user comparison automatically.
What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that
the generated profile is not entered in the user master record until the user master records
have been compared. You can automate this by scheduling report
PFCG_TIME_DEPENDENCY on.
Do S_TABU_DIS org level values in a master role get reflected in the child role?
If we adjust the derived roles in the master role while updating the values in the master
role, then the values will be reflected in the child roles.
What is the T-code to get into RAR from R/3?
/virsar/ZVRAT
How do I change the name of master / parent role keeping the name of derived/child
role same? I would like to keep the name of derived /child role same and the profile
associated with the child roles.
First copy the master role using PFCG to a role with new name you wish to have. Then you
must generate the role. Now open each derived role and delete the menu. Once the menus
are removed it will let you put new inheritance. You can put the name of the new master
role you created. This will help you keep the same derived role name and the same profile
name. Once the new roles are done you can transport it. The transport automatically
includes the Parent roles.
What is the difference between C (Check) and U (Unmaintained)?
Background:
When defining authorizations using the Profile Generator (PG), the table USOBX_C defines which
authorization checks should occur within a transaction and which authorization checks
should be maintained in the PG. USOBX_C is the check table for table USOBT_C.
In USOBX_C there are 4 Check Indicators.
CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.
C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
Q9. How to find out who has deleted users in the system?
Ans. To find out who has deleted users in the system, first debug or use RSUSR100 to find the info.
Then run transaction SUIM and download the Change documents.
Q10. Can you change a role template? What are the three ways to work with a role template?
Ans. Yes. There are three ways to change a role template:
1. Use them as they are delivered in SAP
2. Modify them as per your needs through PFCG
3. Create them from scratch
Q11. What are the authorization objects required to create and maintain user records?
Ans. The following authorization objects are required to create and maintain user records:
S_USER_GRP: to assign user groups.
S_USER_PRO: to assign authorization.
S_USER_AUT: create and maintain authorizations.
Q12. How can you delete multiple roles from QA, DEV and Production System?
Ans. The following steps should be taken to delete all the roles from QA, DEV and Production
System:
Place the roles to be deleted in a transport.
Delete the roles.
Push the transport through to QA and production.
Q13. What is the difference between USOBT_C and USOBX_C?
Ans. USOBT_C consists of the authorization tables which contain the authorization data that is
relevant for a transaction. On the other hand, USOBX_C tells which authorization checks are to be
executed or not within a transaction.
Q14. Can you add a composite role to another composite role?
Ans. No, you cannot add a composite role to another composite role.
Q15. How can the password rules be enforced?
Ans. Password rules can be enforced using profile parameters.
Q16. What is a t-code in SAP?
Ans. A t-code (or transaction code) is used to access functions or a running program in an SAP
application.
Q17. Which t-code can be used to delete old security audit logs?
Ans. The t-code SM18 can be used to delete old security and audit logs.
Q18. What are the main tabs available in PFCG?
Ans. The main tabs available in PFCG are description, menu, authorization and user.
Q19. Which t-code is used to display the user buffer?
Ans. The t-code SU56 is used to display the user buffer.
Q20. What does a USER COMPARE do in SAP security?
Ans. USER COMPARE compares the user master record so that the generated authorization profile
can be entered in the user master record.
The above questions and answers will give you a good hint of what you can expect in an SAP
security interview.