1. What is SAP?

SAP stands for "Systems Applications and Products in Data Processing." It was founded in
1972 by five former IBM employees in Germany.
The great advantage of SAP is, it creates a common centralized database for all the applications
running in an organization. The application has been assembled in such a versatile way that it
handles the entire functional department within an organization. Today major companies
including Microsoft and IBM are using SAP's Products to run their own businesses.
R/2, which ran on Mainframe architecture, was the first SAP version. Sap's products are
generally focused on Enterprise Resource Planning (ERP). Sap's applications are built around
R/3 system which provides the functionality to manage product operations, cost accounting,
assets, materials and personnel. The R/3 system of SAP runs on majority of platforms including
windows 2000 and it uses the client/sever model.
2. What is ERP?
ERP is a package with the techniques and concepts for the integrated management of business as
a whole, for effective use of management resources, to improve the efficiency of an enterprise.
Initially, ERP was targeted for manufacturing industry mainly for planning and managing core
business like production and financial market. As the growth and merits of ERP package ERP
software is designed for basic process of a company from manufacturing to small shops with a
target of integrating information across the company.
3. What is IDES?
IDES stands for International Demonstration and Education System. A sample application
provided for faster learning and implementation by SAP. This version is only used for training
purpose. IDES comes with some dummy data, to enable you to quickly learn SAP.
4. What are the different transactions used to create users?
User IDs in SAP can be created by following the below procedures:

Using SU01 transaction code - This transaction code is widely used in day-to-day
operations and is also used to perform other user management activities such as password
reset, user locking/unlocking etc.,
Using SU10 transaction code - This transaction code is rarely user for creating users,
due to its limitations such as Address data maintenance, pre-defined password
assignment, and role assignment. All the specified users should have the same set of
roles, and belong to the same user group.
Using SECATT (works in ECC ve rsions)/SCAT (till SAP 4.7) scripts - CATT Scripts
are widely used during the implementations and major roll-outs. Once the production
system is live, authorization to CATT scripts will be restricted.

5. What is PFCG?
PFCG is the transaction code used to invoke profile generator tool. SAP Profile Generator is a
tool which can be used to automatically generate and assign authorization profiles.
SAP profile generator reduces the time for authorization implementation. The profile generator
automatically selects authorization objects which are relevant based on the transact ion codes
added in the role. An administrator only needs to configure the customer specific settings.
Profile Generator was released with the 3.1G version of SAP and has really changed the way
authorizations were implemented in SAP.
6. What is the differe nce between USOBX_C and USOBT_C?
The USOBX_C, and USOBT_C tables are referred as Customer tables, which should be created
using SU25 transaction code in a fresh implementation or an upgrade.

The table USOBX_C defines which authorization checks are to be performed within a
transaction and also determines which authorization checks are maintained in the Profile
Generator.
The table USOBT_C defines for each transaction and for each authorization object which
default values an authorization created from the authorization object should have in the
Profile Generator.

7. What authorization are require d to create and maintain user master records?
To create/maintain users, the following are the minimum authorization objects which are
required:

S_USER_GRP: User Master Maintenance: Assign user groups

S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

8. What is a role?
A role is a grouping of privileges, which can be assigned to the users. In the other words, a role
is a collection of transaction codes, reports, and authorization objects which are further restricted
based on the function of the user.
9. What is a derived role?
A de rived role is a role which inherits the menu structure and the functions included
(transactions, reports, Web links, and so on) from a reference role. However, note that a role can
only inherit menus and functions if no transaction codes have been assigned to it before. The
higher- level role passes on its authorizations to the derived role as default values which can be
changed afterwards.

The Organizational level definitions are not inherited to the derived role, which means they
should be maintained individually.
10. What is a composite role?
A composite role is a container which can collect several different roles. It is also referred as a
collective role. Composite roles do not contain authorization data. If you wish to change the
authorizations (that are represented by a composite role), you must maintain the data for each
role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from
several roles. Instead of adding each user separately to each role required, you can set up a
composite role and assign the users to that group.
A composite role can't added to another composite role.
11. What is user comparison?
User Comparison will reconcile the PROFILES within a user's account and make the necessary
changes. This is especially true when you've assigned specific Valid-To dates for the roles on an
account. If the Valid-To (expiry) date of a role has passed, the User Comparison will REMOVE
the profile/role from that account.
As mentioned above, if you see a red button in PFCG this means that a User Comparison should
be executed to help reconcile the profiles for the users. You can also see this in SU01 if a
specific role has a red button.
As a suggestion, SAP recommends running the report PFCG_TIME_DEPENDENCY once a
day to perform a User Comparison and help 'clean up' the User Master Record for your system.
You can also do it manually using transaction code PFUD. Refer the below link for more details:
http://help.sap.com/saphelp_bw21c/helpdata/en/52/6711ec439b11d1896f0000e8322d00/content.
htm
12. What is Security?
Security is the degree of protection against danger, loss, or a business threat.
Security as a form of protection are structures and processes that provide or improve security as a
condition.
In an application level, it is the condition that prevents unauthorized persons from having access
to official information that is safeguarded through various security measures.
13. What is Application Security?

Application security encompasses measures taken throughout the application's life-cycle to

prevent exceptions in the security policy of an application or the underlying system
(vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance
of the application, .
Below are some of the Security standards and regulations:
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- IEEE P1074
- ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character
systems
14. What is SAP Security and which security standards and regulations it recomme nds?
SAP Security also follows the Application Security methods, where in the measures are taken
throughout the SAP's life-cycle to prevent un authorized access to the SAP system. It follows the
Sarbanes-Oxley Act (SOX), which helps the companies to quickly identify any threats and either
to fix them or mitigate them as and when they occur with a periodic review.
Maintaining the system with defined processes in the User Management, Role Management
activities are also a part of these Security standards.
15. What is user buffer?
Whenever a user logs on to the SAP System, a user buffer is built containing all authorizations
for that user. Each user has their own individual user buffer. This can be viewed using
transaction code SU56
A user would fail an authorization check if:

The authorization object does not exist in the user buffer

The values checked by the application are not assigned to the authorization object in the
user buffer
The user buffer contains too many entries and has overflowed. The number of entries in
the user buffer can be controlled using the system profile parameter
auth/number_in_userbuffer.

16. How to reset the user buffe r? And also the other various buffers?
It is always recommended to make the user logoff and login again to the SAP system, whic h will
automatically reset the user buffer. However, if you wish to manually reset the buffer for any
user, go to SU53 or SU56 transaction codes, click authorization values, select "Reset User
Buffer" option.
However, if you wish to reset the buffer for a different user, select the other user using button.

Please note: resetting of the buffers could change the performance of the entire system.
Below are the various commands to reset the buffers:
/$SYNC - buffers of the application server
/$CUA - CUA buffer of the application server
/$TAB - the TABLE buffers of the application server
/$DYNP - the screen buffer of the application server
17. How many roles/profiles can be assigned to any user?
SAP doesn't restrict on the number of roles assigned. However, the maximum Profiles that can
be assigned to any user is ~ 312.
Table USR04 holds the Profile assignments for users. This table contains both information about
the change status of a user as well as the list of profile names that were assigned to the user.
The PROFS field is used to save the change indicator (C = User created, M = User changed) and
the name of the profiles assigned to the user. The field is defined with a length of 3,750
characters. Since the first two characters are for the change indicator, 3,748 characters are still
available for the list of profile namesw32 per user. Since the maximum length for each profile
name is 12 characters, the maximum number of profiles per user is 312.
Note 841612 delivered a solution for increasing the number of usable profiles per user from 300
to the maximum value of 312.
18. How can I find out all field values for ACTVT?
All possible activities (ACTVT) are stored in table TACT. Also, the valid activities for each
authorization object can be found in table TACTZ.
19. How can I check all the Organization value in a role?
Execute SE16 or SE16N transaction code. Enter the table name "AGR_1252". Enter the Role
name in the role field and hit execute.
20. How to re move duplicate roles with diffe rent start and end date from user master?
To remove duplicate roles from the user master, perform the following:
1.
2.
3.
4.

Go to SE38 (you can also use SA38 transaction code)

Enter the program name "PRGN_COMPRESS_TIMES"
Click Execute.
Enter the Role name (you can also specify a group of roles or users.)

NOTE: A list of user IDs can be specified to remove the duplicate/expired roles.

5.

Click Execute.

Simulation Run - will perform a simulation on the mentioned roles/user IDs.

21. How to change the parent role for a derived role, i.e., change the role inheritance?
It is not possible to change the inheritance of the role, once a role has inherited the properties
from a different role. The only option is to delete the derived role which is not required, and
create a new derived role with the new relation ship.
22. How to find derived roles under master roles?
To get a list of derived roles under master roles, perform the following:
1. Goto transaction code SE16 or SE16N
2. Enter the table name : AGR_DEFINE
3. Enter the master role in the second role field ( this field is in the second row) and execute
This will list out all the master & derived roles.
23. How many authorizations fit into a profile?
A maximum of 150 authorization objects fit into a profile. If the number of authorizations
exceed, the Profile Generator will automatically create more profiles for the role. Hence, the
PFCG tool either assigns a 10 character length profile name or allows to name it at a maximum
of 10 characters. The remaining 2 characters will be automatically assigned, if the # of
authorization objects are more.

24. What is the procedure to convert an Authorization field to Org field?

Authorization field can be changed to Organization field using the ABAP program
PFCG_ORGFIELD_CREATE. Below are the steps to do the same:
1.
2.
3.
4.

Goto SE38 or SA38 transaction code.

Enter the ABAP program name.
Enter the Authorization field.
Click Execute.

Use the Test mode option to identify a list of roles which are affected with this change. Also,
note that organizational level fields should only be created before you start setting up your
system. If you create organizational level fields later, you might have to do an impact analysis.
25. Can I convert ACTVT and TCD authorization fields to Org fields?

The fields "ACTVT" (activity) and "TCD" (transaction code) cannot be converted into an
organizational level field.
26. How a transaction code works?
When user executes a transaction code, the below checks will be done:

Authorization to the transaction code

Authorization objects with the required activities/field values.

The authorization for a transaction code is identified with S_TCODE authorization object.
Further, the system will check for the minimum authorization activities/values that are required.
Table TSTCA will list these minimum activities/values that are required.
27. What are the different ways to set password limitations/exceptions in SAP?
Password limitations/exceptions in SAP can be set by following the below ways:

Profile parameters
Maintaining forbidden password list in USR40 table.

A complete list of logon parameters with complete description is available in the SAP help
website:
http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/conten
t.htm
To maintaining forbidden password list, follow the below steps:
1. Goto transaction code SM30
2. Enter table USR40 and click maintain.
3. Click New entries, and maintain the character list.
NOTE: You can use ? and * wild card characters to specify a range/character.
28. Other than SU53, how can you get missing authorization details?
Missing authorization can be traced out using transaction code ST01 trace analysis also.
29. How can we reset the password for mass users?
To reset password for mass users, create a eCATT script. There is no other way that you can
follow to reset the password for mass users.
30. Is it possible to derive a role which is not having any t-code but have some manually
entered authorization objects?

No. The imparting role will only inherit the menu structures. The authorization objects that are
manually inserted will not be inherited.
31. Can we reset our own SAP password?
Yes. Every user will have the option to reset his/her own password. In the SAP logon screen
enter the user name and click the New password button.
Note that user will be able to change his/her password only once in a day.
32. I have 3 clients in my Development system. Client 100 is used for new developments,
and initial tests are carried in client 200. How the changes will be reflected in the other
clients?
The role/transaction code changes made in a specific client doesn't reflect in the other clients.
The changes made should be captured in a transport request and should be imported in the other
clients using SCC1 transaction code.
33. Through which transaction code I can do a mass user comparison? What's the daily
background job for the same?
PFUD transaction code is used to perform a mass user comparison. The daily background job
that is scheduled in the system is PFCG_TIME_DEPENDENCY. Below SAP help website
provides more information:
http://help.sap.com/saphelp_46b/helpdata/ru/52/6711ec439b11d1896f0000e8322d00/content.ht
m
If the job is not currently active, you can set up the same in PFUD transaction code.
34. Which are the necessary objects for controlling the t-code SU01?
S_USR_GRP and S_USR_AGR are the main authorization objects that control SU01
transaction code access.
35. How can I create a ne w Authorization object?
New authorization object can be created using transaction code SU21. Below are the steps:
1.
2.
3.
4.

Goto SU21 transaction code.

Click Create, Authorization Object option.
Enter Object name, Text, Class.
Enter Field names that you wish to include under the authorization object, For eg:
ACTVT, BUKRS etc.,
5. Click Save button.

NOTE: Custom field names can be created using SU20 transaction code.
36. Why the profile should be re-generated after making modifications in the role?
When changes are made in a role, the profile should be re-generated again. This will update the
profile data with the new/modified authorization objects, fields, activities, and values.
If the profile is not re- generated, the Authorizations tab will be displayed Red color.
37. How can we find out the roles that got directly generated in the Production system?
Ideally, all the roles should be modified in the Development system, and imported in the Quality
and Production systems.
However, in critical business situations, the roles are directly modified in the production system.
Further, to normalize the same changes will be carried out in Development again and transported
across the landscape.
To identify the role changes that are made directly in the production environment, you can view
the Role changes under change documents in SUIM transaction code.
38. What are the various ways to re-generated SAP_ALL profile? Why it is required?
There are two ways to re-generate SAP_ALL profile:
1.
2.

Using SU21 transaction code.

Using ABAP program AGR_REGENERATE_SAP_ALL.

SAP_ALL composite profile should be re-generated to update the profile with the new
authorization objects, values, and fields. This will also avoid the assignment of SAP_NEW
profile.
Regenerate SAP_ALL option in SU21 will regenerate the profile only in the current client. The
ABAP program AGR_REGENERATE_SAP_ALL will regenerate the profile in all the existing
clients.
39. What are the 5 steps of the authorization concept conception?
Below are the 5 steps:

Preparation: Set up a team, define communication process

*Analysis and Conception: *analyze process and determine role framework
*Implementation: *Creation of roles
*Quality assurance and Tests: *positive and negative testing
*Cutover: *production start

40. What are the different types of users that can be created in SAP?
Below are the different types of users:
1. Dialog: For interactive user
2. System: For background processing and communication within a System. No dialog poss
ible, no change of password
3. Communication: For dialog. Free communication between systems. No dialog possible,
no a change of password.
4. Service: Dialog user available to anonymous group of users
5. Reference: For general, nonpersonrelated users that allows the assignment of
additional, identical authorizations.

41. What is the meaning of the traffic lights Icons for the authorization maintenance?

Green: All fields below this level have been filled with values
Yellow: There is at least one field (but no organizational levels) below this level for
which no data has been proposed or entered
Red: There is at least one organizational level field below this level for which no value
has been maintained.

42. What are the 4 status texts about authorizations maintenance?

Status text will quickly help you to identify how the authorization object is added/maintained in
any role. Below are the various texts:

Standard: Unchanged from the SAP defaults. It has the values that are added by PFCG
automatically.
Maintained: At least one field in the subordinate levels of the hierarchy was empty by
default and has been maintained.
Changed: The proposed value for at least one field in the subordinate levels of the
hierarchy has been changed from the SAP default value.
Manual: The authorization object is added manually and maintained.

43. How can you deactivate the special properties of SAP?

To deactivate the special properties of SAP*, set the system profile parameter
login/no_automatic_user_sapstar to a value greater than zero.
44. What is the use of S_TABU_DIS authorization object?
S_TABU_DIS is the authorization object which allows access for table entries. The activity filed
determines the kind of action a user can make on table entries (create, display, change etc.,)

Secondly the field DICBERCLS makes use of the authorization group assigned to the table.
You can check for it in table maintenance generator in SE11 or TDDAT table from SE16. Once
you give access for one authorization group then the user will have same access for all tables
belonging to that group.
45. Which authorization object grants authorization to maintain cross client tables with the
standard table maintenance transaction?
S_TABU_CLI authorization object enables you to protect cross-client tables from unintentional
accesses. It has the field CLIIDMAINT, in which the value X can be added to grant a user
authorization to maintain cross-client tables. Value ' ' will retain the authorization to the current
client only. Best example is T000 table which can be maintained from SCC4 transaction code.
46. How to identify the list of roles in which S_TCODE is assigned manually?
ABAP program PFCG_AGRS_WITH_MANUAL_S_TCODE will help you to quickly
identify the roles in which S_TCODE is manually included.
In ECC systems this report is obsolete.
47. How to restrict users from scheduling A class jobs?
Authorization object S_BTCH_ADM with "Y" provides the batch administration access to the
users. If this is restricted to "N" or disabled, the user will be restricted to work with only class C
(low priority) jobs and to only his or her own jobs in the client that he or she is logged on to.
48. How to restrict users from deleting jobs of other users?
Restriction of deleting the jobs of other users can be maintained using S_BTCH_ADM and
S_BTCH_JOB authorization objects. When the S_BTCH_ADM value is set to Y, users will be
able to manage the jobs of other users also. The value should be set to N, and also for the
S_BTCH_JOB, the operation DELE should be revoked. This will retain access of deleting users
own jobs, but not for the other users.
49. How to identify the authorization group for a table?
There are 2 ways to identify the authorization group.
Procedure # 1:
1.
2.
3.
4.

Go to SE11 transaction code.

Enter the table or view name.
Click Display button.
Go to Utilities menu, Table Maintenance Generator option

You can see the Authorization group associated with the table.

Procedure # 2:
1.
2.
3.
4.

Go to SE16
Enter TDDAT as the table name
Enter the table for which you wish to know the authorization group
Click Execute

50. Which table holds the information of all the tables in SAP?
DD02L table holds the information of all the other tables in SAP.
51. What are the different types of tables and how the restrictions are maintained?
In SAP Security terms, the tables can be majorly divided into two groups:

Cross-client tables and

Client-dependant [client-specific] tables.

Cross-client tables are the tables that are valid for the whole system, and not only for one client.
For eg: T000 table. However, client-dependent tables are always valid for one client. The
classification documented by a technical setting that can be reviewed by looking up the table
DD02L. The column "client-specific" is relevant. The entry X means, that this is a client-specific
table. If the field is empty, the table is a cross-client table.
In SAP, the table level protection can be done at two different levels:
The first level is the general protection of tab les that is covered by the authorization object
S_TABU_DIS. (Also refer SAP Note 1434284 - FAQ about S_TABU_NAM, in which
restriction can be made at an individual table rather than on the group). Users who wants to have
a table access needs a corresponding authorization on S_TABU_DIS. The object S_TABU_DIS
consists of two fields. The field ACTVT [activity], and the field DICBERCLS [authorization
group].
Valid values for the field ACTVT are:

02 - for create, change, delete

03 - for display
BD - override change lock for customizing distribution

Concerning the values for the field DICBERCLS the assignment and selection is a bit more
complex. Tables are protected by so-called authorization groups. The defined groups are listed
in the table TBRG. The assignment of tables to authorization groups is listed in the table
TDDAT.

Every table can only have one authorization group. But every authorization group may protect a
number of tables. Tables that are not especially protected by an explicitly defined authorization
group are protected by the authorization group &NC&. "NC" stands for "Non Classified".
So that we can conclude as a rule that for maintenance access to tables an authorization on the
object S_TABU_DIS with a corresponding ACTVT as well as a matching authorization group is
required.
The second step in the table access control is based on the object S_TABU_CLI.
To summarize, for accessing client dependent tables an authorization on the object
S_TABU_DIS is required and for accessing cross-client tables for maintenance an authorization
on the objects S_TABU_DIS and _TABU_CLI is required.
Further, the object S_TABU_LIN was created for further table access limitation.S_TABU_LIN
allows an access granularity down to the line level of the tables. This is connected to special
customizing adjustments, the definition and activation of so-called organizational criteria.
With the predefinition of organizational criteria like e.g. a plant or a country, access to tables can
then be limited to the lines of the organizational criteria only. Because of the additional
complexity of these fine tuning requirements, this is rarely used in companies so far.
52. What is a developer access key? How to get it and which table holds this
information?
Any ABAP developer can create/work on custom programs (program that start with a "Y" or
"Z") requires a developer access. Assigning the authorizations itself will not provide the access,
and the user should be registered with the developer access key. The same can be obtained from
the below website:
https://www.service.sap.com/licensekey
The key will be valid for only the installation number for which it is registered with SAP.
Table DEVACCESS holds the Developer key information, which can be viewed with SE16.
53. What is the use of TCDCOUPLES table?
TCDCOUPLES is a table which provides you the information of the transaction codes that are
called by a transaction internally. It is used quickly to identify the "CALL TRANSACTIONS"
for custom transaction codes. Also, it is a good method to give back-end access to a transaction
code if we do not want to enable S_TCODE access for it. After a transaction is called, all those
authority checks are performed, which may not be part of the check in the calling transaction
code.
54. What is the use of TACT table?

TACT table contains the various activities in the SAP system. All the authorization objects pull
the activity values from this table.
55. What is PDAG?
PDAG stands for Pre Delivered Activity Groups. There are the roles that come along with the
SAP installation. You may quickly see in the system for SAP* roles. The PDAGs are used as
templates in creating the administration and functional ro les during the implementations or
assigned to the users, till the custom build roles are available to carry out the configuration
changes in the system.
56. When a user is not able to download reports from SAP, what authorization you will
check?
To download various data from SAP system, users should have access to S_GUI authorization
object with activity 60. This authorization is normally added in the common role.
57. What is the use of TSTCA table?
The user calling transaction must have an authorization for the authorization object listed in table
TSTCA in his or her user master record. TSTCA contains the minimum required authorization
objects/values that are required to execute a transaction code. In simple, it makes the transaction
executable.
58. What are variants, and how can they be created?
Variants allow you to save sets of input values for programs that you often start with the same
selections.
There are various methods to create variants. To know the standard process, visit the below link:
http://help.sap.com/saphelp_nw04/helpdata/en/c0/980389e58611d194cc00a0c94260a5/content.h
tm
To quickly create a variant, execute the report using SA38 or SE38 transaction code, enter all the
values, click Goto menu, Variants, Save as variant option.
The variant can be further loaded using the Get variant icon on any execution screen.
59. What is user master record and which tables holds the User master record
information?
User Master Record is the record that contains important master data for a user in the SAP
system. The user master record contains the assignment of one or more roles to the user. In this
way, a user menu and the corresponding authorizations for the activities contained in the user

menu are assigned to the user. Only users who have a user master record can log on to the
system.
User data resides in table USR01-USR31 and USH*. This can be used as a quick way to obtain
user data for any quick reporting such as user type, last logon, or any other information related to
users. The primary header data table is USR02.
60. Which report gives you the information of users with missing address data such as
email ID, phone number etc?
When users are created in the SAP system, their details including address are entered into the
system. For some reasons or the other, it is possible to have users that have incomplete address
data.
Report RSUSR007 is used to generate a list of such users. These users can be reviewed and their
address data completed appropriately.
Please note, it is good practice to have complete address for all users. It helps user organization
and management.
61. What is the diffe rence between a dialog and service type user ID?
A user of the type Service is a dialog user that is available to an anonymous, larger group of
users. Generally, this type of user should only be assigned very restricted authorizations.
For example, service users are used for anonymous system access via an ITS service. Once an
individual has been authenticated, a session that started anonymously using a service user can be
continued as a personal session using a dialog user.
During logon, the system does not check for expired and initial passwords. Only the user
administrator can change the password. Best example is Fire Fighter IDs.
62. What are the maximum number of profiles that can be assigned to a user?
Maximum Profiles that can be assigned to any user is ~ 312. Table USR04 (Profile
assignments for users). This table contains both information on the change status of a user and
also the list of the profile names that were assigned to the user.
The field PROFS is used for saving the change flag (C = user was created, M = user was
changed), and the name of the profiles assigned to the user. The field is defined with a length of
3750 characters. Since the first two characters are intended for the change flag, 3748 characters
remain for the list of the profile names per user. Because of the maximum length of 12 characters
per profile name, this results in a maximum number of 312 profiles per user.
63. How you will allow the functional teams to perform direct changes in the production
environme nt?

Direct changes in the production system are not allowed. However, there are a few instances
where changes should be made in the production system directly such as number range
maintenance, factory calendar maintenance etc.,
In such cases, a System modification required should be raised and approved by the system
owner or the system controller who owns the system.
After the changes are made, the client will be set to No changes allowed.
64. How to check the dependency of a role?
Dependency of the role can be checked using SE03 transaction code. Dependency of the roles
should be checked before making any changes to the role. Below are the step by step
instructions:
1. Goto SE03 transaction code.
2. Click Search for Objects in Requests/Tasks option.
3. Enter ACGR and the role name, click the check box and click Execute.
This will display all the transport requests that are created for the role entered. Pick the last
Transport request and check the Logs. If the changes are moved to production system, it means
the role has no dependency.
65. What are the various types of transport requests?
There are Four types of transport requests:
-

Customizing request
Workbench request
Transport of copies
Relocation

66. How to create a config role?

Config roles are created during the time of a new implementation and when no other roles are
existed. Following are the steps to create a Config role:
Creating a role from IMG:
1.
2.
3.
4.
5.

Go to SPRO_ADMIN transaction code.

Click Create button.
Enter Project name and click Check mark button.
Enter the project description and click Save
Go to Scope tab, select "Specify project scope by making manual selections in reference
IMG" check box and click "Specify Scope" button
6. Select the IMG nodes for which access should be provided

7. Click "Generate Project IMG" button.

8. Click Generate in the background option when prompted.
9. Click Save button.
Once the Project is created, we will have to create the role in the Profile Generator:
1.
2.
3.
4.
5.
6.
7.
8.

Go to PFCG transaction code.

Enter the new role name, click Create Role icon.
Enter the description for the role.
Click Save, and goto Menu tab
Click Utilities, Customizing auth. Option as shown below:
Click Add button.
Select IMG project radio box and click Check mark button.
Select the project from the list.

This will add all the transaction codes. However, note that no menu changes are further possible
in the IMG config role and you may not see other buttons also in the Menu tab.
67.What is DEBUG access? And how to restrict it?
Debug access is a critical access that should be restricted in the Production system. It is a way
to look behind all screens, inside the running programs. This also may allow users to see data
which is normally hidden from them according to their authorizations.
Debug access can be provided with the authorization object S_DEVELOP and object type
DEBUG.
NOTE - In most of the landscapes the DEBUG access is only assigned to FF IDs.
68. What is the diffe rence between SU53 and ST01?
SU53 is a quick solution to identify any missing authorizations for the users. However, it will
only display the last missing authorization.
ST01is used in two scenarios:
- To quickly identify the list of authorization objects, fields, values that needs to be included in
a role when you are creating it for the first time.
- To trace for the repetitive missing authorizations

69. How to give authorization to multiple printe rs?

Authorization to use a specific printer(s) or other output device(s) can be provided with the
authorization object S_SPO_DEV. The object consists of the field Spool: Output device, where

you can include the SAP names of the output devices for which a user is to be authorized.
Example The value "LT*" authorizes a user to use all printers with beginning with "LT" in
spool administration.
70. How to revoke "Import All" transport authorization to a user?
To revoke the Import All requests (The Full truck icon), you need to remove the IMPA
authorization under S_CTS_ADMI authorization object.
Also, if you wish to remove individual requests also, the IMPS authorization should be
unchecked.
71. What is Secure area? Why it is maintained in the OSS Connection?
OSS - Online service system, which is a service provided by SAP to help on any critical issues in
your SAP instance. When SAP needs to connect to your system to analyze the root cause of the
issues, you will be requested to open an OSS connection. To enable SAP login to your system,
an OSS IDhas to be created and further the user login information should be updated in an area
called "Secure area".
Also note, all the systems will be listed when you login to service.sap.com and all that you need
to do is to open the system for SAP specifying the number of days till which the connection
should be active using the secure area information.
72. What is the diffe rence between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a
transaction and which not (despite authority-check command programmed). This table also
determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which
default values an authorization created from the authorization object should have in the Profile
Generator.
73. How to create a ne w Authorization object?
To create the authorization object, perform the following:
1.
2.
3.
4.
5.
6.

Goto transaction code SU21.

Click Create, Authorization object option.
Enter all the details
Click Save button.
Select the relevant package from the drop down list
Save again.

The New authorization objected is created now. Further maintain the default values from SU24
transaction code.
74. If users were not able to run CATT scripts, what changes do you recomme nd?
If the user can't run the CATT script, you need to enable the option in SCC4 transaction code.
Below are the steps:
1.
2.
3.
4.
5.

Goto SCC4 transaction code.

Click Change button.
Double-click the client which you wish to allow the CATT scripts.
Change the "CATT and eCATT Restrictions" option to Allowed as shown below:
Click Save.

75. What are the ways to identify the number of users in a client?
Below are the different ways to identify the # of users in a client:
1. Goto SE16, enter USR02, and click "Number of Entries" button.
2. Goto SUIM transaction codes, Users, Users by complex selection criteria, By user ID,
Execute.
Both the ways will give you the count of the user IDs in the system.
76. How to get a list of locked users in a client?
Using the report RSUSR200, you can generate a list of locked users. Alternatively, you can use
RSUSR006.
77. How to gene rate a list of users who haven't logged in for the last 30 days?
ABAP Report (available as an individual tcode also) RSUSR200 can be used to generate a list of
users who haven't logged in the last 30 days. Enter 30 in the text area "No. days since last logon"
and hit execute.
78. What is dormant ID revie w?
Dormant user ID review is identifying the users who haven't logged in to the system from a long
period. These IDs will be identified using RSUSR200 report or generating a list of IDs from
USR02 table. The ERDAT field can be used to identify the last logon date.
79. Which report shows the status of standard system users status in all the clients?
Report RSUSR003 displays the status of the standard system users (SAP* and DDIC) in all the
available clients in the system.

80. What is the use of PFCG_TIME_DEPENDENCY job?

PFCG_TIME_DEPENDENCY is a program used to do the user comparison. It will update the
user master records with new data.
If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business, the
authorization profiles in the user master will be updated and the users will have only the valid
roles.
It users the program RHAUTUPD_NEW.
81. How to perform a mass generation of profiles?
To perform a mass generation of profiles, use transaction code SUPC.
1. In role maintenance (transaction SUPC), choose Utilities, Mass Generation in the role
maintenance (transaction SUPC).
2. Specify the desired selection criteria.
To generate all profiles to be generated automatically (last checkbox), you can further restrict the
role selection in the next screen.
Source - help.sap.com
82. How to run a comparison for a group of roles?
To perform a user comparison, use transaction code PFUD.
83. How to lock/unlock a transaction code. Give some examples on the usage?
A transaction code can be locked using SM01 transaction code. Below are the steps:
1. Goto SM01 transaction code.
2. Enter the transaction code in the Search box which is available at the end of Tcode box.
3. Once the tcode is listed, select the check box, place the cursor in the transaction code box
and click Lock/Unlock button.
Alternative is to press the F2 key.
For eg: SCC5 is locked to further protect the system with Deleting the clients. Even though a
user has authorization to SCC5 transaction code, he will not be able to execute the tcode.
84. How a role is deleted in real-time scenarios?

A role(s) should be deleted in Development system, and further transported across the landscape.
You will not be able to delete the role in a production system directly, since the production
environment is freezed for changes.
Below are the steps to delete a role in real-time scenarios:
1.
2.
3.
4.
5.

Create a transport request.

Add the role in the transport request.
Delete the role.
Release the transport request.
Import the request in the other systems.

85. How to trace a user activity in SAP?

Audit logs for a user can be enabled using SM19 transaction code. Below are the steps:
1. Go to transaction SM19.
2. Select the Filter1 to activate.
3. Click checkbox of Filter 1.
4. Enter the Client and User names to be traced. (NOTE - A * value can be given to trace in all
the clients/for all the users.)
5. In the Audit classes section, click "on" all the auditing functions you need for this profile.
6. In the Events section, click the radio button to the left of the level of auditing you need.
7. Once you have entered all your trace information, click the Save picture- icon.
You will receive an Audit profile saved in the status bar at the bottom of the screen.
Please note that while the user trace has been saved, it is not yet active. To activate the user
trace, see the next sectionActivating a User Audit Profile.

86. How to read the audit logs for a particular user?

Below are the steps to read the audit logs:
1. Log on to any client in the appropriate SAP system.
2. Go to transaction SM20.
3. In the Selection, Audit classes, and Events to select sections of the Security Audit Log:
Local Analysis screen, provide your information to filter the a udit information. If you need to
trace the activities of a specific user, be sure to include that user's ID. Click the Re-read audit
log button.
4. The resulting list is displayed. This list can be printed using the usual methods.
87. What are the various reason codes in ST01?
Below are the various return codes:

RC 0 - Authorization check passed

RC 1 - No authorization
RC 2 - Too many parameters for auth check
RC 3 - Object not contained in user buffer
RC 4 - No profile contained in user buffer
RC 6 - Authorization check incorrect
RC 7,8,9 - Invalid user buffer
88. What are user groups? How to create the m?
One of the primary advantages of user groups is to sort the users into logical groups. This allows
users to be categorized based on functional areas/positions.
User Groups also allow segregation of user maintenance, this is especially useful in a large
organization as you can control a specific group of users and give authorization to administer
them.
The most important factor identified is that the lack of user groups is an indication that there may
be problems with the user build process. This is very "fuzzy" but is a bit of a warning flag. User
groups can be created using SUGR transaction code.
89. What is the diffe rence between user group in Logon data tab, and Groups tab?
Group for Authorization Check (User group in Logon Data tab):
If you assign a user to a user group for the authorization check on the Logon Data tab, you can
distribute user maintenance tasks among several user administrators. The system administrator
can assign the respective user administrator the right to create and change users in a group. Using
the authorization object User Master Maintenance:User Groups ( S_USER_GRP), you can assign
user groups to different administrators.
Users that are not assigned to any of the groups, can be maintained by all administrators.
General User Groups (Groups tab):
You use the division of users into user groups on the Groups tab primarily to group users for
mass maintenance (transaction SU10). No authorization check can be performed on the user
groups assigned to the users under the Groups tab.
90. How to assign parameters and what are they used for?
Parameters can be assigned to the users from SU01 transaction, Parameters tab. Parameter has
fields that a user wants to get auto filled when he open some transaction code. This field can be
filled with proposed values from SAP memory using a parameter ID.

For example, if a user only has authorization for co mpany code AU50 and he wants the company
code field to be auto-filled in every transaction. For this, a parameter is defined in the parameter
ID column. Fields that refer to the data element are automatically filled with the value 300 in all
subsequent screen templates.
NOTE - Users can also set their own parameters from transaction code SU3.

91. How to extract data from tables and what are the minimum authorizations
require d?
Data from tables can be extracted using SE16 or SE16N transaction code. To download the data,
a user should have authorization to S_GUI with activity 60.
92. How to determine the instance on which user has logged in?
To identify the instance on which user has logged in, go to AL08 transaction code and search for
the user ID.
93. What is an application instance and how different it is from the central instance?
Application instance is a collection of Dialog Work process which is maintain for the load
balancing for the End users.
However, a Central Instance is the combination of Database instance and Dispatcher and
Message Server, Enqeue Server. Note that both the instances will be running under the same
SID.
94. How to force logoff an user from the system?
To force logoff an user, perform the following steps:
1.
2.
3.

Goto SM04 transaction code.

Select the user from the list.
Goto User Menu, and select Log Off

However, make note that the user current data will not be saved, when you force log off. You
should be careful when using this option, especially in the production systems.
95. How to conve rt manually created profiles in to roles?
It is not recommended to convert profiles to roles manually and the best approach is to create the
roles from the scratch. However, if you wish to create roles from profiles, use SU25 transaction
code and select the option 6, which is highlighted below:

Once you execute, you will be prompted with the list of profiles and you can select the role and
click Optimized option and click when prompted to create a role.
The alternative procedure is to create a role and Insert a profile. Below are the steps:
1.
2.
3.
4.
5.
6.
7.

Create a role in PFCG transaction code.

Go to Authorizations tab.
Create a profile, and click Change Authorization data button.
Select "Do not select templates option".
Click Edit, Insert Authorization(s), from Profile option.
Select the profile that you want to insert.
Click check mark.

96. How to identify the changes done to a user/role in the system?

The Change Documents under SUIM transaction code helps you to quickly identify the various
changes made to Users & Roles:
You may also execute the reports RSUSR102 for change documents for Authorizations.
RSUSR100 for change documents for Users and RSUSR101 for change document for Profiles.
97. How to get the user ID list along with the mail IDs?
There is no standard report that gives you this information. You may join tables ADR6 and
USR21 by PERSNUMBER. Use SQVI transaction code, if you are allowed to do this, else you
may need to use MS Access to get the report by maintaining the relationship of PERSNUMBER.
98. How to restrict users to have access to their own spools?
Spool access is controlled with S_SPO_ACT authorization object. To restrict the access to users
own spools, you may use the special characters _USERS_
99. What transaction codes should be added in the COMMON role?
Common Role will have transaction codes which are required for every Dialog user in the SAP
system. Below are the list of commonly used transaction codes:
-

SU53
SMX
SP01
SP02
SU3
SU56
SBWP

Also, note that it contains commonly required authorization objects such as S_GUI, S_RFC, etc.,
100. How to re-generate SAP_ALL profile using SU21? And why it is required?
If you add any new authorization objects, it is recommended to re-generate the SAP_ALL
profile. Below are the steps to re- generate SAP_ALL:
1.
2.
3.

Goto SU21 transaction code.

Click "Regenerate SAP_ALL" button.
Select Yes when you are prompted to confirm the re-generation.

This will re-generate the SAP_ALL Profile.

101. How to maintain the company address?
Company address can be maintained in 2 ways:
-

Using transaction code SUCOMP

Goto SU01, Environment, Maintain company address:

Click Create button to create a new company.

102. Can we assign a multiple company addresses to a single user?
No. It's not possible. A user can be assigned only with 1 company address.
103. How can I change the existing company address?
To change the existing company address, follow the below steps:
1.
2.
3.

Goto Su01 transaction code

Enter the user name and click Edit
Choose one of the below buttons:

The Assign other company address will prompt a list of existing company addresses from which
the required company can be selected. However, the "Assign new company address..." button
will allow you to create new company address.
104. We are unable to modify the users thru SU01 transaction code, and experiencing
"company address locked" error. How to troubleshoot this issue?
This is an identified issue is SAP R/3 version 4.5 and 4.6C. SAP has released a source code
correction for this issue. Refer SAP note: 312714 - Unnecess. lock on company addr. in displ.
mode SU01 .
105. How to setup a company address as default?

To setup a default company code, perform the following:

1.
2.
3.
4.

Go to SUCOMP transaction code

Select the company address that you wish to set as default.
Click Edit.
Click Standard Address, Define.

106. Which table contains all the fields currently set as Organizational Levels in PFCG?
Table USORG holds the information of Org fields.
107. How should I grant PFCG display access and SU01 maintain access?
Assignment of roles to users in SU01, SU10, and PFCG transaction codes require authorization
to S_USER_GRP with Assign (22) activity and S_USER_AGR with Change (02) activity.
If Change activity is assigned, the user will get access to change roles too. To limit the
authorization to PFCG display, you have to set a switch in PRGN_CUST table. This will check
only S_USER_AGR activity 22 while assigning roles. Below are the steps:
1.
2.
3.
4.

Goto transaction code SM30.

Enter table name "PRGN_CUST"
Click Maintain
Add new entry 'ASSIGN_ROLE_AUTH'and value 'ASSIGN.

For further information, check SAP Note 312682 - Checks when assigning users to roles.
108. I have a role which was modified in production directly. Is there a possibility to
transport it to the Quality and Development environment?
Yes. You can perform a reverse transport by using the "Transport of Copies" option. Below are
the steps:
1.
2.
3.
4.
5.

Login to your production system

Goto SE09, Select Create Transport Request button.
Select "Transport of Copies" button.
Give short description and target system/client - Example - QAS.300
Edit the transport required and fill tab " objects" with Role name

Example:
ID: R3TR
Obj Type: ACGR
Obj Name: <Role name> which you wish to transport.
Function: *
6. Save it .

Now you can import it in the Development & Quality system.

109. While modifying the role in PFCG, a pop-up is displayed which says the role
modification can be done in DE language?
This issue is due to a program error. When you try to modify any existing role, the system may
prompt you to make changes only in German Language. If the Language DE is entered while
logging in, it will allow you to make changes. To resolve the issue, implement SAP Note
725040, and 854311.
110. We have maintained a list of forbidden passwords in USR40 table. However, the
system is still allowing us to setup an initial password from this list. How to troubleshoot?
This is not an issue and is by design. The administrators are allowed to set password combination
which are added in USR40. However, when user tries to change the password, it will check
USR40 table for the exception list.
Refer SAP note 2467 for more info about password policy.
111. User is not able to change his password after an upgrade.
Ans: This is an identified issue. The below recommended solution is from SAP note # 1487237:
1.
2.
3.
4.

Call transaction SE80

Display function group "SUU5"
Open "GUI Status" and double click on "PASSWORD"
Press button "Activate" (CTRL+F3)

Incase if the issue happens in CUA, refer the SAP Note 1166395 - CUA|SU01: Transfer of
password with table control actions.
112. I have duplicate transaction codes listed in my SAP menu. How can I eliminate the
duplicate tcodes?
Ans: To eliminate the duplicate tcodes in the SAP Easy access menu, include the below
parameters in SSM_CUST table:

CONDENSE_MENU (Refer SAP Note 203994) to Avoid Easy Access Redundancy

DELETE_DOUBLE_TCODES (Refer SAP Note 357693) to remove redundant tcodes
in Easy access control menu.

These two parameters will now show redundant tcodes in the SAP Easy Access menu.
113. I want to make sure that the transaction codes are not duplicated in a role. How can
we do it?

Ans: Add the below parameter in SSM_CUST table with value "Yes" to restricting adding
duplicate transaction codes in the roles:

CONDENSE_MENU_PFCG (Refer SAP Note 504006) to Avoid redundancy

maintaining roles in PFCG

However, note that if the role is created using a template or by adding a menu node from the
PFCG menu tab, it uses the area menus, which are independent and may contain certain
transaction codes multiple times. If the DELETE_DOUBLE_TCODES parameter is set to Yes,
these will not be redundant in the Easy Access Menu.
114. Most of the roles in my SAP system have blank entries in the Menu. What are these
and is it safe to re move the m?
This issue mostly happens in the following scenarios:
1. When the role is downloaded and uploaded from a seperate system.
2. The tcode is removed from the system.
When you upload a role from a different system, some of the transaction codes might not be
available in the target system. Thus, the menu returns a blank value with out the transaction
code.
This issue happens because the menu structure of roles is independent and the deletion of the
tcode was not reflected to the roles menu.
This entry cannot be removed directly from the standard authorization. Refer the below notes:

SAP note 1524185 - Empty <blank> entry in standard S_TCODE authorization in PFCG
causes yellow traffic light and
SAP note 113290 - The standard S_TCODE authorization cannot be updated manually
and implement the steps.