SAP Security Interview Questions

Q. Role Naming Procedures

I am trying to determine the best role naming procedures. We are doing a security set-up redesign
and would like to use “Generally Accepted Security Role Naming Practices.” We are a global company
with decentralized SAP set-up with SAP instances for each region.
A: The intent of developing a naming convention for SAP access is to facilitate long-term maintenance
of Security, enhance auditing features, and improve the periodic review of access. The following is a
proposal for the naming convention guidelines for Roles, Profiles and Authorizations. Note: Composite
Role naming conventions are not covered as they are NOT recommended for use.
Naming Conventions: Roles ‘Z’ or ‘Y’ is not needed as part of the naming convention. SAP Security
is Master Data, not configuration or repository object and therefore does not need the standard
development name space. The ‘:’ is the customer designation.
Role name template: xxxx;yyyy_Describe_org.
Designate xxxx as major company division, (i.e, Jones, Inc., Parts, etc.). : is the Customer Role
designation;
yyyy is the Functional area in SAP such as Financial Accounts Payable (FIAP) or Materials
Management Warehouse Maintenance (MMWM).
Under Describe give brief description of Role, i.e., INVOICE_PROCESSOR; Org is any major
organizational designations such as plant, sales org or warehouse.
Example: J:FIAP_INVOICE_PROCESSOR is Jones, Inc. Financial Accounts Payable Invoice
Processor for the company.
Jones, Inc. is the company, so there is no need to use the _org designation. If this role did ALL or
cross company, then a designation would be needed.
Note: If you set the configuration for Session Manager to sort the roles for display, they sort in
alphabetical order by technical name. Your generic System roles (Printing, RFC, GUI control, SU56,
SU53, SU3, SMX) should sort to the bottom; yyyy should be Cross Application, or XA.

Q. Display Only SM59

SM59 text mentions it can be used for Display/Maintain RFC Connections, how can you make this
transaction code display only?
A: SM59 is for Display AND Change. There is no display only version. Sorry, it can’t be done.
Q. APO Authorizations
Regarding APO authorizations, can you limit to display only in the product master using transaction
code /SAPAPO/MAT1?
A: For the /SAPAPO/MAT1, make sure you have only 03 on C_APO_PROD.

Q. Tcode /SAPAPO/SDP94
In the planning book screen, certain buttons are missing when using tcode /SAPAPO/SDP94. Neither
the “Selection Window” nor the “Display Dependant Objects” buttons are visible.
A: Maintain C_APO_FUN to have C_SELCTION, C_SELE and C_SELORG on field APO_FUNC and
the name of the planning area on APO_PAREA to make sure /SAPAPO/SDP94 is fully functional and
viewable.

Q. Comparing user assignments

How do you compare two user’s role assignments? (i.e., What roles is user FOO missing to have
exactly the same roles as user BAR?)
A: In tcode SUIM there is a report to compare users/ roles and selected output.
The best way to make user BAR have the same access as user FOO is to have one role with the
access and assign it to each of them once in tcode SU01. Ensure that this is the only role they have.
If this becomes too complicated, use a program to read in the AGR_USERS tables for two users, and
lay out the role assignments side by side showing where the role assignment gaps are.

Q. Table names
What is the table name which houses the full list of activities? (01 change, 02, 03 display, etc…)?
A: The table is TACT. Possible activities for one authorized object is: TACTZ.
The list of additional activities is extensive. Go to the profile generator/authorizations screen, pick up
any autho object and get to the selection screen for possible activities. Right click and you will see
“More values – F7” for a complete list of activities.
Note: May not work for all “activity” fields. In the field for F_REGU_BUK, for example, the values are
kept are in a pull-down menu in the transaction F110.

Q. Cost center field in SU01

What is the purpose of the cost center field in the SU01 user master record?
A: It is most likely used to allocate costs of system usage to cost centers. Some use it for internal
reporting. It is accessible in some of the ALV reports in SUIM.

Q. Security report scheduling

Are there any periodic security reports that need to be scheduled to monitor during maintenance?
A: Try running user compare – RHAUTUPD_NEW
SUIM table sync – SUSR_SYNC_USER_TABLES
Other valuable reports:
USTxx Sync to USRxxx (custom program)
RHPROFL0 (for security by position)
Lock/delete inactive users (custom program)
Delete orphaned authorizations/profile (custom program)
Delete orphaned address info.
RHAUTUPD_NEW
Critical User monitoring report and notification (custom program)

Q. Querying restricted roles

Is it possible to query all roles that have a particular Organizational Level Restriction? (e.g. Company
Code, Plant, Division, etc.?)
A: You can get all the roles that have an authorization for a particular object that contain a company
code or plant or other authorization value. Those reports are in transaction SUIM.

Q. Accidental deletions
Users in our system were deleted when they shouldn’t have been. To determine how this happened,
can I retrace the function or is it logged on a table?
A: Debug or use RSUSR100 to find the information.

Q. Accidental deletions 2
While working in development server, my session was deleted by another user. Is there a way to find
the user that deleted it, the system number and the related data?
A: Try using TX STAT (or STAD, depends on release) and look for someone who has used TX SM04.
With that, you can kill the session. If more than one user has used the same tcode at the given time,
SM21 has the entry logged for it.
You can find who ran SM04 and delete that user’s session.

Q. Conflicting combinations
How do you find the typical conflicting combinations of authorization objects in HR, like conflicting
tcodes, infotypes and clusters?
A: If you are looking for conflicts within HR, there aren’t many. Some companies use security
measures to limit payroll information, update disciplinary actions, promotion potential and medical to
specific individuals. It is not done with tcodes, but with limited Info types.
SAP HR is written as a central set of tcodes with access limited by data.
The main tcodes are PA40, PA30 and PA20, HR org management is the PA10, PA03, PA13 or the
POME and “run Payroll”.
Concentrate on the Info types not necessarily the tcodes not objects as they all use P_ORGIN (or
what you configure). The only anomaly is P_ABAP which can override P_ORGIN.

Q. The Parameters tab

What is the “Parameters” tab in the SU01 user maintenance screen for?
A: The “Parameters” tab allows users to pre-set entries in order to fill field values in tcodes without
having to re-key. Also used for “Set Preferences.”

Q. Org Level Tables

Is there a comprehensive list of all the Org Level Tables?
A: Try table AUTHX via SE16.
If it is not loaded or incomplete, use the underlying source structures in SE11, including structures:
AUTHA, AUTHB, AUTHC and a few others (search on AUTH*). Look for the Check table or value
tables. Note: If AUTHX is not loaded, there is a report to load it.

Q. Setting values in authorization objects

When setting values in an auth obj, is there a way to exclude a specific value without compromising
the access of the others?
Example: I’m trying to restrict S_TABU_DIS to allow certain people to see all the auth groups except
SS. If someone creates an auth group in the system, we want the people with this role to see the
added group without us going back into the role and adding the value via pfcg.
A: Set the values to be included – 00 to SR and ST to ZZ, this would exclude SS.

Q. Authorization reports
How are authorization reports generated? The reports should include activity by object and be
accessible to all users with access.
A: Run SUSR_SYNC_USER_TABLES and then try tcode SUIM/report RSUSR002. Enter your object
in Object 1 and press enter. Follow the prompts.

Q. Movement types
How do you restrict users on Movement types and certain storage locations in transaction MB1B? The
only object displayed in SU24 for MB1B, with a combination of Movement type and Storage location,
is M_MSEG_LGO. How do we enable the system to check this object in MB1B? Or, how can we
restrict users on a combination of Storage location and Movement type in transaction MB1B?
A: Storage location must be configured to check authorization on each storage location. SAP does
not do this by default so there is no ST01 trace of it until you configure it. This is done in the IMG
(tcode SPRO).
If you get the help documentation of M_MSEG_LGO (using SU21), there is a link with the correct
customizing tcode which turn on/off the authority check on it (under material management-stocks).
This works only for good movements, not for display stocks content.

Q. Login/disable_multi_gui_login
Will activating parameter login/disable_multi_gui_login affect workflow?
A: No, the key is the GUI in the parameter. Workflow does not initiate a GUI logon but a logon in the
“background” or via RFC to a non-GUI display session.

Q. Expert mode
What is the Expert mode in Profile generation? What are the options for its use?
A: Expert mode merges existing authorizations with new auths as they are added to the role. The
auths display tells you which authorization objects have been added or changed. This is a time-saver
in that it clearly lists changes and what to maintain.
Note: Always work in Expert mode.

Q. Accessing authorization objects

Is there a table where I can access the name of a particular Authorization Object? Possibly a SUIM
report?
A: Start with SU24; it will give the objects/transactions in pfcg use.
After SU24 there are tables USOBT_C and USOBX_C.
SU25, Step 1 is mandatory to initialize these tables. Note: Read Help carefully before executing SU25,
Step 1.

Q. Display transaction code in PFCG?

How do you display the transaction code in the Menu folder using PFCG?
A: With and existing role, the transactions may be entered straight into the S_TCODE auth object, not
the menu.
If the subfolder “Menu” in PFCG displays the list of transactions with only text appearing and not
transaction codes, the option needs to be changed.

Q. Explain what is SAP security?

SAP security is providing correct access to business users with respect to their authority or
responsibility and giving permission according to their roles.

Q. Explain what is “roles” in SAP security?

“Roles” is referred to a group of t-codes, which is assigned to execute particular business task. Each
role in SAP requires particular privileges to execute a function in SAP that is called
AUTHORIZATIONS.
Q. Explain how you can lock all the users at a time in SAP?
By executing EWZ5 t-code in SAP, all the user can be locked at the same time in SAP.

Check Out SAP Security Tutorials

Q. Mention what are the pre-requisites that should be taken before assigning Sap_all to a user
even there is an approval from authorization controllers?
Pre-requisites follows like
1. Enabling the audit log- using sm 19 tcode
2. Retrieving the audit log- using sm 20 tcode

Q. Explain what is authorization object and authorization object class?

1. Authorization Object:Authorization objects are groups of authorization field that regulates
particular activity. Authorization relates to a particular action while Authorization field relates for
security administrators to configure specific values in that particular action.
2. Authorization object class:Authorization object falls under authorization object classes, and they
are grouped by function area like HR, finance, accounting, etc.

Q. Explain how you can delete multiple roles from QA, DEV and Production System?
To delete multiple roles from QA, DEV and Production System, you have to follow below steps
1. Place the roles to be deleted in a transport (in dev)
2. Delete the roles
3. Push the transport through to QA and production
This will delete all the all roles

Q. Explain what things you have to take care before executing Run System Trace?
If you are tracing batch user ID or CPIC, then before executing the Run System Trace, you have to
ensure that the id should have been assigned to SAP_ALL and SAP_NEW. It enables the user to
execute the job without any authorization check failure.

Q. Mention what is the difference between USOBT_C and USOBX_C?

1. USOBT_C:This table consists the authorization proposal data which contains the authorization
data which are relevant for a transaction
2. USOBX_C:It tells which authorization check are to be executed within a transaction and which must
not

Q. Mention what is the maximum number of profiles in a role and maximum number of object
in a role?
Maximum number of profiles in a role is 312, and maximum number of object in a role is 150.
Q. What is the t-code used for locking the transaction from execution?
For locking the transaction from execution t-code SM01, is used.

Q. Mention what is the main difference between the derived role and a single role?
For the single role, we can add or delete the t-codes while for a derived role you cannot do that.

Q. Explain what is SOD in SAP Security?

SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent error or
fraud during the business transaction. For example, if a user or employee has the privilege to access
bank account detail and payment run, it might be possible that it can divert vendor payments to his
own account.

Q. Mention which t-codes are used to see the summary of the Authorization Object and Profile
details?
1. SU03: It gives an overview of an authorization object
2. SU02:It gives an overview of the profile details

Q. Explain what is User Buffer?

A user buffer consists of all authorizations of a user. User buffer can be executed by t-code SU56 and
user has its own user buffer. When the user does not have the necessary authorization or contains
too many entries in his user buffer, authorization check fails.

Q. By which parameter number of entries are controlled in the user buffer?

In user buffer number of entries are controlled by the profile
parameter “Auth/auth_number_in_userbuffer”.

Q. How many transactions codes can be assigned to a role?

To a role maximum of 14000 transaction codes can be assigned.

Q. Mention which table is used to store illegal passwords?

To store illegal passwords, table USR40 is used, it is used to store pattern of words which cannot be
used as a password.

Q. Explain what is PFCG_Time_Dependency?

PFCG_TIME_DEPENDENCY is a report that is used for user master comparison. It also clears up
the expired profiles from user master record. To directly execute this report PFUD transaction code
can also be used.

Q. Explain what does USER COMPARE do in SAP security?

In SAP security, USER COMPARE option will compare the user master record so that the produced
authorization profile can be entered into the user master record.
Q. Mention different tabs available in PFCG?
Some of the important tab available in PFCG includes
1. Description:The tab is used to describe the changes made like details related to the role, addition
or removal of t-codes, the authorization object, etc.
2. Menu:It is used for designing user menus like addition of t-codes
3. Authorization:Used for maintaining authorization data and authorization profile
4. User:It is used for adjusting user master records and for assigning users to the role

Q. Which t-code can be used to delete old security audit logs?

SM-18 t-code is used to delete the old security audit logs.

Q. Explain what reports or programs can be used to regenerate SAP_ALL profile?

To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.

Q. Using which table transaction code text can be displayed?

Table TSTCT can be used to display transaction code text.

Q. Which transaction code is used to display the user buffer?

User buffer can be displayed by using transaction code AL08

Q. Mention what SAP table can be helpful in determining the single role that is assigned to a
given composite role?
Table AGR_AGRS will be helpful in determining the single role that is assigned to a given composite
role.

Q. What is the parameter in Security Audit Log (SM19) that decides the number of filters?
Parameter rsau/no_of_filters are used to decide the number of filters.

Q. How to create the user group in SAP system?

1. User group can be created by performing the below steps:
2. Execute the t-code SUGR
3. Enter the name of user group to be created in the textbox
4. Click on the create the button
5. Enter the description and click on save button

Q. How to find the Transport requests containing the specific role?

The list of Transport requests containing the specific role can be retrieved by performing below steps:
1. Execute the t-code SE03
2. Double click on option “Search for Objects in requests/Tasks”• under node “Objects in
Requests”• in left panel of screen. This will take us to new screen.
3. In object selection screen, enter the field value as ACGR and check the checkbox present at left
side.
4. Enter the role name for which we need the list of transport request.
5. In screen “Request/Task Selection”• screen (below section of the same screen), check the status
of the requests which we need in the list
6. Click on execute button

Q. How to check the transport requests created by other user?

The t-code SE10 provide the option to enter the user name. By using this facility, we can search the
transport requests created by other users.

Q. How to generate the list of roles having authorization objects with status as “maintained”•?
This list can be generated by using the table AGR_1251 as below:
Execute the t-code SE16
Enter the table name as AGR_1251 and hit enter button
Enter the field value as “G” in field “Object Status” and click on execute
The same table can be used to generate the list of roles with authorization objects having status
modified and manual with field values M and U respectively.

Q. How to find the email ids if given a list of users (say 100)?
The list of email ids for given users can be generated by performing the below steps:
1. Execute the t-code SE16
2. Enter the table name as USR21.
3. Upload the list of users using multiple selection option and execute. This will give us the list of users
and their respective person numbers
4. Extract this data to excel sheet
5. Now, go back to SE16 and enter table name ADR6
6. Upload the list of person number extracted from table USR21 and execute
7. Now, table ADR6 will give us the list of person numbers and their email ids.
8. Download the list in excel and perform V-look up in excel to map the email ids of users with their
SAP IDs

Q. How to find user defined, system default values for security parameters?
The values for parameters can be checked by using the t-code RSPFPAR. After executing the t-code,
given the parameter name and click on execute.
Q. How to assign the logical system to client?
Logical system can be assigned to client by using the t-code SCC4. We need to be very careful while
doing this change as it can affect the CUA (if configured).

Q. Which entities are not distributed while distributing the authorization data from master role
to derived roles?
During the distribution of authorization data from master role to derived roles, Organizational values
and user assignment are not distributed. The Org. values and user assignments are specific to
individual roles hence has no bearing on master-derived role relationship.
Explore SAP Security Sample Resumes! Download & Edit, Get Noticed by Top
Employers!Download Now!
Q. How to assign the multiple roles to more than 20 users in one shot in t-code SU10?
To perform this mass role assignment, we need to follow below steps in SU10:
1. In SU10 home screen, click on the button “Authorization Data”•
2. This will take to the new screen similar to screen in t-code SUIM -> User by complex search criteria.
Enter the search criteria for users needed to be changed in SU10 and execute the same
3. Once the list of users is reflected, click on “select all” button on left top corner of the list and click
on “Transfer”• button. This will take us back to SU10 screen with all the selected users in users
4. Now, click on select all button in SU10 home screen and then click on change button.
5. Above step will take us to the next screen where you can perform the role assignment as in normal
case of SU10 t-code

Q. What is the use of SU25 t-code?

The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and
USOBX_C. Generally, this t-code needs to be executed after the installation of system upgrade so
that the values in customer tables are updated accordingly.

Q. What is the use of authorization object S_TABU_LIN?

This authorization object is used to provide the access to tables on row level.

Q. What are the authorization groups and how to create them?

Authorization groups are the units comprising of tables for common functional area. Generally, each
table is assigned to a authorization group due to this reason we need to mention the value of
authorization group while restricting the access to table in authorization object S_TABU_DIS.
The authorization group can be created by using the t-code SE54. The assignment of tables to
authorization group can be checked by using table TDDAT.

Q. What is SOX (Sarbanes Oxley)?

Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance and restore investor
confidence. Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
The Sarbanes-Oxley Act is legislation enacted in response to the high-profile Enron and WorldCom
financial scandals to protect shareholders and the general public from accounting errors and fraudulent
practices in the enterprise. Sarbanes-Oxley defines which records are to be stored and for how long.
The legislation not only affects the financial side of corporations, but also affects the IT departments
whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all
business records, including electronic records and electronic messages, must be saved for “not less
than five years”. The consequences for non-compliance are fines, imprisonment, or both. IT
departments are increasingly faced with the challenge of creating and maintaining a corporate records
archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Organizations should be able to guarantee the integrity of some of their operations like PTP or OTC
which can have quiet a significant impact on the way the financial statements are projected if not
controlled.
Organizations today are thereby moving in direction of automating their softwares for SOX compliance.
A key factor towards achieving SOX compliance is to seperate the duties amongst individuals to such
an extent that no one person has the authorization to fulfill a complete cycle say procurement or sales.

Q. How to create a query in SAP R/3 system?

1. The query can be created and executed using the t-code SQVI:
2. Execute the t-code SQVI.
3. Enter the name of query to be created and click on create button.
4. Enter the Title and comments for query and select the data source such as table or table join.
5. Select the preferred view as Basis Mode or Layout Mode and click on continue button.
6. Above step will take us to the new screen, add the respective table on which we need to create a
query.
7. If Data source is selected as table join, select the respective tables as needed and joining fields.
8. Save and come to main screen. Here, you need to select the fields to be displayed in output and
their sequence.
9. The query can be created and executed using the t-code SQVI.

Q. What is the use of ST01? What are the return codes of t-code ST01
Transaction code ST01 is used to trace the user authorizations. This can be useful if we need to check
which all the authorizations have been checked in background when any t-code is being executed by
the business user.
0 – Authorization check passed
1 – No Authorization
2 – Too many parameters for authorization check
3 – Object not contained in user buffer
4 – No profile contained in user buffer
6 – Authorization check incorrect
7,8,9 – Invalid user buffer

Q. Please explain the personalization tab within a role?

Personalization is a way to save information that could be common to users, I meant to a user
role… E.g. you can create SAP queries and manage authorizations by user groups. Now this
information can be stored in the personalization tab of the role. (I supposed that it is a way for SAP to
address his ambiguity of its concept of user group and roles: is “usergroup” a grouping of people
sharing the same access or is it the role who is the grouping of people sharing the same access).

Q. Is there a table for authorizations where I can quickly see the values entered in a group of
fields?
In particular I am looking to find the field values for P_ORGIN across a number of authorization profiles,
without having to drill down on each profile and authorization. AGR_1251 will give you some
reasonable info.

Q. How can I do a mass delete of the roles without deleting the new roles ?
There is a SAP delivered report that you can copy, remove the system type check and run. To do a
landscape with delete, enter the roles to be deleted in a transport, run the delete program or manually
delete and then release the transport and import them into all clients and systems.
It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS. To used it, you need to tweak/debug & replace
the code as it has a check that ensure it is deleting SAP delivered roles only. Once you get past that
little bit, it works well.

Q. Someone has deleted users in our system, and I am eager to find out who. Is there a table
where this is logged?
1. Debug or use RSUSR100 to find the info’s.
2. Run transaction SUIM and down its Change documents.

Q. How to insert missing authorization?

su53 is the best transaction with which we can find the missing authorizations.and we can insert those
missing authorization through pfcg.

Q. What is the difference between role and a profile?

Role and profile go hand in hand. Profile is bought in by a role. Role is used as a template, where you
can add T-codes, reports..Profile is one which gives the user authorization. When you create a role,
a profile is automatically created.
Q. What profile versions?
Profile versions are nothing but when u modifies a profile parameter through a RZ10 and generates a
new profile is created with a different version and it is stored in the database.

Q. What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports and web
addresses.

Q. What is the different between single role & composite role?

A role is a container that collects the transaction and generates the associated profile. A composite
roles is a container which can collect several different roles

Q. Is it possible to change role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with
user role templates
1. – we can use it as they are delivered in sap
2. – we can modify them as per our needs through pfcg
3. – we can create them from scratch.
For all the above specified we have to use pfcg transaction to maintain them.

Q. SAP Security T-codes?

Frequently used security T-codes
1. SU01 Create/ Change User SU01 Create/ Change User
2. PFCG Maintain Roles
3. SU10 Mass Changes
4. SU01D Display User
5. SUIM Reports
6. ST01 Trace
7. SU53 Authorization analysis

Q. How to create users?

Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial
password for that user on the Logon data tab. All other data is optional. Click here for turotial on
creating sap user id.

Q. What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a transaction and
which not (despite authority-check command programmed ). This table also determines which
authorization checks are maintained in the Profile Generator. The table USOBT_C defines for each
transaction and for each authorization object which default values an authorization created from the
authorization object should have in the Profile Generator.

Q. What authorization are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
1. S_USER_GRP: User Master Maintenance: Assign user groups
2. S_USER_PRO: User Master Maintenance: Assign authorization profile
3. S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. List R/3 User Types

1. Dialog users are used for individual user. Check for expired/initial passwords Possible to change
your own password. Check for multiple dialog logon
2. A Service user – Only user administrators can change the password. No check for expired/initial
passwords. Multiple logon permitted
3. System users are not capable of interaction and are used to perform certain system activities, such
as background processing, ALE, Workflow, and so on.
4. A Reference user is, like a System user, a general, non-personally related, user. Additional
authorizations can be assigned within the system using a reference user. A reference user for
additional rights can be assigned for every user in the Roles tab.

Q. What is a derived role?

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the
functions included (transactions, reports, Web links, and so on) from the role referenced. A role can
only inherit menus and functions if no transaction codes have been assigned to it before.
1. The higher-level role passes on its authorizations to the derived role as default values which can be
changed afterwards. Organizational level definitions are not passed on. They must be created anew
in the inheriting role. User assignments are not passed on either.
2. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical
menus and identical transactions) but have different characteristics with regard to the organizational
level.

Q. What is a composite role?

A composite role is a container which can collect several different roles. For reasons of clarity, it does
not make sense and is therefore not allowed to add composite roles to composite roles. Composite
roles are also called roles.
1. Composite roles do not contain authorization data. If you want to change the authorizations (that
are represented by a composite role), you must maintain the data for each role of the composite role.
2. Creating composite roles makes sense if some of your employees need authorizations from several
roles. Instead of adding each user separately to each role required, you can set up a composite role
and assign the users to that group.
3. The users assigned to a composite role are automatically assigned to the corresponding
(elementary) roles during comparison.

Q. What does user compare do?

If you are also using the role to generate authorization profiles, then you should note that the generated
profile is not entered in the user master record until the user master records have been compared.
You can automate this by scheduling report FCG_TIME_DEPENDENCY on.

Q. What is the difference between C (Check) and U (Unmentioned)?

Background: When defining authorizations using Profile Generator, the table USOBX_C defines which
authorization checks should occur within a transaction and which authorization checks should be
maintained in the PG. You determine the authorization checks that can be maintained in the PG using
Check Indicators. It is a Check Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.
CM (Check/Maintain):
-An authority check is carried out against this object.
-The PG creates an authorization for this object and field values are displayed for changing.
-Default values for this authorization can be maintained.
C (Check):
-An authority check is carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
N (No check):
-The authority check against this object is disabled.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
U (Unmaintained):
-No check indicator is set.
-An authority check is always carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.