SAP Security Roles Related Tables & Reports






Roles Related Tables:


Table Name          Short Text

AGR_1016            Name of the activity group profile
AGR_1016B           Name of the activity group profile
AGR_1250            Authorization data for the activity group
AGR_1251            Authorization data for the activity group
AGR_1252            Organizational elements for authorizations
AGR_1253            Authorization Data for Activity Group - Static Objects
AGR_AGRS            Roles in Composite Roles
AGR_AGRS2           Role definition
AGR_ATTS            Role attributes
AGR_BUFFI           Internet Links for a Role
AGR_BUFFI2          Internet links table - Customer version of SAP roles
AGR_BUFFI3          Internet links table - SAP versions of SAP Roles
AGR_CUSTOM          Role Customizing objects
AGR_DATEU           Personal settings for roles
AGR_DEFINE          Role definition
AGR_FAVOS           Personal settings for PFCG
AGR_FLAGS           Role attributes
AGR_FLAGSB          Role attributes
AGR_HIER            Table for Structure Information for Menu
AGR_HIER_BOR        Table for Object-Oriented Navigation (OBN)
AGR_HIER2           Menu structure information - Customer version of SAP roles
AGR_HIER3           Menu structure information - SAP version of SAP roles
AGR_HIERT           Role menu texts
AGR_HIERT2          Role menu texts - Customer version of SAP objects
AGR_HIERT3          Role menu texts - SAP Original
AGR_HPAGE           Role Home Page
AGR_HPAGET          Description of the Home Page for a Role
AGR_INFO            Filter Values from Generation Run
AGR_LOGSYS          Logical system
AGR_LSD             Role attributes
AGR_MAP_KNUMA       Conversion Table AG_GUID CRM <> KNUMA
AGR_MAPP            MiniApps in Role
AGR_MARK            Table for report SAPPROFC_NEW
AGR_MEM_INITIAL     Agreements: Buffer for Initial Upload
AGR_MINI            MiniApps in Role
AGR_MINI2           MiniApps in Role
AGR_MINIT           Role mini-appl texts
AGR_MINIT2          Role mini-application texts
AGR_NUM_2           Internal Counter for Assigning Profile Names
AGR_NUMBER          Internal Counter for Assigning Profile Names
AGR_OBJ             Assignment of Menu Nodes to Role
AGR_PROF            Profile name for role
AGR_REL_KNUMA_CM    Assignment: Agreement --> Campaign
AGR_SELECT          Assignment of roles to Tcodes
AGR_TCDTXT          Assignment of roles to Tcodes
AGR_TCODE3          Assignment of roles to Tcodes
AGR_TCODES          Assignment of roles to Tcodes
AGR_TEXTS           File Structure for Hierarchical Menu - Customer
AGR_TIME            Time Stamp for Role (Menu, Profile, Authorizations)
AGR_TIMEB           Time Stamp for Role (Profile Generation)
AGR_TIMEC           Time Stamp for Role (User Assignment)
AGR_TIMED           Time Stamp for Role (Profile Comparison, RFC Distribution)
AGR_USERS           Assignment of roles to users
AGR_USERT           Assignment of roles to users



                                     






PFCG Related Reports:

SA38 or SE38

Name                                Description

PFCG_ADD_MINIAPP                    Add a MiniApp
PFCG_AGRS_WITH_MANUAL_S_TCODE       List All Roles with Manual S_Tcode Authorization
PFCG_MASS_DOWNLOAD                  Bulk role download
PFCG_MASS_IMPORT                    Bulk role import
PFCG_MASS_TRANSPORT                 Mass transport of Roles
PFCG_MODAUTH                        Program PFCG_MODAUTH
PFCG_ORGFIELD_CREATE                Profile Generator: Create New Org. Level Field
PFCG_ORGFIELD_DELETE                Profile Generator: Create New Org. Level Field
PFCG_ORGFIELD_UPGRADE               Profile Generator: Modification after Upgrade for New Org. Level Fields
PFCG_REGENERATE_ACT_GROUPS          Generate Role Authorization Profiles
PFCG_REGENERATE_ALL_ACT_GROUPS      Generate all Role Authorization Profiles
PFCG_REGENERATE_INCONSISTENT        Program DSAPPROASDFASDF
PFCG_SET_ACTGROUP_TIMESTAMP         Program PFCG_SET_ACTGROUP_TIMESTAMP
PFCG_SET_PROFILE_NAMERANGE          Set Number Range for Profile Name Proposal
PFCG_START_PFCG                     Program to start Transaction PFCG
PFCG_TIME_DEPENDENCY                Role Time dependency scheduling report
PFCG_UPDATE_ALL_ROLES               Regenerate all Roles

SE37

PFCG_COPY_AGR_GET_NEW_NAMES         Copy composite Roles
PFCG_WRITE_DOCUMENT
PFCG_SET_WINDOW_WIDTH
























                            



Evaluation of Authorizations (SU53) in SAP Security

Troubleshooting using SU53

Troubleshooting security issues is one of the daily tasks of any security administrator. The first method of investigating authorization failures is the ubiquitous SU53 transaction. We ask the affected user to run the step(s) that replicate the issue and, immediately on getting the error, execute /nsu53 through the command window. The screenshots below show the sequence of actions.

The user tries to create another user through SU01 and gets an authorization error.

The user gets a pop-up window with the message that he doesn’t have authorization to create a user.

Often, clicking the help button provides important information about the background of the error.

To get the SU53 screen, we execute /nsu53 from the command window immediately after getting the error. The SU53 window shows the last authorization check that returned a non-zero value (authorization failure) for the user.

The biggest limitation of SU53 is that it only shows the last authorization failure of a user. In a typical transaction, there can be an entire sequence of authorization checks, any of which might fail. To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).
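The following ABAP report is an added illustration, not code from the original post and not SU01's actual source. It runs two authorization checks in sequence and records the return code of each one, which makes visible what a single "last failed check" view can hide. The report name Z_AUTHCHECK_DEMO and the user group TESTGRP are constructed for the example.

```abap
REPORT z_authcheck_demo.  " hypothetical report name

TYPES: BEGIN OF ty_result,
         object TYPE c LENGTH 10,
         subrc  TYPE sy-subrc,
       END OF ty_result.

DATA: lt_results TYPE STANDARD TABLE OF ty_result WITH DEFAULT KEY,
      ls_result  TYPE ty_result.

" Check 1: may the user start transaction SU01 at all?
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'SU01'.
ls_result-subrc  = sy-subrc.       " save the return code right away
ls_result-object = 'S_TCODE'.
APPEND ls_result TO lt_results.

" Check 2: may the user create (activity 01) users in this user group?
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' FIELD 'TESTGRP'       " constructed user group
  ID 'ACTVT' FIELD '01'.
ls_result-subrc  = sy-subrc.
ls_result-object = 'S_USER_GRP'.
APPEND ls_result TO lt_results.

" sy-subrc = 0 means the check passed; any non-zero value is a failure.
" Listing every result shows the whole sequence of checks, not just
" the last failing one.
LOOP AT lt_results INTO ls_result.
  IF ls_result-subrc = 0.
    WRITE: / ls_result-object, 'passed'.
  ELSE.
    WRITE: / ls_result-object, 'failed, sy-subrc =', ls_result-subrc.
  ENDIF.
ENDLOOP.
```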

SAP Security Authorization Interview Questions

Hi All,

Here I am going to share some important interview questions in SAP Security & Authorizations.

SU25:-

1) How will you initialize SAP Security in your organization?
2) What are the steps we have in SU25?
3) What is the purpose of SU25 in SAP Security?
4) What is the relationship between the USOBT, USOBX tables and the USOBT_C, USOBX_C tables in SAP Security?
5) Why should we perform "Initially fill the customer tables" in SU25?


SU01:-

1) What are the types of users in an SAP system?
2) In which scenarios will we use these users, with an example for each type of user?
3) What is the use of the User group field under the Logon data tab?
4) What is the difference between the Logon data user group and the User group in SU01?
5) What is the use of the Parameters tab and the Personalization tab?
6) What is the validity period for your end users?
7) Authorization checks for the user?
8) How will you delete the user?
9) How to reset the password for mass users at a time?
10) How to lock/unlock mass users at a time in SAP Security?
11) In which scenario will you go for a Reference type user?
12) What is the purpose of the Defaults tab?
13) Where can we add a Reference type user ID?
14) What is the maximum number of profiles you can assign to a particular user in SAP?
15) What is the length of the user buffer in an SAP system?
16) What are the mandatory fields to create a user in an SAP system?
17) What is the difference between Communication and System type users in SAP?
18) What is the use of the Licensing data tab in SU01?
19) How will you get URF in your organization?
20) How can you change an existing user ID?

SU10, LSMW & SECATT Scripting:-

1) How will you create 1000 users at a time in an SAP system?
2) Explain the LSMW process.
3) What is the difference between SU10 and SU01?
4) What is URF?
5) When will you get creation of mass users at a time in an SAP system?
6) In which scenario will you get a mass password reset for users in SAP?
7) Have you created mass users using SECATT? If yes, tell me the process.
8) While creating mass users in SECATT, what changes do you need to make in the SAP system?
9) What are the advantages of creating mass users using scripts other than SU10?
10) What are the advantages and disadvantages of SU10?
11) How do you share a system-generated password with a particular user?

User Related Tables (SE16):-
USR* tables

1) What is USR02?
2) Where can you find the user lock status at table level, and under which field?
3) In which table can we find user license data at table level?
4) In which table can we find incorrect logon attempts for the user?
5) In which table can you find the user buffer size?
6) Where can we find the alias name for the user at table level?
7) Where can we find user login sessions?
8) What are the MODDA, MODBE, MODT fields, and in which table can we find them?
9) Where can we find the last missing authorizations for the user at table level?
10) Where can you find the email address of the user?


PFCG:-

1) Have you worked on the profile generator?
2) Have you worked on role creation? How have you created roles?
3) How will you create roles in your organization? What is the naming convention in your organization?
4) Why derived roles?
5) Can we add composite roles to a composite role? If no, then why?
6) How many profiles can we add to a single user?
7) What is the difference between a profile and a role?
8) Can we assign profiles directly to users? If yes, how many profiles can we assign to a single user?
9) What is an authorization object?
10) Why should we generate a profile?
11) Which type of roles is your organization following?
12) What is the relationship between PFCG and SU24?
13) How will you make changes in derived roles?
14) Have you worked in Expert mode?
15) What are the types of statuses you know in the profile generator?
16) What are the traffic signals you know in PFCG? What do they mean?
17) Have you worked on the SU22 Tcode?
18) What is the relationship between SU22 and PFCG?
19) Have you created custom authorization objects?
20) What are the system login parameters you will use as an administrator?
21) How will you find out user access related issues?
22) How to convert fields to organization values?
23) How to delete a role?
24) How to transport a role from the Development to the Production system?
25) How will you delete roles from the Production systems?
26) Why do single roles sometimes have more profiles?
27) How will you delete all expired role assignments for multiple users?
28) How to assign a single role to multiple users?
29) How will you delete multiple roles from the SAP system at a time?
30) How to give access to tables?