SAP Security Interview Questions

Last updated on Nov 22, 2023

Are you preparing for the SAP security interview? If so, this article will help you. In this article, we have listed out some of the most frequently asked interview questions. These questions will enhance your preparation. SAP systems are loaded with the essential information related to customers, financials, and organizational employees. A SAP security mechanism should be in place to prevent system risk. There are many opportunities here because there are very few qualified SAP security professionals in the industry. Read on for more information on the types of questions that may be asked during a SAP security interview. So, Let's get started with SAP Security Interview questions.

Most Frequently Asked SAP Security Interview Questions and Answers

What do you mean by SAP Security?

AnsThe SAP Security module prevents unauthorized use and access of SAP data and applications. SAP refers to Systems, Applications, and Products in data processing. It aims to give business users the right of access based on their authority or responsibility. Permission is granted in accordance with their roles within organizations or departments. It includes three areas:

Confidentiality: The information must not be disclosed without authorization.

Integrity: Data must not be changed without authorization.

Availability: Distributed denial of service attacks must not take place.

Become a SAP Security Certified professional by learning this HKR SAP Security Training !

Describe about SAP Security Roles

AnsRoles are simply transaction codes that are typically found in groups. These codes are provided for performing particular business assignments. So all those roles or t-codes need certain privileges for implementing any function when it comes to SAP security. And such special privileges are referred to as authorization.

What are the requirements for assigning Sap_all to a user even if there is approval from the authorization controllers?

AnsSome steps must be taken before giving or handing over SAP_all to all the users. Such measures are required even when they are approved by a person in authority. These requirements include the following:

  • The first step is to enable the audit log. It can be accomplished through a transactional code sm 19.
  • The second step includes extracting the audit log. It can be accomplished through a transactional code sm 20.

What is the transactional code that separates the execution of the transaction and locks any transaction?

AnsThe transactional code that is used for locking the transaction to execute is SM01.

How can we check table logs?

Ans. To verify Table logs, we must check whether the function “logging” is active for a certain table. Here, we can use the SE13 T-code, and in case the table is active for logging, we can verify the logs of the table with T-code SCU3.

How can we remove multiple roles in Dev, QA, and production system?

AnsFollowing are some of the steps to delete multiple roles in Dev, QA, and Production systems:

  • First, we need to put the roles that are to be deleted in transport.
  • Now delete the roles to be deleted.
  • Finally, it is necessary to send transport through production and quality assurance.

What are the different SAP Security layers?

AnsThe various SAP security layers include the following:

  • Integrity
  • Authentication
  • Obligation
  • Privacy
  • Authorization

What is the highest number of objects and profiles in roles?

AnsThe highest number of profiles a role can have is three hundred and twelve. The number of objects a role can have is one hundred and seventy.

What is SOD?

AnsSOD refers to the Segregation of Duties. It is implemented to identify and prevent errors or fraud through business transactions. Example: If a user/employee has the privilege of accessing the bank account details and payment cycle, it may be possible for them to divert payments from suppliers to their own account.

) What is a User Buffer?

AnsA user buffer is created when a user connects to the SAP system. It contains the permissions of that specific User. Each User is provided with their own user buffer. It is used to monitor. It indicates that no other action may be taken in the course of this transaction. It may be used for analyzing a specific user or resetting the buffer for that User. A user may display their own user buffer with the help of the SU56 t-code.

SAP Security Training

  • Master Your Craft
  • Lifetime LMS & Faculty Access
  • 24/7 online expert support
  • Real-world & Project Based Learning

) How do a single role and a derived role differ?

AnsThe main difference lies in how transaction codes are handled. When dealing with a single role, transactional codes may be easily added or deleted. But while dealing with the derived role, transactional codes cannot be added or deleted. That's the biggest difference between a single role and a derivative role.

) What is PFCG Time dependency?

AnsThe PFCG time dependency is a report that is normally used to compare the user master. The PFCG Time dependency also erases all profiles of the main record that appear to be of no use or have expired. PFUD is a transactional code which can be used to carry out this particular action.

) What should we do before running the Run System Trace?

AnsThere are some things to do prior to executing the Run system trace. If you must trace the CPIC or User ID before running the Run system, then make sure that the ID is either SAP_new or SAP_all. This must be done because it ensures that the work can be performed without any type of authorization check failure.

) Explain authorization object class and authorization object.

AnsAuthorization object class: Authorization object belongs to Authorization object classes. Authorization object classes are grouped by the functional areas like finance, HR, accounting, and so on.

Authorization object: They are the groups of authorized fields which will regulate a specific activity. Authorization is related to a specific action, whereas the Authorization field is related to security administrators for configuring a particular value in that specific action.

) What is the parameter that is used in the User buffer to control excess entries?

AnsThe user buffer examines the entries and should check the entries because they should not go beyond. The parameter that is used is auth/auth_number_in_userbuffer.

) How is USOBT_C different from USOBX_C?


  • USOBX_C: It indicates which authorization control should be carried out in a transaction and which should not be carried out in a transaction.
  • USOBT_C: This table contains the data relating to the proposed authorization that contains the appropriate authorization information for the transactioN.

) What are the various tabs available in PFCG?

AnsFollowing are some of the important tabs that are available in PFCG:

  • Description: It is used to describe changes made as role details, adding or removing t-codes, authorization objects, etc.
  • Menu: This is used to create user menus, such as adding t-codes.
  • Authorization: It is used to maintain authorization data as well as authorization profiles.
  • User: This is used to adjust user master records and to assign roles to the users.

) Describe a Composite Role?

AnsA composite role is a container that can gather many different roles. For more clarity, this makes no sense, and, as a result, composite roles cannot be added to composite roles. The Composite roles are also known as roles.

  • Composite roles are free of authorization data. If you would like to modify permissions (which are shown by a composite role), You need to keep the data up to date for every role related to the composite role.
  • It makes sense to create composite roles if any of the employees require multi-role permissions.
  • Rather than adding every User individually to every required role, you can configure a composite role and assign the users to that particular group.
  • Users assigned to the composite role are assigned automatically to the respective (basic) roles when comparing.

) How can we create a user group within SAP?

AnsBelow are the steps for creating a user group within the SAP system.

  • Use T-code SUGR and run it.
  • Enter the user group's name in the given text box. 
  • Once you have provided the name of the user group, click on the create button.
  • Then type the description and select the Save button.
  • As a result, the user group created in the SAP system is completed.

) What are the user lock values?

AnsThe user lock values are as follows: 

  • 00 indicates not locked
  • 32 indicates Locked by CUA central administrator
  • 64 indicates Locked by the system administrator
  • 128 indicates Locked following a connection failure.

) What are the transactional codes frequently used in SAP security?

AnsFollowing are the transactional codes that are frequently used in SAP security:

  • SU53 to authorize the analysis,
  • ST01 to trace,
  • SUIM to reports, 
  • SU01D to the display user, 
  • SU10 to bulk changes, 
  • PFCG for maintaining roles, and
  • SU01 to create or change the User.
HKR Trainings Logo

Subscribe to our YouTube channel to get new updates..!

) What do the USER COMPARE do when it comes to SAP security?

Ans. In SAP Security, the role of USER COMPARE is helpful to compare the client’s master records. Also, it is useful to build authorized profiles through these master records. 

) Can we change the Role Template?

AnsYes! User role templates can be changed. We can work with the user role templates in three ways. 

We are able to use it because they come with SAP. We can change them according to our requirements using pfcg. They can be created from scratch. For everything that is specified above, we must use pfcg transactions to keep them.

) What is the Personalization Tab in a role?

AnsPersonalization is one way of saving information that can be shared by the users. For example, create SAP Queries and control authorizations by the user groups. This data will be stored in the personalization tab of the role.

) Describe the role of the User Compare in SAP security.

AnsIn SAP security, the role of the user compare is that it assists in the comparing User's master records. This makes it easier to enter the allowed profile that is generated in the master records.

) What permissions are required for creating and maintaining user master records?

AnsSome of the following authorization objects are needed for creating and maintaining user master records:

S_USER_GRP: to assign user groups

S_USER_PRO: to assign authorization profile

S_USERR_AUT: for creating and maintaining authorizations.

) What does a derived role mean?

Ans: Derived roles inherited from the menu structure and included functions like transactions, reports, web links, etc., in the referenced role. Derived roles are defined as existing roles. A role may inherit menus and functions only if there is no previously assigned transaction code. 

The higher-level role transmits its permissions to the derived role as the default values that can be changed in the future. Definitions at the organization level are not shared. They have to be created again in the inheriting role. User assignments are also not passed. Derived roles are the best way to maintain roles which do not differ in the functionality while having different features as far as the organizational level is concerned.

) Describe the different types of users within SAP.

AnsSAP has five types of users. They are:

Dialog user: While dialog logon, the system will check the expired or initial passwords. The users may modify their passwords. Multiple dialog logons are verified and saved.

System User: They are non-interactive users, and they are used for performing certain system activities such as Background Processing, ALE, TMS, Workflow, and CUA.

Service Users: The User in the dialog is available for a larger number of users. Only the user admin has the option of changing the password. The system will not verify expired or initial passwords while logging in.

Reference user: It is similar to a system user. It includes a non-personal general user.

Communication user: It is utilized for communication without dialogue between systems.

) How can we insert a missing authorization into SAP?

Ans. To identify the (missing) lost authorization in SAP, the T-code SU53 is useful. Moreover, the PFCG transaction is useful to the user to put the code into the profile.v

) What is Profile Version in SAP system?

Ans: When you modify the existing setting with transaction code RZ10, the existing setting automatically refreshes the version of the same profile. It's repeated every time the profile is changed. And all of those profiles are stored in a database.

. What is meant by “Authorization” in SAP Security?

AnsAuthorization allows us to use certain functions within the SAP system. Each authorization specifies a value or a set of values for each authorization field that is part of the authorization object. Also, it is related to an authorization object.

. What is the transaction code to check the background jobs?

AnsThe transaction code SM37 is useful for checking the background jobs in the SAP Security system.

. What is the way to lock different users simultaneously in SAP Security?

AnsTo lock many users in the SAP security system at a time, we have to use the T-code SU10. We can enter the names of the users within the T-code SU10 and lock them directly.

. How can you remove all the audit logs of old security in SAP security?

Ans: The T-code SM18 is useful for removing the old security audit logs in SAP Security.

. How to access the Lock Management or manage lock entries in SAP Security?

AnsTo access lock management or to manage lock entries in SAP security, we use the transaction code SM12.

SAP Security Training

Weekday / Weekend Batches

. What do you mean by the USR40 table?

AnsThis table stores all illegal passwords that include a pattern of some words that are not useful for setting passwords.

. Which T-code is used in SAP to get the user list?

AnsWe use the t-code SM04/AL08 to get the user list.

. What is the number of fields an authorization object contains?

Ans: An authorization object in SAP security contains ten fields.

. What is meant by T-code in SAP?

AnsIn SAP, T-code refers to transaction code that helps to run a program within the SAP application.

. How many T-codes can be assigned for a specific SAP security role?

Ans: For a specific role in SAP, we can allocate around 14000 transaction codes (t-codes).

. Define the use of transaction code SU25?

Ans: The t-code SU25 is useful for copying data from one table to another.

. List out the types of users for background jobs.

AnsThere are two types of users for background jobs in SAP such as-

  • Communication User
  • System User

The communication user allows dialog-free communication between the systems.

The system user is useful for conducting background processing and interaction.

. How to troubleshoot an issue for a background user in SAP security?

Ans: Using the T-code ST01, we can troubleshoot an issue for a background user in SAP security.

. How to impose password rules in SAP security?

Ans: Using the profile parameter, we can impose password rules in SAP Security.

. Which transaction code will you use for creating Authorization Groups in SAP Security?

Ans: We use SU21 to create Authorization groups in SAP security.

. Name the T-code to find the Transport requests?

Ans: Using the t-code SE10, we can easily find the transport requests in SAP Security. You will get the option to enter the user name, allowing us to find the requests for transport made by other users.

. What is the use of T-code ST01?

Ans: We use the t-code ST01 to trace the authorizations of the users.

. Why use the authorization object S_TABU_LIN in SAP Security?

AnsWe can use this authorization object to manage the individual table’s access at the row level.

. Mention the important steps before assigning the Sap_all to the users, even if the authorities approve.

Ans: Even if the authorities approve, the following will be the necessary steps to take-

  • To authorize the audit log- we use t-code SM19.
  • To recover the audit log- we use t-code SM20.

. Name the SAP table used to identify the specific single roles assigned to each.

Ans: Table AGR AGRS is utilized when a single role has to be known.


All the above are some of the frequently asked interview questions in  SAP Security. They will help you to clear your interview easily. We hope you found this information helpful. If you find difficulty finding answers related to SAP Security, drop your query in the comment section. We would revert with the answer. Happy learning!

Define Role Template.

Ans. In SAP Security, role template refers to activity clusters that are fixed. Also, these clusters include various aspects such as web addresses, reports, transactions, etc.

About Author

Kavya works for HKR Trainings institute as a technical writer with diverse experience in many kinds of technology-related content development. She holds a graduate education in the Computer science and Engineering stream. She has cultivated strong technical skills from reading tech blogs and also doing a lot of research related to content. She manages to write great content in many fields like Programming & Frameworks, Enterprise Integration, Web Development, SAP, and Business Process Management (BPM). Connect her on LinkedIn and Twitter.

Upcoming SAP Security Training Online classes

Batch starts on 19th Jun 2024
Mon & Tue (5 Days) Weekday Timings - 08:30 AM IST
Batch starts on 23rd Jun 2024
Mon - Fri (18 Days) Weekend Timings - 10:30 AM IST
Batch starts on 27th Jun 2024
Mon & Tue (5 Days) Weekday Timings - 08:30 AM IST
To Top