SAP Security Interview Questions, continued (i)


What is the difference between authorization user group and logon group?

An authorization user group is used for user management purposes. Each user group is managed by certain security administrators. The authorization object S_USER_GRP determines which user groups' users a given user admin can administer. Users who are not assigned to any user group can be administered by all the security user admins.

Logon groups are generally created by SAP Basis administrators and are used for logon load balancing. These are logical groups of users. These users can be assigned to one or more SAP instances. When a logon group is assigned to an SAP instance, all users belonging to that logon group log on to that particular instance by default. Hence logon groups help in load balancing.

What steps are checked by the system when an interactive user executes a transaction code?

The system performs the following checks when a user executes a transaction code:

(1) First, the system checks whether the transaction is a valid transaction code. This is checked in the TSTC table. If the tcode does not exist, the system gives the message that the transaction does not exist.

(2) If the tcode is a valid tcode, then the system checks whether the tcode is locked or unlocked. Field CINFO in TSTC is used to determine whether the transaction is locked or unlocked.

(3) The system then checks whether the user has the necessary tcode value maintained in authorization object S_TCODE in his/her user buffer. If the authorization object S_TCODE contains the required tcode, the system then checks whether any additional authorization check is assigned to the tcode via SE93. This value can be found on the initial screen of SE93 for that tcode or in the TSTCA table.

(4) Further authorization checks take place based on the values present in the source code under the “Authority-check” statement and the activity performed by the user.
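
The check order above, modelled in Python as an added example (not SAP code and not part of the original page). The table rows, the user buffer, the CINFO lock bit value 0x20 and all function names are assumptions constructed for illustration.

```python
# Constructed sample data; not taken from a real system.
TSTC = {"SU01": 0x00, "SM30": 0x00, "SE16": 0x20}   # tcode -> CINFO
TSTCA = {"SU01": ("S_USER_GRP", {"ACTVT": "03"})}   # extra check from SE93
LOCK_BIT = 0x20  # assumption: CINFO bit that marks a locked transaction

# User buffer: list of (authorization object, {field: [allowed values]}).
HELPDESK = [
    ("S_TCODE", {"TCD": ["SU*", "SE16"]}),
    ("S_USER_GRP", {"CLASS": ["HELPDESK"], "ACTVT": ["02"]}),
    ("S_USER_GRP", {"CLASS": ["*"], "ACTVT": ["03"]}),
]

def value_matches(pattern, wanted):
    """Exact value, or a prefix pattern ending in '*' ('*' alone = any)."""
    if pattern.endswith("*"):
        return wanted.startswith(pattern[:-1])
    return pattern == wanted

def has_auth(buffer, obj, required):
    """True only if ONE authorization of obj covers every required field."""
    return any(
        auth_obj == obj and all(
            any(value_matches(p, v) for p in fields.get(f, []))
            for f, v in required.items())
        for auth_obj, fields in buffer)

def start_transaction(tcode, buffer):
    """Return the step at which the start fails, or 'started'."""
    if tcode not in TSTC:
        return "step 1: transaction does not exist"
    if TSTC[tcode] & LOCK_BIT:
        return "step 2: transaction is locked"
    if not has_auth(buffer, "S_TCODE", {"TCD": tcode}):
        return "step 3: no S_TCODE authorization for " + tcode
    if tcode in TSTCA and not has_auth(buffer, *TSTCA[tcode]):
        return "step 3: missing " + TSTCA[tcode][0] + " from SE93/TSTCA"
    return "started"  # step 4 checks then run inside the program

if __name__ == "__main__":
    for t in ("ZZZZ", "SE16", "SM30", "SU01"):
        print(t, "->", start_transaction(t, HELPDESK))
    # Step 4 style check: change (02) a FINANCE user. Fields are not
    # combined across authorizations, so this is denied.
    print(has_auth(HELPDESK, "S_USER_GRP", {"CLASS": "FINANCE", "ACTVT": "02"}))
```

In this model the lock check in step (2) fires before S_TCODE is looked at, so the sample user is refused SE16 even though the buffer lists it.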

How do we know who made changes to table data and when?

If the Log Changes checkbox is enabled for the table, table DBTABLOG keeps all the log data for the related table.

What is a composite role?

A composite role is like a container which contains several single roles. It does not contain authorization data itself; the authorizations need to be maintained in each single role of the composite role. A composite role cannot be added to another composite role. The users assigned to a composite role are automatically assigned the corresponding single roles.


