SAP Security Interview Cheatsheet (Quick Revision Guide)


1. SAP Security Basics

  • SAP Security = User Access + Authorization Control.
  • Ensures:
    ✔ Controlled system access
    ✔ SOD compliance
    ✔ Role-based access
    ✔ Audit & governance

Core tools: SU01, SU10, SU24, SU22, PFCG, SU53, ST01.


2. User Administration

  • Create/Lock/Delete users (SU01)
  • Mass user changes (SU10)
  • User groups & roles
  • Password resets and password policy (login/* profile parameters)
  • User types:
    • Dialog – interactive logon; password rules and expiry apply
    • System – background jobs and internal RFC; no dialog logon
    • Communication – external RFC/CPIC; no dialog logon, passwords still expire
    • Service – shared anonymous dialog access (e.g. public web scenarios); no password change prompts
    • Reference – cannot log on; only lends its authorizations to other users

3. Role Administration (PFCG)

  • Role = Menu + Authorizations + User assignment.
  • Types of roles:
    • Single role
    • Composite role
    • Derived role (child role)
  • Menu tab entries:
    • Transaction codes
    • Reports
    • Web links (URLs)
    • Fiori catalogs and groups
  • Authorization objects are not menu entries: they sit on the Authorizations tab, pulled in from SU24 for each menu entry.

Role maintenance steps:

  1. Add menu items (transactions, reports, URLs)
  2. Open the Authorizations tab: the SU24 defaults for every menu entry are pulled in
  3. Fill org levels and open (yellow) fields, remove what is not needed
  4. Generate the profile
  5. Assign users and run the user master comparison (PFCG User tab or PFUD)

4. Authorization Objects

  • An object has up to 10 fields; each authorization in a role holds one value set per field
  • Checked by ABAP code via AUTHORITY-CHECK OBJECT ... ID ... FIELD ...; sy-subrc 0 = passed, 4 = the user has the object but not with the required values, 12 = no authorization for the object at all
  • Common objects: S_TCODE (transaction start), F_BKPF_BUK (FI document by company code), P_ORGIN (HR master data); ACTVT is the activity field most objects share
  • Standard ACTVT values:
    • 01 → Create
    • 02 → Change
    • 03 → Display
    • 04 → Print
    • 06 → Delete
    • 08 → Display change documents
    • 16 → Execute

5. Key Security Transactions

  • SU01 – User maintenance
  • SU10 – Mass user maintenance
  • PFCG – Role maintenance (profile generator)
  • PFUD – User master comparison
  • SU24 – Customer check indicators and default values per tCode
  • SU22 – SAP-delivered check indicators and defaults
  • SU25 – Bring changed SU22 defaults into SU24 after an upgrade
  • SE93 – Maintain transaction codes
  • SU53 – Display the last failed authorization check
  • SU56 – Display the user's authorization buffer
  • ST01 – System trace (authorization check component)
  • SUIM – User Information System (reporting)

6. SOD (Segregation of Duties)

  • Ensures that no single user can perform two conflicting steps of one business process.
  • Managed via:
    • GRC Access Control
    • Rule sets
    • Risk IDs
    • Mitigating controls
  • Common SOD conflicts:
    • Create vendor + Pay vendor
    • Create purchase order + Approve PO
    • Create FI document + Post payment

7. SAP GRC (Governance, Risk, Compliance)

Core modules:

  • ARA – Access Risk Analysis
  • ARM – Access Request Management
  • BRM – Business Role Management
  • EAM – Emergency Access Management (Firefighter IDs)

Important concepts:

  • Risk analysis (user/role level)
  • Mitigation
  • Workflow approvals
  • Firefighter logs
  • Emergency access ID

8. SU24 / SU22 – Most Common Interview Topic

  • SU24 maintains the customer defaults for a tCode: per object a check indicator (Check / Do not check), a proposal flag (Yes / No) and default field values; stored in USOBX_C / USOBT_C.
  • When the tCode is added to a PFCG menu, the SU24 proposals populate the Authorizations tab:
    ✔ Objects flagged Check + Proposal
    ✔ Their default field values (org levels stay open to be filled)
  • SU22 holds the SAP-delivered defaults (USOBX / USOBT). Customers do not maintain SU22; the customer copy lives in SU24.
  • SU25 brings changed SAP defaults into SU24 after an upgrade or support package (step 2A automatic take-over, 2B manual comparison, 2C roles to regenerate).

Common use: keeping roles in sync with default values. Maintain the value in SU24, then open each role that contains the tCode in PFCG with "Read old status and merge with new data" so the role picks it up.
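A small simulation of what SU25 does with those tables, added here as an illustration (it is not SAP code): three constructed default sets, SAP before the upgrade, SAP after the upgrade and the customer's SU24 copy, are reconciled into the 2A/2B/2C work lists. The tcodes, objects, values and role menus are constructed sample data, and the (check, propose, values) triple is a simplification of the real check indicator and proposal flags.

```python
"""Simulates how SU25 reconciles SAP-delivered defaults (SU22: USOBX/USOBT)
with customer defaults (SU24: USOBX_C/USOBT_C) after an upgrade. Added
example, not SAP code; default tables and role menus are constructed.
Model: {tcode: {object: (check, propose, {field: set_of_values})}}, a
simplification of the check indicator / proposal flags plus default values."""

OLD_SAP = {  # USOBX/USOBT as delivered before the upgrade (constructed)
    "FB01":  {"S_TCODE":    (True, True, {"TCD": {"FB01"}}),
              "F_BKPF_BUK": (True, True, {"ACTVT": {"01", "02", "03"}, "BUKRS": {"$BUKRS"}})},
    "ME21N": {"S_TCODE":    (True, True, {"TCD": {"ME21N"}}),
              "M_BEST_EKO": (True, True, {"ACTVT": {"01"}, "EKORG": {"$EKORG"}})},
    "SE16":  {"S_TCODE":    (True, True, {"TCD": {"SE16"}}),
              "S_TABU_DIS": (True, False, {})},
}
NEW_SAP = {  # after the upgrade: ME21N gains a plant check, SE16 proposes S_TABU_NAM,
    "FB01":  OLD_SAP["FB01"],  # FB50 is newly delivered, FB01 is unchanged
    "ME21N": {**OLD_SAP["ME21N"],
              "M_BEST_WRK": (True, True, {"ACTVT": {"01"}, "WERKS": {"$WERKS"}})},
    "SE16":  {**OLD_SAP["SE16"], "S_TABU_NAM": (True, True, {"ACTVT": {"03"}})},
    "FB50":  {"S_TCODE":    (True, True, {"TCD": {"FB50"}}),
              "F_BKPF_BUK": (True, True, {"ACTVT": {"01", "02", "03"}, "BUKRS": {"$BUKRS"}})},
}
CUSTOMER = {  # USOBX_C/USOBT_C: the customer tightened ME21N, left FB01 and SE16 as SAP
    "FB01":  OLD_SAP["FB01"],
    "ME21N": {"S_TCODE":    (True, True, {"TCD": {"ME21N"}}),
              "M_BEST_EKO": (True, True, {"ACTVT": {"01"}, "EKORG": {"1000"}})},
    "SE16":  OLD_SAP["SE16"],
}
ROLE_MENUS = {"Z_FI_POST": {"FB01"}, "Z_MM_BUYER": {"ME21N"}, "Z_BASIS": {"SE16", "SM59"}}

def diff_defaults(before, after):
    """Object-level difference between two default sets of one tcode."""
    return {"added":   sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(o for o in set(before) & set(after) if before[o] != after[o])}

def su25_reconcile(old_sap, new_sap, customer, role_menus):
    """Step 2A: tcodes the customer never touched take the new SAP defaults automatically.
    Step 2B: tcodes the customer changed need a manual comparison (diff is listed).
    Step 2C: roles whose menu contains an affected tcode must be regenerated.
    Returns (plan, merged customer table)."""
    merged = dict(customer)
    plan = {"2A_auto": [], "2B_manual": {}, "2C_roles": [], "new_tcodes": []}
    for tcode, new_defaults in new_sap.items():
        if tcode not in old_sap:                 # newly delivered transaction
            merged[tcode] = new_defaults
            plan["new_tcodes"].append(tcode)
        elif new_defaults == old_sap[tcode]:
            continue                             # SAP did not change this tcode
        elif customer.get(tcode) == old_sap[tcode]:
            merged[tcode] = new_defaults         # 2A: customer never modified it
            plan["2A_auto"].append(tcode)
        else:                                    # 2B: customer value stays until reviewed
            plan["2B_manual"][tcode] = diff_defaults(old_sap[tcode], new_defaults)
    affected = set(plan["2A_auto"]) | set(plan["2B_manual"])
    plan["2C_roles"] = sorted(r for r, menu in role_menus.items() if menu & affected)
    return plan, merged

if __name__ == "__main__":
    plan, merged = su25_reconcile(OLD_SAP, NEW_SAP, CUSTOMER, ROLE_MENUS)
    for step, items in plan.items():
        print(step, items)
```

The point to take from the 2B entry: because the customer had already changed ME21N, the new M_BEST_WRK proposal is not applied silently; someone has to decide whether the tightened EKORG value and the new plant check both belong in the role before Z_MM_BUYER is regenerated.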


9. Tracing Tools

  • SU53 – Shows the last failed authorization check of a user (object, fields, values) plus the authorizations in the user's buffer. Only the last failure is kept, so run it immediately after the error; an administrator can display another user's result by entering that user name.
  • ST01 – System trace with the "Authorization check" component: records every check on that application server with its return code, passed checks included, so it also reveals failures the program handled silently. STAUTHTRACE runs the authorization trace across all application servers.
  • SUIM – User Information System reporting:
    • Users by role, profile or transaction
    • Roles by authorization object
    • Users/roles by authorization values
    • Change documents for users and roles

10. SAP Security Tables

  • USR02 – Logon data: password hashes, lock status, user type, validity. Restrict table access (S_TABU_DIS / S_TABU_NAM) and keep login/password_downwards_compatibility at 0 so no downward-compatible hashes are stored.
  • AGR_USERS – User-to-role assignment with validity dates
  • AGR_1251 – Authorization data in roles (object, field, low/high value)
  • AGR_1016 – Profile generated for each role
  • AGR_TCODES / AGR_HIER – Transactions and other menu entries of a role
  • AGR_AGRS – Single roles contained in a composite role
  • AGR_DEFINE – Role definition (incl. the master role of a derived role)
  • USOBT_C / USOBX_C – SU24 customer default values / check indicators
  • USOBT / USOBX – SU22 SAP-delivered defaults

11. SAP Fiori & SAP Cloud Security (HOT TOPIC)

  • Fiori access is layered; all four must fit:
    1. Catalog (assigned in the PFCG menu; provides tiles and target mappings)
    2. Group (which tiles appear on the user's launchpad home page)
    3. PFCG role on the front-end server plus a role with the business authorizations on the back end
    4. OData service authorization (S_SERVICE for the service on the front end; S_SERVICE/S_RFC and the application objects on the back end)
  • Authorization objects for Fiori:
    • /UI2/FLP
    • /UI2/PAGE
    • /IWBEP/* (Gateway)
    • S_SERVICE
  • Services must be activated in /IWFND/MAINT_SERVICE; /IWFND/ERROR_LOG shows failed OData calls.

12. Structural Authorizations (HCM)

  • Used in HR security on top of the general HR authorizations
  • General objects (P_ORGIN, P_ORGINCON, P_PERNR) restrict by master-data fields:
    ✔ Personnel area
    ✔ Employee group / subgroup
    ✔ Infotype, subtype and authorization level (AUTHC, e.g. R = read, W = write)
  • Structural profiles restrict by position in the org structure:
    ✔ Root object (e.g. an organizational unit) + evaluation path (e.g. O-S-P) + depth
    ✔ The objects reached, including the persons (PERNRs), are what the user may access
  • Maintained via OOAC (main switches: AUTSW ORGPD activates structural checks, AUTSW INCON the context-sensitive variant), OOSP (structural profiles), OOSB (profile-to-user assignment)
  • P_ORGINCON carries the profile name (PROFL) as a field, so infotype access and structural scope are tied together inside one authorization

13. SAP RFC Security

  • Secure RFC connections (SM59):
    ✔ RFC users of type System or Communication, never Dialog; strong passwords
    ✔ SNC for encryption and authentication of the connection
    ✔ Trusted RFC only where needed, with S_RFCACL tightly restricted on the trusting system
    ✔ Least-privilege S_RFC for the RFC user (explicit function groups/modules, not RFC_NAME = *)
    ✔ No credentials of privileged users stored in destinations; use UCON to allow only the RFC-enabled function modules that are actually called
  • Avoid wide-open S_RFC authorizations.

14. Audit & Logging

  • Security Audit Log: configure in SM19, evaluate in SM20 (RSAU_CONFIG / RSAU_READ_LOG in newer releases): logons, failed logons, transaction starts, RFC calls
  • Change logs: user and role change documents (SUIM), table change logs (SCU3)
  • Table logging: rec/client profile parameter plus the log flag on the table
  • Secure profile parameters (RZ10 / RZ11):
    • login/min_password_lng – minimum password length
    • login/fails_to_user_lock – failed logons before the user is locked
    • login/failed_user_auto_unlock – 1 removes those locks at midnight, 0 keeps them
    • login/password_expiration_time – days until a password must be changed
    • login/no_automatic_user_sapstar – stops SAP* logging on with the kernel default when its user master record is missing
    • auth/number_in_userbuffer – size of the authorization buffer (a tuning parameter, not a hardening one)
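An added example (not SAP code) that replays a constructed Security Audit Log export against login/fails_to_user_lock and checks the parameters above against a baseline. The export layout, the log lines and the parameter dump are constructed; BASELINE holds assumed organisational target values, not SAP-published recommendations; AU1 and AU2 are the audit-log message IDs for successful and failed logons.

```python
"""Replays a Security Audit Log export (SM20 / RSAU_READ_LOG style) against the
lock parameter login/fails_to_user_lock and checks login/* parameters against
a baseline. Added example, not SAP code; layout, log lines and parameter dump
are constructed; BASELINE is an assumed organisational baseline."""
import re
from datetime import datetime

PARAM_DUMP = """\
login/min_password_lng            8
login/fails_to_user_lock          3
login/failed_user_auto_unlock     1
login/password_expiration_time    90
"""

# Constructed export, one event per line:
# date time client user terminal message-ID text
AUDIT_LOG = """\
2024-06-03 08:00:12 100 JSMITH   WS-0412  AU1 Logon successful (type=A, method=P)
2024-06-03 08:05:40 100 ADMIN01  WS-9001  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 08:05:52 100 ADMIN01  WS-9001  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 08:06:01 100 ADMIN01  WS-9001  AU1 Logon successful (type=A, method=P)
2024-06-03 08:06:30 100 SAP*     WS-7777  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 08:06:45 100 SAP*     WS-7777  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 08:07:02 100 SAP*     WS-7777  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 08:07:20 100 SAP*     WS-7777  AU2 Logon failed (reason=1, type=A, method=P)
2024-06-03 09:15:00 100 BJONES   WS-0100  AU2 Logon failed (reason=1, type=A, method=P)
garbage line that does not parse
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d{3}) (\S+)\s+(\S+)\s+(AU\d) (.*)$")

BASELINE = {  # assumed organisational baseline, not an SAP-published value
    "login/min_password_lng": (">=", 12),
    "login/fails_to_user_lock": ("<=", 5),
    "login/password_expiration_time": ("<=", 90),
    "login/failed_user_auto_unlock": ("==", 0),   # 1 = locks drop at midnight
}
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}

def parse_params(dump):
    """'name value' per line, as in an RSPARAM-style listing."""
    return dict(line.split() for line in dump.splitlines() if line.strip())

def weak_params(params, baseline=BASELINE):
    """Parameters that are missing or outside the baseline."""
    return sorted(name for name, (op, want) in baseline.items()
                  if name not in params or not OPS[op](int(params[name]), want))

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the layout are skipped, not guessed
            ts, client, user, terminal, msgid, msg = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "client": client, "user": user,
                           "terminal": terminal, "msgid": msgid, "text": msg})
    return events

def lock_events(events, params):
    """Consecutive AU2 events per (client, user) are counted; reaching
    login/fails_to_user_lock locks the user (USR02 lock flag for failed logons).
    A successful logon (AU1) resets the counter, as the server does."""
    threshold = int(params["login/fails_to_user_lock"])
    streak, locked = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["client"], e["user"])
        if e["msgid"] == "AU1":
            streak[key] = 0
        elif e["msgid"] == "AU2":
            streak[key] = streak.get(key, 0) + 1
            if streak[key] == threshold:
                locked[key] = e["ts"]
    return locked

if __name__ == "__main__":
    params = parse_params(PARAM_DUMP)
    print("weak:", weak_params(params))
    for (client, user), ts in lock_events(parse_log(AUDIT_LOG), params).items():
        print(f"{user} in client {client} locked at {ts:%H:%M:%S}")
```

ADMIN01 is not reported because the successful logon in between reset the counter; SAP* is, and with login/failed_user_auto_unlock = 1 that lock would silently disappear at midnight, which is why the baseline flags the parameter.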

15. SAP Security Best Practices

  • Follow the principle of least privilege
  • Use derived roles for org-level variants (plants, company codes, countries)
  • Avoid manually inserted objects in PFCG; maintain defaults in SU24 so they survive role regeneration
  • Never assign SAP_ALL or SAP_NEW to end users or RFC users in production; use Firefighter for emergencies
  • Review audit logs and critical-authorization reports regularly (at least monthly)
  • Maintain emergency access procedures (documented, approved, logged)

🔥 Most Asked Scenario-Based Questions (Be Ready!)

1️⃣ “User is facing authorization error — how do you troubleshoot?”

Steps:

  • Have the user reproduce the error and run SU53 immediately (or display that user's last failed check via SU53 → Other user)
  • If SU53 is empty or misleading (the program handled the error itself), switch on ST01 / STAUTHTRACE for that user while they reproduce it
  • Identify the failing object, field and value, and the transaction or program that checked it
  • Decide where the value belongs: SU24 default for the tCode, org level, or a field in the role
  • Adjust the PFCG role, regenerate the profile, run the user master comparison (PFUD)
  • Have the user log off and on again so the authorization buffer is rebuilt

2️⃣ “Difference between composite role vs derived role?”

  • Composite Role = container of single roles. It has no authorizations of its own; the user receives the profiles of all contained single roles.
  • Derived Role = child role that inherits menu and authorizations from its master (parent) role; only the organizational-level values (plant, company code, …) differ and are maintained in the derived role.

3️⃣ “How do you secure Fiori apps?”

  • Provide Catalog + Group
  • Assign PFCG role
  • Assign OData service authorization
  • Provide S_SERVICE access
  • Check /IWFND/CHECK_SRV

4️⃣ “User needs display-only access — how do you restrict?”

  • Restrict ACTVT to 03 (add 08 only if change documents must be visible)
  • Remove 01, 02, 06 and any other changing activity
  • Remove change transactions from the menu so S_TCODE does not grant them
  • Watch objects with their own level fields (e.g. P_ORGIN AUTHC = R instead of W)
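To make the AUTHORITY-CHECK semantics from section 4 and this display-only question concrete, here is an added Python simulation (not SAP code). Role data is shaped like AGR_1251 rows and user assignments like AGR_USERS; the roles, users, authorization names and values are constructed. It reproduces the three return codes, the value matching (single value, range, trailing wildcard, full '*'), the rule that all fields must match inside one authorization, and a display-only test on ACTVT.

```python
"""Simulates the ABAP AUTHORITY-CHECK decision over role data shaped like
AGR_1251 (role, object, authorization, field, low, high). Added illustration,
not SAP code; rows, roles and users below are constructed sample data."""
from collections import defaultdict

# AGR_1251-style rows: (role, object, authorization, field, low, high)
AGR_1251 = [
    ("Z_FI_DISPLAY", "S_TCODE",    "T-0001", "TCD",   "FB03", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0001", "BUKRS", "1000", "2000"),  # range
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0001", "ACTVT", "03",   ""),
    ("Z_FI_POST",    "S_TCODE",    "T-0002", "TCD",   "FB*",  ""),      # wildcard
    ("Z_FI_POST",    "F_BKPF_BUK", "T-0002", "BUKRS", "1000", ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-0002", "ACTVT", "01",   ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-0002", "ACTVT", "02",   ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-0003", "BUKRS", "3000", ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-0003", "ACTVT", "03",   ""),
]
# AGR_USERS-style assignments (validity dates omitted): user -> roles
AGR_USERS = {"JSMITH": ["Z_FI_DISPLAY"], "ACLERK": ["Z_FI_DISPLAY", "Z_FI_POST"]}

def value_matches(requested, low, high):
    """One PFCG field value: '*' = everything, 'X*' = prefix, low..high = closed
    range (string comparison, as SAP does it), otherwise exact equality."""
    if low == "*":
        return True
    if high:
        return low <= requested <= high
    if low.endswith("*"):
        return requested.startswith(low[:-1])
    return requested == low

def authorizations_for(user, obj):
    """Group the user's AGR_1251 rows by (role, authorization) for one object:
    each group is one authorization, one 'yellow box' on the PFCG tree."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, o, auth, field, low, high in AGR_1251:
        if o == obj and role in AGR_USERS.get(user, []):
            auths[(role, auth)][field].append((low, high))
    return auths

def authority_check(user, obj, **fields):
    """Mirror of AUTHORITY-CHECK:
    rc 12 = no authorization for the object at all,
    rc 4  = authorizations exist but none satisfies ALL requested fields,
    rc 0  = a single authorization satisfies every requested field.
    Returns (rc, failures); failures lists, per authorization, the (field, value)
    pairs that blocked it, the information SU53 would display."""
    auths = authorizations_for(user, obj)
    if not auths:
        return 12, [(f, v) for f, v in fields.items()]
    failures = []
    for key, fieldvals in auths.items():
        missing = [(f, v) for f, v in fields.items()
                   if not any(value_matches(v, lo, hi) for lo, hi in fieldvals.get(f, []))]
        if not missing:
            return 0, []
        failures.append((key, missing))
    return 4, failures

def is_display_only(user, obj):
    """True if every authorization the user holds for obj grants ACTVT 03 only."""
    auths = authorizations_for(user, obj)
    return bool(auths) and all(
        all(lo == "03" and not hi for lo, hi in fv.get("ACTVT", []))
        for fv in auths.values())

if __name__ == "__main__":
    print(authority_check("JSMITH", "F_BKPF_BUK", BUKRS="1500", ACTVT="03"))  # rc 0
    print(authority_check("JSMITH", "F_BKPF_BUK", BUKRS="1000", ACTVT="02"))  # rc 4
    # rc 4: BUKRS 3000 and ACTVT 02 exist for ACLERK, but in different authorizations
    print(authority_check("ACLERK", "F_BKPF_BUK", BUKRS="3000", ACTVT="02"))
    print(authority_check("JSMITH", "S_RFC", RFC_NAME="RFC_READ_TABLE"))        # rc 12
    print(is_display_only("JSMITH", "F_BKPF_BUK"), is_display_only("ACLERK", "F_BKPF_BUK"))
```

The ACLERK case is the one that trips people up in SU53 readings: the user does hold BUKRS 3000 and ACTVT 02, but in two separate authorizations of Z_FI_POST, and the kernel never combines fields across authorizations.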

5️⃣ “How do you identify SOD conflicts for users?”

GRC → ARA → Risk Analysis at user or role level → choose rule set and risk IDs (or all) → run the report; for each hit, remove one side of the conflict or document a mitigating control.
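The user-level analysis ARA performs, as an added Python example (not GRC code) covering sections 6 and 7 and this question: a constructed rule set of conflicting functions (each a set of transactions), AGR_TCODES / AGR_AGRS / AGR_USERS-style data with composite roles and validity dates, and mitigating controls that suppress a reported risk. Risk IDs, roles, users, dates and control IDs are all constructed.

```python
"""User-level SOD risk analysis in the style of GRC Access Risk Analysis (ARA).
Added example, not GRC code; rule set, roles, users, dates and control IDs
are constructed."""
from datetime import date

# Rule set: risk ID -> (function 1, its tcodes, function 2, its tcodes).
# A risk fires when one user can execute a tcode from BOTH functions.
RULESET = {
    "P001": ("Maintain vendor master", {"XK01", "XK02", "FK01", "FK02"},
             "Process vendor payments", {"F110", "F-53"}),
    "P002": ("Create purchase order", {"ME21N"},
             "Release purchase order", {"ME29N", "ME28"}),
    "F001": ("Post FI document", {"FB01", "FB50"},
             "Process vendor payments", {"F110", "F-53"}),
}
# AGR_TCODES-style: transactions in the menu of each single role.
AGR_TCODES = {
    "Z_AP_VENDOR":  {"XK01", "XK02", "XK03"},
    "Z_AP_PAY":     {"F110", "F-53", "FB03"},
    "Z_MM_BUYER":   {"ME21N", "ME23N"},
    "Z_MM_APPROVE": {"ME29N"},
}
# AGR_AGRS-style: composite role -> single roles.
AGR_AGRS = {"ZC_PROCUREMENT": ["Z_MM_BUYER", "Z_MM_APPROVE"]}
# AGR_USERS-style: (user, role, valid from, valid to).
AGR_USERS = [
    ("AMILLER", "Z_AP_VENDOR",    date(2020, 1, 1), date(9999, 12, 31)),
    ("AMILLER", "Z_AP_PAY",       date(2020, 1, 1), date(9999, 12, 31)),
    ("BJONES",  "ZC_PROCUREMENT", date(2020, 1, 1), date(9999, 12, 31)),
    ("CLEE",    "Z_AP_VENDOR",    date(2020, 1, 1), date(9999, 12, 31)),
    ("CLEE",    "Z_AP_PAY",       date(2019, 1, 1), date(2021, 12, 31)),  # expired
]
# Mitigating controls: (user, risk ID, control ID, valid to).
MITIGATIONS = [("BJONES", "P002", "MC-0042", date(9999, 12, 31))]

def as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d

def expand(role):
    """Composite roles grant the union of their single roles' transactions."""
    return set().union(*(AGR_TCODES.get(r, set()) for r in AGR_AGRS.get(role, [role])))

def user_tcodes(user, today):
    """tcode -> roles providing it, over assignments valid on 'today'."""
    reach = {}
    for u, role, frm, to in AGR_USERS:
        if u == user and frm <= today <= to:
            for t in expand(role):
                reach.setdefault(t, set()).add(role)
    return reach

def risks_for_user(user, today="2024-06-01"):
    """Unmitigated user-level risks as (risk_id, tcodes_func1, tcodes_func2, roles).
    The roles list shows that a conflict often spans two individually clean roles."""
    today = as_date(today)
    reach = user_tcodes(user, today)
    have = set(reach)
    mitigated = {r for u, r, _, to in MITIGATIONS if u == user and to >= today}
    findings = []
    for risk_id, (_, f1, _, f2) in RULESET.items():
        hit1, hit2 = f1 & have, f2 & have
        if hit1 and hit2 and risk_id not in mitigated:
            roles = set().union(*(reach[t] for t in hit1 | hit2))
            findings.append((risk_id, sorted(hit1), sorted(hit2), sorted(roles)))
    return findings

def risks_for_role(role):
    """Role-level analysis: conflicts a single or composite role carries by itself."""
    have = expand(role)
    return sorted(r for r, (_, f1, _, f2) in RULESET.items() if f1 & have and f2 & have)

if __name__ == "__main__":
    for user in ("AMILLER", "BJONES", "CLEE"):
        print(user, risks_for_user(user))
    print("ZC_PROCUREMENT", risks_for_role("ZC_PROCUREMENT"))
```

Two things worth noticing: AMILLER's conflict comes from two roles that are each clean at role level, which is why ARA has to be run at user level as well; and CLEE shows that an expired assignment is not a risk today but was one in 2021, so analysis runs need an explicit date.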


6️⃣ “Difference between SU53 and ST01?”

  • SU53: only the last failed check of one user, read from the user's session afterwards; quick, but it misses earlier failures and checks the program handled silently
  • ST01: system trace recorded while the action happens; every check with its return code, passed or failed, so it is complete rather than a snapshot

7️⃣ “User assigned role but tCode still not accessible?”

Possible issues:

  • Authorization object values missing (S_TCODE is there but the application's own object fails)
  • SU24 defaults wrong or missing for the tCode
  • Role changed but profile not regenerated
  • User master comparison not run (PFUD / PFCG User tab), so the profile never reached the user
  • Validity dates of the role assignment expired or in the future
  • User buffer not refreshed: check SU56, then have the user log off and on again

8️⃣ “How do you manage HR structural authorizations?”

  • Activate the structural check in OOAC (AUTSW ORGPD) and, if infotype access must differ per org area, the context switch (AUTSW INCON)
  • Create the structural profile in OOSP: root object, evaluation path, depth
  • Choose or maintain the evaluation path (OOAW) that walks from the root to the persons (e.g. O-S-P)
  • Assign the profile to the user in OOSB
  • Grant the infotype access with P_ORGIN (non-context) or P_ORGINCON carrying the profile name
  • Test: display and maintain a PERNR inside and one outside the profile and compare
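Added example (not SAP code) tying section 12 and this question together: a constructed org structure, the evaluation path O-S-P, structural profiles (OOSP-style) with root object and depth, user assignments (OOSB-style) and P_ORGINCON rows. The relationship codes follow the standard ones (B002, B003, A008), but everything else is constructed and simplified: one plan version, no time dependency, depth counted as hops, and only the R/W subset of AUTHC.

```python
"""Evaluates HCM structural authorizations: a structural profile (OOSP) names a
root object and an evaluation path; the objects reached are the user's visible
part of the org structure, and P_ORGINCON ties that profile to infotype access.
Added example, not SAP code; org model, profiles and assignments are constructed
and simplified (one plan version, no time dependency)."""
from collections import deque

# HRP1001-style relationships: (type, id) --relation--> (type, id).
# B002 = org unit is line supervisor of org unit, B003 = org unit incorporates
# position, A008 = position is held by person (P id = personnel number).
RELATIONS = [
    (("O", "1000"), "B002", ("O", "1100")), (("O", "1000"), "B002", ("O", "1200")),
    (("O", "1000"), "B003", ("S", "5000")),
    (("O", "1100"), "B003", ("S", "5001")), (("O", "1200"), "B003", ("S", "5002")),
    (("S", "5000"), "A008", ("P", "10000")), (("S", "5001"), "A008", ("P", "10001")),
    (("S", "5002"), "A008", ("P", "10002")),
]
# Evaluation path O-S-P as (source type, relation, target type) steps.
EVAL_PATHS = {"O-S-P": [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]}
# Structural profiles (OOSP / T77PR-style): root, path, depth (0 = unlimited;
# simplified here to "number of hops from the root").
PROFILES = {
    "Z_HR_ALL":   {"root": ("O", "1000"), "evpath": "O-S-P", "depth": 0},
    "Z_HR_SOUTH": {"root": ("O", "1200"), "evpath": "O-S-P", "depth": 0},
    "Z_HR_TOP":   {"root": ("O", "1000"), "evpath": "O-S-P", "depth": 2},
}
# Profile-to-user assignment (OOSB / T77UA-style).
T77UA = {"HRADMIN": ["Z_HR_ALL"], "HR_SOUTH": ["Z_HR_SOUTH"], "BOARD": ["Z_HR_TOP"]}
# P_ORGINCON rows: (user, infotype, AUTHC, profile). 'R' read, 'W' write.
P_ORGINCON = [
    ("HRADMIN",  "*",    "W", "Z_HR_ALL"),
    ("HR_SOUTH", "0008", "R", "Z_HR_SOUTH"),   # basic pay: read only, south only
    ("HR_SOUTH", "0002", "W", "Z_HR_SOUTH"),   # personal data: maintain, south only
]

def evaluate(profile_name):
    """Objects reached from the profile's root by walking its evaluation path
    breadth-first, stopping at the depth limit."""
    prof = PROFILES[profile_name]
    steps = EVAL_PATHS[prof["evpath"]]
    seen, queue = {prof["root"]}, deque([(prof["root"], 0)])
    while queue:
        obj, hops = queue.popleft()
        if prof["depth"] and hops >= prof["depth"]:
            continue
        for src, rel, tgt in RELATIONS:
            step_ok = any(s == obj[0] and r == rel and t == tgt[0] for s, r, t in steps)
            if src == obj and step_ok and tgt not in seen:
                seen.add(tgt)
                queue.append((tgt, hops + 1))
    return seen

def pernrs_in(profile_name):
    return {objid for otype, objid in evaluate(profile_name) if otype == "P"}

def visible_pernrs(user):
    """Union of the personnel numbers of all structural profiles assigned to the user."""
    return set().union(*(pernrs_in(p) for p in T77UA.get(user, [])))

def allows(authc, level):
    """'W' covers read and write, 'R' read only (simplified AUTHC semantics)."""
    return authc == "W" or (authc == "R" and level == "R")

def can_access(user, pernr, infty, level):
    """Context-sensitive check (P_ORGINCON): the PERNR must lie inside the structural
    profile named in the SAME authorization row that grants the infotype and level."""
    return any(pernr in pernrs_in(prof)
               for u, it, authc, prof in P_ORGINCON
               if u == user and it in ("*", infty) and allows(authc, level))

if __name__ == "__main__":
    for user in T77UA:
        print(user, sorted(visible_pernrs(user)))
    print(can_access("HR_SOUTH", "10002", "0008", "R"), can_access("HR_SOUTH", "10002", "0008", "W"))
```

BOARD illustrates the depth limit: with two hops from the root only the person holding the position directly in org unit 1000 is reached, not the staff of the subordinate units. HR_SOUTH can read basic pay but not change it, and cannot touch PERNR 10001 at all because that person hangs under the northern unit outside the profile.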

I share content relevant to tech, interviews, corporate life and anything else!!

Do follow for more useful content : https://www.linkedin.com/in/vartika-gupta24/