What is private mode? When does user switch to user mode?

Private mode is a mode where the heap data is getting exclusively allocated by the
user and is no more shared across the system. This happens when your extended
memory is exhausted.
What is osp$ mean? What if user is given with this authorization?
OPS$ is the mechanism the <SID>adm users uses to connect to the database.
Why do you use DDIC user not SAP* for Support Packs and Spam?
Do _NOT_ use neither DDIC nor SAP* for applying support packages. Copy DDIC
to a separate user and use that user to apply them.
Can you kill a Job?
Yes - SM37 - select - kill
If you have a long running Job, how do you analyse?
Use transaction SE30.
How to uncar car/sar files in a single shot?
on Unix:
$ for i in *.SAR; do SAPCAR -xvf $i; done
When we should use Transactional RFC ?
A "transactional RFC" means, that either both parties agree that the data was correctly
transfered - or not. There is no "half data transfer".
What is the use of Trusted system. I know that there is no need of UID and PWD
to communicate with partner system. In what situation it is good to go for
Trusted system ?
E. g. if you have an R/3 system and a BW system and don't want to maintain
passwords. Same goes for CRM and a lot of other systems/applications.
Let me know if my understanding below is correct:
1) By default the RFC destination is synchronous

2) Asynchronous RFC is used incase if the system initiated the RFC call no need
to wait for the response before it proceeds to something else.
Yes - that's right.
But keep in mind, that it's not only a technical issue whether to switch to
asynchronous. The application must also be able to handle that correctly.
Which table contains the details related to Q defined in SPAM? Is there a way to
revert back the Q defined? If yes, How?
There is a "delete" button when you define the queue. If you already started the import
it's no more possible since the system will become inconsistent.
What is a developer key? and how to generate a developer key?
The developer key is a combination of you installation number, your license key (that
you get from http://service.sap.com/licensekey) and the user name. You need this for
each person that will make changes (Dictionary or programs) in the system.
What is XI3.0 ? EXPLAIN XI = Exchange Infrastructure - Part of Netweaver
2004.
SAP Exchange Infrastructure (SAP XI) is SAP's enterprise application integration
(EAI) software, a component of the NetWeaver product group used to facilitate the
exchange of information among a company's internal software and systems and those
of external parties. Like other NetWeaver components, SAP XI is compatible with
software products of other
companies.
SAP calls XI an integration broker because it mediates between entities with varying
requirements in terms of connectivity, format, and protocols. According to SAP, XI
reduces integration costs by providing a common repository for interfaces. The central
component of SAP XI is the SAP Integration Server, which facilitates interaction
between diverse operating systems and applications across internal and external
networked computer systems.
How to see when were the optimizer stats last time run? We are using win2k,
oracle 9, sapr346c.
Assumed DB=Oracle

Select any table lets take MARA here but you should do the same for MSEG and few
others to see whether the dates match or not.Run the following command on the
command prompt:select last_analyzed from dba_tables where table_name like '%MARA%';
This gives you a straight answer .Else you can always fish around in DB14 for seeing
when the optimzer stats were updated.
*-- Ankan

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -3

SAP SECURITY INTERVIEW QUESTIONS &

ANSWERS
Q) Where do all possible activities are stored?
A) In the table TACT
Q) Where do valid activities for each authorization Objects are stored?
A) In the table TACTZ
Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix SAP_. These roles are used as templates for creating
customized roles.
Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a role to a user. If at all you want to, then first make a copy of pre-defined role and
then add the user to the role.
Q) Is a role without Auth-profile considered as complete or not?
A) No
Q) What are the types of roles?
A) Roles are 2 types 1) Parental Role 2) Derived / Base Role
Q) What is the relationship between parent and derived roles?
A) In Parent role we maintain the list of Transaction Codes whereas in derived role we assign the parent
role name so that an inheritance hierarchy is being maintained and hence the transactions are
automatically pulled into derived roles.
Q) What are the total numbers of activities?
A) As per 4.7 total number of activities=168
01 99 = Activities
A1 VF = 69
Q) What is the default authorization object which is used to check for any role?
A) S_TCODE
Note:
1) We cannot edit S_TCODE object in a Role. The only way to add a transaction code is in parent role.
2) First time while creation of a new role, if any functional related Transactions are added in a role, and

then we have to maintain organization level in a popup.

3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.
Q) Why should we not add organizational values directly in a role without using org levels button?
A) Value maintenance using directly no longer changes values i.e. whenever we try to add a new value
and generate, an empty field appears i.e. when adjusting derived roles authorization value is overwritten.
Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to production. If I delete a role in
dev box, the same role has to be deleted in prod because these roles are finally used by the users in prod
box only. Hence the deleted role needs to be transported.
Go to PFCG select the role to be deleted. Keep the role in a transport by selecting transport role
button.
Q) Unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Log on data and check the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute
Q) Where do the default value in a Role comes from i.e. activities under auth object?
A) Tables USOBX_C and USOBT_C are the tables, that control the behavior of profile generator after the
trans has been selected.
Q) How do I deactivate authorization object globally?
A) Go to SU25 select step 5 deactivate authorization globally.
Q) What is single sign-on?
1) Single sign-on, through which we create credential. Third party tool Eg: Keon, later on logon to SAP
without entering any credentials.
2) We can even logon through internet using SSO.
3) SSO is represented in form of SNC (Secured Network Connection) string for the SNC String to be
activated we need to configure certain DLL files at OS files.
4) Once we confirm DLL files then we need to go to SAPGUI, select one server, go to properties
network and check the secure network settings and enter the SNC string.
Q) What are the Steps to Configure CUA?
CUA works with RFCs steps to config CUA.
1) Create logical systems to all the clients (using BD54/SALE)
2) Attach logical system to clients using SCC4
3) Create user CUA_SID in central system with 3 roles and create user CUA_SID_CLIENT
<number>/name in child system with 2 roles.
4) Create RFCS to child systems from central and central to child using SM59
5) Log on to central system using SCUA to config CUA (Central User Admin)
6) Enter the model view and enter all child system RFCs
Q) If all the users are locked mistakenly, how do we connect to SAP system?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting to Oracle DB
Select * from <Application Server name>.USR02 where bname=SAP*;
Delete from <Application Server name>.USR02 where bname=SAP*;
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -2

SAP SECURITY INTERVIEW QUESTIONS &

ANSWERS
1.Please explain the personalization tab within a role.
Personalization is a way to save information that could be common to users, I meant to
a user role... E.g. you can create SAP queries and manage authorizations by user
groups. Now this information can be stored in the personalization tab of the role. (I
supposed that it is a way for SAP to address his ambiguity of its concept of user group
and roles: is "usergroup" a grouping of people sharing the same access or is it the role
who is the grouping of people sharing the same access)
2.Is there a table for authorizations where I can quickly see the values entered in
a group of fields?
In particular I am looking to find the field values for P_ORGIN across a number of
authorization profiles, without having to drill down on each profile and authorization.
AGR_1251 will give you some reasonable info.
3.How can I do a mass delete of the roles without deleting the new roles ?
There is a SAP delivered report that you can copy, remove the system type check and
run. To do a landscape with delete, enter the roles to be deleted in a transport, run the
delete program or manually delete and then release the transport and import them into
all clients and systems.
It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS.
To used it, you need to tweak/debug & replace the code as it has a check that ensure it
is deleting SAP delivered roles only. Once you get past that little bit, it works well.
4.Someone has deleted users in our system, and I am eager to find out who. Is
there a table where this is logged?
Debug or use RSUSR100 to find the info's.
Run transaction SUIM and down its Change documents.
5.How to insert missing authorization?
su53 is the best transaction with which we can find the missing authorizations.and we
can insert those missing authorization through pfcg.
6.What is the difference between role and a profile?
Role and profile go hand in hand. Profile is bought in by a role. Role is used as a
template, where you can add T-codes, reports..Profile is one which gives the user
authorization. When you create a role, a profile is automatically created.
7.What profile versions?
Profile versions are nothing but when u modifies a profile parameter through a RZ10
and generates a new profile is created with a different version and it is stored in the

database.
8.What is the use of role templates?
User role templates are predefined activity groups in SAP consisting of transactions,
reports and web addresses.
9.What is the different between single role & composite role?
A role is a container that collects the transaction and generates the associated profile.
A composite roles is a container which can collect several different roles
10.Is it possible to change role template? How?
Yes, we can change a user role template. There are exactly three ways in which we
can work with user role templates
- we can use it as they are delivered in sap
- we can modify them as per our needs through pfcg
- we can create them from scratch.
For all the above specified we have to use pfcg transaction to maintain them.

SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -1

SAP SECURITY INTERVIEW QUESTIONS &

ANSWERS
Q.SAP Security T-codes
A.Frequently used security T-codes
SU01 Create/ Change User SU01 Create/ Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
Q.How to create users?
A.Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial
password for that user on the Logon data tab. All other data is optional. Click here for turotial on creating
sap user id.
Q.What is the difference between USOBX_C and USOBT_C?
A.The table USOBX_C defines which authorization checks are to be performed within a transaction and
which not (despite authority-check command programmed ). This table also determines which
authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values
an authorization created from the authorization object should have in the Profile Generator.
Q.What authorization are required to create and maintain user master records?
A.The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile

S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q.List R/3 User Types
A.1.Dialog users are used for individual user. Check for expired/initial passwords Possible to change your
own password. Check for multiple dialog logon
2.A Service user - Only user administrators can change the password. No check for expired/initial
passwords. Multiple logon permitted
3.System users are not capable of interaction and are used to perform certain system activities, such as
background processing, ALE, Workflow, and so on.
4.A Reference user is, like a System user, a general, non-personally related, user. Additional
authorizations can be assigned within the system using a reference user. A reference user for additional
rights can be assigned for every user in the Roles tab.
Q What is a derived role?
A.Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the
functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only
inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values which can be
changed afterwards. Organizational level definitions are not passed on. They must be created anew in
the inheriting role. User assignments are not passed on either.
Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical
menus and identical transactions) but have different characteristics with regard to the organizational level.
Q.What is a composite role?
A.A composite role is a container which can collect several different roles. For reasons of clarity, it does
not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles
are also called roles.
Composite roles do not contain authorization data. If you want to change the authorizations (that are
represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several
roles. Instead of adding each user separately to each role required, you can set up a composite role and
assign the users to that group.
The users assigned to a composite role are automatically assigned to the corresponding (elementary)
roles during comparison.
Q.What does user compare do?
A.If you are also using the role to generate authorization profiles, then you should note that the generated
profile is not entered in the user master record until the user master records have been compared. You
can automate this by scheduling report FCG_TIME_DEPENDENCY on.
Q.How do I change the name of master / parent role keeping the name of derived/child role same?
I would like to keep the name of derived /child role same and also the profile associated with the
child roles.
A.First copy the master role using PFCG to a role with new name you wish to have. Then you have to
generate the role. Now open each derived role and delete the menu. Once the menus are removed it will
let you put new inheritance. You can put the name of the new master role you created. This will help you
keep the same derived role name and also the same profile name. Once the new roles are done you can
transport it. The transport automatically includes the Parent roles.
Q.What is the difference between C (Check) and U (Unmentioned)?
A.Background:
When defining authorizations using Profile Generator, the table USOBX_C defines which authorization
checks should occur within a transaction and which authorization checks should be maintained in the PG.
You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a
Check Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.

CM (Check/Maintain)
-An authority check is carried out against this object.
-The PG creates an authorization for this object and field values are displayed for changing.
-Default values for this authorization can be maintained.
C (Check)
-An authority check is carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
N (No check)
-The authority check against this object is disabled.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization.
U (Unmaintained)
-No check indicator is set.
-An authority check is always carried out against this object.
-The PG does not create an authorization for this object, so field values are not displayed.
-No default values can be maintained for this authorization..
Q.What does user compare do?
A.Comparing the user master: This is basically updating profile information into user master record. So
that users are allowed to execute the transactions contained in the menu tree of their roles, their user
master record must contain the profile for the corresponding roles.
You can start the user compare process from within the Profile Generator (User tab and User compare
pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into
the user master record. Never enter generated profiles directly into the user master record (using
transaction SU01, for example)! During the automatic user compare process (with report
pfcg_time_dependency, for example), generated profiles are removed from the user masters if they do
not belong to the roles that are assigned to the user.
If you assign roles to users for a limited period of time only, you must perform a comparison at the
beginning and at the end of the validity period. You are recommended to schedule the background job
pfcg_time_dependency in such cases
Q.Can wildcards be used in authorizations?
A.Authorization values may contain wildcards; however, the system ignores everything after the wildcard.
Therefore, A*B is the same as A*.
Q.What does the PFCG_TIME_DEPENDENCY clean up?
A.The 'PFCG_TIME_DEPENDENCY' background report only cleans up the profiles (that is, it does not
clean up the roles in the system). Alternatively, you may use transaction 'PFUD'.
Q.What happens to change documents when they are transported to the production system?
A.Change documents cannot be displayed in transaction 'SUIM' after they are transported to the
production system because we do not have the 'befor input' method for the transport. This means that if
changes are made, the 'USR10' table is filled with the current values and writes the old values to the
'USH10' table beforehand. The difference between both tables is then calculated and the value for the
change documents is determined as a result. However, this does not work when change documents are
transported to the production system. The 'USR10' table is automatically filled with the current values for
the transport and there is no option for filling the 'USH10' table in advance (for the history) because we do
not have a 'befor input' method to fill the 'USH10' table in advance for the transport.
Q.What is the difference between the table buffer and the user buffer?
A.The table buffers are in the shared memory. Buffering the tables increases performance when
accessing the data records contained in the table. Table buffers and table entries are ignored during
startup. A user buffer is a buffer from which the data of a user master record is loaded when the user logs
on. The user buffer has different setting options with regard to the 'auth/new_buffering' parameter.

Q.What does the Profile Generator do?

A.The Profile Generator creates roles. It is important that suitable user roles, and not profiles, are entered
manually in transaction 'SU01'. The system should enter the profiles for this user automatically.
Q.How many authorizations fit into a profile?
A.A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this marker,
the Profile Generator will automatically create more profiles for the role. A profile name consists of twelve
(12) characters and the first ten (10) may be changed when generated for the first time.
Q.Authorization object needed for PFCG access
A.S_USER_AGR
ACT_GROUP= * (You can restrict by role, if proper naming convention is used)
ACTVT=01, 02, 03, 64 other fields below
01 Create or Generate
02 Change
03 Display
06 Delete
08 Display change documents
21 Transport
22 Enter, Include, Assign
36 Extended maintenance
59 Distribute
64 Generate
68 Model
78 Assign
79 Assign Role to Composite Role
DL Download
UL Upload
S_USER_GRP
CLASS=
ACTVT=22; 03
Other activity
01
Create or Generate
02
Change
03
Display
05
Lock
06
Delete
08
Display change documents
22
Enter, Include, Assign
24
Archive
68
Model
78
Assign
S_USER_TCD
TCD= * (Transaction in role)
S_USER_PRO
PROFILE= *
ACTVT=01, 06
Other activity
01
Create or Generate
02
Change
03
Display
06
Delete
07
Activate, generate
08
Display change documents
22
Enter, Include, Assign

24
Archive
S_TCODE
TCD=PFCG;

SAP DATABASE INTERVIEW QUESTIONS & ANSWERS -1

SAP DATABASE INTERVIEW QUESTIONS &

ANSWERS -1
(Q) what is the size of oracle data block ?
(A) 8 KB (fixed size)
(Q) What are the situations in which DBWO writes dirty blocks to disks ?
(A) If the number of scanned buffers reaches a certain thresh hold.
At a specific time that is when check point occurs.
(Q) What are the conditions in which log writer writes redo log buffer data to online redo log files ?
(A) There 4 conditions:
When transaction is committed.
For every three seconds.
When redo log is 1/3rd of full.
When DBWR is about to write modified buffers to disk and some of the corresponding redo records
have not at been written to online redo log i.e. write ahead logging.
(Q)What are the entries in co files ?
(A) Physical structure of database
State of database
Table space information
Names and location of data files and redo log files.
Current log sequence number
(Q) Why do I need SPFILE<SID>.ora even though I have init<SID>.ora ?
(A) From Oracle 9.i init<SID>.ora is replaced by SPfile<SID>.ora or SPfile.ora.
(Q) If a file is missing from the chain of offline Redo log files, then what well do ?
(A) We have to perform a restore and recovery of Database. Recovery is performed using the method
Point In Time by which all the Offline Redo log files older than the last one is used for recovery.
(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
(ii) Manually dropping Database Objects.
(iii) Manually dropping Application Objects.
(Q) Is Point in Time Recovery a standard Solution for logical errors in production system ?
(A) NO
(Q) Where do we use the Point IN Time Recovery ?
(A) Point in Time is very critical in a system landscape with Data Dependencies between Systems.
(Q) How do we verify Consistency of Oracle Database ?
(A) By performing by a logical data check.
(Q) Why do we need to perform a logical check ?

(A) In order to verify corrupted Data blocks (Ora 1578)

(Q) Why do we need to perform a physical Data check ?
(A) To verify the tapes used for Database backup.
(Q) How often we perform Online Backup and Offline Backups ?
(A) Online Backup = Daily
Offline Backup = Once in a Week
(Q) How do we perform Backup of Offline Redo log files ?
(A) (i) Backup of every Offline Redo log files is taken TWICE on separate tapes before the files are
deleted from Archive Directory.
(ii) Perform additional Backups after each system upgrade and also if Database structure is Modified.
(Q) What are the tools used by Oracle Admin in an SAP System for Backups ?
(A) Database Backups = BRBACKUP
Offline Redo log files = BRARCHIVE
(Q) What are the occasions in which changes to Tile Structure of Database is made ?
(A) 1) When a Data file is added
2) When a Data file is moved to a Different Location.
3) When a Table Space and its Data files are reorganized.
(Q) What are the various Backup types ?
(A) There are 5 Backup types
1) Online Backup
2) Offline Backup
3) Complete Backup
4) Incremental Backup
5) Partial Backup
(Q) If the Corresponding Full Backup is already overwritten and can I use Incremental Backup ?
(A) NO, Incremental Backup is useless.
(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO
(Q) What are the various Backup strategies used in SAP ?
(A) There are 3 Backup strategies in SAP
i) Complete Backup:- Restore missing Database files from complete Backup, Restore Offline Redo
Log files writte during and after this Backup.
ii) Incremental Backup:- Restore missing Data files from last Full Backup, update them with restore
from last Incremental Backup.
iii)Partial Backup:- Replace complete backup with partial Backups , we need a longer time to perform a
recovery from media crash.
(Q) Can RMAN recover the Database automatically without Recovery catalog ?
(A) NO
(Q) Is whole Backup can be consider as level 0 Backup ?
(A) Whole backup is not level 0 Backup and cant be used as basis for Incremental Backup.
(Q) Why do we need to perform a preparatory run ?
(A) If Backup with RMAN is supposed to form sets then we need to run Preparatory run.
Preparatory run can be run from DB13 prepare for RMAN Backup.
No Backup is created during preparation run, only estimates Compression rate of BRTOOLS to

compress the files and to determine compressed and decompressed file sizes.
It is recommended to perform preparatory run per one Backup cycle.
(Q) What are the contents of tape lable after a tape is Initialized ?
(A) (i) Tape Name
(ii) Name of the Database
(iii) Time stamp of last backup recorded on the tape
(iv) Number of Backups performed with the tape
(Q) Before writing data to tape if the lable is Red to check the following
(A)(i) Tape Name
(ii) Tape Locked or Expired(Expire_period)
(iii) No. of times the tape already been read(Tape_use_count)
If Expiration_period = 0 days, the Volume is not locked at all and can be over written
If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks ?
(A) There are 2 types of locks
(i) Physical lock check: Physical lock check is done by checking tape label parameter Expir_period. If
the number of days passed since the tape was last used is less than value of parameter Expir_period,
then the tape is physically locked.
(ii) Logical lock check: This value is derived from the time stamp written to tables SDBAH, SDBAD
(Q) What are the various tape selection processes ?
(A) (i) Auto tape selection BRBACKUP and BRARCH
(ii) Manual selection by the Operator
(iii)By external tool
(Q) What is the option to select the tapes automatically by BRBACKUP and BRARCH ?
(A) Set the parameter Volume_Backup and Volume_archive to TAPE
(Q) What is the command to check which tape will be automatically selected ?
(A) BR Backup | BRARCHIVE Q | Query { check }
(Q) How do we switch off automatic tape Management ?
(A) By setting up the parameter(Volume Backup and Volume Archive) to the value SCRATCH
(Q) How do I turnoff the tape management performed by SAP tools ?
(A) Configure the parameter Backup_dev_type= UTIL_FILE
OR
UTIL_FILE_ONLINE and also configure BACKINT interface in init<SID>.sap
NOTE: BackINT Interface program is only supported for external Backup.
(Q) How do we verify Backups ?
(A) Verification of backups is of 2 types
(i) Tape Verification: The files are restored file by file and compared with original files to verify if the
backup is redable.
(ii) DB Block consistency: This checks the Database block by block using Oracle tool DBVERIFY to
identify and restore from bad blocks.
Backup PATH: BRTOOLS & Verification of DB Backup, Verification of Archive log BackupDBcopy
The option USE_DBV(DBVERIFY=NO), only tape is verified (If yes Tape verification + DB Block
Consistancy Check)
(Q) If SAP started and I am trying to switch to non-archive mode what will happen.
(A) It will show an error showing that SAP instance is running. Please showdown first or use force option.

(Q) If SAP is running and I try to shutdown the DB using BR tools what will happen.
(A) It through an error saying that SAP is running please shutdown the SAP first or force option and then
continue.
(Q) If table space is full then what are the possibility to extend the table spaces ?
(A) Option 1: Add another data file to table space
2: Existing data file can be manually resized
3: Properties of existing data file can be changed to auto extendable
(Q) What id the formula to increase the data files size ?
(A) Data file size = Expected DB/100
(Q) How many number of data files will be there by default ?
(A) Default there are 100 data files
(Q) What is the error related with table flow ?
(A) For table ORA1653, ORA1654 for indexes.
(Q) Create server parameter file from init<sid>.ora
(A) Login to oracle user (ora<sid>)