ATOS Interview Questions

1. What t-code is used for creating User Groups?

Ans: USGRP Creation of User Group: SQ03 is the T-code to create the User Group.

Give a name starts with Z & Infoset should be there & click CREATE & below is the next screen.

Give a User Group name & click SAVE or tick mark. Below screen will come.

On the above screen click LOCAL OBJECT & on the bottom left-hand corner you will see the message User Group saved.

Now in the screen of SQ03, press Assign Users and Infosets & the below screen comes.

Above is the next screen & in the blank fields just enter the USER names to handle the QUERY as given above & click ASSIGN INFOSETS to see the below screen.

Scroll down to Your Infoset then put a check mark & click save. A message appears User Group saved.

2. What are the critical Authorization objects you have worked with?
Ans: S_TCODE, S_TABU_DIS, S_TABU_LIN, S_TABU_LIN, S_PROGRAM, S_DEVELOP

3. What is the purpose of S_TABU_DIS?

Ans: S_TABU_DIS is the primary object that gets checked when you are trying to access tables in the database. Depending upon the Activity values given in S_TABU_DIS & S_TABU_CLI you will be able to Display or change the data in the tables. One of the Field of the object S_TABU_DIS is Authorization Group. Each table in SAP is assigned to a particular Authorizations Group. For example if a Display access is given to a user for a particular Auth. Group, theuser will be able to display all the tables assigned under that Auth. Group. You can get the list of all Auth Groups in T-code SE54 ---Difference Bewteen S_TABU_DIS and S_TABU_CLI S_TABU_DIS is used for the normal table maintenance. S_TABU_CLI is used for Cross Client table Maintenance. CLIIDMAINT is the only field under this object. If the value '' is given for the above field, then the Cross Client tables cannot be maintained. If a X value is given then the system allows to maintain Cross Client tables.

4. What is the purpose of Su24? Ans:

It is used to maintain all the OBJECTS that are CHECEKED for a execution of a transaction. The check indicators are maintained in SU24 and are stored into two CUSTOMER specific tables USOBX_C and USOBT_C The customer specific tables ensure that the values modified by the customer will not over write by the SAP proposed values during a future upgrade.

5. What are the different Check proposals we have in Su24?

Ans: The SU24 transaction is one of the most important transactions in security. Its used to maintain all the objects that are checked for the execution of a particular transaction. The check indicators as maintained in SU24 are stored in two customer specific tables USOBT_C and USOBX_C. The customer specific tables ensure that the values modified by a customer are not over-written by the SAP proposed values during a future upgrade. We can have a look at the SAP proposed values through the transaction SU22.

SU24 - Initial Screen Each object can have three different status as given in the screenshot below

SU24 - check indicators Do not check These objects are not checked during transaction execution. Authorization objects belong to Basis and HR components can not be marked as Do not checked. Check , Yes (Check/Maintain in previous releases) These objects are checked during transaction execution and also pulled into a role when the transaction is added to a role. We also have an option of maintaining default values of the authorization fields for these objects. For example, in the last post regarding role maintenance, we saw a number of authorizations which were pulled into the role with default values. These authorizations appear with status standard or maintained in role maintenance. Check, No (Check in previous releases) These objects are checked during transaction execution but are not pulled into the role even if the transaction is added to the menu.

Its important to note that the primary check for an authorization object during program execution happens at the code level. So adding a check in Su24 will have no impact to security unless the code is modified as well to include a check for the authorization object.

6. What is the report used for finding the passwords of Standard Users?
Ans: Use the report RSUSR003 to make sure that the user SAP* has been created in all clients and that the standard passwords have been changed for SAP*, DDIC (and also the older user SAPCPIC). SAPCPIC SAPCPIC is created as a communication user at the installation and is mostly used for EDI. The standard profile S_A.CPIC restricts the access to the use of RFC. This user is hard-coded into the

function module INIT_START_OF_EXTERNAL_PROGRAM together with a standard password. This needs to be considered in case of password changes for this user. The standard password for this user directly after the installation is ADMIN.

7. What type of user is used for FF id?

Ans: Service

8. Which background job will generate report in SPM?

Ans: Schedule in transaction SM36 a job to run the ABAP report /VIRSA/ZVFATBAK hourly. This report generates the SPM log report.

1. Adjust the time zone setting to be consistent with the location of the user running the background job. 2. Create a non SLD connection on the SPM Frontend. 3. Switch RFC account to a dialogue user 4. Confirm authorization object GRCFF_0001 exists for the RFC account.

9. What is Mitigation?
Ans: Whenever a User/Role has a SOD voilation/Risk and it is not possible to remove any authorization

form the user in such case Mitigation come up. Its a process where you accept the risk but lower its severity by assiginig monitoring on the User/Role having risk. Mitigation Control performs the following functions: - Identifies the Segregation of Duties (SoD) as a known Risk. - Establishes a period of time during which the Risk may exist (is monitored). - Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk. Mitigation Controls can be assigned to Users, Roles, Profiles, or HR Objects to mitigate a Risk. Mitigation is a temporary 'after the event' control which the business process owner and (usually) internal audit have agreed is required as the SoD or critical permissions cannot practicably be cleared by changing accesses. Single roles should never need to be mitigated, composite roles may need to be if providing a user with all of their SAP transactions/permissions, the user and the composite will have the same access and, therefore, the same risks. The mitigation should never be considered as a permanent replacement to remediation which is why there is a time limit for each one. Before going to mitigation, review the supplied rule-set to ensure the objects and values are fully understood and correct, e.g. having FBL5N without FB02 access doesn't constitute a real risk with other transactions as it is only a view access but can be flagged as a major problem. Think about the issues rather than relying on a SAP delivered rule-set.

10. What are the different BG jobs in RAR? What is the purpose of each job?
ANS:

1. 2. 3. 4.

On the RAR screen, choose the Configuration tab. While in the Configuration tab, choose Background Job Schedule Job. In the User/Role/Profile Synchronization section , select Incremental for the Sync mode field

In the User/Role/Profile Synchronization section, select User Synchronization, Role Synchronization, and Profile Synchronization checkboxes. 5. Accept wildcard (*) values for each corresponding system.

6. On the Batch Risk Analysis section, make the following entries.

Fields Batch Mode Rule Set Report Type User Analysis Role Analysis Profile Analysis Values Incremental GLOBAL Select Permission Level Analysis Select the checkbox Select the checkbox Select the checkbox

7. On the Management Report section, select Management Reports. 8. Choose the Schedule button. 9. On the Schedule Risk Analysis screen, enter the following.
Fields Job Name Immediate Start Values Enter appropriate name for Job (for example, RAR_Background_Job_01) Select the radio button

10. Choose the Schedule button. 11. If successful, the following message displays Background job scheduled successfully, Job ID: XX.
Result To view the status of your background job:

1. Choose the Configuration tab. 2. Choose Background Job Search. 3. Enter the job # in the Job ID field and choose Search.
4. Check the status of your background job.

12. What do u do in Auditing?

Audit Trails
You have to log and save all sanctioned party list (SPL) screening activities to keep them accessible for official audits within the statutory retention period. SAP GRC Global Trade Services (SAP GRC GTS) logs the results at the legal regulation level. The logs enable you to keep a record of all the SPL screening your company has carried out, giving you an important source of documentation for legal purposes. You can archive these logs to reduce the load on your system and delete them from the tables once you have done this. The audit trail provides you with proof you need to present periodically to customs authorities, to demonstrate exactly which checks were performed, on which parties and when, and to show the results of these checks. The system logs every SPL screening activity of addresses and documents in the audit trail. This includes the results of screening external addresses from XML files or simulated screening activities. The audit trails for simulated screening activities let you retrieve the results of one-time checks at any time.

Features
You can use the following functions to select and display SPL screening logs for the partners and documents that have been screened: Audit Trail - Business Partner Audit Trail - Document Audit Trail for External Addresses You can separate these transactions by selecting either the business partners or the documents you want to archive in the selection screen. In addition, since SAP GRC GTS writes all changes to business partners and documents to the audit trail, you can archive data depending on the status of business partners or documents that may have been blocked by SPL checks and were released then manually, for example.

Activities
To start the audit trail features, go to the area menu for SAP GRC GTS and choose SAP Compliance Management Sanctioned Party List Screening . Then choose the desired tab page and click Audit Trail Display Audit Trail for Business Partners Display Audit Trail for Documents Display Audit Trail for External Addresses

In the screen that follows, you can enter restrictions for the data you want to display. For example, you can enter one particular legal regulation. You can also specify whether you want to select and display data that has already been archived, such as SPL master data, SPL audit trail, and SPL master data change documents. To do so, choose Also Select Archived Data. When you choose Execute, the system displays a results list of all the partners and documents the system checked against a particular legal regulation that you entered in the selection screen. You can display the following details for each entry in the results list: Business partner's address data Document data SPL data User data

Comments (if any) These functions allow you and the authorities to monitor the reasons for a user deciding to override a system decision to block a particular document or business partner. The users comments are also contained in the audit trail, which makes all your business processes transparent.

13. What do you know about BI Security?

Ans: SAP has the option to restrict access to BI reports by query name, by infoarea or at the infocube level. Infoarea is a grouping of infocubes in SAP BI. Infocube is the actual data used to create BI reports. Infoobject is the most granular level and denotes a field such as company code or plant etc. S_RS_COMP This is the most important authorization object in SAP BI. With this authorization object, you can control the different components of the query definition. A good example is that S_RS_COMP can be used to restrict users to create queries only in their application areas or only for their own infocubes.

S_RS_COMP1 This authorization object restricts queries to specific owners. This can be used to restrict which queries can be reviewed by a query owner based on the correct application area. S_RS_FOLD This authorization object can restrict users display access to a specific folder. This will prevent BI users to get access to other infoareas.

14. Where will you see table logs?

Ans: SCU3