SAP Security Guide for Freshers

Uploaded by SIVAVEDATHRI

SAP Security – Detailed Guide for Freshers (0–1 Year)

1. User & Identity Management

This is the first area freshers work on daily.

● User Creation (SU01): Create new users with correct details (user ID, name, email, roles).
● User Modification (SU01): Update user details (department, email, validity dates).
● User Lock/Unlock (SU01): Lock users who leave, unlock when requested.
● Password Reset (SU01): Common service desk activity.
● Mass User Changes (SU10): Perform changes for multiple users at once.
● User Reporting (SUIM): Find out who has which roles, authorizations, or transactions.
● User Types:
  ○ Dialog (normal login)
  ○ Service (shared for background use, no dialog login)
  ○ System (used for RFC/system connections)
  ○ Communication (RFC/logon via external system)
  ○ Reference (supplementary roles, no direct login)

2. Role & Authorization Management

The most important part of SAP Security, because access is always role-based.

● Role Assignment (SU01): Add/remove existing roles for users.
● Role Types:
  ○ Single Role → contains authorizations directly.
  ○ Composite Role → collection of single roles.
  ○ Derived Role → inherits from a parent role.
● Authorization Objects: Define which actions a user may perform on an object (e.g., display, create, delete).
● T-codes:
  ○ PFCG: Role maintenance (for awareness; usually seniors design roles).
  ○ SU53: Shows the last failed authorization check (first check for user complaints).
  ○ ST01: Authorization trace to capture missing objects/values.
  ○ SUIM: Reports for users, roles, authorizations, transactions.
● Common Tasks for Freshers:
  ○ Check SU53 when a user reports “cannot access T-code.”
  ○ Run SUIM to verify whether the user has the role.
  ○ Forward to seniors if role design or a transport is required.

3. Monitoring & Troubleshooting

Freshers spend most of their time here handling tickets.

● SU53: First-level check for missing authorizations.
● ST01: Detailed trace if SU53 does not show enough information.
● SM20: Review security audit logs (check logins, failed attempts).
● SM21: Review system logs for errors (awareness).
● Daily Issues You May Handle:
  ○ User cannot log in → check if locked, expired, or wrong password.
  ○ User cannot access transaction → run SU53, check role assignment.
  ○ Unauthorized action → check missing authorization object.
  ○ Mass password resets or unlocks.
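An added Python example (not from the guide) of the kind of review done in SM20 for a "cannot log in" ticket: it runs over constructed, simplified audit-log lines and flags users whose failed logons cluster the way an automatic lock does, as opposed to a single mistype or a background job with a stale password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the guide): reviewing security-audit-log style records the
# way a fresher would in SM20 for a "cannot log in" ticket. The lines below are
# CONSTRUCTED in a simplified "date time user terminal event" layout; a real SM20
# export has more columns and its own message texts.
SAMPLE_LOG = """\
2024-05-06 08:01:12 JSMITH PC-101 LOGON_OK
2024-05-06 08:03:40 ADOE PC-233 LOGON_FAILED
2024-05-06 08:03:55 ADOE PC-233 LOGON_FAILED
2024-05-06 08:04:10 ADOE PC-233 LOGON_FAILED
2024-05-06 08:04:31 ADOE PC-233 USER_LOCKED
2024-05-06 09:15:00 BATCH01 APPSRV LOGON_FAILED
2024-05-06 13:20:00 BATCH01 APPSRV LOGON_FAILED
2024-05-06 13:40:00 JSMITH PC-101 LOGON_FAILED
"""

def parse_log(text):
    """Turn each constructed line into (timestamp, user, terminal, event)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, user, terminal, event = line.split()
            records.append((datetime.fromisoformat(f"{date} {time}"), user, terminal, event))
    return records

def failed_logon_summary(records, window=timedelta(minutes=5), threshold=3):
    """Per user: failed-logon count, whether a USER_LOCKED event appears, and whether
    `threshold` failures fell inside `window` (the pattern behind an automatic lock,
    as opposed to a user who mistyped once or a job with a stale password)."""
    by_user = defaultdict(list)
    for ts, user, _terminal, event in records:
        by_user[user].append((ts, event))
    summary = {}
    for user, events in by_user.items():
        fails = sorted(ts for ts, ev in events if ev == "LOGON_FAILED")
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        summary[user] = {"failed": len(fails),
                         "locked": any(ev == "USER_LOCKED" for _, ev in events),
                         "burst": burst}
    return summary

if __name__ == "__main__":
    for user, info in failed_logon_summary(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

In the sample, ADOE shows the lock pattern (three failures within a minute followed by USER_LOCKED), while BATCH01's two widely spaced failures point to a stored credential that needs updating rather than a lockout.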

4. System & Infrastructure Security (Awareness for Freshers)

You don’t configure much here as a fresher, but you must know the basics.

● Client Concept: Multiple clients (100/200/800) in one SAP system.
● Profile Parameters (RZ10/RZ11): Security settings like password rules, logon restrictions.
● RFC Security (SM59): System-to-system connection security.
● SNC/SSL: Encryption of SAP communication.

5. Compliance & GRC (Awareness for Freshers)

You should understand why security exists – to prevent risks.

● Segregation of Duties (SoD): One user should not perform conflicting tasks (e.g., creating a vendor and making payment).
● Critical T-codes: SU01, PFCG, SE38, SE16N – highly sensitive transactions.
● GRC (Governance, Risk, Compliance): A tool used to check SoD conflicts, monitor risks, and provide firefighter IDs (temporary emergency access).
● Firefighter ID (Concept): A special ID for emergency use, with logs reviewed later.
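The SoD check that GRC automates, as an added Python example that is not part of the guide: the roles, users and rule are constructed sample data reusing the vendor-creation vs. payment conflict above, and the T-codes are illustrative.

```python
# Added example (not from the guide): a minimal Segregation-of-Duties check of the kind
# GRC automates. Input is CONSTRUCTED sample data: which transactions each role grants
# and which roles each user holds (as SUIM's "user -> roles" report would list them).
from itertools import product

# Constructed sample: role -> transactions it grants
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},     # create/change vendor master
    "Z_AP_PAYMENT_RUN":  {"F110"},             # execute payment run
    "Z_AP_DISPLAY":      {"XK03", "FK03"},     # display-only
    "Z_BASIS_USERADMIN": {"SU01", "PFCG"},
}

# Constructed sample: user -> roles assigned
USER_ROLES = {
    "ADOE":   {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},  # conflicting combination
    "JSMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"},      # clean
    "BASIS1": {"Z_BASIS_USERADMIN"},
}

# SoD rule set: (rule id, description, left-side T-codes, right-side T-codes).
# A user violates a rule when they can run a T-code from both sides.
SOD_RULES = [
    ("AP01", "Create vendor AND run payments", {"XK01", "XK02"}, {"F110"}),
]

def user_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """All transactions a user reaches through their roles (composite or derived
    roles would first be flattened to single roles in the same way)."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, set())))

def find_sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Return {user: [(rule id, [(left tcode, right tcode), ...]), ...]} for each violation."""
    conflicts = {}
    for user in user_roles:
        reachable = user_tcodes(user, user_roles, role_tcodes)
        for rule_id, _desc, left, right in rules:
            hits = sorted(product(left & reachable, right & reachable))
            if hits:
                conflicts.setdefault(user, []).append((rule_id, hits))
    return conflicts

if __name__ == "__main__":
    for user, items in find_sod_conflicts().items():
        for rule_id, pairs in items:
            print(f"{user}: SoD rule {rule_id} violated via {pairs}")
```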

6. Advanced Security & New Technologies (Awareness for Freshers)

This is mostly future learning, but interviewers may test if you have basic awareness.

● SAP Fiori: Role design using catalogs, groups, and tiles.
● SAP HANA Security: Privileges at database level.
● SAP Cloud Security: SuccessFactors, Ariba, SAP BTP.
● SSO (Single Sign-On): One login for multiple systems.
● MFA (Multi-Factor Authentication): Extra security beyond password.

Summary for Freshers

● Hands-on focus (daily work):
  1. User & Identity Management
  2. Role & Authorization Management
  3. Monitoring & Troubleshooting
● Awareness only (for interviews):
  4. System Security
  5. Compliance & GRC
  6. Advanced Security
The fresher-level SAP Security interview Q&A set below is divided into the same six groups as the guide above. The questions are kept simple but detailed enough to match what interviewers expect from someone starting out.

SAP Security Interview Questions (Fresher-Level, 25–30 Q&A)

1. User & Identity Management

Q1. What are the different types of users in SAP?
A:
● Dialog – for normal interactive logon.
● Service – for anonymous logins, shared use, no password change enforcement.
● System – for background processing and RFC communication.
● Communication – for RFC or CPIC logins (non-dialog).
● Reference – provides additional authorizations, cannot log in directly.

Q2. How do you create a new user in SAP?
A: Using transaction SU01. Enter user details (username, type, validity, roles, profiles, password).

Q3. What is SU10 used for?
A: Mass user maintenance (lock/unlock/reset/change multiple users at once).

Q4. How do you check which roles are assigned to a user?
A: SU01 (Roles tab) or SUIM (user → roles report).

2. Role & Authorization Management

Q5. What are the different types of roles in SAP?
A:
● Single role → contains transactions and authorization objects.
● Composite role → bundle of multiple single roles.
● Derived role → inherits properties from a parent role but with different organizational values.

Q6. What is PFCG used for?
A: It is the Role Maintenance transaction, used to create, change, or delete roles.

Q7. How do you troubleshoot when a user says, “I cannot access a transaction code”?
A:
1. Run SU53 to check missing authorization.
2. Use SUIM to verify role assignment.
3. If still unclear, run ST01 trace for detailed analysis.

Q8. What is an authorization object?
A: It is a collection of fields that control access to actions (e.g., display, create, change, delete). Example: F_BKPF_BUK (Company code in FI).
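As an added illustration of Q7 and Q8 (not from this guide), a simplified Python model of how a check on the authorization object F_BKPF_BUK passes or fails and what SU53 then shows. The user authorizations are constructed sample data, and value matching is reduced to exact values, the '*' wildcard and trailing-'*' patterns (ranges and other patterns are left out).

```python
# Added example (not from the guide): a simplified model of an SAP authorization check
# on an authorization object, and of what SU53 reports afterwards. The authorizations
# below are CONSTRUCTED; F_BKPF_BUK with fields BUKRS (company code) and ACTVT
# (activity) is the object named in Q8. A check passes if ANY single authorization for
# the object satisfies ALL requested field values, which is why a user may hold the
# right company code and the right activity and still fail when they sit in different
# authorizations.

# Constructed sample: user -> list of authorizations, each = (object, {field: [values]})
USER_AUTHS = {
    "JSMITH": [
        ("F_BKPF_BUK", {"BUKRS": ["1000", "20*"], "ACTVT": ["03"]}),   # display only
        ("F_BKPF_BUK", {"BUKRS": ["3000"], "ACTVT": ["01", "02"]}),    # change, 3000 only
        ("S_TCODE",    {"TCD": ["FB03"]}),
    ],
    "ADOE": [
        ("F_BKPF_BUK", {"BUKRS": ["*"], "ACTVT": ["01", "02", "03"]}),
    ],
}

LAST_FAILED = {}   # user -> last failed check, the information SU53 displays

def value_matches(allowed, wanted):
    """A field matches if the authorization holds '*', the exact value, or a
    trailing-'*' pattern whose prefix the requested value starts with."""
    return any(a == "*" or a == wanted or (a.endswith("*") and wanted.startswith(a[:-1]))
               for a in allowed)

def authority_check(user, obj, **fields):
    """Return True if one authorization for `obj` satisfies every requested field;
    on failure record the object and requested values for su53()."""
    for auth_obj, auth_fields in USER_AUTHS.get(user, []):
        if auth_obj == obj and all(value_matches(auth_fields.get(f, []), v)
                                   for f, v in fields.items()):
            return True
    LAST_FAILED[user] = {"object": obj, "fields": dict(fields)}
    return False

def su53(user):
    """What SU53 would show: the user's last failed authorization check, or None."""
    return LAST_FAILED.get(user)

if __name__ == "__main__":
    print(authority_check("JSMITH", "F_BKPF_BUK", BUKRS="2010", ACTVT="03"))  # True
    print(authority_check("JSMITH", "F_BKPF_BUK", BUKRS="1000", ACTVT="02"))  # False
    print(su53("JSMITH"))
```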

3. Monitoring & Troubleshooting

Q9. What is SU53 used for?
A: To check the last failed authorization for a user.

Q10. What is ST01 used for?
A: Authorization trace – it captures authorization checks in detail.

Q11. What is the difference between SU53 and ST01?
A:
● SU53 → shows only the last failed authorization.
● ST01 → provides a complete trace of authorizations during a transaction.

Q12. What are SM20 and SM21 used for?
A:
● SM20 → Security audit log (logon attempts, failed logins, sensitive actions).
● SM21 → System log (errors, warnings, system events).

Q13. A user says they are locked out. How do you fix this?
A:
● Check SU01 to see if the user is locked.
● Unlock the user and reset the password if needed.

4. System & Infrastructure Security (Awareness)

Q14. What is SNC in SAP?
A: Secure Network Communication – used for encrypting communication between SAP systems and clients.

Q15. What is the purpose of RZ10 and RZ11?
A:
● RZ10 → Maintain profile parameters permanently.
● RZ11 → Display/change profile parameters temporarily.

Q16. What is an RFC connection in SAP?
A: Remote Function Call – used to connect SAP systems or SAP with external systems (SM59 for configuration).

5. Compliance & GRC (Awareness)

Q17. What is Segregation of Duties (SoD)?
A: Ensuring one user does not perform conflicting tasks (e.g., creating a vendor and approving payments).

Q18. What are critical T-codes in SAP?
A: Examples:
● SU01 → User creation
● PFCG → Role maintenance
● SE38 → Execute ABAP programs
● SE16N → Direct table access

Q19. What is a Firefighter ID?
A: A temporary, privileged ID used for emergency access. All actions performed are logged and reviewed later.

Q20. What is GRC used for in SAP Security?
A: Governance, Risk, and Compliance – mainly for SoD checks, risk analysis, access requests, and firefighter ID management.

6. Advanced Security & New Technologies (Awareness)

Q21. What is SAP Fiori?
A: A modern SAP user interface. Access is controlled by catalogs, groups, and tiles instead of classical roles.

Q22. What is SAP HANA Security?
A: It deals with privileges (schema, object, system) at the database level for SAP HANA systems.

Q23. What is SSO?
A: Single Sign-On – allows users to log in once and access multiple SAP systems without re-entering credentials.

Q24. What is MFA?
A: Multi-Factor Authentication – requires more than one verification (e.g., password + OTP).

Q25. What is SAP BTP Security?
A: Security concepts for SAP’s cloud platform (Business Technology Platform), including OAuth2 and SAML2 authentication.

Summary for Freshers:

● Sections 1, 2, 3 → you must be able to answer confidently with examples.
● Sections 4, 5, 6 → only awareness is expected; keep answers simple.
