SAP Security Challenge – August 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

July Challenge

In July’s challenge, we had 198 participants and an overall average of 5.7 correct answers. In total, only 5 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Chris L. is the lucky winner of the SAP Security Challenge of July 2018. Chris answered 9 questions correctly and wins a copy of the SAP System Security Guide, co-written by Alessandro Banzer of Xiting USA. Congratulations, Chris.

Answers from July’s Challenge

What is the name of the newest SAP Security book that was co-authored by Xiting’s Alessandro Banzer?
Xiting’s Alessandro Banzer is a co-author of the SAP Press book SAP System Security Guide that can be pre-ordered here:

What is the name of the latest training course by SAP Education that talks about authorizations in S/4HANA?
With ADM945, SAP Education provides a training class that specifically covers authorizations in S/4HANA, Fiori, etc. See more on:–authorization-concept-classroom-018-g-en/

What is the difference between S/4HANA and Suite on HANA?
SAP S/4HANA is SAP’s next-generation business suite that runs on a HANA database. Suite on HANA is SAP ECC (also called SAP ERP) running on a HANA database instead of Oracle, MaxDB, DB2, etc.

Where do you find the information on what Fiori applications are available to replace a transaction in the backend?
In the SAP Fiori apps reference library.

If you run Fiori in an embedded environment, where the front end and back end run on the same instance, do you still have to authorize the gateway services?
Regardless of whether you separate the front end from the back end, the end user still needs authorizations for both the front-end and back-end services. Specifically, for the back end the user needs authorizations for the gateway services.

What is the best-practice approach when building end-user roles for Fiori?
SAP’s best practice is to create one dedicated role for the back end and one for the front end. With that, regardless of your current architecture, you retain the ability to move your role design to an architecture in which the front end and back end run on separate systems.

In which table can you find the hash values for your services/components that are required in the S_START authorization?
In table USOBHASH, you can find the generated hash values for your services/components.

What are the minimum authorizations that a user needs to execute the Fiori launchpad?
To use the Fiori launchpad, the end user requires certain authorizations. In the front end these are transaction /UI2/FLP, the services /UI2/INTEROP and /UI2/PAGE_BUILDER_PERS, and the gateway services ZINTEROP_0001 and ZPAGE_BUILDER_PERS_0001; in the back end, the function module /IWBEP/FM_MGW_HANDLE_REQUEST.

What’s the purpose of generating the hash values of services?
With the generated hash values in table USOBHASH, you can establish the relationship between a hash value and its service/component. This is especially important when running an authorization trace (ST01/STAUTHTRACE), as you can then trace a failed check back to the service.

Do all Fiori applications have an associated ODATA service?
Only UI5 applications have an OData service that must be authorized. Web Dynpro applications and SAP GUI for HTML transactions do not have an OData service.

August Challenge

SAP Security Challenge - August 2018

Complete our August Challenge and enter the draw to win a copy of the SAP System Security Guide. By completing the SAP Security Challenge, you agree to Xiting's Cookie and Privacy Policy.


Which authorization object is checked when assigning roles, profiles, and systems to a user in the Central User Administration (CUA), in order to determine the systems to which the user administrator may assign users?
Which parameter and value allow the user buffer to be refreshed automatically when saving new role assignments in SU01?
A role can contain several profiles. In which of the following tables can you get an overview of the profiles?
In which table can you find multiple logons by a user?
After a release upgrade, you want to know which transaction codes replace an existing transaction. How do you proceed?
You want to allow certain users to only reset passwords for user maintenance but nothing else. How do you achieve that in SAP standard?
What do you correctly call authorizations for a HANA database?
What technology enables you to disable the passwords of dialog and technical users in an SAP ABAP system?
What protocol/technology enables digital signatures in SAP?
What's the name of the cryptographic library that SAP ships with the latest kernel?

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.