SAP Security Challenge – February 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

January’s Challenge

In January’s challenge, we had 112 participants and an overall average of 7.1 correct answers. In total, 9 participants were able to answer all questions correctly.

January’s Champion

We are very happy to announce that Connie T. is the lucky winner of the SAP Security challenge of January 2018. Connie answered 9 questions correctly and wins a free ticket to the HANA, BI, Basis and Admin conference in Las Vegas. Congratulations, Connie.

Answers from January’s Challenge

Which SAP standard transaction can be used to mass maintain users?
Transaction SU10 allows mass maintenance of users.

Which of the following tables can help in determining the single roles which are assigned to a given composite role?
Table AGR_AGRS holds the relationship between a composite role and its single roles.

Which transaction can be used to check the User Buffer?
Transaction SU56 allows an administrator to view not only their own authorizations that are loaded into the buffer, but also those of other users.

An SAP system knows five different types of users; which of them can be used for dialog logon?
Dialog and Service users can be used for Dialog Logon.

In client 066 (EarlyWatch), what is the default password of user EARLYWATCH after installation?
The default password of EARLYWATCH in client 066 is SUPPORT. Make sure to change the password to protect your SAP system.

Which standard report can be used to check SAP default passwords of standard users?
The standard report RSUSR003 displays the standard users and their status across all clients in a system. It is important to execute this report in each system, as users are client-dependent and hence differ between clients and systems.

What is the Code Version in SAP used for?
Passwords are stored as a hash value and not in cleartext. An algorithm generates the hash value from the cleartext password and stores its value in the USR02 table. The algorithm that generates that hash value is called code version.

Which standard transaction allows the maintenance of authorization values (including organizational levels) of multiple roles?
Transaction PFCGMASSVAL allows the maintenance of authorization values of multiple roles, including the maintenance of organizational levels and their field values.

What’s correct about client-dependent and client-independent tables?
Client-dependent tables contain data that a user creates in one client and that is not shared with other clients. An example of a client-dependent table is the user master data table USR02. Client-independent tables, on the other hand, contain data that is shared across all clients of a system (e.g. dictionary objects in table TADIR). To distinguish whether a table is client-dependent or client-independent: the field MANDT of type CLNT exists in client-dependent tables only.

Client-independent tables are protected with which authorization object?
Client-independent tables must be protected properly, as maintaining them can cause side effects in other clients. Therefore, SAP implemented a supplementary authorization object (S_TABU_CLI), which is checked, in addition to S_TABU_DIS and S_TABU_NAM, only when trying to maintain client-independent tables.

February Challenge

Complete our February Challenge and enter the draw to win the book Authorizations in SAP: 100 Things You Should Know About...
What should be changed in a derived role only?
Which user type should be used in RFC connections?
You want to avoid double TCODES. How do you do it?
In a CUA environment, in which transaction can you define that reference users are defined locally (directly in the child system)?
Jerry wants to see Tim's spools. What authorization does Jerry need for this?
How many authorization fields can an authorization object have at most?
In which transaction can you define authorization groups for document types?
What transaction can you use to create user-specific security policies?
User Tom reports a failed authorization check. In SU53, however, you cannot find Tom’s failed authorization check, even though he just got the message in the same client. What can be the issue?
What is the default number of stored authorization checks of SU53?

We wish you the best of luck in February’s challenge.

Jamsheed Bahser

Jam is an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on the Xiting Authorizations Management Suite (XAMS).
