SAP Security Challenge – January 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog.

December’s Challenge

In December’s challenge, we had 173 (256 in November) participants and an overall average of 5.86 (6.4 in November) correct answers. In total, 6 participants were able to answer all questions correctly and entered the draw to win the prize.

December’s Champion

We are very happy to announce that Dinesh K. is the SAP Security Champion of December 2017. Dinesh answered all 10 questions correctly and wins the free ticket to the GRC Conference in Las Vegas. Congratulations, Dinesh. See you in Vegas.

Answers from December’s Challenge

What is the default password of SAP Standard User DDIC?
The default password for standard user DDIC is 19920706. The standard user SAP* has 06071992 as default password in client 000/001/066, and PASS in any new client. The passwords of these user IDs should be changed to prevent unwanted users from logging in with full authority. SAP* can be disabled; however, DDIC is needed for the system, so it is important to change this password to a secure one.

A strict SAP Security Concept is required for which systems?
It is very important to implement a strict SAP Security concept for all systems. All of the SAP systems talk to each other using RFC interfaces, and the weakest system in the chain is the most vulnerable. Therefore, it is very important to implement security measures in development, test, and quality systems as well, and also in non-productive clients like client 000 or 066 (Early Watch), as even these clients allow you to alter your production environment.

In PFCG, what does an authorization with a status of “Changed” mean?
The “Changed” status in PFCG shows that the standard values proposed by SU24 have been changed in the authorizations. This is the best-practice approach to updating authorizations in PFCG.

Approximately how many authorization objects are available in the current SAP NetWeaver 7.50 with ERP Enhancement Package 8?
The current SAP NetWeaver 7.50 with ERP Enhancement Package 8 has more than 3’700 authorization objects that can be authorized to users.

Since 2010, the SAP Security Patch Day is on the second __________ every month.
Security Patch Day has been on the second Tuesday of every month since 2010. It is very important to keep up with the security patches, as the vulnerabilities are publicly known.

Which transaction can be used to maintain authorization groups?
To create table authorization groups, you can use transaction SE54 and select ‘Authorization Groups’ > Create/Change > New Entries.

What does table authorization group &NC& protect?
&NC& protects tables that are not assigned to an authorization group. When a user has access to standard table display/maintenance transactions (SM34, SM31, SM30, SE16, SE16N, SE11, SE17, etc.), the system performs an authority check on the table's authorization group (S_TABU_DIS). If the table has not been assigned to a table authorization group, then &NC& will be checked. Hence authorizing &NC& gives access to a large number of tables in an SAP system. It is not as powerful as *; however, protecting it properly is necessary.

How does S_TABU_NAM work?
With S_TABU_NAM, the system checks the view names or table names directly, so that an exact authorization check is possible. In the function module VIEW_AUTHORITY_CHECK, the system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
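The check order described in the two answers above (S_TABU_DIS against the table's authorization group, with &NC& for unassigned tables, then S_TABU_NAM against the table name) can be modelled to review what a role really exposes. This is an added example, not SAP or Xiting code; the table-to-group mapping, the two roles and all function names are constructed for illustration, and value matching is simplified to exact values and trailing wildcards.

```python
ACTVT_DISPLAY = "03"

# Constructed sample data: TDDAT-style mapping of table -> authorization group
# ("" means no group assigned) and two constructed role authorizations.
TDDAT = {"USR02": "SPWD", "T000": "SS", "ZSALARY": "", "ZPRICES": ""}
ROLE_BROAD = [{"object": "S_TABU_DIS", "ACTVT": ["03"], "DICBERCLS": ["&NC&"]}]
ROLE_EXACT = [{"object": "S_TABU_NAM", "ACTVT": ["03"], "TABLE": ["ZPRICES"]}]


def value_matches(granted, wanted):
    """'*' matches everything; a trailing '*' is a prefix match (ranges not modelled)."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def has_auth(auths, obj, **fields):
    """True if a single authorization of `obj` covers every requested field value."""
    return any(
        a["object"] == obj
        and all(any(value_matches(g, want) for g in a.get(name, []))
                for name, want in fields.items())
        for a in auths
    )


def auth_group(tddat, table):
    """A table with no assigned group is checked against &NC&."""
    return tddat.get(table) or "&NC&"


def granted_by(auths, tddat, table, actvt=ACTVT_DISPLAY):
    """Return the object that grants access, following the order in the text."""
    if has_auth(auths, "S_TABU_DIS", ACTVT=actvt, DICBERCLS=auth_group(tddat, table)):
        return "S_TABU_DIS"
    # S_TABU_NAM is only consulted when the S_TABU_DIS check was unsuccessful.
    if has_auth(auths, "S_TABU_NAM", ACTVT=actvt, TABLE=table):
        return "S_TABU_NAM"
    return None


def exposure(auths, tddat=TDDAT):
    """Tables reachable with the given authorizations, and via which object."""
    hits = {t: granted_by(auths, tddat, t) for t in sorted(tddat)}
    return {t: obj for t, obj in hits.items() if obj}
```

Running `exposure(ROLE_BROAD)` shows every unassigned table becoming readable through &NC&, while `exposure(ROLE_EXACT)` is limited to the one named table.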

In SU24, what does column TSTCA tell you about a transaction?
TSTCA is the table which tells you the minimum access required in order to view the initial screen of the transaction. The authorization required is configured in transaction SE93. In SU24, the column “TSTCA” indicates which value is configured in SE93.

Which recommended value shall be set for profile parameter login/password_downwards_compatibility?
Passwords are stored in different tables within an SAP system. These include USR02, USH02, USH02_ARC_TMP, USRPWDHISTORY, VUSER001, VUSR02_PWD, etc. Protecting these tables is necessary. In addition, it is recommended to set parameter login/password_downwards_compatibility to 0. This disables downward compatibility for passwords and forces the use of an iterated salted SHA1 hash (field PWDSALTEDHASH in table USR02). “Old” encryption methods can no longer be used (field BCODE: MD5, field PASSCODE: SHA1). Delete old password hashes via report CLEANUP_PASSWORD_HASH_VALUES.
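A review of this setting usually covers two things: the parameter value in the profile and whether any user still carries a hash in the legacy fields. The following is an added example, not SAP or Xiting code; the profile excerpt, the semicolon-separated USR02 export layout, the user names and the dummy hash values are all constructed, and it assumes an empty hash field is exported as blank or all zeros.

```python
import csv
import io

PARAM = "login/password_downwards_compatibility"
LEGACY_FIELDS = ("BCODE", "PASSCODE")  # legacy hash fields named in the text

# Constructed sample inputs (hash values are dummy placeholders, not real hashes).
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
login/min_password_lng = 8
login/password_downwards_compatibility = 1
"""
SAMPLE_USR02 = """\
BNAME;BCODE;PASSCODE;PWDSALTEDHASH
DDIC;0000000000000000;0000000000000000000000000000000000000000;<salted-placeholder>
JSMITH;A1B2C3D4E5F60718;0000000000000000000000000000000000000000;<salted-placeholder>
BATCH01;A1B2C3D4E5F60718;1111111111111111111111111111111111111111;
"""


def profile_value(profile_text, name=PARAM):
    """Return the last value set for `name` in a 'key = value' profile, or None."""
    value = None
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key == name:
                value = val
    return value


def is_populated(raw):
    """Assumption: an empty hash field is exported as blank or all zeros."""
    raw = (raw or "").strip()
    return bool(raw) and set(raw) != {"0"}


def legacy_hash_users(usr02_csv):
    """Map user -> legacy fields still holding a hash, plus salted-hash presence."""
    findings = {}
    for row in csv.DictReader(io.StringIO(usr02_csv), delimiter=";"):
        legacy = [f for f in LEGACY_FIELDS if is_populated(row.get(f))]
        if legacy:
            findings[row["BNAME"]] = {"legacy": legacy,
                                      "salted": is_populated(row.get("PWDSALTEDHASH"))}
    return findings


def audit(profile_text, usr02_csv):
    """Combine the parameter check and the per-user legacy hash findings."""
    value = profile_value(profile_text)
    return {"param_ok": value == "0", "param_value": value,
            "users": legacy_hash_users(usr02_csv)}
```

A result with `param_ok` false or a non-empty `users` map marks the systems and accounts to follow up on before running the cleanup report.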

January Challenge

Complete our January Challenge and enter the draw to win a ticket to the SAP Insider HANA, Admin, Basis, and BI conference in Las Vegas. Find more details here.

Which SAP standard transaction can be used to mass maintain users?
Which of the following tables can help in determining the single roles which are assigned to a given composite role?
Which transaction can be used to check the User Buffer?
An SAP system knows five different types of users, which of them can be used for Dialog Logon? (select all that apply)
In client 066 (EarlyWatch), what is the default password of user EARLYWATCH after installation?
Which standard report can be used to check SAP default passwords of standard users?
What is the Code Version in SAP used for?
Which standard transaction allows the maintenance of authorizations values (including organizational levels) of multiple roles?
What's correct about client-dependent and client-independent tables? (select all that's correct)
Client-independent tables are protected with which authorization object?

We wish you the best of luck in January’s challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.