SAP Security Challenge – January 2019


What better way to start off a new year than with the Security Challenge? Get yourself ready for 2019 with our challenge. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz on the first of every month, consisting of multiple questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 6 correct answers give you 6 tickets). The more you know, the higher your chances of winning.

November Challenge

In November’s challenge (we are sorry for not having posted the December challenge), we had 156 participants and an overall average of 4.6 correct answers. In total, only 3 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Syed A. is the lucky winner of the SAP Security challenge of September 2018. Syed answered 2 questions correctly and wins a copy of the SAP System Security Guide co-authored by Xiting’s Alessandro Banzer. Congratulations, Syed.

Answers from November’s Challenge

With reference users, do the roles assigned to the reference user append to or replace the roles of the dialog user?
Authorizations assigned to the reference user are appended to the authorizations of the dialog user when assigned.

What’s the release cycle of S/4HANA?
The release cycle of SAP S/4HANA is defined as yearly in September. That’s why the release numbers are 1709, 1809, etc.

What types of applications can be maintained in SU24?
You can maintain the authorization proposals for different types of applications that can be added through the role menu in PFCG. Types include Transactions, Web Dynpros, RFC Function Modules, etc.

What’s the recommended alternative to authorize generic table access instead of SE16 or other data browser transactions?
Parameter transactions allow you to create access to specified tables. With parameter transactions, you can also maintain proper SU24 values through S_TABU_NAM (or S_TABU_DIS).

With parameter transactions for SE16/SM30, is it recommended to propose the table name or table authorization group through SU24 for S_TABU* objects?
With parameter transactions, you can maintain all the required values in SU24, which increases the security and maintainability of your roles with standard values.

Which transaction can be used to maintain SNC names for dialog users in batch mode?
With transaction SNC1, you can mass-maintain SNC names for dialog users in batch mode.

With SNC, you can enforce SNC logon for your users. What scenarios are possible?
With profile parameter snc/permit_insecure_gui, you can define whether you want to enforce SNC logon for all users with value 1, or for individual users only with parameter U. Individual users can be enforced in SU01.

January Challenge

Complete our January Challenge and enter the draw to win a copy of the SAP System Security Guide. By completing the SAP Security Challenge, you agree to Xiting's Cookie and Privacy Policy.

How do you create an authorization object?
From which table(s) do you extract user email addresses?
Which of the following are org fields in an SAP ECC system? (select all that apply)
What is the authorization object which gives developer debugging authorization?
In which transaction can you check lock entries?
When programming an AUTHORITY-CHECK statement where you don’t yet know the value which is going to be checked for a field, which of the following are correct approaches? (select all that apply)
You need to create a program which only one user should be able to use. How do you ideally authorize it?

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.