SAP Security Challenge – July 2018

Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

June Challenge

In June’s challenge, we had 238 participants and an overall average of 6.8 correct answers. In total, 11 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Mary P. is the lucky winner of the SAP Security Challenge of June 2018. Mary answered 8 questions correctly and wins the $50 Amazon gift card. Congratulations, Mary.

Answers from June’s Challenge

Which transaction allows you to display the User Buffer for your own user as well as for other users?
With transaction SU56, you can display the user buffer, i.e. the authorizations loaded for a user at logon. By default it shows your own buffer; via the menu (Authorization Values > For Other User) you can display the buffer of any other user.

Which SAP standard report can be used to analyze users and roles for segregation of duty conflicts as well as for critical authorizations?
With report RSUSR008_009_NEW, you can check for SOD conflicts and critical authorizations.

When users are locked they have a lock status. The lock status can be seen in table USR02 and field UFLAG. Which lock status are possible?
Any combination of 0 (not locked), 32, 64 and 128 is possible, and the values add up, because UFLAG is a bitmask. For example, a user can be locked due to too many failed logon attempts (128) plus globally by the administrator (32); the cumulative value is 160. This matters when a lock is removed: SAP Access Control (GRC) password self-service, for instance, only clears lock 128, so a user with UFLAG 160 drops to 32 and remains globally locked. When troubleshooting a "still locked" user, decode the individual bits rather than checking UFLAG for a single value.
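The bit arithmetic behind the previous answer, as an added example that is not part of the original post or of any SAP tool: the script decodes a USR02-UFLAG value into its lock bits, simulates a tool that clears only lock 128, and reports which users would remain locked afterwards. The list of USR02 rows is constructed sample data; the user names and the function names are assumptions made for the example.

```python
"""Decode the USR02-UFLAG lock bitmask and check what a partial unlock leaves behind.

Added example (not SAP code). Lock bits follow the values quoted above:
32 = locked globally by administrator, 64 = locked locally by administrator,
128 = locked due to too many failed logon attempts, 0 = not locked.
"""
from typing import Dict, List, Tuple

LOCK_FLAGS: Dict[int, str] = {
    32: "locked globally by administrator",
    64: "locked locally by administrator",
    128: "locked due to too many failed logon attempts",
}
KNOWN_MASK = sum(LOCK_FLAGS)  # 224: every documented lock bit set

# Constructed sample rows (BNAME, UFLAG) standing in for a USR02 extract.
SAMPLE_USR02: List[Tuple[str, int]] = [
    ("ALICE", 0),    # not locked
    ("BOB", 128),    # failed logons only
    ("CAROL", 160),  # 128 + 32: failed logons plus global admin lock
    ("DAVE", 64),    # local admin lock only
    ("ERIN", 224),   # all three locks at once
]


def decode_uflag(uflag: int) -> List[int]:
    """Return the individual lock bits set in UFLAG, lowest bit first.

    Rejects values with bits outside the documented flags so a typo such as
    126 (which is 2+4+8+16+32+64) is caught instead of silently misread.
    """
    if uflag < 0 or uflag & ~KNOWN_MASK:
        raise ValueError(f"UFLAG {uflag} contains bits outside the documented lock flags")
    return [bit for bit in sorted(LOCK_FLAGS) if uflag & bit]


def describe_uflag(uflag: int) -> str:
    """Human-readable lock status for one UFLAG value."""
    bits = decode_uflag(uflag)
    if not bits:
        return "not locked"
    return "; ".join(LOCK_FLAGS[bit] for bit in bits)


def remove_lock(uflag: int, bit: int) -> int:
    """Clear exactly one lock bit, the way a password self-service clears 128."""
    if bit not in LOCK_FLAGS:
        raise ValueError(f"{bit} is not a lock flag")
    return uflag & ~bit


def still_locked_after_self_service(rows: List[Tuple[str, int]]) -> Dict[str, int]:
    """Users who stay locked after a tool that only removes lock 128.

    Returns BNAME -> remaining UFLAG for every user whose UFLAG is non-zero
    once bit 128 has been cleared.
    """
    remaining: Dict[str, int] = {}
    for bname, uflag in rows:
        left = remove_lock(uflag, 128)
        if left:
            remaining[bname] = left
    return remaining


if __name__ == "__main__":
    for bname, uflag in SAMPLE_USR02:
        print(f"{bname:6} UFLAG={uflag:3} -> {describe_uflag(uflag)}")
    print("Still locked after self-service:", still_locked_after_self_service(SAMPLE_USR02))
```

Running it shows CAROL dropping from 160 to 32 and ERIN from 224 to 96; both are still locked even though the "failed logon" lock is gone, which is exactly the situation described above.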

How many authorization fields can an authorization object have?
An authorization object can have up to 10 authorization fields.

In which transaction can you check the table logs?
You can display table change logs in transaction SCU3. Logging only takes place if the profile parameter rec/client is set (for example to ALL or to a list of clients) and the "Log data changes" flag is set in the technical settings of the table, which you maintain in SE13.

How to smoothly remove duplicate role assignments with different start and end date from a user?
Report PRGN_COMPRESS_TIMES allows you to remove duplicate role assignments from the user master.

In which tables (and views) does the SAP system store the password hashes of a user? 
SAP stores the password hashes in tables USR02, USH02, USRPWDHISTORY and USH02_ARC_TMP; they can also be read through views such as VUSER001 and VUSR02_PWD. Protecting these tables and views is important because anyone who can read them can extract the hashes and crack them with offline brute-force or dictionary attacks. SAP Note 1484692 describes how to move them into a dedicated table authorization group and restrict S_TABU_DIS accordingly. Since the older hash formats (BCODE, PASSCODE) are much weaker than PWDSALTEDHASH, also set login/password_downwards_compatibility to 0 so that only the salted hash is stored.

In which table can you maintain illegal passwords that cannot be used by your users?
You can maintain table USR40 with transaction SM30. USR40 holds the illegal passwords that users are not allowed to choose; entries may contain the wildcards * (any string) and ? (any single character), so a pattern such as *PASSWORD* blocks every password that contains that word.

For RFC redesigns, which tool does SAP recommend in SAP Note 1682316 to reauthorize your RFC users without risk?
SAP Consulting Germany recommends in SAP Note 1682316 the Xiting Authorizations Management Suite (XAMS) to automate and simplify RFC redesign projects. The XAMS not only saves time and money, it also removes the risk of breaking interfaces when reauthorizing RFC users.

In SAP NetWeaver 7.50, which transaction can be used to locally lock a transaction for a certain client only?
In SAP NW 7.5, SM01 is obsolete and SAP introduced SM01_DEV and SM01_CUS. SM01_CUS locks a transaction in the current client only; SM01_DEV locks it cross-client, i.e. system-wide.

July Challenge

Complete our July Challenge and enter the draw to win a copy of the SAP System Security Guide. By completing the SAP Security Challenge, you agree to Xiting's Cookie and Privacy Policy.

What is the name of the newest SAP Security book that was co-authored by Xiting's Alessandro Banzer?
What is the name of the latest training course by SAP Education that talks about authorizations in S/4HANA?
What is the difference between S/4HANA and Suite on HANA?
Where do you find the information on what Fiori applications are available to replace a transaction in the backend?
If you run Fiori in an embedded deployment, where the front end and back end run on the same instance, do you still have to authorize the gateway services?
What is the best-practice approach when building end-user roles for Fiori?
In which table can you find the hash values for your services/components that are required in the S_START authorization?
What are the least authorizations that a user needs to execute the Fiori launchpad? (select all that apply)
What's the purpose of generating the hash values of services?
Do all Fiori applications have an associated OData service?

We wish you the best of luck in the challenge.

Jamsheed Bahser

Jam is an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on the Xiting Authorizations Management Suite (XAMS).