SAP Security Challenge – June 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

May Challenge

In May’s challenge, we had 212 participants and an overall average of 6.7 correct answers. In total, 15 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that James J. is the lucky winner of the SAP Security Challenge of May 2018. James answered 6 questions correctly and wins the $50 gift card from Amazon.

Answers from May’s Challenge

The user is on a different application server, so you do not see his failed authorization checks in SU53 and want to switch to the same application server. How do you proceed?
The user’s SU53 display shows which application server the user is on. In transaction SM51, you can double-click on the application server of the user.

In which table can you see which tables are contained in a table group?
You can find the table group assignments in table TDDAT.

Which parameter defines the minimum number of characters that must be different in the new password compared to the old password?
Parameter login/min_password_diff defines how many characters of the new password must differ compared to the old password. Use the report RSPARAM and search for login* parameters to see the current value of all the login parameters.

In which transaction can you search the content of a transport request for a particular role?
In transaction SE03 you can search for objects in a request/task and filter for the object ACGR (Role).

You want to schedule a background job under the name of the technical user ZXITING. What authorizations do you need for this?
You require S_BTCH_NAM with the respective value of the user in the BTCUNAME field.

You maintain the ACTVT 03 in the context of the FB03 in SU24. What kind of transport will you use to transport those changes?
SU24 values are client-independent and hence require a workbench transport.

In which table can you generally change messages from errors to warnings for specific users but not for others?
Table T100C controls the behavior of messages for users. You can maintain specific messages through transaction OBA5.

Through which transaction can you adjust the settings in a CUA landscape so that local password changes are possible?
In transaction SCUM, you can define the behavior of fields in the user master record. You can define where a field can be maintained.

As of SAP Basis 7.50 SP03, what events can you log with the Security Audit Log (SAL)? (select all that apply)
With the Security Audit Log (SAL), you can record security-related activities in the system such as dialog and RFC logon attempts, transaction starts, changes to the user master, etc. As of SAP Basis 7.50 SP03, SAP delivers a new SAL with new transactions and capabilities. Xiting will blog about those changes in the next couple of weeks.

In the role authorizations in PFCG, what does the red light indicate?
The red light indicates that the org levels have not been maintained. Org levels need to be maintained centrally on the role level and not directly in the authorization object.


June Challenge


Which transaction allows you to display the User Buffer for your own user as well as for other users?
Which SAP standard report can be used to analyze users and roles for segregation of duty conflicts as well as for critical authorizations?
When users are locked, they have a lock status. The lock status can be seen in table USR02, field UFLAG. Which lock statuses are possible? (select all that apply)
How many authorization fields can an authorization object have?
In which transaction can you check the table logs?
How do you smoothly remove duplicate role assignments with different start and end dates from a user?
In which tables (and views) does the SAP system store the password hashes of a user? (select all that apply)
In which table can you maintain illegal passwords that cannot be used by your users?
For RFC redesigns, which tool does SAP recommend in SAP Note 1682316 for reauthorizing your RFC users without risk?
In SAP NetWeaver 7.50, which transaction can be used to locally lock a transaction for a certain client only?

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.

