SAP Security Challenge – March 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers give you 8 tickets). The more you know, the higher the chances to win.

February’s Challenge

In February’s challenge, we had 119 participants and an overall average of 6.4 correct answers. In total, 3 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Stacie P. is the lucky winner of the SAP Security challenge of February 2018. Stacie answered 7 questions correctly and wins a copy of the book Authorizations in SAP: 100 Things You Should Know About.

Answers from February’s Challenge

What should be changed in a derived role only?
In the best case, a derived role should only differ from the master role in terms of the org levels. Thus, the org level values can be changed in a derived role. From a purely technical point of view, it is also possible to change the authorization data in the derived role. However, this is not recommended because of inconsistencies between the master and the derived role.

Which user type should be used in RFC connections?
For RFC connections, a “System” type user should always be used.

You want to avoid double TCODES. How do you do it?
In table SSM_CUST, set the parameter DELETE_DOUBLE_TCODES to “YES” and you avoid duplicate TCODES in your roles.

In a CUA environment, in which transaction can you define that reference users are defined locally (directly in the child system)?
The distribution parameters are defined in SCUM. In transaction SCUM, you can set the role assignment to reference users under the “Roles” tab.

Jerry wants to see Tim’s spools. What authorization does Jerry need for this?
In order for Jerry to be able to select spool requests of other users, the basic requirement is S_ADMI_FCD with the value SP0R. To be able to select Tim’s spools, Jerry additionally needs S_SPO_ACT with the actions (field SPOACTION) BASE and DISP for the user (field SPOAUTH) Tim.

How many authorization fields can an authorization object have at most?
An authorization object can have a maximum of 10 authorization fields.

In which transaction can you define authorization groups for document types?
You can define authorization groups for document types in transaction OBA7.

What transaction can you use to create user-specific security policies?
The SECPOL transaction can be used to define security policies for specific user groups.

User Tom reports a failed authorization check. In SU53, however, you cannot find Tom’s failed authorization check, even though he just got the message in the same client. What can be the issue?
SU53 is instance-specific. So, it is possible that you will not see any failed checks in SU53 for Tom, although an authority check failed on another application server instance. To avoid this, you can activate a system-wide trace in STAUTHTRACE.

What is the default number of stored authorization checks of SU53?
By default, the number of stored authorization checks in the SAP standard is limited to 100 per work process.

March Challenge

Complete our March Challenge and enter the draw to win a $50 Amazon voucher.

You have upgraded your SAP system to a higher release and would like to adjust your authorizations. Which transaction do you work with in this case?
Which object ensures that the user can copy and paste within the SAP system?
You want to know a user’s favorites. How do you proceed?
In which table can you adjust the parameter settings of Session Manager values?
Which authorization object controls the batch input authorizations?
With which main switch can you activate the check of structural authorizations in transaction OOAC?
Which background job can you schedule for user comparison?
Which of the following statements about the enabler role (also called value role) concept are true?
With S/4HANA, SAP delivers a simplification list that tells you which transactions become obsolete, are being replaced, and so on. How many pages long is the simplification list for the latest S/4HANA release, 1709?
With NetWeaver 7.50, what is the limit of profiles a user can have assigned?

We wish you the best of luck in March’s challenge.

Jamsheed Bahser

Jam is an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on the Xiting Authorizations Management Suite (XAMS).
