SAP Security Challenge

SAP Security Challenge – May 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz on the first of every month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers give you 8 tickets). The more you know, the higher your chances to win.

April Challenge

In April’s challenge, we had 192 participants and an overall average of 7.1 correct answers. In total, 7 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Matthew L. is the lucky winner of the SAP Security challenge of April 2018. Matthew answered 4 questions correctly and wins the $50 gift card from Amazon.

Answers from April’s Challenge

Which of the following tables can help in determining the single roles which are assigned to a given composite role?
With table AGR_AGRS, you can find all assignments to a composite role.

Which transaction can be used to see all available authorization objects?
You can see all available authorization objects in transaction SU21. In transaction SU20, you can find all the authorization fields.

Will table AGR_TCODES show manually inserted values for authorization object S_TCODE?
Manually inserted values in object S_TCODE will not be shown in table AGR_TCODES. AGR_TCODES only shows objects that are inserted through the role menu and hence pull authorization proposals.

In PFCG, what does an authorization with a status of “Changed” mean?
The status “Changed” means that the authorization values proposed by SU24 have been changed in the authorization. This status should be avoided, as it deviates from the authorization proposals maintained in SU24.

What is the sequence of an authorization check for a transaction?
When a user enters a transaction code, the first authorization checks are for S_TCODE and then TSTCA. If these succeed and the user is authorized to execute the transaction, the further authorization checks coded in the program are executed.

What is the purpose of transaction SE97?
In SE97, you can maintain the authorization check for another transaction that is executed via the CALL TRANSACTION statement. You can activate or deactivate the authorization check. It’s important to maintain the CALL TRANSACTION statements in SE97 to avoid unwanted behavior for the called transactions.

In which transaction do you maintain variant transactions?
In transaction SHD0, you can create and maintain variant transactions. Variant transactions are especially helpful to remove unwanted buttons and options from standard transactions.

What authorization is required to debug ABAP code?
With S_DEVELOP and value DEBUG for field OBJTYPE, you can debug ABAP code in the system. Activity 03 allows you to display the debugger. With activity 02, you can also change the values of variables in the debugger, which is why it is considered highly critical.

Is it possible to deactivate the authorization check for object F_BKPF_BUK in a certain transaction, for example FK03?
Yes, you can deactivate the authorization check for objects that do not belong to Basis or HR with the check indicator in SU24. If deactivated, the authorization check is still performed but always passes, regardless of the user’s authorizations.

Which tables are behind transaction SU24? 
USOBT_C and USOBX_C contain the data behind transaction SU24. The table USOBX_C contains the check indicators of the authorization objects, while table USOBT_C contains the authorization objects including the authorization fields and values.
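The check-indicator behaviour described in the two SU24 answers above (the F_BKPF_BUK question and the USOBX_C/USOBT_C question), modelled in Python as an added example that is not part of Xiting’s post. The table rows, the deactivated F_LFA1_APP entry, the user’s authorizations and the simplified value-matching rules are constructed assumptions, not data from a real system.

```python
# Constructed USOBX_C-style rows: (transaction, object) -> SU24 check indicator.
# 'X' = check, 'N' = do not check (succeeds without looking at the user's
# authorizations); anything else (e.g. 'U' unmaintained) is still checked.
USOBX_C = {
    ("FK03", "F_BKPF_BUK"): "X",
    ("FK03", "F_LFA1_BUK"): "X",
    ("FK03", "F_LFA1_APP"): "N",  # sample row: deactivated for FK03 in SU24
}

# Constructed user: display (ACTVT 03) in company code 1000 on F_BKPF_BUK and in
# the range 1000-1999 on F_LFA1_BUK; no authorization for F_LFA1_APP at all.
# Each authorization is (object, {field: [exact, 'PREFIX*', '*', or (low, high)]}).
USER_AUTHS = [
    ("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["03"]}),
    ("F_LFA1_BUK", {"BUKRS": [("1000", "1999")], "ACTVT": ["03"]}),
]

def value_matches(allowed, actual):
    """SAP-style value matching: full or trailing '*' pattern, or a range."""
    for a in allowed:
        if isinstance(a, tuple):
            if a[0] <= actual <= a[1]:
                return True
        elif a == "*" or a == actual or (a.endswith("*") and actual.startswith(a[:-1])):
            return True
    return False

def authority_check(user_auths, obj, required):
    """AUTHORITY-CHECK semantics: one authorization must satisfy every field."""
    return any(
        name == obj and all(value_matches(fields.get(f, []), v) for f, v in required.items())
        for name, fields in user_auths
    )

def check_in_transaction(tcode, user_auths, obj, required):
    """Apply the check indicator first: an 'N' object passes regardless of the user."""
    if USOBX_C.get((tcode, obj), "U") == "N":
        return True
    return authority_check(user_auths, obj, required)

def effectively_disabled_checks(tcode):
    """Audit helper: objects whose check can never fail in this transaction."""
    return sorted(o for (tc, o), ind in USOBX_C.items() if tc == tcode and ind == "N")
```

Running `effectively_disabled_checks` over a real USOBX_C export is the quickest way to list which object checks a transaction can no longer enforce.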

May Challenge

Complete our May Challenge and enter the draw to win a $50 Amazon gift card.

A user is logged on to a different application server, so you cannot see their failed authorization checks in SU53 and want to switch to that application server. How do you proceed?

In which table can you see which tables are contained in a table group?

Which parameter defines the minimum number of characters that must be different in the new password compared to the old password?

In which transaction can you search the content of a transport request for a particular role?

You want to schedule a background job under the name of the technical user ZXITING. What authorizations do you need for this?

You maintain the ACTVT 03 in the context of the FB03 in SU24. What kind of transport will you use to transport those changes?

Through which transaction can you adjust the settings in a CUA landscape so that local password changes are possible?

As of SAP Basis 7.50 SP03, what events can you log with the Security Audit Log (SAL)? (select all that apply)

In which table can you generally change messages from errors to warnings for specific users but not for others?

In the role authorizations in PFCG, what does the red light indicate?

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.
