SAP Security Challenge – October 2018


Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

September Challenge

In August’s challenge, we had 123 participants and an overall average of 6.1 correct answers. In total, only 2 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Gabriel A. is the lucky winner of the SAP Security challenge of September 2018. Gabriel answered 5 questions correctly and wins a copy of the SAP System Security Guide co-authored by Xiting’s Alessandro Banzer. Congratulations, Gabriel.

Answers from September’s Challenge

What is the Fiori Launchpad Designer Used for?
The Fiori Launchpad Designer is used to create, configure, and customize catalogs, groups, and tiles.

For Fiori, can the OData start authorization on the Front-End Server and the OData access authorization on the Back-End Server include SU24 authorization defaults?
That’s true – the OData start authorization on the Front-End Server and the OData access authorization on the Back-End Server can include SU24 authorization defaults.

You can use the report to transfer the menu of an SAP Fiori front-end role to the role menu of an existing or new back-end role as a mass activity.

Can Legacy Fiori Apps also have SU24 Authorization Defaults?
Yes, Legacy Fiori Apps can also have SU24 Authorization Defaults, which is the best-practice approach when building their roles.

You have multiple development clients for building roles which all transport into the same target client. Which two tables should you maintain to prevent profile collisions?
You have to maintain table USR_CUST (parameter PRGN_PROF_PREFIX) as well as table AGR_NUM_2 (field AGR_NUM) for the number range.

When importing a role with a profile that collides with a different role having the same profile name, what happens?
The role data (in the AGR* tables) is imported, but the profile data (UST* tables) is not. So the role looks correct on the surface but behaves wrongly, because its profile data, and therefore its authorizations, is missing.

If you maintain different personalizations in SU01 and PFCG, which one takes preference?
If you have different personalizations in SU01 and PFCG, SU01 will have priority.

Which are the public functions in SAP which can be executed without a valid user or password?
Function modules in the function group SRFC (e.g. technical pings) can be executed without a valid user or password.

Is it possible to delete user SAPCPIC?
Yes, you can delete user SAPCPIC, but first check that the user is not making RFC calls. Until 4.5B it was not even possible to change the password, but the hard-coding was removed in later releases.

Which transactions are critical in a production system?
Transactions SP01 and SHD0 are considered critical in a productive environment, since they allow access to the spool requests of any user and the creation of screen variants, respectively.

October Challenge


Complete our October Challenge and enter the draw to win a copy of the SAP System Security Guide. By completing the SAP Security Challenge, you agree to Xiting's Cookie and Privacy Policy.

What SAP application can protect users and businesses from many cybersecurity threats via the use of smart cards, two-factor and risk-based authentication, digital signatures, and encryption of communication channels to your SAP and non-SAP software landscapes?
What is the use of Transaction ABAPDOCU?
Where do you need to go in SAP to override an authority check?
Is it possible to integrate SAP S/4HANA into an existing SAP Business Suite landscape?
Why can SAP Single Sign-On (SSO) set the stage for a significantly higher level of data security? (select all that apply)
What are the advantages of the SAP Central User Administration (CUA)? (select all that apply)
The Audit Information System (AIS) is a checking tool for what? (select all that apply)
You want to use the Easy Access menu. Even if the menu is relatively small, it takes a long time to load. Why? (select all that apply)
Is it possible to delete client 066?
If a user requires more than 312 profiles, what are your options to assign more authorizations? (select all that apply)

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.