SAP Security Challenge – September 2018

Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz on the first of every month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers give you 8 tickets). The more you know, the higher the chances to win.

August Challenge

In August’s challenge, we had 173 participants and an overall average of 5.9 correct answers. In total, 5 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Karla Z. is the lucky winner of the SAP Security Challenge of August 2018. Karla answered 3 questions correctly and wins a copy of the SAP System Security Guide, co-authored by Xiting’s Alessandro Banzer. Congratulations, Karla.

Answers from August’s Challenge

Which authorization object is checked when you assign roles, profiles, and systems to a user in Central User Administration (CUA), to determine the systems in which the user administrator may assign users?
The system performs an authority check against object S_USER_SAS. You can deactivate the check with customizing option CHECK_S_USER_SAS in table PRGN_CUST through transaction SM30. For more information, see SAP Note 513694.

Which parameter and value cause the user buffer to be refreshed automatically when new role assignments are saved in SU01?
Setting the parameter auth/new_buffering to 4 triggers an immediate refresh of the user buffer at user comparison. In the latest releases, this is the default value pre-delivered by SAP. Note that changing this parameter to value 4 might affect runtime when saving a user with many role assignments, as well as when running the PFCG_TIME_DEPENDENCY job. For more information, please refer to SAP Note 452904.

A role can contain several profiles. In which of the following tables can you get an overview of the profiles?
In table AGR_1016, you can get the list of all profiles that are generated for a role.

In which table can you find multiple logons by a user?
In table USR41_MLD, you can find the list of users with multiple logons.

After a release upgrade, you want to know which transaction codes replace an existing transaction. How do you proceed?
After a release upgrade, use step 2D in SU25 to find transactions that have been replaced. You can also use table PRGN_CORR2 to do the same analysis.

You want to allow certain users to only reset passwords for user maintenance but nothing else. How do you achieve that in SAP standard?
In SU01, authorization objects alone cannot restrict a user to resetting passwords only, because activity 05 covers password reset together with lock/unlock. Instead, you can create a transaction variant in SHD0 and remove the buttons that are not required (e.g. lock/unlock).

What do you correctly call authorizations for a HANA database?
Authorizations in a HANA database are called Privileges.

What technology enables you to disable the passwords of dialog and technical users in an SAP ABAP system?
With Secure Network Communication (SNC), you can increase your security by deactivating passwords for dialog and technical users. At the same time, you increase productivity by enabling SAP Single Sign-On (SSO).
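The two answers above (auth/new_buffering = 4, and SNC as the prerequisite for switching off passwords) are both instance-profile settings that are easy to drift. The following is an added example, not code from Xiting or SAP, that reads an instance profile and reports parameters that deviate from the expected values. It assumes the usual profile syntax (one `name = value` per line, `#` starting a comment line); the profile text is constructed for the demo. auth/new_buffering = 4 comes from the page; snc/enable, snc/accept_insecure_gui and snc/accept_insecure_rfc are real SNC profile parameters that the page does not name, and the expected values 1/0/0 are an assumption of this check (SNC on, non-SNC GUI and RFC logons rejected).

```python
"""Report SAP instance-profile parameters that deviate from expected values.

Added example (not Xiting's or SAP's code). Assumes the standard profile
syntax: one `name = value` per line, `#` begins a comment line.
"""
from __future__ import annotations

# Expected values.  auth/new_buffering = 4 is from the page (SAP Note 452904).
# The three snc/* parameters are real profile parameters not named on the page;
# the expected values are an assumption of this check: SNC enabled and logons
# that do not use SNC rejected for both SAP GUI and RFC.
EXPECTED = {
    "auth/new_buffering": "4",
    "snc/enable": "1",
    "snc/accept_insecure_gui": "0",
    "snc/accept_insecure_rfc": "0",
}

# Constructed profile fragment for the demo (not a real system's profile).
SAMPLE_PROFILE = """\
# constructed instance profile fragment
SAPSYSTEMNAME = XYZ
INSTANCE_NAME = D00
# stale value: user buffer is only rebuilt at the next logon
auth/new_buffering = 3
snc/enable = 1
# password logons via SAP GUI are still accepted
snc/accept_insecure_gui = 1
"""


def parse_profile(text: str) -> dict[str, str]:
    """Return {parameter: value} for every assignment in the profile text."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_profile(text: str, expected: dict[str, str] = EXPECTED) -> list[str]:
    """Return one finding per expected parameter that is missing or differs.

    An unset parameter is reported as a finding as well, so the check does not
    have to rely on the kernel default being the safe value.
    """
    params = parse_profile(text)
    findings: list[str] = []
    for name, want in expected.items():
        got = params.get(name)
        if got is None:
            findings.append(f"{name}: not set (expected {want})")
        elif got != want:
            findings.append(f"{name}: is {got}, expected {want}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print(finding)
```

Run it against the text of a real instance profile instead of SAMPLE_PROFILE to get the list of deviations; an empty list means every expected parameter is explicitly set to the expected value.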

What protocol/technology enables digital signatures in SAP?
With Secure Store and Forward (SSF), you can enable digital signatures and secure re-authentication in SAP ABAP systems.

What’s the name of the cryptographic library that SAP ships with the latest kernel?
The cryptographic library that SAP ships with the kernel is called CommonCryptoLib.

September Challenge

Complete our September Challenge and enter the draw to win a copy of the SAP System Security Guide. By completing the SAP Security Challenge, you agree to Xiting's Cookie and Privacy Policy.

Which transactions are critical in a production system? (select all that apply)
What is the Fiori Launchpad Designer used for? (select all that apply)
For Fiori, can the OData start authorization on the Front-End Server and the OData access authorization on the Back-End Server include SU24 authorization defaults?
What does report PRGN_CREATE_FIORI_BACKENDROLES do?
Can legacy Fiori apps also have SU24 authorization defaults?
You have multiple development clients for building roles which all transport into the same target client. Which two tables should you maintain to prevent profile collisions? (select the two that apply)
When importing a role with a profile that collides with a different role having the same profile name, what happens?
If you maintain different personalizations in SU01 and PFCG, which one takes preference?
Which public functions in SAP can be executed without a valid user or password?
Is it possible to delete user SAPCPIC?

We wish you the best of luck in the challenge.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.
