Adm940 Flashcards

The document provides flashcards on questions related to SAP security certification for the ADM940 consultant exam, including questions on central user administration, sources of risk, system access control vs role based access control, components of a SAP role, ASAP methodology steps, authorization concept components and more. The flashcards cover topics such as the purpose of central user administration, differences between system access control and role based access control, main components of a SAP role, steps in the ASAP methodology and authorization concept, and more.

Uploaded by Deven Bhandarkar

ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com

Question: What is Central User Administration used for?
A To administer passwords for SAP users centrally
B To maintain printer landscapes centrally
C To administer user master records centrally
D To create authorization profiles centrally
Answer: C

Question: What are the 3 main sources of risks?
Answer:
- Persons: important employees leaving the company, dissatisfied or inexperienced employees, hackers with criminal intent.
- Technology: processing errors (caused by applications or operating systems), viruses, power supply interruption and hardware failure.
- Environment: fire, flood, dust, earthquakes.

Question: Measures for each source of risk (Person, Technology, Environment)?
Answer:
- Organizational measures: training, internal security policy, procedures, roles, responsibilities.
- Technical measures: inclusion of electronics for checks (routers); access authorizations for systems and data.
- Environmental measures: protect physical system components against natural sources of danger.

Question: What is the difference between System Access Control and Role-based Access Control?
Answer:
System Access Control:
- Users must identify themselves in the system
- Configuration of system access control (such as password rules)
Role-based Access Control:
- Access rights for functions and data are granted explicitly using authorizations
- Authorization checks for transaction/report checks and program execution

Question: What are the 3 main components of a SAP role?
Answer:
- Role menu: transactions, reports and web links combined in a menu
- Authorization: access rights for business functions and data
- User: the assignment of the user to the role is necessary, with the Profile Generator or with SU01

Question: Report that displays all the role templates that are supplied by SAP?
Answer: RSUSR070

Question: What are the 5 steps of the ASAP Methodology?
Answer:
1. Project preparation: inclusion of all decision makers
2. Business blueprint: requirement determination
3. Implementation: configuration and fine tuning
4. Final preparation: testing and training
5. Go live and support: start of production

Question: What are the 5 steps of the authorization concept conception?
Answer:
1. Preparation: set up a team, define the communication process
2. Analysis and conception: analyze processes and determine the role framework
3. Implementation: creation of roles
4. Quality assurance and tests: positive and negative testing
5. Cutover: production start

Question: What are the main components of the authorization concept?
Answer:
- Authorization object class: grouping of authorization objects
- Authorization object: groups 1 to 10 authorization fields
- Authorization field: smallest unit checked
- Authorization: instance of an authorization object
- Authorization profile: group of instances (authorizations)
- Role: description of SAP user activities, allows automatic generation of profiles
- User: logs on to SAP with specific access

Question: What is the naming convention for new developments?
Answer:
- Authorizations and authorization profiles: do not start with Y or Z, and must not contain an underscore in the second position
- Authorization classes, objects and fields are development objects and must start with Y or Z

Question: Table for all possible activities?
Answer: TACT

Question: What are the 2 checks executed after a transaction start to ensure that the user has the appropriate authorization?
Answer:
- Step 1: check if the user is authorized to start the transaction
- Step 2: check if an authorization object is assigned to the transaction code

Question: Table for transaction code / authorization object assignment?
Answer: TSTCA

Question: ABAP statement used to check the authorization object assigned to the transaction?
Answer: AUTHORITY-CHECK

Question: Return codes after the authorization check with the ABAP statement AUTHORITY-CHECK?
Answer:
- 0: the user has the authorization for the object and the field values
- 4: the user has the authorization for the object, but not for the field value
- 12: the user has no authorization
- 16: no profile is entered in the user master record

Question: Authorization object that defines the user groups for which an administrator has authorization and the activities that are allowed?
Answer: S_USER_GRP

Question: Authorization object that defines the authorization object name and the authorization name for which an administrator has authorization and the activities that are allowed?
Answer: S_USER_AUTH

Question: Authorization object that defines the profile names for which an administrator has authorization and the activities that are allowed?
Answer: S_USER_PRO

Question: Authorization object that defines the role names for which an administrator is authorized and the activities that are allowed?
Answer: S_USER_AGR

Question: Authorization object that defines the transactions that an administrator may include in a role?
Answer: S_USER_TCD

Question: Authorization object that defines which field values an administrator may enter in roles, for which authorization object and for which fields?
Answer: S_USER_VAL

Question: Authorization object that defines which systems a user administrator can access from the CUA?
Answer: S_USER_SYS

Question: Mandatory fields needed to create user master data?
Answer:
- On the Address tab page: Last name field
- On the Logon Data tab page: Initial password

Question: User types possible for user master data?
Answer:
- Dialog: for interactive users
- System: for background processing and communication within a system; no dialog possible, no change of password
- Communication: for dialog-free communication between systems; no dialog possible, no change of password
- Service: dialog user available to an anonymous group of users
- Reference: for general, non-person-related users; allows the assignment of additional, identical authorizations

Question: Transaction for user mass changes?
Answer: SU10

Question: Which are the two different maintenance views of the Profile Generator PFCG?
Answer:
- Basic maintenance (menus, profiles, and other objects)
- Complete view (Organizational Management and workflow)

Question: PFCG, which are the 7 activities to create a role?
Answer:
1. Define role name
2. Determine activities
3. Design user menus
4. Maintain authorization data
5. Generate authorization profile
6. Assign users
7. User master record comparison

Question: 5 options available when manually inserting a new authorization (PFCG -> Authorizations tab -> Edit -> Insert authorization)?
Answer:
- Selection criteria: authorizations grouped by object class
- Manual input: enter the name of the authorization directly, if known
- Full authorization: fills all authorizations with the value *
- From profile: use authorizations from individual profiles
- From template: use the SAP authorization templates

Question: Can a role have several profiles generated?
Answer: Yes. A profile can only contain a certain number of authorizations, so it is possible that one role has several profiles. You can recognize these profiles from the fact that their names are identical for the first 10 characters.

Question: What are the 2 ways to assign roles to users for a limited period of time with a user comparison?
Answer:
1. As a background job: report PFCG_TIME_DEPENDENCY
2. With the transaction PFUD (user master record reconciliation)

Question: Why should a generated profile never be entered directly into the user master record (SU01)?
Answer: During a user comparison, generated profiles are removed from the user master if they are not among the roles that are assigned to the user.

Question: What are the 4 different types of roles?
Answer:
- Customizing role: assigns a project or project view of the IMG
- Composite role: group of roles
- Derived role: menu identical but authorizations different, mainly organizational units
- Normal role

Question: What are the pros and cons of composite roles?
Answer:
+ One work center
+ One composite role
+ One assignment
+ One central menu
- They do not have any authorization data themselves

Question: Is it possible to add composite roles to composite roles?
Answer: No. For reasons of clarity, it does not make sense and is therefore not possible to add composite roles to composite roles.

Question: Composite role: what are the 2 possibilities if the composite role has been modified and you click on the refresh button?
Answer:
- Reimport: discard your settings and restructure the menu
- Merge: creates a delta between the actual situation and the situation as it ought to be. The delta describes the change set:
  - Reduction: transactions that no longer appear
  - Extension: transactions which now additionally appear

Question: Derived roles: is the user assignment inherited?
Answer: No, the user assignments are not inherited.

Question: Derived roles: 2 ways to perform the comparison between the roles?
Answer:
1. Comparison from the imparting role ("Generate Derived role" button)
2. Comparison from the derived role ("Transfer Data" button)

Question: Derived roles: can the inherited menus be changed?
Answer: No, the inherited menus cannot be changed in the derived roles.

Question: What is the meaning of the traffic light icons for the authorization maintenance?
Answer:
- Green: all fields below this level have been filled with values
- Yellow: there is at least one field (but no organizational levels) below this level for which no data has been proposed or entered
- Red: there is at least one organizational level field below this level for which no value has been maintained

Question: What are the 4 status texts for authorization maintenance?
Answer:
- Standard: unchanged from the SAP defaults
- Maintained: at least one field in the subordinate levels of the hierarchy was empty by default and has since been filled
- Changed: the proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value
- Manual: you maintained at least one authorization in the subordinate hierarchy levels manually

Question: What are the 2 status texts for authorizations after a comparison?
Answer:
- Old: the comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added
- New: the comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click "New", all new authorizations in the subordinate levels are expanded

Question: What are the 2 required steps necessary for operating the Profile Generator?
Answer:
1. Profile parameter auth/no_check_in_some_cases has the value Y
2. The default tables USOBX_C and USOBT_C are filled; they control the behavior of the Profile Generator when a transaction is selected in a role

Question: Transaction code to maintain profile parameters?
Answer: RZ11

Question: Which 2 tables control the behavior of the Profile Generator after the transaction has been selected?
Answer: USOBX_C and USOBT_C

Question: Which table defines which authorization checks are to be performed with a transaction and which not?
Answer: USOBX

Question: Which table defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator?
Answer: USOBT

Question: Which transaction copies the SAP default tables USOBX and USOBT to the custom tables USOBX_C and USOBT_C?
Answer: SU25

Question: Which transaction maintains the custom tables USOBX_C and USOBT_C?
Answer: SU24

Question: What do check indicators for transactions determine?
Answer: Check indicators determine whether an authorization check will run within the transaction or not.

Question: What are the 4 supported check indicators for transactions?
Answer:
- N: No check. This indicator cannot be set for HR and Basis authorization objects.
- U: Unmaintained. A check is performed against the corresponding authorization object in this transaction.
- C: Check. Maintenance in the Profile Generator is not supported.
- CM: Check/Maintain. For objects with this check indicator, you can display and change the defaults in PFCG.

Question: What are the 4 activities required for an upgrade of the Profile Generator?
Answer:
1. Migrate the report tree
2. Check the Profile Generator activation
3. Upgrade the roles and default tables (SU25)
4. Conversion of manually created profiles to roles if necessary (SU25)

Question: After an upgrade, regardless of the release status, what are the 2 possible statuses?
Answer:
- Source release did not use PFCG (it might have to be activated)
- Source release used PFCG (this means that tables USOBT_C and USOBX_C have to be updated, as well as the existing roles)

Question: Which profile contains authorizations for all new checks in existing transactions?
Answer: SAP_NEW. The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update of authorization checks introduces checks for previously unprotected functions.

Question: Which are the 2 ways to control the choice of user passwords?
Answer:
- System profile parameters
- Invalid passwords can be entered in the table USR40

Question: How can entries in the table USR40 (invalid passwords) be made generically?
Answer:
- ? denotes a single character
- * denotes a character string

Question: Profile parameter: minimum length of the logon password?
Answer: login/min_password_lng

Question: Profile parameter: number of incorrect logon attempts allowed with a user master record before the logon procedure is terminated?
Answer: login/fails_to_session_end

Question: Profile parameter: number of incorrect logon attempts allowed with a user master record before the user master record is locked (the lock is removed at midnight)?
Answer: login/fails_to_user_lock

Question: Profile parameter: if the parameter is set to 1 (default), user locks caused by incorrect logons during previous days are not taken into consideration; if the value is set to 0, the lock is not removed?
Answer: login/failed_user_auto_unlock

Question: Profile parameter: the value 0 means that the user is not forced to change the password; a value > 0 specifies the number of days after which the user must change the logon password?
Answer: login/password_expiration_time

Question: Profile parameter: if this parameter is set to the value 1, the system blocks multiple SAP dialog logons (in the same client and with the same user name)?
Answer: login/disable_multi_gui_login

Question: Profile parameter: stores the list of users who may log on to the system more than once?
Answer: login/multi_login_users

Question: Which is the only user in the SAP system for which no user master record is required (since it is defined in the code)?
Answer: SAP*

Question: What is the default password of the user SAP*?
Answer: PASS

Question: What is the default password of the user master record SAP* after the installation of the client 000?
Answer: 06071992

Question: How can you deactivate the special properties of SAP*?
Answer: Set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero.

Question: Which special user is responsible for maintaining the ABAP Dictionary and the software logistics in the client 000?
Answer: DDIC

Question: Which special user is delivered in the client 066?
Answer: EarlyWatch

Question: What is the standard password of the user EarlyWatch?
Answer: SUPPORT

Question: Which authorization object checks the objects of an area menu, since a transaction code is assigned to each executable menu entry?
Answer: S_TCODE

Question: Are transactions called indirectly with the ABAP statement CALL_TRANSACTION checked?
Answer: No. If a transaction is called indirectly, that is, from another transaction, no authorization check is performed.

Question: How do you ensure that a transaction called indirectly with the ABAP statement CALL_TRANSACTION is subject to an authorization check?
Answer: Use transaction SE97 to set the check indicator in table TCDCOUPLES for the entry of the pair of calling and called transactions.

Question: Which authorization object defines which table contents may be maintained by which employees?
Answer: S_TABU_DIS. The authorization object S_TABU_DIS controls only complete accesses, which are made using standard table maintenance.

Question: Of which fields does the authorization object S_TABU_DIS consist?
Answer:
- DICBERCLS: authorization group for ABAP Dictionary objects (only tables/views assigned to authorization group "V*" (DICBERCLS=V*) may be maintained)
- ACTVT: activity (02, 03)

Question: In which table is the assignment between the groups and the ABAP Dictionary objects (tables)?
Answer: TDDAT

Question: Which authorization object grants authorization to maintain cross-client tables with the standard table maintenance transaction?
Answer: S_TABU_CLI

Question: Which field has the authorization object S_TABU_CLI?
Answer: CLIIDMAINT. If the identifier X or * is set, cross-client tables can be maintained.

Question: Which authorization object restricts a user's access rights to specific parts of a table?
Answer: S_TABU_LIN

Question: Which fields has the authorization object S_TABU_LIN?
Answer:
- Activity: 02 add, change, delete; 03 only delete
- Organizational criterion: table key fields/row authorization, such as organizational criteria
- Attribute for organizational criterion: 1 to 8 attributes for the organizational criterion, each attribute for a certain table key field

Question: Which authorization object checks program (report) use?
Answer: S_PROGRAM

Question: What activities can be assigned to the authorization object S_PROGRAM?
Answer:
- Starting a program (SUBMIT)
- Scheduling a program as a background job (BTCSUBMIT)
- Variant maintenance (VARIANT)

Question: What is the principle of treble control?
Answer: Sharing the administrative tasks (user administration and authorization administration, role maintenance, profile generation) amongst three administrators is called the principle of treble control.

Question: How is decentralized User Administration technically implemented?
Answer: Technically, decentralization is implemented by grouping users to form user groups. Each decentralized user administrator may only administer the users assigned to the user group for which he or she is responsible. Object: S_USER_GRP.

Question: Which are the 3 different roles in decentralized User Administration?
Answer:
- User administrator
- Authorization data administrator
- Authorization profile administrator

Question: Which are the 2 ways in which we can determine the required authorization, if we cannot find documentation?
Answer:
- With the authorization error analysis, transaction code SU53
- With the authorization trace ST01

Question: Which transaction shows which authorizations are currently in the user buffer?
Answer: SU56

Question: For what is the Audit Information System (AIS) a checking tool?
Answer:
- External auditing
- Internal auditing
- System checks
- Data protection

Question: What are the 2 main components of the AIS reporting tree?
Answer:
- System auditing functions
- Business auditing functions

Question: What should you do before implementing a result of a trace (ST01) or of transaction SU53?
Answer: You should not immediately implement a result of a trace or of transaction SU53 as new roles or profiles. First analyze the system for existing settings. The Information System and the Audit Info System are available to the administrator for this purpose.

Question: What is the transaction for the User Information System?
Answer: SUIM

Question: Which authorization components can be transported?
Answer:
- User master records
- Roles
- Authorization profiles
- Check indicators

Question: What is the transaction for local client copy?
Answer: SCCL

Question: What are the transactions for client copy between systems?
Answer:
- SCC8 (exchange of data with a data export at operating system level)
- SCC9 (in a remote client copy, the data is copied over the network and not as a file)

Question: Only the complete user master and not individual users can be copied?
Answer: True

Question: After a transport of the user master record, should a comparison occur?
Answer: Yes, manually or with the report PFCG_TIME_DEPENDENCY.

Question: By default, authorization profiles are transported with roles. What should be set up in order to avoid it?
Answer: Set PROFILE_TRANSPORT:=NO in table PRGN_CUST.

Question: How can you protect the target system with an import lock in order to avoid transporting the user assignments to roles?
Answer: The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO.

Question: If systems are assigned to a Central User Administration, roles must be transported without user assignments, since these assignments are made in and distributed from the central system. How can you enforce it?
Answer: The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO.

Question: What is the advantage of the indirect role assignment through the organizational plan?
Answer: As soon as an employee changes position, he or she also loses the corresponding authorizations.

Question: What are the different types of organizational plan objects?
Answer:
- Organizational unit: a functional unit in the company (Sales)
- Position: staff assignment of an organizational unit (Sales Manager Europe)
- Job: jobs are general classifications of functions in a company (sales manager)
- Task: description of an activity that is to be performed within organizational units

Question: What are the transaction codes for creating, editing and displaying the organizational plan?
Answer:
- Create, transaction code: PPOCE
- Change, transaction code: PPOME
- Display, transaction code: PPOSE

Question: What are the 3 main windows of the organizational plan transaction?
Answer:
- The Organizational Structure window allows you to build up and maintain the organizational structure
- The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan
- The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions

Question: To which object type are persons assigned in the organizational plan?
Answer: Position. Holders are assigned to positions, not to jobs.

Question: Does the user assigned to a position then inherit all authorization profiles of these roles?
Answer: Yes

Question: Can roles be inherited across organizational units?
Answer: No. Roles cannot be inherited across organizational units. Positions belonging to an organizational unit cannot inherit the roles assigned to a higher-level organizational unit.

Question: What is the difference between a user and a person in the system?
Answer: The Person object type is maintained in the HR master data. Persons are employees of the company. Users, on the other hand, are not necessarily employees. Users have authorizations to access the SAP system.

Question: CUA: on which technology concept is the authorization data based?
Answer: ALE. ALE means Application Link Enabling and permits you to build and operate distributed SAP links.

Question: What can be distributed with the CUA?
Answer:
- User master record data, such as the address, logon data, user defaults and user parameters
- The assignment of the user to roles or profiles
- The initial password: the initial password is distributed to the child systems as a default. The passwords are distributed in coded form
- The lock status of a user

Question: Transaction to define child and central systems in the CUA?
Answer: SALE

Question: CUA: what are the communication partners called that are addressed in the ALE scenario with aliases?
Answer: Logical systems

Question: CUA: how is the communication performed between the central system and the child system at network level?
Answer: Using RFC (Remote Function Call)

Question: CUA: in which transaction is the technical definition of the RFC connection maintained?
Answer: SM59

Question: CUA: with which transaction code is the distribution model created, maintained and distributed?
Answer: BD64

Question: With which transaction is the Central User Administration centrally activated?
Answer: SCUA

Question: With which transaction can you define whether each individual component of a user master record should be administered centrally or locally in the child system?
Answer: SCUM

Question: CUA: what are the 5 field attributes that can be defined for each input field of user maintenance?
Answer:
- Global: can only be maintained in the central system
- Default: a default value, automatically distributed when it is saved, can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the child systems and cannot be returned
- Redistribution: maintained in both the central and the child systems
- Local: can only be administered locally
- Everywhere: change data locally and globally (user locks only)

Question: CUA: with which transaction are existing user master records migrated to the central system?
Answer: SCUG. This procedure can only be performed once for each child system.

Question: CUA: as user master records are migrated, they may already exist or be completely new; with which properties can they be imported?
Answer:
- New user: not yet contained in the CUA
- Identical user: already in the CUA
- Different user: already in the CUA with a different first or last name

Question: Four features of the Enterprise Portal?
Answer:
- Integration of company data and applications
- Optimal use of open standards
- Conversion of unstructured data
- Provision of Enterprise Portal content for users

Question: Four technical aspects of the Enterprise Portal?
Answer:
- Core functions written in Java. A J2EE runtime environment is required (SAP J2EE Engine)
- Open architecture. SOAP, UDDI, JCA, JAAS, LDAP, X.509, XML and ICE are supported
- Security functions including full support of directory services, digital certificates, and SSL
- Mobile devices are supported
