ADM950 – SAP Security consultant certification flashcards – julien.moix@gmail.com

Q: The security policies are created by the security team in isolation from the business team. Determine whether this statement is true or false.
A: False

Q: SAP offers many types of systems and applications. Each type of SAP system (mySAP CRM, SAP BW, SAP R/3, mySAP SRM, SAP APO) is so varied that the systems do not share security tools or security services. Determine whether this statement is true or false.
A: False

Q: The following tools are available for conducting thorough system security audits.
A Role maintenance tool
B System audit log
C CCMS security alert
D System trace tools
E Users and Authorizations information systems
F All of the above
A: F

Q: The Audit Information System is intended for external audits only.
A: False

Q: All of the menu roles for the Audit Information System start with ___. The authorization roles start with ___.
A: SAP_AUDITOR – SAP_CA_AUDITOR
Q: Configuring the Audit Information System requires downloading a specific support package.
A: False

Q: To use the Audit Information System, you must use transaction SECR.
A: False

Q: The instance parameters that relate to the audit log include rsau parameters. Determine whether this statement is true or false.
A: True

Q: The security audit log only logs user connections made by RFC connections. Determine whether this statement is true or false.
A: False

Q: Which of the following are benefits of creating a custom t-code to link SE16 to a specific table?
A You no longer need to grant access to transaction code SE16.
B With your custom transaction code, you can look at any table.
C With your custom transaction code, you can look only at the table specified in the transaction code.
D Custom transaction codes can be easily created, without requiring any programming.
A: A, C, D

Q: Which authorization objects can you examine to determine if security is administered centrally or regionally?
A S_USER_GRP
B S_TCD_GRP
C S_USER_AGR
D S_USER_ADD
A: A, C

Q: Which of the authorization objects protect transaction code execution?
A S_TCODE
B P_TCODE
C Q_TCODE
D X_TCODE
A: A, B, C
Q: SAP recommends that each custom report and each custom program be linked to a custom transaction code. Determine whether this statement is true or false.
A: True

Q: S_PROGRAM is an authorization object that protects program execution. Determine whether this statement is true or false.
A: True

Q: ___ is a program that assigns authorization groups to ABAP programs.
A: RSCSAUTH

Q: You should be careful with the authorization object ___ because it can enable someone to enter DEBUG mode in production.
A: S_DEVELOP

Q: Once a user is changed, there is no way to see who changed the user. Determine whether this statement is true or false.
A: False

Q: The Authorization Group field is used only for protecting reports and tables. Determine whether this statement is true or false.
A: False

Q: Which of the following are logs that exist in an SAP system? (More than one answer is correct.)
A Webflow logs
B Application logs
C Change documents logs
D User and authorization change logs
E None of the above
A: A, B, C, D

Q: SU24 must be set up before implementing any roles. Determine whether this statement is true or false.
A: False (optional feature)

Q: SU24 requires programming changes to make the default values occur. Determine whether this statement is true or false.
A: False

Q: The following logon parameters can be used to ensure your system is adequately secured.
A logon/fails_to_user_lock
B logon/min_password_specials
C logon/min_password_diff
D logon/named_super_user
A: A, B, C
Q: SAP recommends that you separate your ___ system from your ___ system.
A: Development – Production

Q: Which of the following are security advantages to a three-tier landscape?
A Ensure changes occur only on the development system.
B Ensure changes occur only on your production system.
C Developers do not have access to production data.
D You control when changes are moved into production.
E You can test changes in a QA system.
A: A, C, D, E

Q: What type of approval does SAP recommend before moving changes into production?
A: The SAP QA approval procedure, which formalizes the approval and review workflow.

Q: SAP recommends a three-tier system landscape including development, quality assurance, and production. Determine whether this statement is true or false.
A: True

Q: Client change options should always be set to "No changes allowed". Determine whether this statement is true or false.
A: False

Q: SAP does not provide a QA approval procedure for changes being moved into production. Determine whether this statement is true or false.
A: False

Q: The user ID used in the RFC destination should be a dialog user. Determine whether this statement is true or false.
A: False

Q: Authorization object ___ is used to protect what names job steps are scheduled to run under.
A: S_BTCH_NAM
Q: 6 aspects that might be considered in a security policy?
A:
- User authentication (password rules, monitoring)
- Authorization protection
- Auditing and logging (AIS, Security audit log, …)
- Integrity protection
- Privacy protection
- Proof of obligation (non-repudiation)

Q: 7 questions that a security policy should address?
A:
- Who is responsible for your IT security?
- What needs to be protected?
- Who is attacking?
- What is the risk?
- Which protection mechanisms are required?
- Which procedures are to be enforced?
- How much protection can you afford?

Q: 6 tools available to help provide answers to the questions that arise during a system security audit?
A:
- Audit Information System
- Authorization Information System
- System Audit Log
- Computer Center Management System Alerts
- Trace tools
- Role maintenance tool (PFCG)

Q: What are the 3 major components of the Role maintenance tool (PFCG)?
A: Menu, authorizations, users

Q: What are the 2 types of role implementation strategy?
A: Menu roles, authorization roles
Q: What are the 2 major categories of the AIS?
A:
- System audit (general system, users and authorizations, repository and tables)
- Business audit (accounting, customer, vendors, asset, tax)

Q: What was the transaction used by SAP in the past to access the AIS?
A: In the past, the Audit Information System existed in a single transaction code, SECR.

Q: What are the two major groups of SAP standard roles defined for the Audit Information System?
A:
- Menu roles (SAP_AUDITOR*): only menu items, no authorizations
- Authorization roles (SAP_CA_AUDITOR*): only authorizations, no menu items listed

Q: What is the SAP standard composite menu and authorization role which contains every role in the AIS?
A: The menu roles: SAP_AUDITOR. The authorization roles: SAP_CA_AUDITOR.

Q: What are the 4 steps required to set up the AIS?
A:
1. Copy the SAP roles to your own naming convention
2. Update the roles (as needed)
3. Create a user for the auditor
4. Assign the roles you created to the audit user

Q: Which SAP standard role allows you to set up the AIS?
A: SAP_AUDITOR_ADMIN

Q: What is the audit log's main objective? (3 points)
A:
- Security-related changes to the SAP system (changes to user master records)
- Higher level of transparency (successful and unsuccessful logon attempts)
- Enables the reconstruction of a series of events (successful or unsuccessful transaction starts)

Q: Which 7 information types can be recorded with the Security audit log?
A:
- Successful and unsuccessful dialog logon attempts
- Successful and unsuccessful RFC logon attempts
- Remote function calls (RFCs) to function modules
- Successful and unsuccessful transaction starts
- Successful and unsuccessful report starts
- Changes to user master records
- Changes to the audit configuration

Q: SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Which transaction is used in order to archive or delete the audit files?
A: SM18
Q: How do you define the audit file name and location?
A: You define the name and location of the files in a profile parameter, rsau/local/file.

Q: What is the information (9 items) contained in an audit record?
A:
- Event identifier (a three-character code)
- SAP user ID and client
- Terminal name
- Transaction code
- Report name
- Time and date when the event occurred
- Process ID
- Session number
- Miscellaneous information

Q: How do you define the maximal size of the audit file?
A: You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default value is 1 megabyte (MB) or 1000000 bytes.

Q: What happens if the maximal size of the audit file is reached?
A: If the maximum size is reached, the auditing process stops.

Q: What are the 4 major filters available for the security audit log?
A:
- Client
- User
- Audit class: Dialog logon, RFC/CPIC logon, Remote function call (RFC), Transaction start, Report start, User master change
- Weight of events to audit: Audit only critical, Audit important and critical, Audit all events (non-critical)

Q: What are the 2 main options to create and save audit filters?
A:
- Create and save filters permanently in the database (all the application servers use identical filters; you define filters only once; you must restart the instance; you can define different profiles that you alternatively activate)
- Change filters dynamically (changes are distributed to all active application servers; you do not have to restart the instance; filters are not saved for reuse after the system stops/starts)

Q: What are the profile parameters that you need to specify in order to create and save filters permanently in the database?
A:
- rsau/enable: enable the SAL
- rsau/local/file: file location
- rsau/max_diskspace/local: max space to allocate
- rsau/selection_slots: number of filters to allow

Q: What are the profile parameters that you need to specify in order to change filters dynamically on one or more application servers?
A:
- rsau/local/file: file location
- rsau/max_diskspace/local: max space to allocate
- rsau/selection_slots: number of filters to allow

Q: With which transaction can you assess the security audit log?
A: SM20 or SM20N
Q: What are the four main sections of the audit analysis report?
A:
- Introductory information
- Audit data
- Statistical analysis
- Contents

Q: What are the 4 main functions of the Computing Center Management System (CCMS) monitor?
A:
- Performs detailed monitoring
- Creates alerts and displays them with colour values
- Provides analysis and auto-reaction methods (SMS, e-mails with threshold)
- Allows you to view current alerts and the history of alerts

Q: What is the transaction to access the CCMS alert monitor?
A: RZ20

Q: What are the 5 major authorization objects used to protect which transaction codes a user can access, and for which product are they meant?
A:
- S_TCODE: used in every SAP system for every module
- P_TCODE: used for Human Resources
- Q_TCODE: used for Quality Maintenance
- I_TCODE: used for Plant Maintenance
- L_TCODE: used for Warehouse Management
Q: Which authorization object determines what table someone can look at with the transactions SE16, SE16N, or SE17; SM30 or SM31; and SE12?
A: S_TABU_DIS is checked any time someone looks at data in a table directly (with one of these transactions: SE16/SE16N, SE17, SM30, SM31, or the Implementation Guide).

Q: Which transaction should be used when access to a table is required, and why?
A: When access is required, use transaction code SM30, because an interface exists and there is no direct access to the table.

Q: What are the 2 fields of the authorization object S_TABU_DIS?
A: Activity and Authorization Group. The Authorization Group field is mapped to which tables a user can access.

Q: Which table maps the Authorization Group to a list of tables?
A: TDDAT

Q: Which authorization object controls the authorization to execute a program?
A: The authorization object S_PROGRAM

Q: Which fields does the authorization object S_PROGRAM use?
A:
- User Action: start the program, schedule it to run in batch mode, or use variants.
- Authorization Group: which programs you can execute.

Q: What should be set up in order for the authorization object S_PROGRAM to be effective?
A: For this authorization object to be effective, ABAP programs must have an authorization group assigned to them in the attributes of the program.

Q: What program allows you to assign an authorization group to all executable programs, or to individual programs or program groups?
A: RSCSAUTH

Q: What are the accesses required in order to run transaction SA38?
A: Authorization object: S_PROGRAM; user action: SUBMIT; authorization group: no value required.

Q: 2 options to secure the use of SA38?
A:
- Include an Authorization Group on the program for all custom reports/programs developed. Use report RSCSAUTH to assign Authorization Group values to programs/reports.
- Request all custom reports/programs to include at least one AUTHORITY-CHECK inside the code.

Q: For what is the Authorization Group field used?
A:
- Check access to tables
- Check access to programs
- Used in varying ways throughout SAP applications, e.g. FS00
Q: Which authorization object do you use to grant access to all ABAP Workbench components?
A: S_DEVELOP is the general authorization object for ABAP Workbench objects.

Q: 6 ABAP Workbench components that are protected with S_DEVELOP?
A:
- ABAP development tools
- ABAP Dictionary and Data Modeler
- Screen Painter and Menu Painter
- Function Builder
- Repository Browser and Info System
- SAP Smart Forms

Q: What are the 6 types of logs?
A:
- Application logging
- Logging workflow execution / webflow
- Logging using change documents
- Logging changes to table data
- Logging changes made using the transport system
- Logging changes made to users and authorizations

Q: Which transactions are used to maintain and analyze the application log?
A: SLG1 (display); SLG0 (define entries for your own application)

Q: What does the application log trace?
A: The log traces application events and tasks, and reports on their activity (for example, transfer of data from SAP R/3 to SAP APO).

Q: Which activities are logged in the webflow log?
A: The webflow log (or workflow log) includes all activities that have occurred due to workflows executing.

Q: Which transactions allow you to analyze the webflow?
A: SWI5, SWI2_FREQ and SWI1

Q: What is the transaction to view the change document for an object?
A: SCDO

Q: What is the structure of the change document?
A:
- Change document header
- Change document item (old and new values of a field), with change indicator U(pdate): data was changed; I(nsert); D(elete): data was deleted
- Change document number

Q: What are, for example, the transactions to review change documents for MM and SD?
A: MM04 for material changes and VD04 for customer changes. Each application has its own transaction to review change documents.
Q: Which transaction displays the table change log?
A: SCU3

Q: In which table are the table changes logged?
A: DBTABPRT

Q: What is the configuration required in order to use the table change log?
A:
- rec/client parameter: = ALL (logs all clients), = 000 [,...] (logs the specified clients), = OFF (turns logging off).
- In the technical settings (use transaction SE13, SE12), set the Log data changes flag for those tables that you want to have logged.

Q: What does the transport system log record?
A: A transport system log monitors all changes that are migrated from development to production.

Q: Which transactions allow you to view the transport system log?
A: SE09 and SE10

Q: What does the user and authorization log record?
A: User and authorization logs record all changes that occur to users, authorizations, and profiles.

Q: Which transaction allows you to read the HR report logs in order to see each time the report is started?
A: RPUPROTD (Log of report status)
Q: 3 situations where the security administrator might want to use the transaction SU24 (maintain tables that assign which authorization objects go with which transaction codes)?
A:
- Correct authorization objects that are not linked to transaction codes correctly
- Correct authorization objects that have unacceptable default values
- Change default values to ones that will always be appropriate

Q: How to find out who made a change with the transaction SU24?
A:
1. Start transaction SE16.
2. Enter USOBT_C in the Table Name field.
3. Use the values in the Modifier, ModDate, and ModTime fields.

Q: What are the 4 check indicators?
A:
- CM = Check/Maintain
- C = Check
- N = No Check
- U = Unmaintained

Q: What are the properties of the check indicator CM = Check/Maintain?
A:
- Authorization check is carried out against this object.
- PFCG creates an authorization for this object.
- Field values are displayed for changing.
- Default values for this authorization can be maintained.

Q: What are the properties of the check indicator C = Check?
A:
- Authorization check is carried out against this object.
- PFCG does not create an authorization for this object.
- Field values are not displayed.
- No default values for this authorization can be maintained.

Q: What are the properties of the check indicator N = No Check?
A:
- Authorization check against this object is disabled.
- PFCG does not create an authorization for this object.
- Field values are not displayed.
- No default values for this authorization can be maintained.

Q: What are the properties of the check indicator U = Unmaintained?
A:
- No check indicator is set.
- Authorization check is always carried out against this object.
- PFCG does not create an authorization for this object.
- Field values are not displayed.

Q: Can the check for the authorization objects from the Basis (S*) and HR management (P_*, PLOG*) be changed?
A: Authorization objects from the Basis (S*) and Human Resources management applications (P_*, PLOG) cannot be excluded from checking, because the field values for these objects must always get checked.
Q: What are the 10 components of the User Information System (SUIM)?
A:
- Overview of Users
- Users
- Roles
- Profiles
- Authorizations
- Authorization objects
- Transactions
- Comparisons (of users)
- Where-used list (for authorizations)
- Change documents (for users, authorizations and profiles)

Q: What is the difference between centralized and decentralized security administration?
A: In a centralized security environment, one group is responsible for all security tasks: creating users, creating roles, and assigning roles to users. In a decentralized security environment, multiple groups work on security (by physical location, division, product line, or company code).

Q: What are the 3 different administrator types in a decentralized security administration?
A:
- User administrator (create users, assign roles)
- Authorization administrator (create roles)
- Profile administrator (generate roles)

Q: Which authorization object is provided to create and maintain users and assignments in a decentralized fashion with user groups?
A: S_USER_GRP

Q: Which authorization object helps you to enforce the role naming convention by restricting the allowed role names?
A: S_USER_AGR

Q: Which authorization object ensures that the decentralized admin only adds authorized t-codes to roles?
A: S_USER_TCD

Q: Which authorization object can be used to ensure the security administrator only adds values for a specific company code?
A: S_USER_VAL

Q: Which authorization object enforces that one person can create the menu portion of the role, but someone else updates the authorizations?
A: S_USER_AUT

Q: Which authorization object enforces that one person can create the role, but another person must generate the role?
A: S_USER_PRO

Q: What is the transaction for the system trace tool?
A: ST01

Q: What are the 2 special users defined in client 000?
A: SAP* and DDIC
Q: How can you deactivate the user SAP*?
A:
- Define the profile parameter logon/no_automatic_user_sapstar with the value 0
- Create a user master record for SAP*
- Give this user no roles or profiles
- Give this user a new password

Q: In which client is the user EarlyWatch delivered?
A: EarlyWatch is delivered in client 066

Q: What is the default password of the special user EarlyWatch?
A: SUPPORT

Q: How can you prohibit the use of certain passwords?
A: To prohibit the use of a password, enter it in table USR40. There are two wildcard characters: ? stands for a single character; * stands for a sequence of any combination of characters of any length.

Q: Which transaction allows you to maintain the profile parameters?
A: RZ11

Q: What are the 5 profile parameters that enforce the minimum requirements that a password must fulfil?
A:
- logon/min_password_lng: minimum length
- logon/min_password_digits: minimum number of digits
- logon/min_password_letters: minimum number of letters
- logon/min_password_specials: minimum number of special characters
- logon/min_password_diff: how many characters in the new password must be different from the old password

Q: What are the 3 profile parameters that enforce the validity period of a password?
A:
- logon/password_expiration_time
- logon/password_max_new_valid: validity period of passwords for newly created users
- logon/password_max_reset_valid: defines the validity period of reset passwords

Q: What are the 3 profile parameters that enforce the multi logon for a user?
A:
- logon/disable_multi_gui_logon: controls the deactivation of multiple dialog logons
- logon/disable_multi_rfc_logon: controls the deactivation of multiple RFC logons
- logon/multi_logon_users: list of excepted users (multiple logon)

Q: What are the 3 profile parameters that enforce the number of unsuccessful logon attempts?
A:
- logon/fails_to_session_end: number of unsuccessful logon attempts before the system does not allow any more logon attempts
- logon/fails_to_user_lock: number of unsuccessful logon attempts before the system locks the user
- logon/failed_user_auto_unlock: defines whether user locks due to unsuccessful logon attempts should be automatically removed at midnight

Q: Which 2 profile parameters control the deactivation of password-based logon for users or for groups?
A: logon/disable_password_logon and logon/password_logon_usergroup

Q: Which profile parameter specifies the default client that is automatically filled in on the system logon screen?
A: logon/system_client

Q: Which profile parameter specifies the exactness of the logon timestamp?
A: logon/update_logon_timestamp

Q: Which profile parameter specifies the number of seconds until an inactive user is automatically logged out?
A: rdisp/gui_auto_logout
Q: 6 security advantages that a three-tier system landscape can offer?
A:
- Changes take place in only one location
- Developers do not have access to production data
- Test in a QA system before changes take effect in production
- Control the point in time when changes take effect
- Reduce accidental or unauthorized changes
- Keep a record of changes for auditing purposes

Q: Which transaction allows you to see if the TMS Quality Assurance approval procedure has been set up?
A: STMS

Q: What are the 3 standard approval steps and their authorization object, value and default value?
A:
- By request owner. Default: inactive. Values of S_CTS_ADMI: CTS_ADMFCT value TADM and TQAS
- By user department. Default: inactive. Values of S_CTS_ADMI: CTS_ADMFCT value QTEA, or TADM and TQAS
- By system administrator. Default: inactive. Values of S_CTS_ADMI: CTS_ADMFCT value TADM and TQAS

Q: Which transaction allows you to approve a transport request?
A: STMS

Q: At which level is it possible to enforce the changes?
A: System and client level

Q: What defines the transport routes?
A: Transport routes define where changes are made, and how the changes migrate through the system landscape after they have been released.

Q: In which transaction can you release the change request to transport?
A: SE09 or SE10

Q: What are the 5 steps of a transport?
A:
1. Release the change request
2. Review the log files
3. Import the SAP system objects into the target system
4. Review the log files created by the Workbench Organizer
5. Test your imports thoroughly

Q: 4 roles and responsibilities in the transport process?
A:
- Team members: releasing their own
- Project leader: verifying the contents of a change request prior to release
- Transport administrator: execute the transport tasks
- Quality Assurance (QA) team: tests the entire functionality and integration

Q: 3 security checks to consider before the development work is moved to production?
A:
- Link custom programs to custom transaction codes
- Include AUTHORITY-CHECK statements for all programs
- Ensure proper controls are in place if this custom program (or function module) accesses critical tables
Q: What are the authorization object and its fields that allow you to work with transports?
A: S_TRANSPRT is the authorization object for the Transport Organizer. Fields: Activity, Request type:
- CUST: Customizing requests
- DTRA: Workbench requests
- TASK: Tasks (repair or correction)
- …

Q: Which authorization object and its field enforce the administration functions in the Change and Transport System?
A: S_CTS_ADMI, field CTS_ADMFCT:
- TABL: Maintain transport routes, call certain tools
- INIT: Set system change option
- IMPA: Import all transport requests
- IMPS: Import individual requests
- TADD: Perform an "add to buffer"
- …

Q: What are the predefined authorizations in SAP systems that apply to the 5 various roles for the transport process?
A:
- Quality Assurance (QA) team: not defined
- Administrator (transport super user): S_CTS_ALL
- Project leader: S_CTS_PROJEC
- Team members and developers: S_CTS_DEVELO
- End users: S_CTS_SHOW

Q: What is the table for maintaining system clients?
A: T000

Q: What do the values of the table TMSTCRI prevent?
A: You can protect certain objects from being changed by imports by defining a set of security-critical objects in table TMSTCRI. You are then warned of changes to these objects in transport requests.

Q: What are the four primary authorization objects used in background processing?
A:
- S_BTCH_JOB: job operations, values DELE, RELE (release), SHOW, PROT (display job logs)
- S_BTCH_NAM: protects what user IDs can execute
- S_BTCH_ADM: value Y for the background admin
- S_RZL_ADM: field Name, 01 (Create), 03 (Display) if the background job executes an external command

Q: What are the transactions to create and monitor background jobs?
A: SM36: create background jobs. SM37: monitor background jobs.
Q: 4 reasons to use specific system user IDs for background jobs?
A:
- The user ID is stable; the user never changes jobs
- The password does not have to be reset
- No one can log on
- Facilitates security administration and maintenance of the background schedule

Q: Which authorizations are needed to allow users to have a look only at their own spool requests?
A: Give them S_TCODE with SM37 and SP02. No other authorization objects are required to view spool.

Q: Which SAP standard role gives the access required to administer background jobs?
A: SAP_BC_BATCH_ADMIN

Q: What 3 kinds of job steps can be executed when creating a background job?
A:
- ABAP program
- External command: commands from the operating system are executed from SAP
- External program: at the operating system (e.g. file read)

Q: Which 2 authorizations are needed in order to create a background job with external program job steps?
A: You must have activity 01 for the authorization object S_RZL_ADM (maintain) and access to S_LOG_COM (execute).

Q: Which authorization object defines which printers you can print to?
A: S_SPO_DEV

Q: Which authorization object enforces the actions you can take with spool requests (admin) and enforces access to a spool request that does not belong to you?
A: S_SPO_ACT

Q: Which authorization object enforces administering the spool system (admin)?
A: S_ADMI_FCD. Values: SP01, SP0R, SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD, SPTR

Q: Which authorization object limits the number of pages a user can print to a specific printer?
A: S_SPO_PAGE

Q: What is the SAP standard role for spool administration?
A: SAP_BC_SPOOL_ADMIN
Q: 4 examples of external commands executed within SAP?
A:
- Database backup tools such as brbackup
- Operating system environment commands
- List directories and space available at the operating system
- Execute SAProuter

Q: What are the 3 ways to execute external commands?
A: External commands can be executed either with:
- Transaction SM49 (SM69 to create)
- ABAP programs
- Background job steps

Q: How is the external command defined in the SAP system?
A: An external command is an alias defined in the SAP system that represents an operating system command.

Q: What are the authorizations needed to create and maintain an external command?
A: SM69, and S_RZL_ADM with the values 01 and 03 (Activity field)

Q: What are the 3 different fields of the S_LOG_COM authorization object?
A:
- Command (name of external command)
- Opsystem (operating system for the command)
- Host (symbolic host name of target system)

Q: What are the 2 ways in use to download lists?
A:
- Standard list download
- Application-specific implementations for downloading (e.g. Excel)

Q: Which authorization object protects the standard list download?
A: S_GUI

Q: Which authorization object protects file access?
A: Authorization object S_DATASET. The minimum activities required are 33 (normal file read) and A6 (read file with filter).

Q: What are the 2 user types that should be used for RFC communication?
A: User IDs in RFC destinations should be set up as communication or system users:
- someone cannot log on with the user ID
- the passwords normally do not expire

Q: Which transaction lists each RFC destination and the user involved?
A: RSRFCCHK

Q: Which authorization object is checked when a user invokes an RFC?
A: Object S_RFC

Q: What are the 3 fields of the authorization object S_RFC?
A:
- Type of RFC object to be protected
- Name of RFC to be protected
- Activity

Q: Which profile parameter can you use in order to specify the use of S_RFC?
A: auth/rfc_authority_check

Q: How is the authentication done when an RFC destination has no user ID provided and the current user field is selected?
A: When this RFC destination is invoked, the user ID that will be used is the ID of the person who invoked this RFC destination.

Q: What are the possible values for the profile parameter auth/rfc_authority_check?
A:
- 0 = No authorization check
- 1 = Authorization check active (no check for same user, no check for same user context and SRFC-FUGR)
- 2 = Authorization check active (no check for SRFC-FUGR)
- 9 = Authorization check active (SRFC-FUGR checked)

Q: What is the default communication RFC user set up for the transport management?
A: TMSADM

Q: How is the system called to set up a trusted relationship and allow user logging based on this trusted relationship for transport?
A: TMS Trusted Services

Q: Which authorization object gives access to many administration functions?
A: S_ADMI_FCD