SAP Security Challenge – December 2017
Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.
We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog.
In November’s challenge, we had 256 participants and an overall average of 6.4 correct answers. In total, 7 participants were able to answer all questions correctly and entered the draw to win the prize.
We are very happy to announce that Paul O. is the SAP Security Champion of November 2017. Paul answered all 10 questions correctly and wins the $50 gift card from Amazon. Congratulations, Paul.
Answers from November’s Challenge
Can SAP authorizations go beyond the transaction code level?
SAP Authorizations do not stop at the transaction level. Behind transactions are authorization objects and values.
When do you use table AGR_1251 and for what?
You can use AGR_1251 to view all authorization objects and their values in roles, as well as to find which values were inserted manually into a role. Objects deleted from a role cannot be seen in AGR_1251; only deactivated objects that were set to “INACTIVE” in the Profile Generator (PFCG) remain visible there.
Where can we find the user’s last logon details?
The last logon date and time of a user can be found in table USR02 in the fields TRDAT and LTIME: TRDAT holds the last logon date and LTIME the last logon time.
Transaction __________ is used to maintain authorization objects that are checked during the execution of a particular transaction code.
Transaction SU24 is used to customize the authorization values for a transaction, function module, etc. SU24 contains the customer values, whereas SU22 contains the rules pre-delivered by SAP.
Which tools are part of the initiative Compliant Identity and Role Management (CIRM) from SAP and its partner Xiting?
CIRM is a unique initiative between SAP and Xiting and covers the entire user and authorization management lifecycle. CIRM ensures that users request access through a validated tool like SAP Identity Management (IDM) and that requested authorizations are checked for compliance in SAP Access Control (GRC). SAP Single Sign-On (SSO) guarantees seamless encryption and security when accessing the systems. It is also important to test and replicate all authorizations that exist in the SAP environment adequately. Authorization roles are the foundation for authorizing users in SAP systems. Therefore, it is highly important that roles are compliant with the actual rule set definitions. Meeting this requirement is possible with tools like SAP Access Control (GRC) or the Xiting Authorizations Management Suite (XAMS), with its built-in risk analysis frameworks. Read more on our blog: CIRM: Compliant Identity and Role Management in Practice.
Which transaction do you use to lock or unlock transactions globally?
Transactions can be locked globally by using transaction SM01.
What’s the default password for SAP standard user SAP* in new clients (others than 000, 001, 066)?
The default password for SAP* in new clients is PASS. In clients 000, 001 and 006 the password is 06071992. It is very important that SAP* is locked and the default password is changed. Also, make sure that the profile parameter login/no_automatic_user_sapstar is set to 1 so that automatic logon of SAP* into the SAP system using password PASS is not allowed.
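As an added example (our own illustration, not code from the quiz or from SAP), the following Python check reads SE16-style exports of USR02 and the profile parameter value from the answer above and reports the SAP* hardening gaps; the sample rows, the UFLAG lock-flag meanings and the parameter export format are assumptions made for the example.

```python
# Added example: audit SAP* lock status and login/no_automatic_user_sapstar.
# USR02.UFLAG values (assumed from SAP documentation; verify for your release):
# 0 = not locked, 32/64 = locked by administrator, 128 = locked after failed logons.
from typing import Dict, List

ADMIN_LOCK_FLAGS = {32, 64}

# Constructed sample rows resembling an SE16 export of USR02 (not from a real system).
USR02_ROWS: List[Dict[str, str]] = [
    {"MANDT": "000", "BNAME": "SAP*", "UFLAG": "64",  "TRDAT": "20171102", "LTIME": "081530"},
    {"MANDT": "100", "BNAME": "SAP*", "UFLAG": "0",   "TRDAT": "00000000", "LTIME": "000000"},
    {"MANDT": "100", "BNAME": "DDIC", "UFLAG": "128", "TRDAT": "20171015", "LTIME": "173301"},
    {"MANDT": "200", "BNAME": "DDIC", "UFLAG": "0",   "TRDAT": "20171120", "LTIME": "090000"},
]
# Constructed profile parameter export (name -> current value), e.g. taken from RZ11.
PROFILE_PARAMS: Dict[str, str] = {"login/no_automatic_user_sapstar": "0"}


def last_logon(row: Dict[str, str]) -> str:
    """Render TRDAT (YYYYMMDD) and LTIME (HHMMSS); an all-zero TRDAT means never logged on."""
    if row["TRDAT"] == "00000000":
        return "never"
    d, t = row["TRDAT"], row["LTIME"]
    return f"{d[:4]}-{d[4:6]}-{d[6:]} {t[:2]}:{t[2:4]}:{t[4:]}"


def audit_sapstar(rows: List[Dict[str, str]], params: Dict[str, str]) -> List[str]:
    """Return one finding per hardening gap; an empty list means all checks passed."""
    findings = []
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar is not 1: automatic SAP* logon with PASS is possible")
    clients_with_sapstar = set()
    for r in rows:
        if r["BNAME"] != "SAP*":
            continue
        clients_with_sapstar.add(r["MANDT"])
        if int(r["UFLAG"]) not in ADMIN_LOCK_FLAGS:
            findings.append(f"client {r['MANDT']}: SAP* is not administratively locked "
                            f"(UFLAG={r['UFLAG']}, last logon {last_logon(r)})")
    # A client without a SAP* user master record falls back to the kernel SAP* user,
    # which is exactly what the profile parameter above is meant to prevent.
    for client in sorted({r["MANDT"] for r in rows} - clients_with_sapstar):
        findings.append(f"client {client}: no SAP* user master record exists")
    return findings


if __name__ == "__main__":
    for finding in audit_sapstar(USR02_ROWS, PROFILE_PARAMS):
        print("FINDING:", finding)
```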
An RFC ABAP Type 3 connection is created between two systems using SM59. During an RFC call, what authorization object will definitely be checked in the target system?
The target system will make an authority check for the authorization object S_RFC.
How can we find “parameterized” transactions? For example: how can we find that SMY1 is a parameter transaction of SM34?
You can find parameterized transactions in table TSTCP by filtering the PARAM field on values starting with /*, e.g. /*SM34.
What are the cons of indirect role assignments? In an indirect role assignment scenario, authorization roles (and profiles) are attached to positions, employees, or organizational units in the organization structure. The end user gains access through the assignment to the position in the HR organization.
The indirect assignment model is very inflexible, since everyone assigned to a position gets the same authorizations (differences in authorizations need to be addressed separately). Also, changes in organizational management will have an impact on end-user access. Additional training for administrators and approvers is required. Read our blog to learn more about indirect vs. direct assignments.
We wish you the best of luck in December’s challenge.