SAP Security Challenge – July 2018
Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.
We will publish a new quiz on the first of every month, consisting of ten (10) questions. Participants can submit their answers at any time between the first and the last day of the month. The winner will be announced on the first day of the following month via our newsletter and on our blog. Each correct answer earns you one ticket in the prize draw (e.g. 8 correct answers give you 8 tickets). The more you know, the higher your chances to win.
In June’s challenge, we had 238 participants and an overall average of 6.8 correct answers. In total, 11 participants were able to answer all questions correctly.
We are very happy to announce that Mary P. is the lucky winner of the SAP Security Challenge of June 2018. Mary answered 8 questions correctly and wins the $50 Amazon gift card. Congratulations, Mary!
Answers from June’s Challenge
Which transaction allows you to display the User Buffer for your own user as well as for other users?
With transaction SU56 you can display the user buffer, i.e. the authorizations loaded for a user at logon. By default it shows the buffer of your own user; via the menu (Authorization Values > Other User) you can display the buffer of any other user. Because it reveals the effective authorizations of every user, access to SU56 should itself be restricted.
Which SAP standard report can be used to analyze users and roles for segregation of duty conflicts as well as for critical authorizations?
Report RSUSR008_009_NEW (the successor of RSUSR008 and RSUSR009, also reachable via SUIM) checks users and roles against defined critical authorizations and critical combinations of authorizations, i.e. segregation-of-duties (SoD) conflicts.
When a user is locked, the lock status is stored in table USR02, field UFLAG. Which lock status values are possible?
UFLAG is a bit mask, so any combination of 0 (not locked), 32 (locked globally by the administrator), 64 (locked locally by the administrator) and 128 (locked due to too many failed logon attempts) is possible. For example, a user can be locked due to too many failed logon attempts (128) and at the same time globally by the administrator (32); the stored value is then 128 + 32 = 160. This matters whenever a lock is removed selectively: SAP Access Control (GRC) password self-service, for instance, only clears lock 128, so a user with UFLAG 160 remains globally locked (32) afterwards.
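To make the bit-mask arithmetic concrete, here is an added example (not code from the original post or from SAP) that decodes UFLAG values from a constructed USR02 extract and simulates a self-service unlock that only clears bit 128. The bit meanings follow the answer above; the sample rows and the function names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# USR02-UFLAG lock bits as described in the quiz answer.
UFLAG_BITS = {
    32: "locked globally by administrator",
    64: "locked locally by administrator",
    128: "locked due to too many failed logon attempts",
}


def decode_uflag(uflag: int) -> List[str]:
    """Return the lock reasons encoded in a UFLAG value (empty list = not locked)."""
    if uflag < 0 or uflag & ~sum(UFLAG_BITS):
        # Any bit outside 32/64/128 is not a documented lock status.
        raise ValueError(f"unexpected UFLAG value {uflag}")
    return [reason for bit, reason in UFLAG_BITS.items() if uflag & bit]


def clear_lock(uflag: int, bit: int) -> int:
    """Remove a single lock reason, e.g. 128 when a password self-service resets the failed-logon lock."""
    return uflag & ~bit


# Constructed sample rows in the shape of an SE16 export of USR02 (BNAME, UFLAG).
SAMPLE_USR02: List[Tuple[str, int]] = [
    ("ALICE", 0),     # not locked
    ("BOB", 128),     # too many failed logons only
    ("CAROL", 160),   # 128 + 32: failed logons plus global administrator lock
    ("DAVE", 64),     # local administrator lock only
]


def still_locked_after_self_service(rows: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Users who remain locked after bit 128 has been cleared (the GRC self-service case)."""
    remaining_locks = {}
    for bname, uflag in rows:
        remaining = clear_lock(uflag, 128)
        if remaining:
            remaining_locks[bname] = decode_uflag(remaining)
    return remaining_locks


if __name__ == "__main__":
    for bname, uflag in SAMPLE_USR02:
        print(bname, uflag, decode_uflag(uflag) or ["not locked"])
    print("still locked after self-service:", still_locked_after_self_service(SAMPLE_USR02))
```

Running it shows that BOB is fully unlocked by the self-service, while CAROL keeps the global administrator lock (32) and DAVE the local one (64); a support process that only looks at the 128 bit would miss both.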
How many authorization fields can an authorization object have?
An authorization object can have up to 10 authorization fields. Authorization objects are defined in transaction SU21, the fields they use in SU20.
In which transaction can you check the table logs?
You can check table change logs in transaction SCU3. Logging is activated per table in the technical settings in SE13 (flag "Log data changes"), but it only takes effect if logging is also switched on at system level with profile parameter rec/client (e.g. ALL, or a list of clients); without rec/client the SE13 flag has no effect.
How to smoothly remove duplicate role assignments with different start and end date from a user?
Report PRGN_COMPRESS_TIMES merges duplicate role assignments with overlapping or adjacent validity periods into a single assignment, so the user master no longer carries the same role several times with different start and end dates.
In which tables (and views) does the SAP system store the password hashes of a user?
SAP stores the password hashes in several tables (USR02 holds the current hashes; USH02 and USRPWDHISTORY hold change history), which are also exposed through a number of views. Access to these tables and views, e.g. via SE16, SE16N or RFC, must be tightly restricted (S_TABU_DIS / S_TABU_NAM), because extracted hashes can be cracked offline with dictionary and brute-force attacks. Legacy downward-compatible hash formats are especially fast to crack, so login/password_downwards_compatibility should be set to 0 wherever no old clients still depend on them.
In which table can you maintain illegal passwords that cannot be used by your users?
Illegal passwords are maintained in table USR40, e.g. with transaction SM30. Entries can contain the wildcards * (any string) and ? (any single character); an entry without wildcards only forbids exactly that password, so to block every password containing "pass" you would enter *pass*. USR40 complements the login/min_password_* profile parameters that enforce password complexity.
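The following added example (not SAP's implementation and not from the original post) shows how USR40-style patterns are evaluated, so you can test a proposed blacklist against candidate passwords before rolling it out. It assumes the documented wildcard semantics (* = any string, ? = exactly one character) and, as an assumption to verify against your release, a case-insensitive comparison; the pattern list is constructed for illustration.

```python
import re
from typing import List

# Constructed sample of USR40 entries (not a real customer list).
SAMPLE_USR40 = ["PASSWORD", "WELCOME*", "*2018", "SAP??", "?ITING"]


def usr40_to_regex(pattern: str) -> "re.Pattern":
    """Translate a USR40 entry into an anchored regular expression.

    '*' matches any string, '?' exactly one character; everything else is literal.
    Case-insensitive matching is an assumption about the SAP check.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matching_patterns(password: str, patterns: List[str] = SAMPLE_USR40) -> List[str]:
    """Return every USR40 entry that forbids the given password."""
    return [p for p in patterns if usr40_to_regex(p).fullmatch(password)]


def is_forbidden(password: str, patterns: List[str] = SAMPLE_USR40) -> bool:
    """True if at least one USR40 entry matches the whole password."""
    return bool(matching_patterns(password, patterns))


if __name__ == "__main__":
    for candidate in ["Password", "Welcome123", "Summer2018", "SAP01", "SAP001", "MyPassword1"]:
        print(f"{candidate:12s} forbidden={is_forbidden(candidate)} by {matching_patterns(candidate)}")
```

Note that "MyPassword1" is not blocked by the entry PASSWORD: without wildcards the entry only forbids that exact value, which is the most common mistake when populating USR40.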
For RFC redesigns, which tool does SAP recommend in SAP Note 1682316 for reauthorizing RFC users without risk?
SAP Consulting Germany recommends in SAP Note 1682316 the Xiting Authorizations Management Suite (XAMS) to automate and simplify RFC redesign projects. XAMS not only saves time and money, it also removes the risk of breaking interfaces when RFC users are reauthorized.
In SAP NetWeaver 7.50, which transaction can be used to locally lock a transaction for a certain client only?
In SAP NetWeaver 7.50, SM01 is obsolete and has been replaced by SM01_DEV and SM01_CUS. SM01_CUS locks a transaction for the current client only (the lock is a client-specific customizing setting), whereas SM01_DEV locks a transaction system-wide, i.e. in all clients.
We wish you the best of luck in the challenge.