SAP Security Challenge – March 2018
Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.
We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.
In February’s challenge, we had 119 participants and an overall average of 6.4 correct answers. In total, 3 participants were able to answer all questions correctly.
We are very happy to announce that Stacie P. is the lucky winner of the SAP Security challenge of February 2018. Stacie answered 7 questions correctly and wins a copy of the book Authorizations in SAP: 100 Things You Should Know About.
Answers from February’s Challenge
What should be changed in a derived role only?
In the best case, a derived role should only differ from the master role in terms of the org levels. Thus, the org level values can be changed in a derived role. From a purely technical point of view, it is also possible to change the authorization data in the derived role. However, this is not recommended because of inconsistencies between the master and the derived role.
Which user type should be used in RFC connections?
For RFC connections, a “System” type user should always be used.
You want to avoid double TCODES. How do you do it?
In table SSM_CUST, set the parameter DELETE_DOUBLE_TCODES to “YES” and you avoid Duplicate TCODES in your roles.
In a CUA environment, in which transaction can you define that reference users are defined locally (directly in the child system)?
The distribution parameters are defined in SCUM. In transaction SCUM, you can set the role assignment to reference users under the “Roles” tab.
Jerry wants to see Tim’s spools. What authorization does Jerry need for this?
In order for Jerry to be able to select jobs from other users, the basic requirement is S_ADMI_FCD with the value SP0R. To be able to select Tim’s spools, Jerry needs S_SPO_ACT for the action (SPOAUCTION) Base and DISP for the user (SPOAUTH) Tim.
How many authorization fields can an authorization object have at most?
An authorization object can have a maximum of 10 authorization fields.
In which transaction can you define authorization groups for document types?
You can define authorization groups for document types in transaction OBA7.
What transaction can you use to create user-specific security policies?
The SECPOL transaction can be used to define security policies for specific user groups.
User Tom reports a failed authorization check. In SU53, however, you cannot find Tom’s failed authorization check, even though he just got the message in the same client. What can be the issue?
The SU53 is instance specific. So, it is possible that you will not see any failed checks in SU53 for Tom, although an authority check failed. To avoid this, you can activate a system-wide trace in STAUTHTRACE.
What is the default number of stored authorization checks of SU53?
By default, the number of stored authorization checks in the SAP standard is limited to 100 per work process.
We wish you the best of luck in March’s challenge.