ADM950 – SAP Security consultant certification flashcards – julien.moix@gmail.

com

The security policies are created by the security

team in isolation from the business team.
False
Determine whether this statement is true or false.

SAP offers many types of systems and applications.

Each type of SAP system (mySAP CRM, SAP BW,
SAP R/3, mySAP SRM, SAP APO) is so varied that
the systems do not share security tools or security False
services.

Determine whether this statement is true or false

The following tools are available for conducting

thorough system security audits.
A Role maintenance tool
B System audit log
Answer: F
C CCMS security alert
D System trace tools
E Users and Authorizations information systems
F All of the above

The Audit Information System is intended for

False
external audits only.

All of the menu roles for the Audit Information

System start with . The authorization SAP_AUDITOR – SAP_CA_AUDITOR
roles start with .

1
Configuring the Audit Information System requires
False
downloading a specific support package.

To use the Audit Information System, you must use

Answer: False
transaction SECR.

The instance parameters that relate to the audit log

include rsau parameters? Answer: True
Determine whether this statement is true or false

The security audit log only logs user connections

made by RFC connections.
False
Determine whether this statement is true or false

Which of the following are benefits of creating a

custom t-code to link SE16 to a specific table?
A You no longer need to grant access to transaction code SE16.
B With your custom transaction code, you can look at any table. Answer: A, C, D
C With your custom transaction code, you can look only at the
table specified in the transaction code.
D Custom transaction codes can be easily created, without
requiring any programming.
Which authorization objects can you examine to
determine if security is administered centrally or
regionally?
A S_USER_GRP Answer: A, C
B S_TCD_GRP
C S_USER_AGR
D S_USER_ADD

Which of the authorization objects protect

transaction code execution?
A S_TCODE
Answer: A, B, C
B P_TCODE
C Q_TCODE
D X_TCODE

SAP recommends that each custom report and each

custom program be linked to a custom transaction
code. Answer: True

Determine whether this statement is true or false

S_PROGRAM is an authorization object that

protects program execution.
Answer: True
Determine whether this statement is true or false

is a program that assigns

Answer: RSCSAUTH
authorization groups to ABAP programs.
You should be careful with the authorization object
because it can enable someone to Answer: S_DEVELOP
enter DEBUG mode in production.

Once a user is changed, there is no way to see who

changed the user. Answer: False
Determine whether this statement is true or false

The Authorization Group field is used only for

protecting reports and tables. Answer: False
Determine whether this statement is true or false

Which of the following are logs that exist in an SAP

system? (More than one answer is correct).
A Webflowlogs
B Application logs Answer: A, B, C, D
C Change documents logs
D User and authorization change logs
E None of the above

SU24 must be set up before implementing any roles.

Answer: False (Optional feature)
Determine whether this statement is true or false
SU24 requires programming changes to make the
default values occur.
Answer: False
Determine whether this statement is true or false

The following logon parameters can be used to

ensure your system is adequately secured.
A logon/fails_to_user_lock
Answer: A, B, C
B logon/min_password_specials
C logon/min_password_diff
D logon/named_super_user

SAP recommends that you separate your

Answer: Devlopment – Production
system from your system.

Which of the following are security advantages to a

three-tier landscape?
A Ensure changes occur only on development system.
B Ensure changes occur only on your production system. Answer: A, C, D, E
C Developers do not have access to production data.
D You control when changes are moved into production.
E You can test changes in a QA system.

What type of approval does SAP recommend before

moving changes into production? SAP QA approval procedure that formalize the approval
and review workflow
SAP recommends a three-tier system landscape
including development, quality assurance, and
production. Answer: True

Determine whether this statement is true or false

Client change options should always be set to No

changes allowed. Answer: False
Determine whether this statement is true or false

SAP does not provide a QA approval procedure for

changes being moved into production. Answer: False
Determine whether this statement is true or false

The user ID used in the RFC destination should be a

dialog user.
Answer: False
Determine whether this statement is true or false

Authorization object is used to protect

Answer: S_BTCH_NAM
what names job steps are scheduled to run under.
 User authentication (Password rules, Monitoring)
Authorization protection
6 aspects that might be considered in a security Auditing and logging (AIS, Security audit log, …)
policy Integrity protection
Privacy protection
Proof of obligation (non-repudiation)

Who is responsible for your IT security?

What needs to be protected?
Who is attacking?
7 questions that a security policy should address? What is the risk?
Which protection mechanisms are required?
Which procedures are to be enforced?
How much protection can you afford?

Audit Information System

Authorization Information System
6 tools available to help provide answers to the System Audit Log
questions that arise during a system security audit: Computer Center Management System Alerts
Trace tools
Role maintenance tool (PFCG)

menu
What are the 3 major components of the Role
authorizations
maintenance tool (PFCG)?
users

What are the 2 types of roles implementation Menu roles

strategy? Authorization roles
 - system audit (general system, users and
authorizations, repository and tables)
What are the 2 major categories of the AIS
- business audit (accounting, customer, vendors, asset,
tax)

What was the transaction used by SAP in the past to In the past, the Audit Information System existed in a
access the AIS single transaction code, SECR

Menu roles (SAP_AUDITOR*) (only menu items; no

What are the two major groups of SAP Standards authorizations)
roles defined for the Audit Information System Authorization roles (SAP_CA_AUDITOR*) (only
authorizations, no menu items listed)

What is the SAP standard composite menu and

The menu roles: SAP_AUDITOR
authorization Role which contains every role in the
The authorization roles: SAP_CA_AUDITOR
AIS?

Copy the SAP roles to your own naming convention

Update the roles (as needed)
What are the 4 steps required to set-up the AIS
Create a user for the auditor
Assign the roles you created to the audit user
Which SAP Standard role allow you to set-up the
SAP_AUDITOR_ADMIN
AIS?

Security-related changes to the SAP system (changes

to user master records)
Higher level of transparency (successful and
What is the audit log’s main objective? (3 points)
unsuccessful logon attempts)
Enables the reconstruction of a series of events
(successful or unsuccessful transaction starts)

Successful and unsuccessful dialog logon attempts

Successful and unsuccessful RFC logon attempts
Remote function calls (RFCs) to function modules
Which 7 information types can be recorded with the
Successful and unsuccessful transaction starts
Security audit log? Successful and unsuccessful report starts
Changes to user master records
Changes to the audit configuration

SAP systems maintain their audit logs on a daily

basis. The system does not delete or overwrite audit
files from previous days; it keeps them until you SM18
manually delete them. Which transaction is used in
order to archive or delete the audit files?

You define the name and location of the files in a profile

How do you define the audit file name and location?
parameter, rsau/local/file.
 Event identifier (a three-character code)
SAP user ID and client
What are the information (9) contained in an audit Terminal name, Transaction code
record Report name, Time and date when the event occurred
Process ID, Session number
Miscellaneous information

You define the maximum size of the audit file in the

How do you define the maximal size of the audit
profile parameter rsau/max_diskspace/local. The
file?
default value is 1 megabyte (MB) or 1000000bytes

What happened if the maximal size of the audit file If the maximum size is reached, the auditing process
is reached? stops.

Client, User,
Audit class: Dialog logon, RFC/CPIC logon, Remote
What are the 4 major filters available for the security function call (RFC), Transaction start, Report start, User
audit log? master change
Weight of events to audit: Audit only critical, Audit
important and critical, Audit all events (non-critical)

Create and save filters permanently in the database

(all the application servers use identical filters, define filters
only once, you must restart the instance, define different
What are the 2 main options to create and save profiles that you can alternatively activate)
audit filters?
Change filters dynamically (changes distributed to all
active application servers, do not have to restart the instance,
not saved for reuse after system stops/starts)
 rsau/enable: enable the SAL
What are the profile parameters that you need to
rsau/local/file: file location
specify in order to create and save filters
rsau/max_diskspace/local: max space to allocate
permanently in the database?
rsau/selection_slots: number of filter to allow

What are the profile parameters that you need to rsau/local/file: file location
specify in order to change filters dynamically on rsau/max_diskspace/local: max space to allocate
one or more application servers? rsau/selection_slots: number of filter to allow

With which transaction can you assess the security

SM20 or SM20n
audit log?

Introductory information
What are the four main sections of the audit analysis Audit data
report? Statistical analysis
Contents

Performs detailed monitoring

Creates alerts and displays them with colour values
What are the 4 main functions of the Computing Provides analysis and auto-reaction methods (sms,
Center Management System (CCMS) monitor? emails with threshold )
Allows you to view current alerts and the history of
alerts
What is the transaction to access the CCMS alert
RZ20
monitor

S_TCODE used in every SAP system for every module

What are the 5 majors authorisation objects used to P_TCODE used for Human Resources
protect which transaction codes a user can access Q_TCODE used for Quality Maintenance
and for which product are they meant to be? I_TCODE used for Plant Maintenance
L_TCODE used for Warehouse Management

S_TABU_DIS is checked anytime someone looks at

Which authorithation object determines what table
data in a table directly (with one of these transactions:
someone can look at with the transactions SE16,
SE16/SE16N, SE17, SM30, SM31. or the
SE16N, or SE17; SM30 or SM31; and SE12
Implementation Guide).

When access is required, use transaction code SM30

Which transaction should be used when access to a
because an interface exist and no direct access to the
table and why?
table.

Activity and Authorization Group. The Authorization

What are the 2 fields of the authorization object
Group field is mapped to which tables a user can
S_TABU_DIS
access.
Which table maps the Authorization Group to a list
TDDAT
of tables?

Which authorization object control the authorization

the authorization object S_PROGRAM
to execute a program

User Action: start the program or schedule it to run in

batch mode or if you use variants.
Which fields use the authorization object
S_PROGRAM Authorization Group: which programs you can
execute.

For this authorization object to be effective, ABAP

What should be set up in order for the authorization
programs must have an authorization group assigned to
object S_PROGRAM to be effective?
them in the attributes of the program.

What program allows you to assign an authorization

group to all executable programs or to individual RSCSAUTH
programs or program group?
 Authorization object: S_PROGRAM
What are the accesses required in order to run
User action: SUBMIT
transaction SA38?
Authorization group: No value required

- Include an Authorization Group on the program

for all custom reports/programs developed. Use
report RSCSAUTH to assign Authorization Group
2 options to secure the use of SA38 values to programs/reports

- Request all custom reports/programs to include at

least one AUTHORITY-CHECK inside the code.

Check access to tables

Check access to program
For what is the Authorization Group field used?
Used in varying ways throughout SAP applications, like
e.g. FS00

Which authorizations object do you use to grant S_DEVELOP is the general authorization object for
access to all ABAP Workbench components ABAP Workbench objects

ABAP development tools

ABAP Dictionary and Data Modeler
6 ABAP Workbench components that are protected Screen Painter and Menu Painter
with S_DEVELOP Function Builder
Repository Browser and Info System
SAP Smart Forms
 Application logging
Logging workflow execution / webflow
Logging using change documents
What are the 6 types of logs?
Logging changes to table data
Logging changes made using transport system
Logging changes made to user and authorization

Which transactions are used to maintain and SLG1, display

analyze the application log? SLG0, define entries for your own application

The log traces application events and tasks, and

What does the application log trace? reports on their activity (for example, transfer of data
from SAP R/3 to SAP APO).

The webflow log (or workflow log) includes all activities

Which activities are logged in the webflow log?
that have occurred due to workflows executing.

Which transactions allow you to analyze the

SWI5, SWI2_FREQ and SWI1
webflow?
What is the transaction to view the change
SCDO
document for an object

Change document header

Change document item (old and new values of a field)
- U(pdate) . Data was changed.
What is the structure of the change document?
- I(nsert)
- D(elete) . Data was deleted
Change document number

MM04 for material changes and VD04 for customer

changes.
What are for example the transactions to review
change documents for MM and SD? Each application has its own transaction to review
change documents

Which transaction displays the table change log? SCU3

In which table are the table change logged? DBTABPRT

 rec/client parameter: = ALL (logs all clients), = 000 [,...]
(logs the specified clients), = OFF (turns logging off).
What is the configuration required in order to use the
table change log? In the technical settings (use transaction SE13, SE12),
set the Log data changes flag for those tables that you
want to have logged.

A transport system log monitors all changes that are

What does the transport system log record?
migrated from development to production.

Which transactions allow you to view the transport

SE09 and SE10
system log?

User and authorization logs record all changes that

What does the user and authorization log records?
occur to users, authorizations, and profiles.

Which transaction allows you to read the HR

Reports logs in order to see each time the report is RPUPROTD (Log of report status)
started?
 Correct authorization objects that are not linked to
3 situations where the security administrator might transaction codes correctly
want to use the transaction SU24 (maintain tables Correct authorization objects that have unacceptable
that assign which authorization objects go with default values
which transaction codes)? Change default values to ones that will always be
appropriate

1. Start transaction SE16.

How to find out who made a change with the 2. Enter USOTB_C in the Table Name field.
transaction su24? 3. Use values in the Modifier, ModDate, and ModTime
fields

CM = Check/Maintain
What are the 4 check indicators? C = Check
N = No Check
U = Unmaintained.

Authorization check is carried out against this object.

What are the properties of the check indicator CM = PFCG creates an authorization for this object
Check/Maintain Field values are displayed for changing.
Default values for this authorization can be maintained.

Authorization check is carried out against this object.

PFCG does not create an authorization for this object.
What are the properties of the check indicator C =
Field values are not displayed.
Check
No default values for this authorization can be
maintained.
 Authorization check against this object is disabled.
PFCG does not create an authorization for this object.
What are the properties of the check indicator N =
Field values are not displayed.
No Check
No default values for this authorization can be
maintained.

No check indicator is set.

Authorization check is always carried out against this
What are the property of the check indicator U =
object.
Unmaintained
PFCG does not create an authorization for this object,
Field values are not displayed.

Authorization objects from the basis (S*) and Human

Can the checked for the authorization objects from
Resources management applications (P_*, PLOG)
the Basis (S*) and HR management (P_*, PLOG*)
cannot be excluded from checking because the field
be changed?
values for these objects must always get checked.

Overview of Users, Users, Roles, Profiles

Authorizations, Authorization object
What are the 10 components of the User information Transactions
system (SUIM)? Comparisons (of users)
Where-Used list (for authorization)
Change documents (for users, auth and profiles)

In a centralized security environment, one group is

responsible for all security tasks: creating users,
creating roles, and assigning roles to users.
What is the difference between centralized and
decentralized security administration? In a decentralized security environment, multiple groups
work on security (physical location, based on division,
based on product line, or based on company code).
 User administrator (create user, assign roles)
What are the 3 different administrator types in a
Authorization administrator (create roles)
decentralized security administration?
Profile administrator (generate role).

Which authorization object is provided to create and

maintain users and assignments in a decentralized S_USER_GRP
fashion with user groups?

Which authorization object helps you to enforce the

role naming convention in restricting the allowed S_USER_AGR
roles names?

Which authorization object ensure that the

decentralized admin only add authorized t-codes to
roles S_USER_TCD

Which authorization object can be used to ensure

the security administrator only add value for a
specific company code? S_USER_VAL
Which authorization enforces that one person can
create the menu portion of the role, but someone S_USER_AUT
else updates the authorizations?

Which authorization object enforces that one person

can create the role, but another person must S_USER_PRO
generate the role?

What is the transaction for the system trace tool? ST01

SAP*
What are the 2 special users defined in client 000?
DIDIC

Define the profile parameter

logon/no_automatic_user_sapstar, with the value 0
How can you deactivate the user SAP*? Create a user master record for SAP*
Give this user no roles or profiles.
Give him a new password
In which client is the user Earlywatch delivered? Earlywatch is delivered in the client 066

What is the default password of the special user

SUPPORT
EarlyWatch?

To prohibit the use of a password, enter it in table

USR40. There are two wildcard characters:
How can you prohibit the use of certain passwords? ? stands for a single character
* stands for a sequence of any combination
characters of any length

Which transaction allows you to maintain the profile

RZ11
parameters?

logon/min_password_lng: min length

logon/min_password_digits: min number of digits
logon/min_password_letters: min number of letters
What are the 5 profiles parameters that enforce the
logon/min_password_specials: min number of special
minimum requirement that a password must fulfil?
characters
logon/min_password_diff: how many characters in the
new password must be different from the old password
 logon/password_expiration_time
logon/password_max_new_valid: Validity period of
What are the 3 profiles parameters that enforce the
passwords for newly created users
validity period of a password?
logon/password_max_reset_valid: Defines the validity
period of reset passwords

logon/disable_multi_gui_logon: Controls the

deactivation of multiple dialog logons
What are the 3 profile parameters that enforce the logon/disable_multi_rfc_logon: Controls the
multi logon for a user? deactivation of multiple RFC logons
logon/multi_logon_users: List of excepted users
(multiple logon)

logon/fails_to_session_end: number of unsuccessful

logon attempts before the system does not allow any
more logon attempts
What are the 3 profile parameters that enforce the logon/fails_to_user_lock: number of unsuccessful
number of unsuccessful logon attempts? logon attempts before the system locks the user.
logon/failed_user_auto_unlock: Defines whether user
locks due to unsuccessful logon attempts should be
automatically removed at midnight

Which 2 profile parameter controls the deactivation logon/disable_password_logon

of password-based logon for users or for groups? logon/password_logon_usergroup

Which profile parameter specifies the default client

that is automatically filled in on the system logon logon/system_client
screen?
Which profile parameter specifies the exactness of
logon/update_logon_timestamp
the logon timestamp?

Which profile parameters specifies the number of

seconds until an inactive user is automatically rdisp/gui_auto_logout
logged out?

Changes take place in only one location

Developers do not have access to production data.
6 security advantages that a three-tier system Test in a QA system before they take effect in prod.
landscape can offer? Control the point in time when changes take effect
Reduce accidental or unauthorized changes
Keep a record of changes for auditing purposes

Which transaction allows you to see if the TMS

Quality Assurance approval procedure has been set STMS
up?

By request owner Default: inactive. Values of

S_CTS_ADMI: CTS_ADMFCT Value: TADM and TQAS
What are the 3 standards approval steps and their By user department. Inactive. Values of S_CTS_ADMI:
authorization object, value and default value? CTS_ADMFCT Value: QTEA or TADM and TQAS
By system administrator. Default: inactive. Values of
S_CTS_ADMI: CTS_ADMFCT Value: TADM and TQAS
Which transaction allows you to approve a transport
STMS
request?

At which level is it possible to enforce the changes? System and client level

Transport routes define where changes are made, and

What defines the transport routes? how the changes migrate through the system landscape
after they have been released.

In which transaction can you release the change

SE09 or SE10
request to transport?

1. Release the change request

2. Review the log files
3. Import the SAP system objects into the target system.
What are the 5 steps of a transport
4. Review the log files created by the Workbench
Organizer.
5. Test your imports thoroughly
 Team members: Releasing their own
Project leader: Verifying the contents of a change
request prior to release
4 roles and responsibilities in the transport process
Transport administrator: Execute the transport tasks
Quality Assurance (QA) team: tests the entire
functionality and integration

- Link custom programs to custom transaction codes

- Include AUTHORITY-CHECK statements for all
3 security checks to consider before the
programs
development work are moved to production?
- Ensure proper controls are in place if this custom
program (or function module) accesses critical tables

S_TRANSPRT is the authorization object for the

Transport Organizer. Fields: Activity, Request type
What are the authorization object and their fields CUST: Customizing requests
that allow you to work with transport? DTRA: Workbench requests
TASK: Tasks (repair or correction
…

S_CTS_ADMI, field: CTS_ADMFCT

TABL: Maintain transport routes, call certain tools
Which authorization object and its field enforce the INIT: Set system change option
administration function in the change and transport IMPA: Import all transport requests
system? IMPS: Import individual requests
TADD: Perform an “add to buffer”
…

Quality Assurance (QA) team: not defined

What are the predefined authorizations in SAP Administrator (transport super user): S_CTS_ALL
systems that apply to the 5 various roles for the Project leader: S_CTS_PROJEC
transport process? Team members and developers: S_CTS_DEVELO
End users: S_CTS_SHOW
What is the table for maintaining system clients? T000

You can protect certain objects from being changed by

imports by defining a set of security-critical objects in
What do the values of the table TMSTCRI prevent?
table TMSTCRI. You are then warned of changes to
these objects in transport requests.

S_BTCH_JOB: Job Operations, Values DELE, RELE

(release), SHOW, PROT (Display job logs)
What are the four primary authorization objects used S_BTCH_NAM: protects what user IDs can execute
in background processing? S_BTCH_ADM: Value Y for the Background admin
S_RZL_ADM: Field Name, 01 (Create), 03 (Display) if
the background job executes an external cmd.

SM36: create background jobs.

What are the transactions to create and monitor
background jobs? SM37: monitor background jobs.

User ID is stable; the user never changes jobs

The password does not have to be reset.
4 reasons to use specific System user IDs for
No one can log on
background jobs
Facilitates security administration and maintenance of
background schedule.
Which authorizations are needed to allow a user to Give them S_TCODE with SM37 and SP02
have a look only at their spool request? No other authorization objects are required to view spool

Which SAP standard roles gives access required to

SAP_BC_BATCH_ADMIN
administer background jobs

ABAP program
What 3 kind of job steps can be executed when External command: from the operating system are
creating a background job? executed from SAP
External program: at the operating system (Ex: file read)

You must have activity 01 for the authorization object

Which 2 authorizations are needed in order to create
S_RZL_ADM (maintain) and access to S_LOG_COM
background job with external program job steps?
(execute)

Which authorization object define which printers you

S_SPO_DEV
can print to?
Which authorization object enforce actions you can
take with spool requests (Admin) and enforce
S_SPO_ACT
access to a spool request that does not belong to
you?

Which authorization object enforces administering

the spool system (Admin)? Values SP01, SP0R,
S_ADMI_FCD
SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD,
SPTR

Which authorization object limit the number of pages

S_SPO_PAGE
a user can print to a specific printer?

What is the SAP standard role for spool

SAP_BC_SPOOL_ADMIN
administration?

- Database backup tools such as brbackup

- Operating system environment commands
4 examples of external commands executed within
- List directories and space available at the operating
SAP?
system
- Execute sap router
 - External commands can be executed either with
What are the 3 ways to execute external - Transaction SM49 (SM69 to create)
commands? - ABAP programs
- In background job steps

How is the external command defined in the SAP An external command is an alias defined in the SAP
system? system that represents an operating system command.

What are the authorizations needed to create and SM69,

maintain an external command? S_RZL_ADM with the value 01,03(Activity field)

Command (name of external command)

What are the 3 different fields of the S_LOG_COM
Opsystem (operating system for the command)
authorization object?
Host (symbolic host name of target system)

Standard list download

What are the 2 ways in use to download lists?
Application-specific implementations for downloading
(Excel for ex)
Which authorization object protects the standard list
S_GUI
download?

Authorizations object S_DATASET. The minimum

Which authorization objects protect the file access? activities required are 33 (normal file read) and A6 (read
file with filter).

User IDs in RFC destinations should be set up as

What are the 2 user types that should be used for communication or system users:
RFC communication? €someone cannot log on with the userID
€the passwords normally do not expire

Which transaction lists each RFC destination and

RSRFCCHK
the user involved?

Which authorization object is checked when a user

object S_RFC
invokes a RFC?
 - Type of RFC object to be protected
What are the 3 fields of the authorization object
- Name of RFC to be protected
S_RFC?
- Activity

Which profile parameter can you use in order to

auth/rfc_authority_check
specify the use of S_RFC?

How is the authentication done when an RFC When this RFC destination is invoked, the user ID that
destination has no user Id provided and the current will be used is the ID of the person who invoked this
user field is selected? RFC destination.

0 = No authorization check
1 = Authorization check active (no check for same user,
What are the values possibilities for the profile no check for same user context and SRFC-FUGR).
parameter auth/rfc_authority_check? 2 = Authorization check active (no check for SRFC-
FUGR)
9 = Authorization check active (SRFC-FUGR checked)

What is the default Communication RFC user set up

TMSADM
for the transport management?
How is the system called to set up a trusted
relationship and allow user logging based on this TMS Trusted Services
trusted relationship for transport?

Which authorization object gives access to many

S_ADMI_FCD
administration functions?