ADM940 – SAP Security consultant certification flashcards –
[email protected]
What is Central User Administration used for?
A: To administer passwords for SAP users centrally
B: To maintain printer landscapes centrally
C: To administer user master records centrally
D: To create authorization profiles centrally
Answer: C
What are the 3 main sources of risks?
Persons: important employees leaving the company, dissatisfied or inexperienced employees, hackers with criminal intent.
Technology: processing errors (caused by applications or operating systems), viruses, power supply interruption and hardware failure.
Environment: fire, flood, dust, earthquakes.
Which measures address each source of risk (Persons, Technology, Environment)?
Organizational measures (Persons): training, internal security policy, procedures, roles, responsibilities.
Technical measures (Technology): inclusion of electronic checks (routers), access authorizations for systems and data.
Environmental measures (Environment): protect physical system components against natural sources of danger.
What is the difference between System Access Control and Role-based Access Control?
System Access Control: users must identify themselves in the system; configuration of system access control (such as password rules).
Role-based Access Control: access rights for functions and data are granted explicitly using authorizations; authorization checks for transactions, reports and program execution.
What are the 3 main components of a SAP role?
Role menu: transactions, reports and web links combined in a menu.
Authorization: access rights for business functions and data.
User: the user-to-role assignment is necessary, made with the Profile Generator or with SU01.
Report that displays all the role templates supplied by SAP
RSUSR070
What are the 5 steps of the ASAP Methodology?
Project preparation: inclusion of all decision makers
Business blueprint: requirement determination
Implementation: configuration and fine tuning
Final preparation: testing and training
Go live and support: start of production
What are the 5 steps of the authorization concept conception?
Preparation: set up a team, define the communication process
Analysis and conception: analyze processes and determine the role framework
Implementation: creation of roles
Quality assurance and tests: positive and negative testing
Cutover: production start
What are the main components of the authorization concept?
Authorization object class: grouping of authorization objects
Authorization object: groups 1 to 10 authorization fields
Authorization field: smallest unit checked
Authorization: instance of an authorization object
Authorization profile: group of instances (authorizations)
Role: description of SAP user activities; allows automatic generation of the profile
User: logs on to SAP with specific access
What should the naming convention be for new developments?
Authorizations and authorization profiles: do not start with Y or Z; must not contain an underscore in the second position.
Authorization classes, objects and fields are development objects and must start with Y or Z.
Table for all possible activities
TACT
What are the 2 checks executed after a transaction start to ensure that the user has the appropriate authorization?
Step 1: check if the user is authorized to start the transaction
Step 2: check if an authorization object is assigned to the transaction code
Table for transaction code / authorization object assignment
TSTCA
ABAP statement used to check the authorization object assigned to the transaction
AUTHORITY-CHECK
Return codes after the authorization check with the ABAP statement AUTHORITY-CHECK
0: the user has the authorization for the object and the field values
4: the user has the authorization for the object, but not for the field values
12: the user has no authorization
16: no profile is entered in the user master record
Authorization object that defines the user groups for which an administrator has authorization and the activities that are allowed
S_USER_GRP
Authorization object that defines the authorization object names and the authorization names for which an administrator has authorization and the activities that are allowed
S_USER_AUTH
Authorization object that defines the profile names for which an administrator has authorization and the activities that are allowed
S_USER_PRO
Authorization object that defines the role names for which an administrator is authorized and the activities that are allowed
S_USER_AGR
Authorization object that defines the transactions that an administrator may include in a role
S_USER_TCD
Authorization object that defines which field values an administrator may enter in roles, for which authorization object and which fields
S_USER_VAL
Authorization object that defines which systems a user administrator can access from the CUA
S_USER_SYS
Mandatory fields needed to create user master data
On the Address tab page: Last name field
On the Logon data tab page: Initial password
User types possible for user master data
Dialog: for interactive users
System: for background processing and communication within a system; no dialog possible, no change of password
Communication: for dialog-free communication between systems; no dialog possible, no change of password
Service: dialog user available to an anonymous group of users
Reference: for general, non-person-related users; allows the assignment of additional, identical authorizations
Transaction for user mass changes
SU10
Which are the two different maintenance views of the Profile Generator PFCG?
Basic maintenance (menus, profiles, and other objects)
Complete view (Organizational Management and workflow)
PFCG: which are the 7 activities to create a role?
1. Define role name
2. Determine activities
3. Design user menus
4. Maintain authorization data
5. Generate authorization profile
6. Assign users
7. User master record comparison
Which 5 options are available when manually inserting a new authorization? (PFCG -> Authorizations tab -> Edit -> Insert authorization)
Selection criteria: authorizations grouped by object class
Manual input: enter the name of the authorization directly, if known
Full authorization: fills all authorizations with the value *
From profile: use authorizations from individual profiles
From template: use the SAP authorization templates
Can a role have several profiles generated?
Yes. A profile can only contain a certain number of authorizations, so one role may have several profiles. You can recognize these profiles from the fact that their names are identical for the first 10 characters.
What are the 2 ways to assign roles to users for a limited period of time with a user comparison?
1. As a background job: report PFCG_TIME_DEPENDENCY
2. With the transaction PFUD (user master record reconciliation)
Why should a generated profile never be entered directly into the user master record (SU01)?
During a user comparison, generated profiles are removed from the user master records if they do not belong to the roles that are assigned to the user.
What are the 4 different types of roles?
Customizing role: assigns a project or project view of the IMG
Composite role: group of roles
Derived role: menu identical, but authorizations different (mainly organizational units)
Normal (single) role
What are the pros and cons of composite roles?
+ One work center
+ One composite role
+ One assignment
+ One central menu
‐ They do not have any authorization data themselves
Is it possible to add composite roles to composite roles?
No. For reasons of clarity it does not make sense, and it is therefore not possible, to add composite roles to composite roles.
Composite role: What are the 2 possibilities if the composite role has been modified and you click on the refresh button?
Reimport: discard your settings and restructure the menu
Merge: creates a delta between the actual situation and the situation as it ought to be. The delta describes the change set:
‐ Reduction: transactions that no longer appear
‐ Extension: transactions which now additionally appear
Derived roles: is the user assignment inherited?
No, the user assignments are not inherited.
Derived roles: 2 ways to perform the comparison between the roles?
1. Comparison from the imparting role (“Generate Derived Role” button)
2. Comparison from the derived role (“Transfer Data” button)
Derived roles: can the inherited menus be changed?
No, the inherited menus cannot be changed in the derived roles.
What is the meaning of the traffic light icons in authorization maintenance?
Green: all fields below this level have been filled with values
Yellow: there is at least one field (but no organizational level) below this level for which no data has been proposed or entered
Red: there is at least one organizational level field below this level for which no value has been maintained
What are the 4 status texts in authorization maintenance?
Standard: unchanged from the SAP defaults
Maintained: at least one field in the subordinate levels of the hierarchy was empty by default and has since been filled
Changed: the proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value
Manual: you maintained at least one authorization in the subordinate hierarchy levels manually
What are the 2 status texts about authorizations after a comparison?
Old: the comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added.
New: the comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click “New”, all new authorizations in the subordinate levels are expanded.
What are the 2 required steps necessary for operating the profile generator?
1. The profile parameter auth/no_check_in_some_cases has the value Y
2. The default tables USOBX_C and USOBT_C, which control the behavior of the Profile Generator when a transaction is selected in a role, are filled
Transaction code to maintain profile parameters?
RZ11
Which 2 tables control the behavior of the Profile Generator after the transaction has been selected?
USOBX_C and USOBT_C
Which table defines which authorization checks are to be performed with a transaction and which not?
USOBX
Which table defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator?
USOBT
Which transaction copies the SAP default tables USOBX and USOBT to the customer tables USOBX_C and USOBT_C?
SU25
Which transaction maintains the customer tables USOBX_C and USOBT_C?
SU24
What do check indicators for transactions determine?
Check indicators determine whether an authorization check will run within the transaction or not.
What are the 4 supported check indicators for transactions?
N: No check. This indicator cannot be set for HR and Basis authorization objects.
U: Unmaintained. A check is performed against the corresponding authorization object in this transaction.
C: Check. Maintenance in the Profile Generator is not supported.
CM: Check/Maintain. For objects with this check indicator, you can display and change the defaults in PFCG.
What are the 4 activities required for an upgrade of the Profile Generator?
Migrate the report tree
Check the Profile Generator activation
Upgrade the roles and default tables (SU25)
Conversion of manually created profiles to roles, if necessary (SU25)
Regardless of the release status, after an upgrade you will have 2 possible statuses. What are they?
Source release did not use PFCG (it might have to be activated)
Source release used PFCG (this means that tables USOBT_C and USOBX_C have to be updated, as well as the existing roles)
Which profile contains authorizations for all new checks in existing transactions?
SAP_NEW
The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update of authorization checks introduces checks for previously unprotected functions.
Which are the 2 ways to control the choice of user passwords?
System profile parameters
Invalid passwords can be entered in the table USR40
How can entries in the table USR40 (invalid passwords) be made generically?
? denotes a single character
* denotes a character string
Profile parameter: minimum length of the logon password
login/min_password_lng
Profile parameter: Number of incorrect logon attempts allowed with a user master record before the logon procedure is terminated
login/fails_to_session_end
Profile parameter: Number of incorrect logon attempts allowed with a user master record before the user master record is locked. The lock is removed at midnight
login/fails_to_user_lock
Profile parameter: if the parameter is set to 1 (default), user locks caused by incorrect logons during previous days are not taken into consideration. If the value is set to 0, the lock is not removed.
login/failed_user_auto_unlock
Profile parameter: The value 0 means that the user is not forced to change the password. A value > 0 specifies the number of days after which the user must change the logon password
login/password_expiration_time
Profile parameter: If this parameter is set to value 1, the system blocks multiple SAP dialog logons (in the same client and with the same user name)
login/disable_multi_gui_login
Profile parameter: in which the list of users who may log onto the system more than once is stored
login/multi_login_users
Which is the only user in the SAP system for which no user master record is required (since it is defined in the code)?
SAP*
What is the default password of the user SAP*?
PASS
What is the default password of the user master record SAP* after the installation of the client 000?
06071992
How can you deactivate the special properties of SAP*?
Set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero
Which special user is responsible for maintaining the ABAP Dictionary and the software logistics in the client 000?
DDIC
Which special user is delivered in the client 066?
EarlyWatch
What is the standard password of the user EarlyWatch?
SUPPORT
Which authorization object checks the objects of an area menu, since a transaction code is assigned to each executable menu entry?
S_TCODE
Are transactions called indirectly with the ABAP statement CALL TRANSACTION checked?
No. If a transaction is called indirectly, that is, from another transaction, no authorization check is performed.
How do you ensure that a transaction called indirectly with the ABAP statement CALL TRANSACTION is subject to an authorization check?
Use transaction SE97 to set the check indicator in table TCDCOUPLES for the entry of the pair of calling and called transactions.
Which authorization object defines which table contents may be maintained by which employees?
S_TABU_DIS
The authorization object S_TABU_DIS controls only complete accesses, which are made using standard table maintenance.
Of which fields does the authorization object S_TABU_DIS consist?
DICBERCLS: authorization group for ABAP Dictionary objects (only tables/views assigned to authorization group “V*” (DICBERCLS=V*) may be maintained)
ACTVT: activity (02, 03)
In which table is the assignment between the groups and the ABAP dictionary objects (tables)?
TDDAT
Which authorization object grants authorization to maintain cross‐client tables with the standard table maintenance transaction?
S_TABU_CLI
Which field has the authorization object S_TABU_CLI?
CLIIDMAINT: if the identifier X or * is set, cross-client tables can be maintained.
Which authorization object restricts a user’s access rights to specific parts of a table?
S_TABU_LIN
Which fields has the authorization object S_TABU_LIN?
Activity: 02 add, change, delete; 03, only delete
Organizational criterion: table key fields/row authorization, such as organizational criteria
Attributes for organizational criterion: 1 to 8 attributes for the organizational criterion, each attribute for a certain table key field
Which authorization object checks the use of programs (reports)?
S_PROGRAM
What activities can be assigned to the authorization object S_PROGRAM?
Starting a program (SUBMIT)
Scheduling a program as a background job (BTCSUBMIT)
Variant maintenance (VARIANT)
What is the principle of Treble control?
Sharing the administrative tasks (user administration, authorization administration/role maintenance, profile generation) among three administrators is called the principle of treble control.
How is decentralized User Administration technically implemented?
Technically, decentralization is implemented by grouping users to form user groups. Each decentralized user administrator may only administer the users assigned to the user group for which he or she is responsible (authorization object S_USER_GRP).
Which are the 3 different roles in decentralized User Administration?
User administrator
Authorization data administrator
Authorization profile administrator
Which are the 2 ways in which we can determine the required authorization, if we cannot find documentation?
With the authorization error analysis, transaction SU53
With the authorization trace, transaction ST01
Which transaction shows which authorizations are currently in the user buffer?
SU56
For what is the Audit Information System (AIS) a checking tool?
External auditing
Internal auditing
System checks
Data protection
What are the 2 main components of the AIS reporting tree?
System auditing functions
Business auditing functions
What should you do before implementing a result of a trace (ST01) or of transaction SU53?
You should not immediately implement a result of a trace or of transaction SU53 as new roles or profiles. First analyze the system for existing settings. The User Information System and the Audit Information System are available to the administrator for this purpose.
What is the transaction for the User Information system?
SUIM
Which authorization components can be transported?
User master records
Roles
Authorization profiles
Check indicators
What is the transaction for local client copy?
SCCL
What are the transactions for client copy between systems?
SCC8 (exchange of data with a data export at operating system level)
SCC9 (remote client copy: the data is copied over the network and not as a file)
Can only the complete user master, and not individual users, be copied?
True
After a transport of the user master records, should a comparison occur?
Yes, manually or with the report PFCG_TIME_DEPENDENCY
By default, authorization profiles are transported with the role. What should be set up in order to avoid this?
Set the entry PROFILE_TRANSPORT:=NO in table PRGN_CUST
How can you protect the target system with an import lock in order to avoid transporting the user assignments to roles?
The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO.
If systems are assigned to a Central User Administration, roles must be transported without user assignments, since these assignments are made in and distributed from the central system. How can you enforce this?
The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO.
What is the advantage of the indirect role assignment through the organizational plan?
As soon as an employee changes position, he or she also loses the corresponding authorizations.
What are the different types of organizational plan objects?
Organizational unit: a functional unit in the company (e.g. Sales)
Position: staff assignment of an organizational unit (e.g. Sales Manager Europe)
Job: jobs are general classifications of functions in a company (e.g. sales manager)
Task: description of an activity that is to be performed within organizational units
What are the transaction codes for creating, editing and displaying the organizational plan?
Create: PPOCE
Change: PPOME
Display: PPOSE
What are the 3 main windows of the organizational plan transaction?
The Organizational Structure window allows you to build up and maintain the organizational structure.
The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan.
The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions.
To which object type are persons assigned in the organizational plan?
Position. Holders are assigned to positions, not to jobs.
Does a user assigned to a position then inherit all authorization profiles of the roles assigned to it?
Yes
Can roles be inherited across organizational units?
No, roles cannot be inherited across organizational units. Positions belonging to an organizational unit cannot inherit the roles assigned to a higher-level organizational unit.
What is the difference between a user and a person in the system?
The Person object type is maintained in the HR master data. Persons are employees of the company. Users, on the other hand, are not necessarily employees. Users have authorizations to access the SAP system.
CUA: on which technology concept is the distribution of authorization data based?
ALE. ALE means Application Link Enabling and permits you to build and operate distributed SAP links.
What can be distributed with the CUA?
• User master record data, such as the address, logon data, user defaults and user parameters
• The assignment of the user to roles or profiles
• The initial password: the initial password is distributed to the child systems as a default. The passwords are distributed in coded form.
• The lock status of a user
Transaction to define child and central system in the CUA
SALE
CUA: what are the communication partners called that are addressed by aliases in the ALE scenario?
Logical systems
CUA: How is the communication performed between the central system and the child system at network level?
Using RFC (Remote Function Call)
CUA: In which transaction is the technical definition of the RFC connection maintained?
SM59
CUA: With which transaction code is the distribution model created, maintained and distributed?
BD64
With which transaction is the Central User Administration centrally activated?
SCUA
With which transaction can you define whether each individual component of a user master record should be administered centrally or locally in the child system?
SCUM
CUA: What are the 5 field attributes that can be defined for each input field of user maintenance?
Global: can only be maintained in the central system
Default: a default value, automatically distributed when it is saved, can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the child systems and cannot be returned.
Redistribution: maintained in both the central and the child system
Local: can only be administered locally
Everywhere: change data locally and globally (user locks only)
CUA: With which transaction are existing user master records migrated to the central system?
SCUG
This procedure can only be performed once for each child system.
CUA: as user master records are migrated they may already exist or be completely new; with which properties can they be imported?
New user: not yet contained in the CUA
Identical user: already in the CUA
Different user: already in the CUA with a different first or last name
Four features of the Enterprise Portal?
Integration of company data and applications
Optimal use of open standards
Conversion of unstructured data
Provision of Enterprise Portal content for users
Four technical aspects of the Enterprise Portal?
Core functions written in Java; a J2EE runtime environment is required (SAP J2EE Engine)
Open architecture: SOAP, UDDI, JCA, JAAS, LDAP, X.509, XML and ICE are supported
Security functions, including full support of directory services, digital certificates, and SSL
Mobile devices are supported