ADM950-Flashcards.pdf

(1)

The security policies are created by the security team in isolation from the business team.

Determine whether this statement is true or false.

False

SAP offers many types of systems and applications. Each type of SAP system (mySAP CRM, SAP BW, SAP R/3, mySAP SRM, SAP APO) is so varied that the systems do not share security tools or security services.

Determine whether this statement is true or false

False

The following tools are available for conducting thorough system security audits.

A Role maintenance tool B System audit log C CCMS security alert D System trace tools

E Users and Authorizations information systems F All of the above

Answer: F

The Audit Information System is intended for

external audits only. False

All of the menu roles for the Audit Information System start with . The authorization roles start with .

(2)

Configuring the Audit Information System requires

downloading a specific support package. False

To use the Audit Information System, you must use

transaction SECR. Answer: False

The instance parameters that relate to the audit log include rsau parameters?

Answer: True

The security audit log only logs user connections made by RFC connections.

False

Which of the following are benefits of creating a custom t-code to link SE16 to a specific table?

A You no longer need to grant access to transaction code SE16. B With your custom transaction code, you can look at any table. C With your custom transaction code, you can look only at the table specified in the transaction code.

D Custom transaction codes can be easily created, without requiring any programming.

(3)

determine if security is administered centrally or regionally? A S_USER_GRP B S_TCD_GRP C S_USER_AGR D S_USER_ADD Answer: A, C

Which of the authorization objects protect transaction code execution?

A S_TCODE B P_TCODE C Q_TCODE D X_TCODE

Answer: A, B, C

SAP recommends that each custom report and each custom program be linked to a custom transaction code.

Answer: True

S_PROGRAM is an authorization object that protects program execution.

Answer: True

is a program that assigns

(4)

You should be careful with the authorization object because it can enable someone to enter DEBUG mode in production.

Answer: S_DEVELOP

Once a user is changed, there is no way to see who changed the user.

Answer: False

The Authorization Group field is used only for protecting reports and tables.

Answer: False

Which of the following are logs that exist in an SAP system? (More than one answer is correct).

A Webflowlogs B Application logs C Change documents logs

D User and authorization change logs E None of the above

Answer: A, B, C, D

SU24 must be set up before implementing any roles. Determine whether this statement is true or false

(5)

SU24 requires programming changes to make the default values occur.

Answer: False

The following logon parameters can be used to ensure your system is adequately secured.

A logon/fails_to_user_lock B logon/min_password_specials C logon/min_password_diff D logon/named_super_user

Answer: A, B, C

SAP recommends that you separate your

system from your system. Answer: Devlopment – Production

Which of the following are security advantages to a three-tier landscape?

A Ensure changes occur only on development system. B Ensure changes occur only on your production system. C Developers do not have access to production data. D You control when changes are moved into production. E You can test changes in a QA system.

Answer: A, C, D, E

What type of approval does SAP recommend before

moving changes into production? SAP QA approval procedure that formalize the approval and review workflow

(6)

SAP recommends a three-tier system landscape including development, quality assurance, and production.

Answer: True

Client change options should always be set to No changes allowed.

Answer: False

SAP does not provide a QA approval procedure for changes being moved into production.

Answer: False

The user ID used in the RFC destination should be a dialog user.

Answer: False

Authorization object is used to protect

(7)

6 aspects that might be considered in a security policy

User authentication (Password rules, Monitoring) Authorization protection

Auditing and logging (AIS, Security audit log, …) Integrity protection

Privacy protection

Proof of obligation (non-repudiation)

7 questions that a security policy should address?

Who is responsible for your IT security? What needs to be protected?

Who is attacking? What is the risk?

Which protection mechanisms are required? Which procedures are to be enforced? How much protection can you afford?

6 tools available to help provide answers to the questions that arise during a system security audit:

Audit Information System

Authorization Information System System Audit Log

Computer Center Management System Alerts Trace tools

Role maintenance tool (PFCG)

What are the 3 major components of the Role maintenance tool (PFCG)?

menu

authorizations users

What are the 2 types of roles implementation strategy?

Menu roles Authorization roles

(8)

What are the 2 major categories of the AIS

- system audit (general system, users and authorizations, repository and tables)

- business audit (accounting, customer, vendors, asset, tax)

What was the transaction used by SAP in the past to access the AIS

In the past, the Audit Information System existed in a single transaction code, SECR

What are the two major groups of SAP Standards roles defined for the Audit Information System

Menu roles (SAP_AUDITOR*) (only menu items; no authorizations)

Authorization roles (SAP_CA_AUDITOR*) (only authorizations, no menu items listed)

What is the SAP standard composite menu and authorization Role which contains every role in the AIS?

The menu roles: SAP_AUDITOR

The authorization roles: SAP_CA_AUDITOR

What are the 4 steps required to set-up the AIS

Copy the SAP roles to your own naming convention Update the roles (as needed)

Create a user for the auditor

(9)

Which SAP Standard role allow you to set-up the

AIS? SAP_AUDITOR_ADMIN

What is the audit log’s main objective? (3 points)

Security-related changes to the SAP system (changes

to user master records)

Higher level of transparency (successful and

unsuccessful logon attempts)

Enables the reconstruction of a series of events

(successful or unsuccessful transaction starts)

Which 7 information types can be recorded with the Security audit log?

Successful and unsuccessful dialog logon attempts Successful and unsuccessful RFC logon attempts Remote function calls (RFCs) to function modules Successful and unsuccessful transaction starts Successful and unsuccessful report starts Changes to user master records

Changes to the audit configuration

SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Which transaction is used in order to archive or delete the audit files?

SM18

How do you define the audit file name and location? You define the name and location of the files in a profile parameter, rsau/local/file.

(10)

What are the information (9) contained in an audit record

Event identifier (a three-character code) SAP user ID and client

Terminal name, Transaction code

Report name, Time and date when the event occurred Process ID, Session number

Miscellaneous information

How do you define the maximal size of the audit file?

You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default value is 1 megabyte (MB) or 1000000bytes

What happened if the maximal size of the audit file is reached?

If the maximum size is reached, the auditing process stops.

What are the 4 major filters available for the security audit log?

Client, User,

Audit class: Dialog logon, RFC/CPIC logon, Remote

function call (RFC), Transaction start, Report start, User master change

Weight of events to audit: Audit only critical, Audit

important and critical, Audit all events (non-critical)

What are the 2 main options to create and save audit filters?

Create and save filters permanently in the database (all the application servers use identical filters, define filters only once, you must restart the instance, define different profiles that you can alternatively activate)

Change filters dynamically (changes distributed to all active application servers, do not have to restart the instance, not saved for reuse after system stops/starts)

(11)

What are the profile parameters that you need to specify in order to create and save filters

permanently in the database?

rsau/enable: enable the SAL rsau/local/file: file location

rsau/max_diskspace/local: max space to allocate rsau/selection_slots: number of filter to allow

What are the profile parameters that you need to specify in order to change filters dynamically on one or more application servers?

rsau/local/file: file location

rsau/max_diskspace/local: max space to allocate rsau/selection_slots: number of filter to allow

With which transaction can you assess the security

audit log? SM20 or SM20n

What are the four main sections of the audit analysis report?

Introductory information Audit data

Statistical analysis Contents

What are the 4 main functions of the Computing Center Management System (CCMS) monitor?

Performs detailed monitoring

Creates alerts and displays them with colour values

Provides analysis and auto-reaction methods (sms, emails with threshold )

Allows you to view current alerts and the history of alerts

(12)

What is the transaction to access the CCMS alert

monitor RZ20

What are the 5 majors authorisation objects used to protect which transaction codes a user can access and for which product are they meant to be?

S_TCODE used in every SAP system for every module P_TCODE used for Human Resources

Q_TCODE used for Quality Maintenance I_TCODE used for Plant Maintenance L_TCODE used for Warehouse Management

Which authorithation object determines what table someone can look at with the transactions SE16, SE16N, or SE17; SM30 or SM31; and SE12

S_TABU_DIS is checked anytime someone looks at

data in a table directly (with one of these transactions: SE16/SE16N, SE17, SM30, SM31. or the

Implementation Guide).

Which transaction should be used when access to a table and why?

When access is required, use transaction code SM30 because an interface exist and no direct access to the table.

What are the 2 fields of the authorization object S_TABU_DIS

Activity and Authorization Group. The Authorization

Group field is mapped to which tables a user can access.

(13)

Which table maps the Authorization Group to a list

of tables? TDDAT

Which authorization object control the authorization

to execute a program the authorization object S_PROGRAM

Which fields use the authorization object S_PROGRAM

User Action: start the program or schedule it to run in

batch mode or if you use variants.

Authorization Group: which programs you can

execute.

What should be set up in order for the authorization object S_PROGRAM to be effective?

For this authorization object to be effective, ABAP programs must have an authorization group assigned to them in the attributes of the program.

What program allows you to assign an authorization group to all executable programs or to individual programs or program group?

(14)

What are the accesses required in order to run transaction SA38?

Authorization object: S_PROGRAM User action: SUBMIT

Authorization group: No value required

2 options to secure the use of SA38

- Include an Authorization Group on the program

for all custom reports/programs developed. Use

report RSCSAUTH to assign Authorization Group

values to programs/reports

- Request all custom reports/programs to include at least one AUTHORITY-CHECK inside the code.

For what is the Authorization Group field used?

Check access to tables Check access to program

Used in varying ways throughout SAP applications, like e.g. FS00

Which authorizations object do you use to grant access to all ABAP Workbench components

S_DEVELOP is the general authorization object for

ABAP Workbench objects

6 ABAP Workbench components that are protected with S_DEVELOP

ABAP development tools

ABAP Dictionary and Data Modeler Screen Painter and Menu Painter Function Builder

Repository Browser and Info System SAP Smart Forms

(15)

What are the 6 types of logs?

Application logging

Logging workflow execution / webflow Logging using change documents Logging changes to table data

Logging changes made using transport system Logging changes made to user and authorization

Which transactions are used to maintain and analyze the application log?

SLG1, display

SLG0, define entries for your own application

What does the application log trace?

The log traces application events and tasks, and reports on their activity (for example, transfer of data from SAP R/3 to SAP APO).

Which activities are logged in the webflow log? The webflow log (or workflow log) includes all activities that have occurred due to workflows executing.

Which transactions allow you to analyze the

(16)

What is the transaction to view the change

document for an object SCDO

What is the structure of the change document?

Change document header

Change document item (old and new values of a field) - U(pdate) . Data was changed.

- I(nsert)

- D(elete) . Data was deleted Change document number

What are for example the transactions to review change documents for MM and SD?

MM04 for material changes and VD04 for customer changes.

Each application has its own transaction to review change documents

Which transaction displays the table change log? SCU3

(17)

What is the configuration required in order to use the table change log?

rec/client parameter: = ALL (logs all clients), = 000 [,...]

(logs the specified clients), = OFF (turns logging off). In the technical settings (use transaction SE13, SE12), set the Log data changes flag for those tables that you want to have logged.

What does the transport system log record? A transport system log monitors all changes that are migrated from development to production.

Which transactions allow you to view the transport

system log? SE09 and SE10

What does the user and authorization log records? User and authorization logs record all changes that occur to users, authorizations, and profiles.

Which transaction allows you to read the HR Reports logs in order to see each time the report is started?

(18)

3 situations where the security administrator might want to use the transaction SU24 (maintain tables that assign which authorization objects go with which transaction codes)?

Correct authorization objects that are not linked to

transaction codes correctly

Correct authorization objects that have unacceptable

default values

Change default values to ones that will always be

appropriate

How to find out who made a change with the transaction su24?

1. Start transaction SE16.

2. Enter USOTB_C in the Table Name field.

3. Use values in the Modifier, ModDate, and ModTime fields

What are the 4 check indicators? CM = Check/Maintain

C = Check N = No Check U = Unmaintained.

What are the properties of the check indicator CM =

Check/Maintain

Authorization check is carried out against this object. PFCG creates an authorization for this object

Field values are displayed for changing.

Default values for this authorization can be maintained.

What are the properties of the check indicator C =

Check

Authorization check is carried out against this object. PFCG does not create an authorization for this object. Field values are not displayed.

No default values for this authorization can be maintained.

(19)

What are the properties of the check indicator N =

No Check

Authorization check against this object is disabled. PFCG does not create an authorization for this object. Field values are not displayed.

No default values for this authorization can be maintained.

What are the property of the check indicator U =

Unmaintained

No check indicator is set.

Authorization check is always carried out against this object.

PFCG does not create an authorization for this object, Field values are not displayed.

Can the checked for the authorization objects from the Basis (S*) and HR management (P_*, PLOG*) be changed?

Authorization objects from the basis (S*) and Human Resources management applications (P_*, PLOG) cannot be excluded from checking because the field values for these objects must always get checked.

What are the 10 components of the User information system (SUIM)?

Overview of Users, Users, Roles, Profiles Authorizations, Authorization object Transactions

Comparisons (of users)

Where-Used list (for authorization)

Change documents (for users, auth and profiles)

What is the difference between centralized and decentralized security administration?

In a centralized security environment, one group is responsible for all security tasks: creating users, creating roles, and assigning roles to users.

In a decentralized security environment, multiple groups work on security (physical location, based on division, based on product line, or based on company code).

(20)

What are the 3 different administrator types in a decentralized security administration?

User administrator (create user, assign roles) Authorization administrator (create roles) Profile administrator (generate role).

Which authorization object is provided to create and maintain users and assignments in a decentralized fashion with user groups?

S_USER_GRP

Which authorization object helps you to enforce the role naming convention in restricting the allowed roles names?

S_USER_AGR

Which authorization object ensure that the

decentralized admin only add authorized t-codes to

roles S_USER_TCD

Which authorization object can be used to ensure the security administrator only add value for a

(21)

Which authorization enforces that one person can create the menu portion of the role, but someone else updates the authorizations?

S_USER_AUT

Which authorization object enforces that one person can create the role, but another person must

generate the role?

S_USER_PRO

What is the transaction for the system trace tool? ST01

What are the 2 special users defined in client 000?

SAP* DIDIC

How can you deactivate the user SAP*?

Define the profile parameter

logon/no_automatic_user_sapstar, with the value 0 Create a user master record for SAP*

Give this user no roles or profiles. Give him a new password

(22)

In which client is the user Earlywatch delivered? Earlywatch is delivered in the client 066

What is the default password of the special user

EarlyWatch? SUPPORT

How can you prohibit the use of certain passwords?

To prohibit the use of a password, enter it in table USR40. There are two wildcard characters:

? stands for a single character

* stands for a sequence of any combination

characters of any length

Which transaction allows you to maintain the profile

parameters? RZ11

What are the 5 profiles parameters that enforce the minimum requirement that a password must fulfil?

logon/min_password_lng: min length

logon/min_password_digits: min number of digits logon/min_password_letters: min number of letters logon/min_password_specials: min number of special

characters

logon/min_password_diff: how many characters in the

(23)

What are the 3 profiles parameters that enforce the validity period of a password?

logon/password_expiration_time

logon/password_max_new_valid: Validity period of

passwords for newly created users

logon/password_max_reset_valid: Defines the validity

period of reset passwords

What are the 3 profile parameters that enforce the multi logon for a user?

logon/disable_multi_gui_logon: Controls the

deactivation of multiple dialog logons

logon/disable_multi_rfc_logon: Controls the

deactivation of multiple RFC logons

logon/multi_logon_users: List of excepted users

(multiple logon)

What are the 3 profile parameters that enforce the number of unsuccessful logon attempts?

logon/fails_to_session_end: number of unsuccessful

logon attempts before the system does not allow any more logon attempts

logon/fails_to_user_lock: number of unsuccessful

logon attempts before the system locks the user.

logon/failed_user_auto_unlock: Defines whether user

locks due to unsuccessful logon attempts should be automatically removed at midnight

Which 2 profile parameter controls the deactivation of password-based logon for users or for groups?

logon/disable_password_logon logon/password_logon_usergroup

Which profile parameter specifies the default client that is automatically filled in on the system logon screen?

(24)

Which profile parameter specifies the exactness of

the logon timestamp? logon/update_logon_timestamp

Which profile parameters specifies the number of seconds until an inactive user is automatically logged out?

rdisp/gui_auto_logout

6 security advantages that a three-tier system landscape can offer?

Changes take place in only one location

Developers do not have access to production data.

Test in a QA system before they take effect in prod. Control the point in time when changes take effect Reduce accidental or unauthorized changes Keep a record of changes for auditing purposes

Which transaction allows you to see if the TMS Quality Assurance approval procedure has been set up?

STMS

What are the 3 standards approval steps and their authorization object, value and default value?

By request owner Default: inactive. Values of

S_CTS_ADMI: CTS_ADMFCT Value: TADM and TQAS

By user department. Inactive. Values of S_CTS_ADMI:

CTS_ADMFCT Value: QTEA or TADM and TQAS

By system administrator. Default: inactive. Values of

(25)

Which transaction allows you to approve a transport

request? STMS

At which level is it possible to enforce the changes? System and client level

What defines the transport routes?

Transport routes define where changes are made, and how the changes migrate through the system landscape after they have been released.

In which transaction can you release the change

request to transport? SE09 or SE10

What are the 5 steps of a transport

1. Release the change request 2. Review the log files

3. Import the SAP system objects into the target system. 4. Review the log files created by the Workbench Organizer.

(26)

4 roles and responsibilities in the transport process

Team members: Releasing their own

Project leader: Verifying the contents of a change

request prior to release

Transport administrator: Execute the transport tasks Quality Assurance (QA) team: tests the entire

functionality and integration

3 security checks to consider before the development work are moved to production?

- Link custom programs to custom transaction codes - Include AUTHORITY-CHECK statements for all programs

- Ensure proper controls are in place if this custom program (or function module) accesses critical tables

What are the authorization object and their fields that allow you to work with transport?

S_TRANSPRT is the authorization object for the

Transport Organizer. Fields: Activity, Request type

CUST: Customizing requests

DTRA: Workbench requests TASK: Tasks (repair or correction …

Which authorization object and its field enforce the administration function in the change and transport system?

S_CTS_ADMI, field: CTS_ADMFCT

TABL: Maintain transport routes, call certain tools INIT: Set system change option

IMPA: Import all transport requests IMPS: Import individual requests TADD: Perform an “add to buffer”

…

What are the predefined authorizations in SAP systems that apply to the 5 various roles for the transport process?

Quality Assurance (QA) team: not defined

Administrator (transport super user): S_CTS_ALL Project leader: S_CTS_PROJEC

Team members and developers: S_CTS_DEVELO End users: S_CTS_SHOW

(27)

What is the table for maintaining system clients? T000

What do the values of the table TMSTCRI prevent?

You can protect certain objects from being changed by imports by defining a set of security-critical objects in table TMSTCRI. You are then warned of changes to these objects in transport requests.

What are the four primary authorization objects used in background processing?

S_BTCH_JOB: Job Operations, Values DELE, RELE (release), SHOW, PROT (Display job logs)

S_BTCH_NAM: protects what user IDs can execute S_BTCH_ADM: Value Y for the Background admin S_RZL_ADM: Field Name, 01 (Create), 03 (Display) if the background job executes an external cmd.

What are the transactions to create and monitor background jobs?

SM36: create background jobs. SM37: monitor background jobs.

4 reasons to use specific System user IDs for background jobs

User ID is stable; the user never changes jobs The password does not have to be reset. No one can log on

Facilitates security administration and maintenance of background schedule.

(28)

Which authorizations are needed to allow a user to have a look only at their spool request?

Give them S_TCODE with SM37 and SP02

No other authorization objects are required to view spool

Which SAP standard roles gives access required to

administer background jobs SAP_BC_BATCH_ADMIN

What 3 kind of job steps can be executed when creating a background job?

ABAP program

External command: from the operating system are executed from SAP

External program: at the operating system (Ex: file read)

Which 2 authorizations are needed in order to create background job with external program job steps?

You must have activity 01 for the authorization object S_RZL_ADM (maintain) and access to S_LOG_COM (execute)

Which authorization object define which printers you

(29)

Which authorization object enforce actions you can take with spool requests (Admin) and enforce access to a spool request that does not belong to you?

S_SPO_ACT

Which authorization object enforces administering the spool system (Admin)? Values SP01, SP0R, SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD, SPTR

S_ADMI_FCD

Which authorization object limit the number of pages

a user can print to a specific printer? S_SPO_PAGE

What is the SAP standard role for spool

administration? SAP_BC_SPOOL_ADMIN

4 examples of external commands executed within SAP?

- Database backup tools such as brbackup - Operating system environment commands

- List directories and space available at the operating system

(30)

What are the 3 ways to execute external commands?

- External commands can be executed either with - Transaction SM49 (SM69 to create)

- ABAP programs

- In background job steps

How is the external command defined in the SAP system?

An external command is an alias defined in the SAP system that represents an operating system command.

What are the authorizations needed to create and maintain an external command?

SM69,

S_RZL_ADM with the value 01,03(Activity field)

What are the 3 different fields of the S_LOG_COM authorization object?

Command (name of external command) Opsystem (operating system for the command) Host (symbolic host name of target system)

What are the 2 ways in use to download lists?

Standard list download

Application-specific implementations for downloading (Excel for ex)

(31)

Which authorization object protects the standard list

download? S_GUI

Which authorization objects protect the file access?

Authorizations object S_DATASET. The minimum activities required are 33 (normal file read) and A6 (read file with filter).

What are the 2 user types that should be used for RFC communication?

User IDs in RFC destinations should be set up as

communication or system users:

Æsomeone cannot log on with the userID Æthe passwords normally do not expire

Which transaction lists each RFC destination and

the user involved? RSRFCCHK

Which authorization object is checked when a user

(32)

What are the 3 fields of the authorization object S_RFC?

- Type of RFC object to be protected - Name of RFC to be protected - Activity

Which profile parameter can you use in order to

specify the use of S_RFC? auth/rfc_authority_check

How is the authentication done when an RFC destination has no user Id provided and the current user field is selected?

When this RFC destination is invoked, the user ID that will be used is the ID of the person who invoked this RFC destination.

What are the values possibilities for the profile parameter auth/rfc_authority_check?

0 = No authorization check

1 = Authorization check active (no check for same user, no check for same user context and SRFC-FUGR). 2 = Authorization check active (no check for SRFC-FUGR)

9 = Authorization check active (SRFC-FUGR checked)

What is the default Communication RFC user set up

(33)

How is the system called to set up a trusted relationship and allow user logging based on this trusted relationship for transport?

TMS Trusted Services

Which authorization object gives access to many