What is Central User Administration used for? A To administer password for SAP users centrally B To maintain printer landscapes centrally C To administer user master records centrally D To create authorization profiles centrally Answer: C What are the 3 main sources of risks? Persons: Important employees leaving the company, dissatisfied or inexperienced employees. Hackers with criminal intent. Technology: Processing errors (caused by applications or operating systems), viruses, power supply interruption and hardware failure. Environment: Fire, flood, dust, earthquakes. Measure for each source of risk. (Person, Technology, Environment) Organizational Measures: Training, internal security policy, procedures, roles, responsibilities. Technical Measures: Inclusion of electronics for checks (routers). Access authorizations for systems and data. Environmental measures protect physical system components against natural sources of danger. What is the difference between System Access Control and Role based Access control? System Access Control ‐ Users must identify themselves in the system ‐ Configuration of system access control (such as pwd rules) Access Control ‐ Access rights for functions and data granted explicitly using authorization ‐ Authorization checks for Transaction/reports checks, Program execution What are the 3 main components of a SAP role? Role Menu: Transaction, Reports, Weblinks combined in a Menu Authorization: Access right for business function and data User: Assignation User – Role necessary. With profile generator or with SU01
Report that display all the role templates that are supplied by SAP RSUSR070 What are the 5 steps of the ASAP Methodology? Project preparation: inclusion of all decision maker Business blueprint: requirement determination Implementation: configuration and fine tuning Final preparation: testing and training Go live and support: start of production What are the 5 steps of the authorization concept conception? Preparation: Set up a team, define communication process Analysis and Conception: analyze process and determine role framework Implementation: Creation of roles Quality assurance and Tests: positive and negative testing Cutover: production start What are the main components of the authorization concept? Authorization object class: grouping of authorization object Authorization object: group 1 to 10 authorization fields Authorization field: smallest unit checked Authorization: Instance of an authorization object Authorization profile: Group of instances (authorization) Role: SAP user activities description, allow automatic generation of profile User: log to SAP with specific access How should be the naming convention for new developments? Authorization and authorization profiles: Do not start with Y, Z, must not contain an underscore in the second position Authorization classes, object, fields are development object and must start with Y and Z
Table for all possible activities TACT What are the 2 checks executed after a transaction start to ensure that the user has the appropriate authorization? Step 1: Check if the user is authorized to start the transaction Step 2: Check if an authorization object is assigned to the transaction code Table for transaction code / authorization object assignment TSTCA ABAP object used to check the authorization object assigned to the transaction Authority‐check Return codes after the authorization check with the ABAP object authority‐check 0: The user has the authorization for the object and the fields value 4: The user has the authorization for the object, but not for filed value 12: The user has no authorization 16: No profile is entered in the user master record
Authorization object that defines the user groups for which an administrator has authorization and the activities that are allowed S_USER_GRP Authorization that defines the authorization object name and the authorization name for which an administrator has authorization and the activities that are allowed. S_USER_AUTH Authorization Profile that defines the profile names for which an administrator has authorization and the activities that are allowed S_USER_PRO Authorization that defines the roles names for which an administrator is authorized and the activities that are allowed S_USER_AGR Authorization that defines the transactions that an administrator may include in a role. S_USER_TCD
Authorization that defines which field values an administrator may enter in roles for which authorization object and which fields. S_USER_VAL Authorization that define which system a user administrator can access from the CUA S_USER_SYS Mandatory fields needed to create user master‐data On the Address tab page: Last name field On the logon data tab page: Initial password User type possible for user master data Dialog: For interactive user System: For background processing and communication within a System. No dialog possible, no change of password Communication: For dialog‐free communication between systems. No dialog possible, no a change of password Service: Dialog user available to anonymous group of users Reference: For general, non‐person‐related users that allows the assignment of additional, identical authorizations Transaction for user mass changes SU10
Which are the two different maintenance views of the profile generator PFCG? Basic maintenance (menus, profiles, and other objects) Complete view (Organizational Management and workflow) PFCG, which are the 7 activities to create a role? 1. Define role name 2. Determine activities 3. Design user menus 4. Maintain authorization data 5. Generate authorization profile 6. Assign users 7. User master record comparison 5 Options available when manually inserting a new authorization? PFCG ‐> Authorization tab ‐> Edit ‐> Insert authorization. Selection criteria: authorizations grouped by object class. Manual input: enter directly the name of the authorization, if known Full authorization: fills all authorizations with the value* From profile: use authorizations from individual profiles From template: use the SAP authorization templates Can a role have several profile generated? Yes, profile can only contain a certain number of authorizations. It is therefore possible that one role has several profiles. You can recognize these profiles from the fact that their names are identical for the first 10 characters What are the 2 ways to assign roles to users for a limited period of time with a user comparison? 1. As a background job: report pfcg_time_dependency 2. With the transaction PFUD (User master record reconciliation)
Why should a generated profile never be entered directly into the user master record (SU01)? During a user comparison, generated profiles are removed from the user masters if they are not among the roles that are assigned to the user. What are the 4 different types of roles? Customizing role: assign project or project view of the IMG Composite role: group of roles Derived role: menu identical but authorization different, mainly organizational unit Composite role: group of roles Normal role What are the pro and cons of composite roles? + One work center + One composite role + One assignment + One central menu ‐ They do not have any authorization data themselves Is it possible to add composite roles to composite roles? No. For reasons of clarity, it does not make sense and is therefore not possible to add composite roles to composite roles Composite role: What are the 2 possibilities if the composite role has been modified and you click on the refresh button? Re import: discard your settings and restructure the menu Merge: Creates a delta between the actual situation and the situation as it ought to be. The delta describes the changes set: ‐ Reduction: transactions that no longer appears ‐ Extension: transaction which now additionally appear
Derived roles: is the user assignment inherited? No, The user assignments are not inherited Derived roles: 2 ways to perform the comparison between the roles? 1. Comparison from the imparting role (“Generate Derived role” button) 2. Comparison from the derived role (“Transfer Data” button) Derived roles: Can the inherited roles be changed? No, The inherited menus cannot be changed in the derived roles What is the meaning of the traffic lights Icons for the authorization maintenance? Green: All fields below this level have been filled with values Yellow: There is at least one field (but no organizational levels) below this level for which no data has been proposed or entered Red: There is at least one organizational level field below this level for which no value has been maintained. What are the 4 status texts about authorizations maintenance? Standard: Unchanged from the SAP defaults. Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value. Manual: You maintained at least one authorization in the subordinate hierarchy levels manually
What are the 2 status texts about authorizations after a comparison? Old: The comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added. New: The comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click “New”, all new authorizations in the subordinate levels are expanded. What are the 2 required steps necessary for operating the profile generator? 1. Profile parameter auth/no_check_in_some_cases has the value Y 2. The default tables USOBX_C and USOBT_C are filled which control the behavior of the Profile Generator when a transaction is selected in a role. Transaction code to maintain profile parameters? RZ11 Which 2 tables control the behavior of the Profile Generator after the transaction has been selected? USOBX_C and USOBT_C Which table defines which authorization checks are to be performed with a transaction and which not? USOBX
Which table defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator? USOBT Which transactions copies the SAP default table USOBX and USOBT to the custom tables USOBX_C and USOBX_T? SU25 Which transactions maintain the custom tables USOBX_C and USOBX_T? SU24 What determine check indicators for transactions? Check indicators determine if an authorization check will run within the transaction or not What are the 4 supported check indicators for transactions? N: No check. This indicator cannot be set for HR and Basis authorization objects. U: Unmaintained: A check is performed against the corresponding authorization object in this transaction. C: Check: Maintenance in the Profile Generator is not supported. CM: Check/Maintain: For objects with this check indicator, you can display and change the defaults of PFCG
What are the 4 activities required for an upgrade of the Profile Generator? Migrate the report tree Check the Profile Generation activation Upgrade the roles and default tables (su25) Conversion of manually created profiles to roles if necessary (su25) Regardless of the release status, after an upgrade you will have 2 possible statuses? What are they? Source release did not use PFCG (it might have to be activated) Source release used PFCG (This means that tables USOBT_C and USOBX_C have to be updated as well as the existing roles) Which profile contains authorization for all new checks in existing transaction? SAP_NEW The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update or authorization checks introduces checks for previously unprotected functions. Which are the 2 ways to control the choice of user passwords? System profile parameters Invalid passwords can be entered in the table USR40 How entries in the Table USR40 (Invalid passwords) can be made generically? ? denotes a single character * denotes a character string
Profile parameter: minimum length of the logon password login/min_password_lng Profile parameter: Number of incorrect logon attempts allowed with a user master record before the logon procedure is terminated login/fails_to_session_end Profile parameter: Number of incorrect logon attempts allowed with a user master record before the user master record is locked. The lock is removed at midnight login/fails_to_user_lock Profile parameter: If the parameter is set to 1 (default), user locks caused by incorrect logons during previous days are not taken into consideration. If the value is set to 0, the lock is not removed login/failed_user_auto_unlock Profile parameter: The value 0 means that the user is not forced to change the password. A value > 0 specifies the number of days after which the user must change the logon password login/password_expiration_time
Profile parameter: If this parameter is set to value 1, the system blocks multiple SAP dialog logons (in the same client and with the same user name) login/disable_multi_gui_login Profile parameter: list containing the users who may log onto the system more than once is stored login/multi_login_users Which is the only user in the SAP system for which no user master record is required (since it is defined in the code)? SAP* What is the default password of the user SAP*? PASS What is the default password of the user master record SAP* after the installation of the client 000? 06071992
How can you deactivate the special properties of SAP*? set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero Which special user is responsible for maintaining the ABAP Dictionary and the software logistics in the client 000? DDIC Which special user is delivered in the client 066? EarlyWatch What is the standard password of the user EarlyWatch? SUPPORT Which authorization object checks the objects of an area menu, since a transaction code is assigned to each executables menu entry? S_TCODE
Are transactions called indirectly with the ABAP statement CALL_TRANSACTION checked? No, If a transaction is called indirectly; that is, from another transaction, no authorization check is performed How to ensure that the indirectly called transaction with the ABAP statement CALL_TRANSACTION is subject to an authorization check? Use transaction SE97 to set the check indicator check in tables TCDCOUPLES for the entry of the pair of calling and called transactions Which authorization object defines which table contents may be maintained by which employees? S_TABU_DIS The authorization object S_TABU_DIS controls only complete accesses, which are made using standard table maintenance Of which fields consist the authorization S_TABU_DIS? DICBERCLS: Authorization group for ABAP Dictionary objects (only tables/views assigned to authorization group “V*” (DICBERCLS=V*) may be maintained.) ACTVT: Activity (02, 03) In which table is the assignment between the groups and the ABAP dictionary objects (tables)? TDDAT
Which authorization object grants authorization to maintain cross‐client tables with the standard table maintenance transaction? S_TABU_CLI Which field has the authorization object S_TABU_CLI? CLIIDMAINT If the identifier X or * is set, cross‐client tables can be maintained. Which authorization object restricts a user’s access rights to specific parts of a table? S_TABU_LIN Which fields has the authorization object S_TABU_LIN? Activity: 02 Add, change, delete, 03, only delete Organizational criterion: Table key fields/row authorization, such as organizational criteria Attribute for organizational criterion: 1 to 8 attributes for the organizational criterion, each attribute for a certain table key field Which authorization object check program (reports) use? S_PROGRAM
What activities can be assigned to the authorization object S_PROGRAMM? Starting a program (SUBMIT) Scheduling a program as a background job (BTCSUBMIT) Variant maintenance (VARIANT) What is the principle of Treble control? Sharing the administrative tasks (user admin and authorization admin, role maintenance, profile generation) amongst three administrators is called the principle of treble control How is decentralized User Administration technically implemented? Technically, decentralization is implemented by grouping users to form user groups. Each decentralized user administrator may only administer the users assigned to the user group for which he or she is responsible. Object S_USER_GRP Which are the 3 different roles in decentralized User Administration? User administrator Authorization data administrator Authorization profile administrator Which are the 2 ways in which we can determine the required authorization, if we can not find documentation? With the authorization error analysis and transaction code SU53 With the authorization trace ST01
Which transaction show which authorizations are currently in the user buffer? SU56 For what is the Audit Information System (AIS) a checking tool? External auditing Internal auditing System checks Data protection What are the 2 main components of the AIS reporting tree? System auditing functions Business auditing functions What should you do before implementing a result of a trace (ST01) or of transaction SU53? You should not immediately implement a result of a trace or of transaction SU53 as new roles or profiles. First analyze the system for existing settings. The Information System and the Audit Info System are available to the administrator for this purpose. What is the transaction for the User Information system? SUIM
Which authorization component can be transported? User master records Roles Authorization profiles Check indicators What is the transaction for local client copy? SCCL What is the transaction for client copy between systems? SCC8 (exchanges of data with a data export at operating system level) SCC9 (In a remote client copy, the data is copied over the network and not as a file) Only the complete user master and not individual users can be copied? True After a transport of the user master record. Should a comparison occur? Yes, Manually or with report the PFCG_Time_Dependancy
By default, authorization profiles are transported with role. What should be set up in order to avoid it? Set the PROFILE_TRANSPORT:=NO in Table PRGN_CUST How can you protect the target system with an import lock in order to avoid transporting the user assignments to roles? The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO. If systems are assigned to a Central User Administration, roles must be transported without user assignment since these assignments are made in and distributed from the central system. How can you enforce it? The control table PRGN_CUST must contain the entry USER_REL_IMPORT:=NO. What is the advantage of the indirect role assignment through the organizational plan? As soon as an employee changes position, he or she also loses the corresponding authorizations. What are the different types of Organization plans objects? Organizational Unit: A functional unit in the company (Sales) Position: staff assignments of an organizational unit (Sales Manager Europe) Job: jobs are general classifications of functions in a company (sales manager) Task: Description of an activity that is to be performed within organizational units
What are the transactions code for creating, editing and display the organizational plan? Create, transaction code: PPOCE Change, transaction code: PPOME Display, transaction code: PPOSE What are the 3 main windows of the Organization plan transaction? The Organizational Structure window allows you to build up and maintain the organizational structure The Staff Assignments window allows you to identify the fundamental staffing details required for an org plan. The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions To which object type are person assigned to in the organizational plan? Position Holders are assigned to positions, not to jobs Does the user assigned to a position then inherits all authorization profiles of these roles? Yes Can roles be inherited across organizational unit? No, Roles cannot be inherited across organizational units. Positions belonging to an organizational unit cannot inherit the roles assigned to a higher‐level organizational unit.
What is the difference between a user and a person in the System? The Person object type is maintained in the HR master data. Persons are employees of the company. Users, on the other hand, are not necessarily employees. Users have authorizations to access the SAP system. CUA. On which technology concept is the authorization data based? ALE ALE means Application Link Enabling and permits you to build and operate distributed SAP links What can be distributed with the CUA? • User master record data, such as the address, logon data, user defaults and user parameters. • The assignment of the user to roles or profiles • The initial password: The initial password is distributed to the child systems as a default. The passwords are distributed in coded form. • The lock status of a user Transaction to define child and central system in the CUA SALE CUA: How are called communication partners that are addressed in the ALE scenario with aliases? Logical systems
CUA: How is the communication performed between the central system and the child system at network level? Using RFC (Remote Function Call) CUA: In which transaction is the technical definition of the RFC connection maintained? SM59 CUA: With which transaction code is the distribution model created, maintained and distributed? BD64 With which transaction is the Central User Administration centrally activated? SCUA With which transaction can you define weather each individual component of a user master record should be administered in the central or locally in the child system? SCUM
CUA: What are the 5 field attributes that can be defined for each input field of user maintenance? Default, a default value automatically distributed when it is saved can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the child systems and cannot be returned. Redistribution, maintained in both the central and the child Local, can only be administered locally Everywhere, change data locally and globally (usr locks only) CUA: With which transaction are existing user master records migrated to the central system? SCUG This procedure can only be performed once for each child system CUA: As user master records are migrated, they may already exist or are completely new, with which properties can they be imported? New user: not yet contained in the CUA Identical user: already in the CUA Different user: already in the CUA with a different first or last name Four feature of the Enterprise Portal? Integration of company data and applications Optimal use of open standards Conversion of unstructured data Provision of Enterprise Portal content for users Four technical aspects of the Enterprise Portal? Core functions written in Java. A J2EE runtime environment is required (SAP J2EE Engine). Open architecture. SOAP, UDDI, JCA, JAAS, LDAP, X.509, XML, ICE are supported Security functions including the full support of directory services, digital certificates, and SSL Mobile devices are supported
