Академический Документы
Профессиональный Документы
Культура Документы
com
What is Central User Administration used for?
A To administer password for SAP users centrally
B To maintain printer landscapes centrally
Answer: C
C To administer user master records centrally
D To create authorization profiles centrally
Persons: Important employees leaving the company,
dissatisfied or inexperienced employees. Hackers with
criminal intent.
What are the 3 main sources of risks? Technology: Processing errors (caused by applications or
operating systems), viruses, power supply interruption and
hardware failure.
Environment: Fire, flood, dust, earthquakes.
Organizational Measures: Training, internal security policy,
procedures, roles, responsibilities.
Measure for each source of risk. (Person, Technology, Technical Measures: Inclusion of electronics for checks
Environment) (routers). Access authorizations for systems and data.
Environmental measures protect physical system
components against natural sources of danger.
System Access Control
‐ Users must identify themselves in the system
‐ Configuration of system access control (such as pwd rules)
What is the difference between System Access Control and Access Control
Role based Access control? ‐ Access rights for functions and data granted explicitly using
authorization
‐ Authorization checks for Transaction/reports checks,
Program execution
Role Menu: Transaction, Reports, Weblinks combined in a
Menu
What are the 3 main components of a SAP role? Authorization: Access right for business function and data
User: Assignation User – Role necessary. With profile
generator or with SU01
1
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Report that display all the role templates that are supplied by
RSUSR070
SAP
Project preparation: inclusion of all decision maker
Business blueprint: requirement determination
What are the 5 steps of the ASAP Methodology? Implementation: configuration and fine tuning
Final preparation: testing and training
Go live and support: start of production
Preparation: Set up a team, define communication process
Analysis and Conception: analyze process and determine
What are the 5 steps of the authorization concept role framework
conception? Implementation: Creation of roles
Quality assurance and Tests: positive and negative testing
Cutover: production start
Authorization object class: grouping of authorization object
Authorization object: group 1 to 10 authorization fields
Authorization field: smallest unit checked
What are the main components of the authorization Authorization: Instance of an authorization object
concept? Authorization profile: Group of instances (authorization)
Role: SAP user activities description, allow automatic
generation of profile
User: log to SAP with specific access
Authorization and authorization profiles: Do not start with
Y, Z, must not contain an underscore in the second position
How should be the naming convention for new
developments?
Authorization classes, object, fields are development object
and must start with Y and Z
2
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Table for all possible activities TACT
Step 1: Check if the user is authorized to start the
What are the 2 checks executed after a transaction start to transaction
ensure that the user has the appropriate authorization? Step 2: Check if an authorization object is assigned to the
transaction code
Table for transaction code / authorization object assignment TSTCA
ABAP object used to check the authorization object assigned
Authority‐check
to the transaction
0: The user has the authorization for the object and the fields
value
4: The user has the authorization for the object, but not for
Return codes after the authorization check with the ABAP
filed value
object authority‐check
12: The user has no authorization
16: No profile is entered in the user master record
3
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Authorization object that defines the user groups for which
an administrator has authorization and the activities that are S_USER_GRP
allowed
Authorization that defines the authorization object name
and the authorization name for which an administrator has
S_USER_AUTH
authorization and the activities that are allowed.
Authorization Profile that defines the profile names for
which an administrator has authorization and the activities S_USER_PRO
that are allowed
Authorization that defines the roles names for which an
administrator is authorized and the activities that are S_USER_AGR
allowed
Authorization that defines the transactions that an
administrator may include in a role. S_USER_TCD
4
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Authorization that defines which field values an
administrator may enter in roles for which authorization
S_USER_VAL
object and which fields.
Authorization that define which system a user administrator
S_USER_SYS
can access from the CUA
On the Address tab page: Last name field
Mandatory fields needed to create user master‐data
On the logon data tab page: Initial password
Dialog: For interactive user
System: For background processing and communication
within a System. No dialog possible, no change of password
Communication: For dialog‐free communication between
User type possible for user master data
systems. No dialog possible, no a change of password
Service: Dialog user available to anonymous group of users
Reference: For general, non‐person‐related users that allows
the assignment of additional, identical authorizations
Transaction for user mass changes SU10
5
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Basic maintenance (menus, profiles, and other objects)
Which are the two different maintenance views of the
Complete view (Organizational Management and workflow)
profile generator PFCG?
1. Define role name
2. Determine activities
3. Design user menus
4. Maintain authorization data
PFCG, which are the 7 activities to create a role?
5. Generate authorization profile
6. Assign users
7. User master record comparison
Selection criteria: authorizations grouped by object class.
Manual input: enter directly the name of the authorization,
5 Options available when manually inserting a new
if known
authorization?
Full authorization: fills all authorizations with the value*
PFCG ‐> Authorization tab ‐> Edit ‐> Insert authorization.
From profile: use authorizations from individual profiles
From template: use the SAP authorization templates
Yes, profile can only contain a certain number of
authorizations. It is therefore possible that one role has
Can a role have several profile generated?
several profiles. You can recognize these profiles from the
fact that their names are identical for the first 10 characters
1. As a background job: report pfcg_time_dependency
What are the 2 ways to assign roles to users for a limited
2. With the transaction PFUD (User master record
period of time with a user comparison?
reconciliation)
6
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
During a user comparison, generated profiles are removed
Why should a generated profile never be entered directly from the user masters if they are not among the roles that
into the user master record (SU01)? are assigned to the user.
Customizing role: assign project or project view of the IMG
Composite role: group of roles
Derived role: menu identical but authorization different,
What are the 4 different types of roles? mainly organizational unit
Composite role: group of roles
Normal role
+ One work center
+ One composite role
+ One assignment
What are the pro and cons of composite roles?
+ One central menu
‐ They do not have any authorization data themselves
No.
For reasons of clarity, it does not make sense and is
Is it possible to add composite roles to composite roles?
therefore not possible to add composite roles to composite
roles
Re import: discard your settings and restructure the menu
Merge: Creates a delta between the actual situation and the
Composite role: What are the 2 possibilities if the composite situation as it ought to be. The delta describes the changes
role has been modified and you click on the refresh button? set:
‐ Reduction: transactions that no longer appears
‐ Extension: transaction which now additionally appear
7
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Derived roles: is the user assignment inherited? No, The user assignments are not inherited
1. Comparison from the imparting role (“Generate Derived
Derived roles: 2 ways to perform the comparison between role” button)
the roles? 2. Comparison from the derived role (“Transfer Data”
button)
No, The inherited menus cannot be changed in the derived
Derived roles: Can the inherited roles be changed?
roles
Green: All fields below this level have been filled with values
Yellow: There is at least one field (but no organizational
levels) below this level for which no data has been proposed
What is the meaning of the traffic lights Icons for the
or entered
authorization maintenance?
Red: There is at least one organizational level field below
this level for which no value has been maintained.
Standard: Unchanged from the SAP defaults.
Maintained: At least one field in the subordinate levels of
the hierarchy was empty by default and has since been filled
Changed: The proposed value for at least one field in the
What are the 4 status texts about authorizations
subordinate levels of the hierarchy has been changed from
maintenance?
the SAP default value.
Manual: You maintained at least one authorization in the
subordinate hierarchy levels manually
8
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Old: The comparison found that all field values in the
subordinate levels of the hierarchy are still current and that
no new authorizations have been added.
What are the 2 status texts about authorizations after a
New: The comparison found that at least one new
comparison?
authorization has been added to the subordinate levels of
the hierarchy. If you now click “New”, all new authorizations
in the subordinate levels are expanded.
1. Profile parameter auth/no_check_in_some_cases has the
value Y
What are the 2 required steps necessary for operating the 2. The default tables USOBX_C and USOBT_C are filled
profile generator? which control the behavior of the Profile Generator when a
transaction is selected in a role.
Transaction code to maintain profile parameters? RZ11
Which 2 tables control the behavior of the Profile Generator
USOBX_C and USOBT_C
after the transaction has been selected?
Which table defines which authorization checks are to be
USOBX
performed with a transaction and which not?
9
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Which table defines for each transaction and for each
authorization object which default values an authorization
USOBT
created from the authorization object should have in the
Profile Generator?
Which transactions copies the SAP default table USOBX and
SU25
USOBT to the custom tables USOBX_C and USOBX_T?
Which transactions maintain the custom tables USOBX_C
SU24
and USOBX_T?
Check indicators determine if an authorization check will
What determine check indicators for transactions?
run within the transaction or not
N: No check. This indicator cannot be set for HR and Basis
authorization objects.
U: Unmaintained: A check is performed against the
corresponding authorization object in this transaction.
What are the 4 supported check indicators for transactions? C: Check: Maintenance in the Profile Generator is not
supported.
CM: Check/Maintain: For objects with this check indicator,
you can display and change the defaults of PFCG
10
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Migrate the report tree
Check the Profile Generation activation
What are the 4 activities required for an upgrade of the
Upgrade the roles and default tables (su25)
Profile Generator?
Conversion of manually created profiles to roles if
necessary (su25)
Source release did not use PFCG (it might have to be
activated)
Regardless of the release status, after an upgrade you will Source release used PFCG (This means that tables USOBT_C
have 2 possible statuses? What are they? and USOBX_C have to be updated as well as the existing
roles)
SAP_NEW
The SAP_NEW profile guarantees backward compatibility of
Which profile contains authorization for all new checks in
the authorizations if a new release or an update or
existing transaction?
authorization checks introduces checks for previously
unprotected functions.
System profile parameters
Which are the 2 ways to control the choice of user
passwords?
Invalid passwords can be entered in the table USR40
? denotes a single character
How entries in the Table USR40 (Invalid passwords) can be
* denotes a character string
made generically?
11
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Profile parameter: minimum length of the logon password login/min_password_lng
Profile parameter: Number of incorrect logon attempts
allowed with a user master record before the logon
login/fails_to_session_end
procedure is terminated
Profile parameter: Number of incorrect logon attempts
allowed with a user master record before the user master
login/fails_to_user_lock
record is locked. The lock is removed at midnight
Profile parameter: If the parameter is set to 1 (default), user
locks caused by incorrect logons during previous days are not
taken into consideration. If the value is set to 0, the lock is login/failed_user_auto_unlock
not removed
Profile parameter: The value 0 means that the user is not
forced to change the password. A value > 0 specifies the
number of days after which the user must change the logon login/password_expiration_time
password
12
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Profile parameter: If this parameter is set to value 1, the
system blocks multiple SAP dialog logons (in the same client login/disable_multi_gui_login
and with the same user name)
Profile parameter: list containing the users who may log
login/multi_login_users
onto the system more than once is stored
Which is the only user in the SAP system for which no user
SAP*
master record is required (since it is defined in the code)?
What is the default password of the user SAP*? PASS
What is the default password of the user master record SAP*
06071992
after the installation of the client 000?
13
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
set the system profile parameter
How can you deactivate the special properties of SAP*? login/no_automatic_user_sapstar to a value greater than
zero
Which special user is responsible for maintaining the ABAP
DDIC
Dictionary and the software logistics in the client 000?
Which special user is delivered in the client 066? EarlyWatch
What is the standard password of the user EarlyWatch? SUPPORT
Which authorization object checks the objects of an area
menu, since a transaction code is assigned to each S_TCODE
executables menu entry?
14
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
No,
Are transactions called indirectly with the ABAP statement
If a transaction is called indirectly; that is, from another
CALL_TRANSACTION checked?
transaction, no authorization check is performed
How to ensure that the indirectly called transaction with the Use transaction SE97 to set the check indicator check in
ABAP statement CALL_TRANSACTION is subject to an tables TCDCOUPLES for the entry of the pair of calling and
authorization check? called transactions
S_TABU_DIS
Which authorization object defines which table contents The authorization object S_TABU_DIS controls only
may be maintained by which employees? complete accesses, which are made using standard table
maintenance
DICBERCLS: Authorization group for ABAP Dictionary objects
(only tables/views assigned to authorization group “V*”
Of which fields consist the authorization S_TABU_DIS? (DICBERCLS=V*) may be maintained.)
ACTVT: Activity (02, 03)
In which table is the assignment between the groups and the
TDDAT
ABAP dictionary objects (tables)?
15
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Which authorization object grants authorization to maintain
cross‐client tables with the standard table maintenance S_TABU_CLI
transaction?
CLIIDMAINT
If the identifier X or * is set, cross‐client tables can be
Which field has the authorization object S_TABU_CLI?
maintained.
Which authorization object restricts a user’s access rights to
S_TABU_LIN
specific parts of a table?
Activity: 02 Add, change, delete, 03, only delete
Organizational criterion: Table key fields/row authorization,
such as organizational criteria
Which fields has the authorization object S_TABU_LIN? Attribute for organizational criterion: 1 to 8 attributes for
the organizational criterion, each attribute for a certain table
key field
Which authorization object check program (reports) use? S_PROGRAM
16
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Starting a program (SUBMIT)
What activities can be assigned to the authorization object Scheduling a program as a background job (BTCSUBMIT)
S_PROGRAMM? Variant maintenance (VARIANT)
Sharing the administrative tasks (user admin and
authorization admin, role maintenance, profile generation)
What is the principle of Treble control?
amongst three administrators is called the principle of treble
control
Technically, decentralization is implemented by grouping
users to form user groups. Each decentralized user
How is decentralized User Administration technically
administrator may only administer the users assigned to the
implemented?
user group for which he or she is responsible. Object
S_USER_GRP
User administrator
Which are the 3 different roles in decentralized User
Authorization data administrator
Administration?
Authorization profile administrator
With the authorization error analysis and transaction code
Which are the 2 ways in which we can determine the
SU53
required authorization, if we can not find documentation?
With the authorization trace ST01
17
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Which transaction show which authorizations are currently in
the user buffer?
SU56
External auditing
Internal auditing
For what is the Audit Information System (AIS) a checking
System checks
tool?
Data protection
System auditing functions
What are the 2 main components of the AIS reporting tree? Business auditing functions
You should not immediately implement a result of a trace or
of transaction SU53 as new roles or profiles. First analyze the
What should you do before implementing a result of a trace system for existing settings. The Information System and
(ST01) or of transaction SU53? the Audit Info System are available to the administrator for
this purpose.
What is the transaction for the User Information system? SUIM
18
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
User master records
Roles
Which authorization component can be transported? Authorization profiles
Check indicators
What is the transaction for local client copy? SCCL
SCC8 (exchanges of data with a data export at operating
system level)
What is the transaction for client copy between systems?
SCC9 (In a remote client copy, the data is copied over the
network and not as a file)
Only the complete user master and not individual users can
True
be copied?
After a transport of the user master record. Should a Yes,
comparison occur? Manually or with report the PFCG_Time_Dependancy
19
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
By default, authorization profiles are transported with role.
Set the PROFILE_TRANSPORT:=NO in Table PRGN_CUST
What should be set up in order to avoid it?
How can you protect the target system with an import lock The control table PRGN_CUST must contain the entry
in order to avoid transporting the user assignments to USER_REL_IMPORT:=NO.
roles?
If systems are assigned to a Central User Administration,
roles must be transported without user assignment since The control table PRGN_CUST must contain the entry
these assignments are made in and distributed from the USER_REL_IMPORT:=NO.
central system. How can you enforce it?
What is the advantage of the indirect role assignment As soon as an employee changes position, he or she also
through the organizational plan? loses the corresponding authorizations.
Organizational Unit: A functional unit in the company (Sales)
Position: staff assignments of an organizational unit (Sales
Manager Europe)
What are the different types of Organization plans objects? Job: jobs are general classifications of functions in a company
(sales manager)
Task: Description of an activity that is to be performed within
organizational units
20
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Create, transaction code: PPOCE
What are the transactions code for creating, editing and Change, transaction code: PPOME
display the organizational plan? Display, transaction code: PPOSE
The Organizational Structure window allows you to build up
and maintain the organizational structure
The Staff Assignments window allows you to identify the
What are the 3 main windows of the Organization plan
fundamental staffing details required for an org plan.
transaction?
The Task Profile window allows you to assign roles to jobs,
positions, organizational units, and holders of positions
To which object type are person assigned to in the Position
organizational plan? Holders are assigned to positions, not to jobs
Does the user assigned to a position then inherits all
Yes
authorization profiles of these roles?
No,
Roles cannot be inherited across organizational units.
Can roles be inherited across organizational unit? Positions belonging to an organizational unit cannot inherit
the roles assigned to a higher‐level organizational unit.
21
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
The Person object type is maintained in the HR master data.
Persons are employees of the company.
What is the difference between a user and a person in the
Users, on the other hand, are not necessarily employees.
System?
Users have authorizations to access the SAP system.
ALE
CUA. On which technology concept is the authorization data
ALE means Application Link Enabling and permits you to
based?
build and operate distributed SAP links
• User master record data, such as the address,
logon data, user defaults and user parameters.
• The assignment of the user to roles or profiles
• The initial password: The initial password is
What can be distributed with the CUA?
distributed to the child systems as a default. The
passwords are distributed in coded form.
• The lock status of a user
Transaction to define child and central system in the CUA SALE
CUA: How are called communication partners that are
Logical systems
addressed in the ALE scenario with aliases?
22
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
CUA: How is the communication performed between the
Using RFC (Remote Function Call)
central system and the child system at network level?
CUA: In which transaction is the technical definition of the
SM59
RFC connection maintained?
CUA: With which transaction code is the distribution model
BD64
created, maintained and distributed?
With which transaction is the Central User Administration
SCUA
centrally activated?
With which transaction can you define weather each
individual component of a user master record should be SCUM
administered in the central or locally in the child system?
23
ADM940 – SAP Security consultant certification flashcards – julien.moix@gmail.com
Global, can only be maintained in the central system.
Default, a default value automatically distributed when it is
saved can be maintained when you create a user in the
CUA: What are the 5 field attributes that can be defined for central system. After distribution, the data is only maintained
each input field of user maintenance? locally in the child systems and cannot be returned.
Redistribution, maintained in both the central and the child
Local, can only be administered locally
Everywhere, change data locally and globally (usr locks only)
SCUG
CUA: With which transaction are existing user master records
This procedure can only be performed once for each child
migrated to the central system?
system
New user: not yet contained in the CUA
CUA: As user master records are migrated, they may already
Identical user: already in the CUA
exist or are completely new, with which properties can they
Different user: already in the CUA with a different first or last
be imported?
name
Integration of company data and applications
Optimal use of open standards
Four feature of the Enterprise Portal?
Conversion of unstructured data
Provision of Enterprise Portal content for users
Core functions written in Java. A J2EE runtime environment
is required (SAP J2EE Engine).
Open architecture. SOAP, UDDI, JCA, JAAS, LDAP, X.509,
Four technical aspects of the Enterprise Portal? XML, ICE are supported
Security functions including the full support of directory
services, digital certificates, and SSL
Mobile devices are supported
24