59 Replies. Latest reply: Jun 15, 2012 6:55 PM by dhinesh Subrahmanyam

Security interview questions - some fun to tickle your brain.

Julius von dem Bussche

Hello gurus,

I know that posting interview question series is not allowed if the person has not put in any effort, but I have, and folks seem to want to practice a bit sometimes, so I take the liberty of creating a central one.

Tackle one or all of them to test your knowledge.

There are no model answers.

If you want to suggest additional ones, then please contact me.

The rules

Flaming of answers is allowed.

Funny answers earn a beer (or cup of tea).

There are no points.

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

2) What is the use of transaction PFUD at midnight?

3) Is PFUD needed when saving in SU01 and does the user need to log off and on again after changes?

4) How are web services represented in authorizations of users who are not logged on?

5) How do you force a user to change their password and on which grounds would you do so?

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?

7) When an authorization check on S_BTCH_JOB fails, what happens?

8) Can you have more than one set of org-level values in one role?

9) Should RFC users have SAP_NEW and why?

10) What is an X-glueb command and where do you use it in SAP security?

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?

12) In which tables can you make customizing settings for the security administration, and name one example of such a setting which is useful but not SAP default?

13) Can you use the information in SM20N to build roles and how?

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

15) Name any one security related SAP note and explain its purpose or solution.

16) What are the two primary differences between a SAML token profile and a SAP logon ticket?

17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?

18) If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?

19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller.

20) Why should you delete the SAP_NEW profile and which transaction should you use before doing so?

To be continued...

  • Re: Security interview questions - some fun.
    Julius von dem Bussche

    Continued:

    21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?

    22) A key-user in the finance department is also an ABAP developer. What do you do?

    23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?

    24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?

    25) How do you remove a developer's access and developer keys from a system? What else would you check for?

    26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?

    27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?

    28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take.

    29) Is there a difference between transactions SE09 and SE10 and what is the use of any differences?

    30) The visibility of tabs in the Solution Manager "work centers" seems to follow its own logic for different users with the same roles, and menus in the work centers differ from user to user. The ST01 trace only shows S_GUI as being checked. How do you proceed to restore your sanity?

    31) Users can access functionality they are authorized for or even not authorized for, but they do not have any transaction code authorizations (S_TCODE) to start the tcodes which are known to perform these tasks. How do you go about analyzing the access and what are the dangers involved in removing the application authorizations of a single role if the user does not have the SAP standard transaction code anyway?

    32) You need to clean up users and authorizations in clients '001' and '066' of a production system, but have no valid user credentials for these "old" clients. The production client '100' has high availability requirements. How do you solve the problem?

     

    • Re: Security interview questions - some fun.
      Julius von dem Bussche

      Dummy post 2 for subsequent questions...

    • Re: Security interview questions - some fun.
      Arpan Paik

      Well, earning beer seems to be getting harder and harder as new question banks come in the way... But I found @23 very interesting and these could be the possible solutions from my end.

       

      guide the user/lock the user/delete the user/bomb the user/dump the user from office......so on until dump stops in his name....well HIS name as this user cannot be SHE ;-)......

       

      By the way, it's Sunday, and if my wife accidentally gets access to this post, this day will feel like a Monday in front of the boss... Bye folks...

    • Re: Security interview questions - some fun.
      Andreas Wiegenstein

      Nice questions, Julius

       

      Here are some answers:

       

      @ 22 (A key-user in the finance department is also an ABAP developer. What do you do?)

       

      a) Explain to him/her that this position requires that his/her code must be peer reviewed for security reasons. This alone will discourage most people from doing "bad things" in their code.

       

      b) Enforce this policy: Have his/her ABAP code peer-reviewed

       

      @ 23 (A new ABAP developer short dumps regularly in production while reading business data. What do you do?)

       

      If it is really the developer that short dumps, you should have him/her drug-tested

       

      If it is the application that short dumps, you should check the developer's coding for constructs like

       

      IF SY-UNAME = 'NAME_OF_THE_SHORT_DUMPER'.
      * Code that produces short dumps
      ENDIF.

       

      @ 24 (You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?)

       

      a) Define security requirements for (3rd party) business applications and secure coding guidelines for internal development (code checks without requirements will only lead to lengthy discussions)

      b) Run a static code analysis tool (that enforces your security requirements) against the custom and 3rd party applications

       

      Cheers,

      Andreas
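
The SY-UNAME construct Andreas describes is easy to catch with a static check (his point b for question 24). As an added example that is not from the post or from any SAP or Virtual Forge tool, here is a small Python scanner for hard-coded SY-UNAME comparisons in ABAP source; the sample program and its user names are constructed, and the comment handling covers only the `*` full-line and `"` inline comment forms.

```python
import re
from typing import List, Tuple

# Comparison of SY-UNAME with a quoted literal, e.g.  IF sy-uname = 'JSMITH'.
# ABAP is case-insensitive and allows =, EQ, <>, NE as comparison operators.
_UNAME_CMP = re.compile(r"\bSY-UNAME\s*(?:=|EQ|<>|NE)\s*'([^']*)'", re.IGNORECASE)


def strip_comments(line: str) -> str:
    """Return the code part of an ABAP line.

    A '*' in column 1 makes the whole line a comment; a '"' outside a
    single-quoted literal starts an inline comment that runs to end of line.
    """
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def find_uname_checks(source: str) -> List[Tuple[int, str]]:
    """Return (line number, user name literal) for every hard-coded
    SY-UNAME comparison in the given ABAP source, ignoring comments."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for m in _UNAME_CMP.finditer(strip_comments(raw)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample program (hypothetical, not taken from any real system).
SAMPLE_ABAP = """\
REPORT zfi_read_data.
* constructed sample: one branch that only runs for a named user
DATA: lv_bukrs TYPE bukrs, lv_user TYPE syuname.
IF sy-uname = 'JSMITH'.
  PERFORM risky_read.          " only this developer hits this code path
ENDIF.
IF sy-uname <> 'BATCH_ADM' AND sy-uname NE 'ZZ_INTERFACE'.
  WRITE: / 'interactive user'.
ENDIF.
* IF SY-UNAME = 'COMMENTED_OUT'.  commented out, must not be reported
IF sy-uname = lv_user.           " compared with a variable, not a literal
"""


if __name__ == "__main__":
    for lineno, user in find_uname_checks(SAMPLE_ABAP):
        print(f"line {lineno}: code path keyed to user name '{user}'")
```

Every hit is a code path whose behaviour depends on who is logged on, which is exactly what a reviewer wants to see before the program reaches production.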

      • Re: Security interview questions - some fun.
        Julius von dem Bussche

        @ 23: More common causes (in my experience) for short dumps in target systems are faulty or obsolete config in the source system or source coding, and the developer clicks on things "just to see what happens" or "what the select-options are". Too late...

         

        One which might interest you is:  SY-XFORM = 'XAB_READ' called successfully, but what is it?

         

        Regarding sy-uname, question 14 will interest you as well.

         

        Thanks for contributing to the SDN Security forum,

        Julius

         

        ps: For others who don't know, Andreas Wiegenstein is the developer of the [CodeProfiler|http://virtualforge.de/vcodeprofiler.php] and author of SAPress books on secure ABAP programming. For advanced security requirements I can recommend it, but you still need someone to interpret the results and fix the code.

         

        Disclaimer: CodeProfiler is licensed and not without cost implications to make this initial investment to know what is going on in your code. SAP uses it to analyze their own code.

         

        Edited by: Julius Bussche on Apr 13, 2010 9:37 PM

  • Re: Security interview questions - some fun.

    I can answer most, but as you said not to flood the thread, kindly suggest: should I send mail?

     

    Thanks,

    Prasant K Paichha

  • Re: Security interview questions - some fun.
    Arpan Paik

    @1 copy....inactive,,,

    @2 midnight - time to do right thing for coming day...

    @3....

    @4....

     

    I am at home today... not sure why I did not go to the office today... The entire day was so boring... I had no wish to make any post today... But when the question came up about earning beer, I could not resist posting...

     

    Ohhh....week end is coming.....

  • Re: Security interview questions - some fun.
    Michael Jaynes

    I have one year experience in SAP Security and only two in Basis, so flame on... I swear I didn't use Google or any of my systems for reference!

    1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best answer is to modify your SU24 data.

    2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user records.

    3) Is PFUD needed when saving in SU01 and does the user need to log off and on again after changes? PFUD is not needed and the user needs to log off and back on again.

    4) How are web services represented in authorizations of users who are not logged on? ??

    5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.

    6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

    7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA

    8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division...

    9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

    10) What is an X-glueb command and where do you use it in SAP security? ???

    11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.

    12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???

    13) Can you use the information in SM20N to build roles and how? You could, I guess. Not a good practice though. Build roles based on business processes.

    14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.

    15) Name any one security related SAP note and explain its purpose or solution. Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.

    16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.

    • Re: Security interview questions - some fun.
      Guru Prasad Dwivedi

      @5) How do you force a user to change their password and on which grounds would you do so?

      If we go through SU01 -> Logon Data tab -> Deactivate password, then when the user tries to log in the system will show the message "You have no password you can not log on using password".

      Ans@5) Try to log in with the user's ID (of course you do not know the user's password; put in any password). Do not press Enter; press the "New Password" button. The system will show the message "User Name and password do not match". When the user then tries to log in, the system will ask the user to change the password.

  • Re: Security interview questions - some fun.
    Alex Ayers

    15 - reference to the unexpurgated version of note 60233 will get muchos kudos

  • Re: Security interview questions - some fun.
    John Navarro

    All these questions are SCUM. It's Friday, I just want my beer.

  • Re: Security interview questions - some fun to tickle your brain.
    Baskar Ramakrishnan

    How will you create a developer key and OSS ID in the SAP Service Marketplace?

  • Re: Security interview questions - some fun to tickle your brain.
    Srinidhi Kotakonda

    1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

    Ans: Changes in SU24

     

    2) What is the use of transaction PFUD at midnight?

    It is used to ensure that valid authorization profiles are contained in the user master record. We need to run PFCG_TIME_DEPENDENCY as a background job periodically.

     

    3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

    No, PFUD is not needed, and the user doesn't need to log off and log in again.

     

    4) How are web services represented in authorizations of users who are not logged on?

     

     

    5) How do you force a user to change their password and on which grounds would you do so?

    Users are forced to change their password every 90 / 60 days. This can be achieved by setting the profile parameters.

     

    6) What is the difference between SU24 and SU22? What is "orginal data" in SU22 context?

    SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C.

    The _C stands for Customer

     

     

    7) When an authorization check on S_BTCH_JOB fails, what happens?

    Ans: User will not be able to release or delete other user jobs

     

    8) Can you have more than one set of org-level values in one role?

     

    9) Should RFC users have SAP_NEW and why?

    Yes, during implementation & upgrades RFC users need SAP_NEW.

    SAP_NEW is a SAP standard profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users are not hindered during the upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed, and replaced with the now modified roles, as it has more extensive authorizations than required.

     

    10) What is an X-glueb command and where do you use it in SAP security?

     

    11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?

     

    12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is usefull but not SAP default?

    ANS: Lock the sys against importing user assignments. SM30->PRGN_CUST->User_rel_import = No

     

    Thanks,

    Sri

     

    Edited by: sri on Jun 16, 2010 11:25 PM

    • Re: Security interview questions - some fun to tickle your brain.
      Srinidhi Kotakonda

      Cont..

       

      13) Can you use the information in SM20N to build roles and how?

      Ans: When you are able to get the usage history of transactions through SM20N, why not use the information for redesigning roles?

       

      14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

      Ans: When you get message auth are missing then add the SAP_NEW profile to the user.

      When new objects are added to the pre-upgrade SAP_ALL, it needs to be regenerated: the system first deletes the authorizations of SAP_ALL to regenerate it with all the new ones. However, as RSUSR406 contains authority-checks, you should ensure that you have only a PFCG role authorized for profile generation and not only SAP_ALL when doing this, or alternately use report AGR_REGENERATE_SAP_ALL.

       

      - Transport an object to the system. During import, the system will automatically regenerate SAP_ALL, unless SAP note 439753 is applied (Bernhard recently mentioned that in another thread).

       

      - Implement SAP note 1064621 from a different client.

       

      15) Name any one security related SAP note and explain it's purpose or solution.

       

      16) What are the two primary differences between a SAML token profile and a SAP logon ticket?

       

      17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?

      Ans: In SCUM field attribute settings.

      Eg: In logon data if I have set all the fields to GLOBAL, in the child systems Password reset button will be missing

      Right settings: set the initial password as everywhere

       

      18) If you have users in different systems with different user ID's for the same person, what are your options to manage their authorizations centrally?

       

      19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?

       

       

      Thanks,

      Sri

      • Re: Security interview questions - some fun to tickle your brain.
        Srinidhi Kotakonda

        cont

         

         

        20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?

        25) How do you remove a developer's access and developer keys from a system? What else would you check for?

        Ans: Which roles grant access to S_TABU_DIS / S_DEVELOP / S_PROGRAM

        Which users have access to the roles that include S_TABU_DIS

        Do the users also have tcodes that enable direct access: SE38, SA38

        For users who have S_TABU_DIS in combination with a table access transaction, which tables can the user access

        Developer key: pull out the report of who has access to the production developer key using "DEVACCESS"

        What else would you check for?

        Check whether the user is able to open the system with SCC4 & SE06

         

        26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?

        Ans: In my experience user GROUPS cannot be transported. Rather, you create them locally in each client.

         

        27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?

        Ans: As you have not released the transport, you can do n number of changes.

        Please note that creation of a transport request is just adding the transportable,

        whereas once the transport is released, the data or roles associated with the transport are placed (downloaded) in the data and co-files. So if we do further changes, they will not be overwritten.

         

        Thanks,

        Sri

        • Re: Security interview questions - some fun to tickle your brain.
          Julius von dem Bussche

          There are a number of obscurities which an interviewer might want to take a closer look into the understanding of, which is the intention of these questions.

           

          > whereas once the transport is released, the data or roles associated with the transport are placed (downloaded) in the data and co-files

          This is certainly one of them. Role transports behave differently to workbench and customizing requests at the profile level, but not at the role data level.

           

          Take a careful read through SAP note 571276.

           

          Cheers,

          Julius

          • Re: Security interview questions - some fun to tickle your brain.
            Arunachalam Ramanathan

            1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

             

            Fix the values in SU24

             

            2) What is the use of transaction PFUD at midnight?

             

            PFUD - User Master Data Reconciliation - Used to update the role information in User Master Record table.

             

            3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

             

            No. PFUD or a user log off and re-login is not required if a new role is added to the user. If any modification is done to an existing role which the user already has, then the user is required to log off and log in again.

             

            5) How do you force a user to change their password and on which grounds would you do so?

             

            Using User Parameters by setting the validity days for the password.

             

            6) What is the difference between SU24 and SU22? What is "orginal data" in SU22 context?

             

            SU24 and SU22 are used to maintain authorization objects.

             

            SU22 has some additional features where we can make changes to the authorization objects specific to our customized menu.

             

            SU22 has additional restrictions where we can filter using Original System, Package Name, Person Responsible. If we have a set of customized transactions and captured those in a package, e.g. Z123, we can filter using the criteria and make changes only to the transactions which are under the Z123 package.

             

            SU24 has the option of searching using authorization objects and the transaction codes which are calling the authorization objects.

             

            Both of them have their own functionality.

             

            7) When an authorization check on S_BTCH_JOB fails, what happens?

             

            Background Job will not run. The job will result in authorization error.

             

            8) Can you have more than one set of org-level values in one role?

             

            No

             

            9) Should RFC users have SAP_NEW and why?

             

            RFC users should not have SAP_NEW if the authorization object values are filled using SU25 properly. They might require it when we perform upgrades.

             

            12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is usefull but not SAP default?

             

            There are many customizing settings which we need to perform when we are in the process of securing the system and they are identified by the customer. Some of the SAP customizing settings are listed in table PRGN_CUST.

             

            Edited by: Arunachalam Ramanathan on Jun 23, 2010 8:47 PM

             

            Edited by: Julius Bussche on Jun 28, 2010 7:52 PM

            Fixed formatting and split post (see next)

            • Re: Security interview questions - some fun to tickle your brain.
              Arunachalam Ramanathan

              Continued...

               

              13) Can you use the information in SM20N to build roles and how?

              SM20N is used for Security Audit Log analysis, and we can use it to identify the authorization failures of transactions for a user and check if the user requires the same, which can be used for role creation upon business owner approval. Ideally we do not use the information in SM20N for role creation; we use the information for audit analysis.

               

              14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

              There is a series of troubleshooting steps we do, and one of them is to turn on the trace and identify where it fails.

               

              15) Name any one security related SAP note and explain it's purpose or solution.

              Note 318615 - Documentation on Security - See SAP Service Marketplace
              Note 23611 - Collective Note: Security in SAP Products
              The above notes talk about the documentation for Security.

               

              21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?

              It means that if debugging is given, it should be given along with display access so that the developers can do the debugging.

               

              22) A key-user in the finance department is also an ABAP developer. What do you do?

              Give him access to Finance in Production and ABAP access in Development and Testing. Give access to another user to test the functionality of changes done by the user in the Test System. Have a two-level check.

               

              23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?

              Perform a series of troubleshooting steps. Identify whether the dump is using a standard t code or a custom t code. Analyze the system logs and ABAP Run time error to find the root cause of the dumps.

               

              24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?

              Identify the business process and purpose of third party products and how are they connected to the system. Identify the interfaces and connections and simulate the security issues in quality system before connecting to production

               

              25) How do you remove a developer's access and developer keys from a system? What else would you check for?

              Delete the Developer in the table - DEVACCESS.

               

              27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?

              It includes all the changes performed on the role before the transport request is released.

               

              28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?

              There are many scenarios where we update SAP tables directly if it is really required, like a custom program created to update a SAP table which is used for interfacing or upload and download. The precaution should be taken that there is no inconsistency in the system or database due to the update.

               

              Edited by: Arunachalam Ramanathan on Jun 23, 2010 8:47 PM

               

              Edited by: Julius Bussche on Jun 28, 2010 7:48 PM

              Formatting fixed.

  • Re: Security interview questions - some fun to tickle your brain.
    Waldon Smith

    I am very interested in the answer to question 8). One with some meat would be great.

  • Re: Security interview questions - some fun to tickle your brain.
    Santi Obejero

    Hi Julius,

     

    May I ask for a compilation of answers for those questions?

     

    Can you create a separate reply for answers.

     

    So the future readers of this thread won't be navigating through all of the pages of this thread?

     

    Thanks a lot. I found this thread very interesting. Thanks in advance.

     

    Hoping for your quick reply..

  • Re: Security interview questions - some fun to tickle your brain.
    Patric Holier

    Hi

     

    This topic helps me a lot in developing my project. I will contribute more when I have finished it.


  • Re: Security interview questions - some fun to tickle your brain.
    dhinesh Subrahmanyam

    Hi,

    Interesting and very helpful discussion, Julius, thank you very much.

     

    I have a question.

     

    Without implementing a BAdI or any coding, using business roles and authorizations, can we restrict the user from editing only the parties involved in an IBASE and allow other objects?

     

    can this be implemented using PFCG or ACE..

     

    Thanks
