Hello gurus,
I know that posting interview question series are not allowed if the person has not put in any effort, but I have and folks seem to want to practice a bit sometimes so I take the liberty of creating a central one.
Tackle one or all of them to test your knowledge.
There are no model answers.
If you want to suggest additional ones, then please contact me.
The rules
Flaming of answers is allowed.
Funny answers earn a beer (or cup of tea).
There are no points.
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
2) What is the use of transaction PFUD at midnight?
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
4) How are web services represented in authorizations of users who are not logged on?
5) How do you force a user to change their password and on which grounds would you do so?
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
7) When an authorization check on S_BTCH_JOB fails, what happens?
8) Can you have more than one set of org-level values in one role?
9) Should RFC users have SAP_NEW and why?
10) What is an X-glueb command and where do you use it in SAP security?
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
12) In which tables can you make customizing settings for the security administration, and name one example of such a setting which is useful but not SAP default?
13) Can you use the information in SM20N to build roles and how?
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
15) Name any one security related SAP note and explain its purpose or solution.
16) What are the two primary differences between a SAML token profile and a SAP logon ticket?
17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?
18) If you have users in different systems with different user ID's for the same person, what are your options to manage their authorizations centrally?
19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?
20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?
To be continued...
Continued:
21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?
22) A key-user in the finance department is also an ABAP developer. What do you do?
23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?
24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?
25) How do you remove a developer's access and developer keys from a system? What else would you check for?
26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?
27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?
28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?
29) Is there a difference between transactions SE09 and SE10 and what is the use of any differences?
30) The visibility of tabs in the Solution Manager "work centers" seems to follow its own logic for different users with the same roles, and menus in the work centers differ from user to user. The ST01 trace only shows S_GUI as being checked. How do you proceed to restore your sanity?
31) Users can access functionality they are authorized for or even not authorized for, but they do not have any transaction code authorizations (S_TCODE) to start the tcodes which are known to perform these tasks. How do you go about analyzing the access, and what are the dangers involved in removing the application authorizations of a single role if the user does not have the SAP standard transaction code anyway?
32) You need to clean up users and authorizations in clients '001' and '066' of a production system, but have no valid user credentials for these "old" clients. The production client '100' has high availability requirements. How do you solve the problem?
Dummy post 2 for subsequent questions...
Hi Julius,
The question bank gives an idea of the breadth and depth of your knowledge.
One question which I'm trying to find an answer to is (as much because of customer requirements as also curiosity):
8) Can you have more than one set of org-level values in one role? If so how?
if you have any suggestions for this one please let me know.
Thanks
Vijaya
@ Vijaya: If you can find a 2nd Org. Level button then let us know.
@ Arpan: Enjoy the weekend and your beer.
@ Prasant: Your user ID has been deleted.
@ Michael: Let's put it this way - your answer to question 10 is very close.
@ Alex: Version 27 fix 2 of Ora-1555 errors, step # 8, sir (this will also be useful for Arpan)
Cheers.
Julius
Well, earning beer seems to be getting harder and harder as new question banks come my way... But I found #23 very interesting, and these could be the possible solutions from my end:
Guide the user / lock the user / delete the user / bomb the user / dump the user from the office... and so on until the dumps stop in his name... well, HIS name, as this user cannot be a SHE ;-)
By the way, it's Sunday, and if my wife accidentally gets access to this post, this day will feel like a Monday in front of the boss... Bye folks...
Nice questions, Julius
Here are some answers:
@ 22 (A key-user in the finance department is also an ABAP developer. What do you do?)
a) Explain to him/her that this position requires that his/her code must be peer reviewed for security reasons. This alone will discourage most people from doing "bad things" in their code.
b) Enforce this policy: Have his/her ABAP code peer-reviewed
@ 23 (A new ABAP developer short dumps regularly in production while reading business data. What do you do?)
If it is really the developer that short dumps, you should have him/her drug-tested
If it is the application that short dumps, you should check the developer's coding for constructs like
IF SY-UNAME = 'NAME_OF_THE_SHORT_DUMPER'.
* Code that produces short dumps
ENDIF.
@ 24 (You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?)
a) Define security requirements for (3rd party) business applications and secure coding guidelines for internal development (code checks without requirements will only lead to lengthy discussions)
b) Run a static code analysis tool (that enforces your security requirements) against the custom and 3rd party applications
Cheers,
Andreas
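The check Andreas describes above, looking through custom ABAP for code paths that branch on the calling user's name, is the kind of "low brainer" pattern a static scan can flag before a human reviewer looks at the code. The following is an added example, not code from this thread nor from CodeProfiler or any SAP tool: a small Python scanner run over a constructed ABAP fragment (the report name, user names and variable names are made up). It reports any comparison of SY-UNAME with a hard-coded literal as HIGH, in either operand order, and any other comparison involving SY-UNAME as REVIEW, while skipping ABAP comment lines.

```python
import re
from typing import List, Tuple

# Constructed sample of custom ABAP source (not taken from the thread).
# Lines 3 and 12 gate behaviour on a hard-coded user name, line 16 does the
# same with the literal on the left, and line 13 compares against a variable.
SAMPLE_ABAP = """\
REPORT zfi_post_batch.
DATA lv_flag TYPE abap_bool.
IF sy-uname = 'DEVUSER1'.
  " hard-coded user: this person never reaches the AUTHORITY-CHECK below
  lv_flag = abap_true.
ELSE.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD lv_bukrs ID 'ACTVT' FIELD '01'.
  IF sy-subrc <> 0.
    MESSAGE e001(zfi).
  ENDIF.
ENDIF.
CHECK sy-uname NE 'SUPPORT01'.
IF lv_user EQ sy-uname.
  WRITE 'own record'.
ENDIF.
IF 'ADMIN99' = sy-uname.
  WRITE 'hello'.
ENDIF.
"""

# ABAP comparison operators that matter for this check
_OPS = r"(?:=|<>|><|\bEQ\b|\bNE\b)"

# sy-uname compared with a character literal, in either operand order
LITERAL_CMP = re.compile(
    rf"(?:\bsy-uname\s*{_OPS}\s*'(?P<lit1>[^']*)')"
    rf"|(?:'(?P<lit2>[^']*)'\s*{_OPS}\s*sy-uname\b)",
    re.IGNORECASE,
)
# any other comparison involving sy-uname (variable, constant, IN range)
ANY_CMP = re.compile(
    rf"(?:\bsy-uname\s*(?:{_OPS}|\bIN\b))|(?:{_OPS}\s*sy-uname\b)",
    re.IGNORECASE,
)


def strip_comment(line: str) -> str:
    """Return the code part of one ABAP line; '' for full-line comments."""
    code = line.strip()
    # '*' in column 1 and '"' both start comments in ABAP
    if not code or code.startswith('*') or code.startswith('"'):
        return ''
    return code.split('"', 1)[0]   # drop an inline " comment


def find_uname_checks(source: str) -> List[Tuple[int, str, str]]:
    """Scan ABAP source for branching on sy-uname.

    Returns (line_no, severity, literal) tuples: HIGH when sy-uname is
    compared with a hard-coded literal, REVIEW for any other comparison.
    """
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code:
            continue
        m = LITERAL_CMP.search(code)
        if m:
            lit = m.group('lit1') if m.group('lit1') is not None else m.group('lit2')
            findings.append((no, 'HIGH', lit))
        elif ANY_CMP.search(code):
            findings.append((no, 'REVIEW', ''))
    return findings


if __name__ == '__main__':
    for no, sev, lit in find_uname_checks(SAMPLE_ABAP):
        detail = f"literal '{lit}'" if lit else 'non-literal comparison'
        print(f"line {no:>3}  {sev:<6}  sy-uname {detail}")
```

Run against the sample it reports lines 3, 12 and 16 as HIGH and line 13 as REVIEW. A REVIEW hit is not necessarily a problem (comparing SY-UNAME with a record owner is a normal ownership check), which is why the scan only narrows down what the peer reviewer has to read rather than replacing the review.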
@ 23: More common causes (in my experience) for short-dumps in target systems is faulty or obsolete config in the source system or source coding - and the developer clicks on things "just to see what happens" or "what the select-options are". Too late...
One which might interest you is: SY-XFORM = 'XAB_READ' called successfully, but what is it?
Regarding sy-uname, question 14 will interest you as well.
Thanks for contributing to the SDN Security forum,
Julius
ps: For others who don't know, Andreas Wiegenstein is the developer of the [CodeProfiler|http://virtualforge.de/vcodeprofiler.php] and author of SAPress books on secure ABAP programming. For advanced security requirements I can recommend it, but you still need someone to interpret the results and fix the code.
Disclaimer: CodeProfiler is licensed and not without cost implications to make this initial investment to know what is going on in your code. SAP uses it to analyze their own code.
Edited by: Julius Bussche on Apr 13, 2010 9:37 PM
I can answer most, but as you said not to float, kindly suggest: should I send mail?
Thanks,
Prasant K Paichha
I am sure that Klinndk12 could have asked you most of them as well...
Cheers,
Julius
@1 copy....inactive,,,
@2 midnight - time to do right thing for coming day...
@3....
@4....
I am at home today... not sure why I did not go to the office today... The entire day was so boring... I had no wish to make any post today... But when the question comes to earning beer, I could not resist posting...
Ohhh... the weekend is coming...
I have one year of experience in SAP Security and only two in Basis, so flame on... I swear I didn't use Google or any of my systems for reference!
1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best answer is to modify your SU24 data.
2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user records.
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes? PFUD is not needed and the user needs to log off and back on again.
4) How are web services represented in authorizations of users who are not logged on? ??
5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.
7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA
8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division...
9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.
10) What is an X-glueb command and where do you use it in SAP security? ???
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???
13) Can you use the information in SM20N to build roles and how? You could, I guess. Not a good practice though. Build roles based on business processes.
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.
15) Name any one security related SAP note and explain its purpose or solution. Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.
16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.
@5) How do you force a user to change their password and on which grounds would you do so?
If we go through SU01 -> Logon Data tab -> Deactivate password, then if the user tries to log in the system will show the message "You have no password, you cannot log on using a password".
Ans@5) Try to log in with the user's ID (of course you do not know the password of the user, so put in any password); do not press Enter, press the "New Password" button. The system will show the message "User name and password do not match". When the user then tries to log in, the system will ask the user to change the password.
15 - reference to the unexpurgated version of note 60233 will get muchos kudos
All these questions are SCUM
It's Friday I just want my beer.
I added question 17 for you
Question 18 is a "by-product" of it.
How will you create a developer key and OSS ID in SAP Service Market Place
Hi Baskar,
I added # 25 for you, but gave it a little tweak.
Cheers,
Julius
22) Marry her!
23) Turn out the lights on the toilet
I said "business data", not "newspaper"...
Julius... your questions continue to be wonderful... I can read them for eternity... but cannot answer!! Do this, dear friend: write the answers too, with just hints.
It's the weekend...
Hi GG,
The intention is to ask questions which generate a discussion, to see how deep the persons knowledge and experience is.
There are no model answers (much like your questions..)
Cheers,
Julius
Hi,
I have one which I had to solve today. I just find a workaround. How can you maintain authorization objects for your custom web dynpro applications in SU22?
Cheers
This is the "original data" referred to in question # 6, right --> the auth/authorization_trace parameter.
I would not class that as a workaround though, so perhaps you meant something else?
Cheers,
Julius
Edited by: Julius Bussche on May 28, 2010 8:36 PM
5 --> 6 corrected
You probably mean question 6. Anyway, thanks, I knew that I was missing something. I couldn't find how to force the SAP system to create a record for our WD applications in table USOBHASH. I found a bunch of FMs with names like AUTH_TRACE* but most of them are not called from any ABAP program (now I know why). One of the FMs is AUTH_TRACE_WRITE_USOBHASH, which creates a record. So I wrote a simple program which uses this FM to create the required entries for selected WD applications. That's why I called it a workaround. Thanks once again.
Cheers
Hi Martin,
Thanks, I corrected the number.
If you activate the parameter then there are gemstones waiting for you in table USOB_AUTHVALTRC as well.
Tip: Use it in a "clean" QAS client and download, or just maintain DEV in parallel, otherwise it will drive you crazy
Cheers,
Julius
Edited by: Julius Bussche on May 29, 2010 8:32 PM
@12 PRGN_CUST - we can maintain parameter ASSIGN_ROLE_AUTH = Assign
Regards,
Prasad
Yep, that is a good one!
There are also a few which are not listed in the F4 Search Help but can be useful. Have you come across any of them yet?
Cheers,
Julius
Hmm...I have seen complete list of parameters in PRGN_CUST by F4...are there any more other than those? Can you name a few?
Regards,
Prasad
Prasad Musale wrote:
> Hmm...I have seen complete list of parameters in PRGN_CUST by F4...are there any more other than those? Can you name a few?
A nice example is the solution described in [SAP Note 915488|https://service.sap.com/sap/support/notes/915488] .
On the surface it is a pity this is not available in the F4 Search Help, or even defaulted to a reasonable value, because the alternative (and default) is often deleting the PW wizard value and hitting "backspace" to select something which looks cryptic but is still repetitive... But there is a reason why it is not, which Frank Buchholz has hinted at already.
If you set the maximum values stricter than the minimum requirements of the system, then what should it do?
Cheers,
Julius
Wow... looks like hidden jewels. Thanks Julius.
Note 915488 suggests that profile parameters supersede customizing switches. Hence if we set the maximum password length switch value lower than the minimum password length profile parameter, the system will ignore the customizing switch value.
I used to hit backspace for generated passwords. I wasn't able to catch Frank's hint. Could you please elaborate?
Best Regards,
Prasad
Try to spot the hint...
All useful parameters for customers in PRGN_CUST and SSM_CUST have at least a short text which you get using the value help. (There might exist more parameters but without a short text we can assume that this parameter should not be used.) Usually customers can concentrate on these parameters which have a link to a SAP note as part of the short text.
You must first check your release and minimum-parameters to ensure they do not conflict and all programs are respecting these parameters when generating a password - at which time I guess it might be added to the F4 help.
Cheers,
Julius
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
a) If this is very special for this role within your company: Deactivate this standard authorization data in the role and enter the required authorization data manually.
b) If this is special for this transaction within your company: Update the SU24 data first, and then regenerate the authorization data in the role using PFCG.
c) If this is always the case for all customers: Tell SAP about this using a ticket and continue with b).
2) What is the use of transaction PFUD at midnight?
The background job which gets scheduled using PFUD adjusts the non time dependent profile assignments with the time dependent role assignments right after midnight. You use it if you either work with time dependent role assignments in SU01 (or SU10) or if you use indirect role assignments by HR org., which are time dependent, too.
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.
The user needs to logoff and on again after changes of role assignments or profile assignments.
5) How do you force a user to change their password and on which grounds would you do so?
Using the profile parameter login/password_compliance_to_current_policy you force users to change their password to match the password policy. Setting the profile parameter login/password_expiration_time temporarily to a short period forces password changes, too.
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
SU22 is used by SAP to create authorization proposals. SU24 is used by customers to adjust these authorization proposals from SAP.
8) Can you have more than one set of org-level values in one role?
No, you have to work with independent roles if you need separate sets of org-level values.
9) Should RFC users have SAP_NEW and why?
Like all users RFC users should get SAP_NEW right after an upgrade. However, you assign SAP_NEW only for the short time until you have finished the task to copy the authorizations of SAP_NEW into the roles which are assigned to your users. In case of RFC users it might be the case that a new version of the corresponding role for the RFC user has been delivered by SAP. Check the release notes to get notice about changes like this.
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
All useful parameters for customers in PRGN_CUST and SSM_CUST have at least a short text which you get using the value help. (There might exist more parameters but without a short text we can assume that this parameter should not be used.) Usually customers can concentrate on these parameters which have a link to a SAP note as part of the short text.
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
In most cases you have trouble with an old version of the user buffer for authorizations. See profile parameter auth/new_buffering to switch to the newest version of the user buffer. In addition, there exists a small set of authorizations which are not part of SAP_ALL, e.g. the authorization for S_RFCACL.
Shekar.J. wrote:
> Frank Buchholz wrote:
> 3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
> SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.
> The user need to logoff and on again after changes of role assignments or profile assignments.
Frank,
Correct me if I am wrong in my understanding, but I suppose what you mentioned above is correct in principle but not always the absolute truth. If we increase the user buffer size and in parallel manage such that the users do not exceed the number of authorizations defined in the profile parameter auth/auth_number_in_userbuffer, I should still be OK without logging off and logging in again, am I right?
You are right, the requirement to logoff and logon again is not the absolute truth. However, for most practical usage it is a good rule (and the size of the user buffer does not matter anymore with a high value of parameter auth/new_buffering).
Here's a more precise modification: Changes which have an effect on the list of authorizations of a user (like new or deleted roles or profiles) require logoff and logon. Changes which affect the content of already assigned authorizations are active immediately (like changes of authorization data within a role or a profile in most cases).
Frank
> You are right, the requirement to logoff and logon again is not the absolute truth. However, for most practical usage ist a good rule (and the size of the user buffer does not matter anymore with a high value of parameter auth/new_buffering).
> Here's a more precices modification: Changes which have an effect on the list of authorizations of a user (like new or deleted roles or profiles) require logoff and logon. Changes which affect the content of already assigned authorizations are active immediatly (like changes of authorization data whithin a role or a profile in most cases).
> Frank
I don't 100% agree with the above statement, it is not true for role additions. But, yeah, I do agree with what you said about a good thing to do (logging off and logging on). By the way, I made a correction to my post, but by the time I checked my post, the system had made a correction - you already had 3 posts
In fact, over a period of time I did notice that business users did not necessarily have to log off and log on, although the transactional authorizations given to users by means of new role additions or changes in values to existing roles are made.
But there have been times when system related objects (particularly from the BC* classes) are added / modified, the system doesn't tend to pick them up, and you are forced to log off and log on for the changes to take effect. I cannot pinpoint and make a strong statement on all BC objects, but I think S_WFAR_OBJ was one and, if I remember correctly, logging off and on is applicable for changes on S_ADMI_FCD and S_CTS_ADMI.
> but i think S_WFAR_OBJ was one
This is a tricky object and depends on the design of your archive. SU24 is near impossible to maintain consistently for it.
What often happens is a large number of manual inserts into the roles of value sets for the object - it has 5 fields if I remember correctly.
When you reach the max limit of 99 authorizations per generated profile and the object doesn't have an org. field in it, the system generates a second "sub-profile" for the role to add another 99 authorizations to.
As this is a different profile, PFUD is needed in PFCG. Only changing the role data and regenerating is not enough because the authorization values in UST12 will not be known, yet.
Most things sort themselves out shortly after midnight..
Cheers,
Julius
I added another "nut cracker" question (# 30). Take a shot at it..
Unrelated to above:
>> but i think S_WFAR_OBJ was one
>This is a tricky object and depends on the design of your archive. SU24 is near impossible to maintain consistently for it.
Little tip: Create symbolic tcodes in SE93 and maintain all values from there as "standard" for the respective series of org. roles with the tcode as an "authorization default".
Cheers,
Julius
You need to read the question carefully
It refers to SU01 context where the buffer is updated immediately when assigning a new profile or role (with new authorizations available).
But you are correct: there is a special case also in SU01 where the user who is already logged on must first logoff and then log on again after saving and PFUD must have been performed (or after-import-events) even when auth/new_buffering = 4... --> assigning a reference user.
Cheers,
Julius
Edited by: Julius Bussche on Jun 9, 2010 7:54 AM
Julius,
I suppose there was a problem with the SDN portal yesterday. I was given an error message for all the attempts I made to post, but this morning I see that 8-10 posts with the same content have been updated (looks quite silly). Can we have them deleted, just keeping the last update?
Thanks
I've deleted the duplicate postings created by the SDN server.
There is also a caching problem at the moment, so it might only be a "visibility" problem.
Cheers,
Julius
Frank Buchholz wrote:
> 3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
> SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.
> The user need to logoff and on again after changes of role assignments or profile assignments.
Frank,
Correct me if I am wrong in my understanding, but I suppose what you mentioned above is correct in principle but not always the absolute truth. If we increase the user buffer size and in parallel manage such that the users do not exceed the number of authorizations defined in the profile parameter auth/auth_number_in_userbuffer, I should still be OK without logging off and logging in again, am I right?
I could be wrong with my profile parameter, I think it should be auth/new_buffering, which draws details from the table USRBF2.
Edited by: Shekar.J on Jun 8, 2010 2:23 PM
Prasant,
You are my hero! Everyday I will aim to achieve greatness like you have!
His interview ended [here|[Windows 7] SAP gui 7.10 crashes in BD87 while accessing IDOC; when he posted with the wrong ID but was not fast enough to edit the answer...
Cheers,
Julius
Log on to the SAP Service Marketplace with your S-user > Keys and requests > SSCR
@Baskar
Developer key:-
SAP Portal > Keys & requests > SSCR keys > Register Developer > user ID with installation number of the SAP development system
OSS ID :-
SAP Portal --> Data Administration --> User data --> Request new users --> Fill in all details and don't forget to assign authorizations ..:)
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
Ans: Changes in Su24
2) What is the use of transaction PFUD at midnight?
It is used to ensure that valid authorization profiles are contained in user master record. we need to run PFCG_TIME_DEPENDENCY as a background job periodically
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
No, PFUD is not needed, and the user doesn't need to log off & log in.
4) How are web services represented in authorizations of users who are not logged on?
5) How do you force a user to change their password and on which grounds would you do so?
Users are forced to change their password every 90 / 60 days. This can be achieved by setting the profile parameters.
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C.
The _C stands for Customer
7) When an authorization check on S_BTCH_JOB fails, what happens?
Ans: User will not be able to release or delete other user jobs
8) Can you have more than one set of org-level values in one role?
9) Should RFC users have SAP_NEW and why?
Yes, during implementation & upgrades RFC users need SAP_NEW.
SAP_NEW is an SAP standard profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users are not hindered during the upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed, and replaced with the now modified roles, as it has more extensive authorizations than required.
10) What is an X-glueb command and where do you use it in SAP security?
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
ANS: Lock the sys against importing user assignments. SM30->PRGN_CUST->User_rel_import = No
Thanks,
Sri
Edited by: sri on Jun 16, 2010 11:25 PM
Cont..
13) Can you use the information in SM20N to build roles and how?
Ans: When you are able to get the usage history of transactions through SM20N, why not use the information for redesigning roles?
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
Ans: When you get message auth are missing then add the SAP_NEW profile to the user.
When new objects are added to the pre-upgrade SAP_ALL, it needs to be regenerated: the system first deletes the authorizations of SAP_ALL to regenerate it with all the new ones. However, as RSUSR406 contains authority-checks, you should ensure that you have only a PFCG role authorized for profile generation and not only SAP_ALL when doing this, or alternately use report AGR_REGENERATE_SAP_ALL.
- Transport an object to the system. During import, the system will automatically regenerate SAP_ALL, unless SAP note 439753 is applied (Bernhard recently mentioned that in another thread).
- Implement SAP note 1064621 from a different client.
15) Name any one security related SAP note and explain its purpose or solution.
16) What are the two primary differences between a SAML token profile and a SAP logon ticket?
17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?
Ans: In SCUM filed attribute settings.
Eg: In logon data if I have set all the fields to GLOBAL, in the child systems Password reset button will be missing
Right settings: set the initial password as everywhere
18) If you have users in different systems with different user ID's for the same person, what are your options to manage their authorizations centrally?
19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?
Thanks,
Sri
cont
20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?
25) How do you remove a developer's access and developer keys from a system? What else would you check for?
Ans: Which roles grant access to S_TABU_DIS / S_DEVELOP / S_PROGRAM
Which users have access to the roles that include S_TABU_DIS
Do the users also have tcodes that enable direct access: SE38, SA38
For users who have S_TABU_DIS in combination with a table access transaction, which tables can the user access
Developer key: pull out the report of who has access to the production developer key using "DEVACCESS"
What else would you check for?
Check whether the user is able to open the system with SCC4 & SE06
26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?
Ans: In my experience user GROUPS cannot be transported. Rather, you create them locally in each client.
27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?
Ans: As you have not released the role, you can do an n-number of changes.
Please note that the creation of a transport request is just adding the transportable,
whereas once the transport is released, the data or roles associated with the transport are placed (downloaded) in the data and co-files. So if we do further changes, they will not be overwritten.
Thanks,
Sri
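The checks listed under 25) above can be gathered in one report rather than run table by table. This is an added example, not code from the thread or from SAP; it assumes the standard role tables AGR_1251 (role authorization values), AGR_USERS (role-to-user assignments), AGR_TCODES (role menu transactions) and DEVACCESS (developer keys), and the report name and the two transactions checked are my own choice. SCC4 and SE06 settings are still checked in those transactions.

```abap
REPORT zsec_dev_access_audit.
" Added example: collects the data points an admin reviews before removing
" developer access. Standard SAP tables are assumed; the report name is made up.
TYPES: BEGIN OF ty_role_user,
         agr_name TYPE agr_users-agr_name,
         uname    TYPE agr_users-uname,
       END OF ty_role_user.
DATA: lt_roles      TYPE STANDARD TABLE OF agr_name,
      lt_role_users TYPE STANDARD TABLE OF ty_role_user,
      lt_tcodes     TYPE STANDARD TABLE OF agr_tcodes,
      lt_devkeys    TYPE STANDARD TABLE OF devaccess,
      ls_role_user  TYPE ty_role_user,
      ls_tcode      TYPE agr_tcodes,
      ls_devkey     TYPE devaccess.
" 1) Roles whose authorization data contain the critical objects.
SELECT DISTINCT agr_name FROM agr_1251
  INTO TABLE lt_roles
  WHERE object IN ('S_DEVELOP', 'S_PROGRAM', 'S_TABU_DIS').
IF lt_roles IS NOT INITIAL.
  " 2) Users whose assignment to one of those roles is still valid today.
  SELECT agr_name uname FROM agr_users
    INTO TABLE lt_role_users
    FOR ALL ENTRIES IN lt_roles
    WHERE agr_name = lt_roles-table_line
      AND to_dat  >= sy-datum.
  " 3) Do those roles also carry transactions that execute programs directly?
  SELECT * FROM agr_tcodes
    INTO TABLE lt_tcodes
    FOR ALL ENTRIES IN lt_roles
    WHERE agr_name = lt_roles-table_line
      AND tcode IN ('SE38', 'SA38').
ENDIF.
" 4) Developer keys registered in this system.
SELECT * FROM devaccess INTO TABLE lt_devkeys.
WRITE: / 'Users assigned to roles with S_DEVELOP / S_PROGRAM / S_TABU_DIS:'.
LOOP AT lt_role_users INTO ls_role_user.
  WRITE: / ls_role_user-uname, ls_role_user-agr_name.
ENDLOOP.
WRITE: / 'Roles with direct program execution (SE38 / SA38):'.
LOOP AT lt_tcodes INTO ls_tcode.
  WRITE: / ls_tcode-agr_name, ls_tcode-tcode.
ENDLOOP.
WRITE: / 'Users holding a developer key (DEVACCESS):'.
LOOP AT lt_devkeys INTO ls_devkey.
  WRITE: / ls_devkey-uname.
ENDLOOP.
```

A user who appears in the first list, or in DEVACCESS, but is no longer meant to develop is the one whose role assignments and key entry need removing; the lists only report, they change nothing.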
There are a number of obscurities which an interviewer might want to take a closer look into the understanding of, which is the intention of these questions.
> Where as once the transport is released, the data or roles associated with the transport is being placed(downloaded) in Data and Co-files
This is certainly one of them. Role transports behave differently to workbench and customizing requests at the profile level, but not at the role data level.
Take a careful read through SAP note 571276.
Cheers,
Julius
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
*Fix the values in SU24*
2) What is the use of transaction PFUD at midnight?
PFUD - User Master Data Reconciliation - Used to update the role information in User Master Record table.
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
No. PFUD or user log off and re-login is not required if a new role is added to the user. If any modification is done to an existing role which the user already has, then it is required for the user to log off and log in again.
5) How do you force a user to change their password and on which grounds would you do so?
Using User Parameters by setting the validity days for the password.
6) What is the difference between SU24 and SU22? What is "orginal data" in SU22 context?
SU24 and SU22 are used to maintain authorization objects.
SU22 has some additional features where we can make changes to the authorization objects specific to our customized menu.
SU22 has additional restrictions where we can filter using Original System, Package Name, Person Responsible. If we have a set of customized transactions and captured those in a package, eg: Z123, we can filter using that criteria and make changes only to the transactions which are under the Z123 package.
SU24 has the option of searching using authorization objects and the transaction codes which are calling the authorization objects.
Both of them have their own functionality.
7) When an authorization check on S_BTCH_JOB fails, what happens?
Background Job will not run. The job will result in authorization error.
8) Can you have more than one set of org-level values in one role?
No
9) Should RFC users have SAP_NEW and why?
RFC users should not have SAP_NEW if the authorization object values are filled using SU25 properly. They might require it when we perform upgrades.
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
There are many customizing settings which we need to perform when we are in the process of securing the system and they are identified by the customer. Some of the SAP customizing settings are listed in table PRGN_CUST.
Edited by: Arunachalam Ramanathan on Jun 23, 2010 8:47 PM
Edited by: Julius Bussche on Jun 28, 2010 7:52 PM
Fixed formatting and split post (see next)
Continued...
13) Can you use the information in SM20N to build roles and how?
SM20N is used for Security Audit Log analysis, and we can use it to identify the authorization failures of transactions for a user and check if the user requires the same, which can be used for role creation upon business owner approval. Ideally we do not use the information in SM20N for role creation; we use the information for audit analysis.
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
There are a series of troubleshooting steps we do, and one of them is to turn on the trace and identify where it fails.
15) Name any one security related SAP note and explain its purpose or solution.
Note 318615 - Documentation on Security - See SAP Service Marketplace
Note 23611 - Collective Note: Security in SAP Products
The above notes talk about the documentation for Security.
21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?
It means that, if given, debugging should be given along with Display access so that the developers can do the debugging.
22) A key-user in the finance department is also an ABAP developer. What do you do?
Give him access to Finance in Production and ABAP access in Development, and give testing access to another user to test the functionality of changes done by the user in the Test system. Have a two-level check.
23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?
Perform a series of troubleshooting steps. Identify whether the dump is from a standard t-code or a custom t-code. Analyze the system logs and the ABAP runtime error to find the root cause of the dumps.
24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?
Identify the business process and purpose of the third party products and how they are connected to the system. Identify the interfaces and connections and simulate the security issues in the quality system before connecting to production.
25) How do you remove a developer's access and developer keys from a system? What else would you check for?
Delete the Developer in the table - DEVACCESS.
27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?
It includes all the changes performed on the role before the transport request is released.
28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?
There are many scenarios where we update SAP tables directly if it is really required, such as a custom program created to update an SAP table which is used for interfacing or upload and download. The precaution to take is that there are no inconsistencies in the system or database due to the update.
Edited by: Arunachalam Ramanathan on Jun 23, 2010 8:47 PM
Edited by: Julius Bussche on Jun 28, 2010 7:48 PM
Formatting fixed.
I am very interested in the answer to question 8) One with some meat would be great.
For a vanilla interview just say "no".
To test your interviewer say "it depends"
There are several ways of doing this: in PFCG, programmatically, using assertions, using SU24 for context specific exclusions of checks, etc.
However, they all deviate from consistent, auditable and maintainable concepts unless it applies to all users - which is more often than not unrealistic.
Cheers,
Julius
Hi Julius,
May I ask for a compilation of answers for those questions?
Can you create a separate reply for answers,
so the future readers of this thread won't be navigating all of the pages of this thread?
Thanks a lot. I found this thread very interesting. Thanks in advance.
Hoping for your quick reply.
@ Santi: No, there are no perfect answers - only yours (see question by George G).
@ patricholier: Good luck with your project. Pity that you can only answer these after the project.
@ guruprasaddwivedi: Interesting theory. Thanks for sharing the same and reverting back.
@ sslrenewals: Yes quality is important and lets itself shown in sustainability of the solution if you stick around for long enough to see the consequences.
Cheers,
Julius
Hi
This topic helped me a lot in developing my project. I will contribute more when I have finished it.
Nice article that you have shared. I would just say that for getting high rankings you just need to do quality work for your site.
Hi,
Interesting and very helpful discussion, Julius. Thank you very much.
I have a question.
Without implementing a BAdI or any coding, using business roles and authorizations, can we restrict the user from editing only the parties involved in an IBase and allow other objects?
Can this be implemented using PFCG or ACE?
Thanks