SAP Security Challenge – August 2018

Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

July Challenge

In July’s challenge, we had 198 participants and an overall average of 5.7 correct answers. In total, only 5 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Chris L. is the lucky winner of the SAP Security challenge of July 2018. Chris answered 9 questions correctly and wins a copy of the SAP System Security Guide that was co-written by Alessandro Banzer, Xiting USA. Congratulations Chris.

Answers from July’s Challenge

What is the name of the newest SAP Security book that was co-authored by Xiting’s Alessandro Banzer?
Xiting’s Alessandro Banzer is a co-author of the SAP Press book SAP System Security Guide that can be pre-ordered here: https://bit.ly/2uRIfJo

What is the name of the latest training course by SAP Education that talks about authorizations in S/4HANA?
With ADM945, SAP Education provides a training class that specifically talks about authorizations in S/4HANA, Fiori, etc. See more on: https://training.sap.com/course/adm945-sap-s4hana–authorization-concept-classroom-018-g-en/

What is the difference between S/4HANA and Suite on HANA?
SAP S/4HANA is SAP’s next-generation business suite that runs on a HANA database. Suite on HANA is an SAP ECC system (also called SAP ERP) running on a HANA database instead of Oracle, MaxDB, DB2, etc.

Where do you find the information on what Fiori applications are available to replace a transaction in the backend?
In the SAP Fiori apps reference library.

If you run Fiori in an embedded environment, where the front end and back end run on the same instance, do you still have to authorize the gateway services?
Regardless of whether you separate the front end from the back end, the end user still needs authorizations for the front-end and back-end services. Specifically, for the back end the user needs authorizations for the gateway services.

What is the best-practice approach when building end-user roles for Fiori?
SAP’s best practice is to create a dedicated role for the back end and one for the front end. With that, regardless of your current architecture, you keep the ability to move your role design to an architecture that runs the front end and back end on separate systems.

In which table can you find the hash values for your services/components that are required in the S_START authorization?
In table USOBHASH, you can find the generated hash values for your services/components.

What are the minimum authorizations that a user needs to execute the Fiori launchpad?
To use the Fiori launchpad, the end user requires certain authorizations. In the front end these include transaction /UI2/FLP, the services /UI2/INTEROP and /UI2/PAGE_BUILDER_PERS, and the gateway services ZINTEROP_0001 and ZPAGE_BUILDER_PERS_0001. In the back end the user needs function module /IWBEP/FM_MGW_HANDLE_REQUEST.

What’s the purpose of generating the hash values of services?
With the generated hash values in table USOBHASH, you can establish a relationship between a hash value and its service/component. This is especially important when running an authorization trace (ST01/STAUTHTRACE), because a failed S_START check only shows the hash, and the table lets you trace it back to the service.

Do all Fiori applications have an associated ODATA service?
Only the UI5 applications have an OData service that must be authorized. Web Dynpro applications and GUI for HTML transactions do not have an OData service.

August Challenge


We wish you the best of luck in the challenge.
