SAP Security Challenge – October 2018

Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.

We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog. Each participant enters the draw to win a ticket. One correct answer gives you one ticket in the draw (e.g. 8 correct answers gives you 8 tickets). The more you know, the higher the chances to win.

September Challenge

In August’s challenge, we had 123 participants and an overall average of 6.1 correct answers. In total, only 2 participants were able to answer all questions correctly.

The Champion

We are very happy to announce that Gabriel A. is the lucky winner of the SAP Security challenge of September 2018. Gabriel answered 5 questions correctly and wins a copy of the SAP System Security Guide co-authored by Xiting’s Alessandro Banzer. Congratulations, Gabriel.

Answers from September’s Challenge

What is the Fiori Launchpad Designer used for?
The Fiori Launchpad Designer is used to create, configure, and customize catalogs, groups, and tiles.

For Fiori, can the OData start authorization on the Front-End Server and the OData access authorization on the Back-End Server include SU24 authorization defaults?
That’s true – the OData start authorization on the Front-End Server and the OData access authorization on the Back-End Server can include SU24 authorization defaults.

You can use the report to transfer the menu of an SAP Fiori front-end role to the role menu of an existing or new back-end role as a mass activity.

Can Legacy Fiori Apps also have SU24 Authorization Defaults?
Yes, Legacy Fiori Apps can also have SU24 Authorization Defaults, which is the best-practice approach when building their roles.

You have multiple development clients for building roles which all transport into the same target client. Which two tables should you maintain to prevent profile collisions?
You have to maintain the parameter PRGN_PROF_PREFIX in table USR_CUST, as well as the field AGR_NUM in table AGR_NUM_2 for the number range.

When importing a role with a profile that collides with a different role having the same profile name, what happens?
The role data (in the AGR* tables) is imported, but the profile data (UST* tables) is not. So the role looks correct on the surface but behaves wrongly, because the authorizations in its profile were not imported.

If you maintain different personalizations in SU01 and PFCG, which one takes preference?
If you have different personalizations in SU01 and PFCG, SU01 will have priority.

Which are the public functions in SAP which can be executed without a valid user or password?
Function modules in the function group SRFC (e.g. technical pings) can be executed without a valid user or password.

Is it possible to delete user SAPCPIC?
Yes, you can delete user SAPCPIC, but first check that the user is not making RFC calls. Until 4.5B it was not even possible to change its password, but the hard-coding was removed in later releases.

Which transactions are critical in a production system?
Transactions SP01 and SHD0 are considered critical in a productive environment, since they allow access to the spool requests of any user and the creation of screen variants, respectively.

October Challenge


We wish you the best of luck in the challenge.

Alessandro Banzer
