How do you check that only appropriate users have access to sensitive data in the production system?
Confirm that the user group SUPER is assigned to all administrators using the transaction SUGR
Search for sensitive transactions calls by business users in the security audit log using transaction SM20
Search for roles containing critical authorization objects assigned to users in the production system using transaction SUIM
Check if SAP standard roles are assigned in production systems
Who can implement the recommended security measures after a security check session is complete?
The customer`s auditor
SAP Active Global Support (AGS)
The project Manager
SAP Consulting
The customer’s security team
What tools allow to create, modify and remove users and assign authorizations in SAP and non-SAP systems?
SAP NetWeaver Identity Management (IdM)
SAP GRC Access Control module Access Request Management (ARQ)
SAP Central User Management ( CUA)
SAP Solution Manager
When ABAP is used as a data store for the user management engine (UME), what Java objects are mapped to ABAP…?
Groups
Actions
Roles
Users
What are the requirements of a mutual trust relationship between two SAP Systems? Note: There are two correct answers to this question.
Each system must have its timeout mechanism set to inactive
Each system must have the same security level requirements
Each system must disable modifications to the system ID, system number and destination name
Each system must be defined in the corresponding partner system
What can user type SYSTEM be used for?
For background processing
To receive additional authorizations
For dialog-free communication
For a dialog logon
What is the SAProuter for? Note: There are two correct answers to this question.
Controlling and logging connections to SAP systems
Replacing the corporate firewall
Load balancing for better network performance
Granting access to only selected SAP router and systems
How can you assign roles to a user in a back-end system using SAP NetWeaver Identity Management?
A. Assign by associating the users with the variable MISKEY
B. Assign as tasks that includes roles
C. Assign as privileges with the attribute MXREF_MX_PRIVILEGE
D. Assign by starting the SU01 transaction from the Identity Management Control
What information is stored in the SAP logon ticket? Note: There are three correct answers to this question.
Validity period
Issuing system
Receiver system public key
User password
User ID
Which of the following checks are performed by SAP Early Watch Alert (EWA)? The are 3 correct answers
Performance check
Configuration check
Communication posts check
SAProutlab check
Landscape check
In what table are the relationships between transaction codes and start authorization objects stored?
TSTCT
TOBU
USOBX
TSTCA
What are some of the steps required to configure secure socket layer (SSL) for the SAP Web Dispatcher?
Create entrees with deny (D) at the end of SAProutlab file
Create a personal security environment
Restart the SAP Web Dispatcher after configuration
Restart the SAP backend server after changing the SAP Web Dispatcher
For what reasons do you install the SAP NetWeaver single sign-on (SSO) components?
Secure Login Library is used as a cryptographic library for SAP Netweaver as ABAP
Secure Login Server is used as a central service to provide X 509 user certificates
Secure Login Client is used as a server application that provides security tokens
Secure Login Library is used as a cryptographic library for SAP Netweaver as Java
How does the security policy profile in the user management engine (UME) behave using basic authentication?
For the “default” security policy profile, it is possible to log on to AS Java and a password change is forced
For the “unknown” security policy profile, the log on to AS Java depends on AS ABAP user type
For the “internal service user” security policy profile, it is possible to log on to AS Java
For the “technical user” security policy profile, a password change is forced
What are some of the uses for secure network communication (SNC)?
Encrypting a LDAP connection to a LDAP directory
Protecting the integrity of transmitted data
Encrypting a HTTP connection between web browser and application gateway
Providing cryptographically strong mutual authentication
Which login module flag has the following behaviour? “If the authentication is successful, control returns to the application, otherwise the authentication proceeds…”
Required
Optional
Requisite
Sufficient
What are the capabilities of SAP Web Dispatcher? Note: There are three correct answers to this question.
Re- encrypts secure sockets layer (SSL) encrypted requirements
Enables deep packet inspection of TCP/IP traffic
Filters URLs of http/https requests
Replaces a firewall
Enable load balanced
Which setup steps in an SAP Human Capital Managements (HCM) system to transfer data to an SAP NetWeaver?
Maintain attribute mapping
Import the staging area template
Create an identify store for data staging
Create the export query
What type of personal security environment (PSE) is used by default on an ABAP server acting as a client in a secure sockets…?
Standard SSL client PSE
Anonymous SSL client PSE
Individual SSL client PSE
System SSL client PSE
Which algorithms are used in symmetric key encryption? Note: There are three correct answers to this question.
Digital Encryption Standard (DES)
RSA
International Data Encryption Algorithm (DEA)
(D-H)
Advanced Encryption Standard (AES)
Which of the following is management required to do under section 404 of the Starbanes-Oxley Act?
Conduct internal survey of security procedures
Document the design of significant controls
Identify resulting issues and monitor remediation
Enforce internal audit recommendations
Perform an evaluation of control design and effectiveness
What are the functions of the SAP NetWeaver Identify Management (IdM) dispatcher? Note: There are three correct answers to this question.
Writing data to external repositories
Updating the identify stores
Monitoring the execution queues
Evaluating task and workflow expressions
Starting a runtime engine when a job or a task is to be executed
How do you create a connector to an SAP back-end system using SAP Netweaver Identify Management (IdM)?
Implement a central user management system and create an RFC connection
Create roles in the target system using an initial load job
Create a repository containing access data to the target system
Create a computing centre management system (CCMS) job in the back-end system
What object is used to grant administration rights to users administrators in a child system from the Central User Administration?
S_USER_GRP
S_USER_AGR
S_USER_SYS
S_USER_SAS
What is SAProuter used for? Note: There are two correct answers to this question.
To route HTTP protocols inside a customer network
To grant access to encrypted connections from a known partner
To route SMTP protocols inside a customer network
To grant access only to other selected SAProuters
How does the system parameter “login/disable_multi_gui_login” with value =1 affect a service user?
Only profiles can be assigned to the service users
A check for password expiration is always performed for the service user at logon
Multiple logons are allowed for the service users
A password is always required for the service user
Which of the following is a signature algorithm?
Message Digest Algorithm (MDA)
US Secure Hash Algorithm (SHA)
International Data Encryption Algorithm (IDEA)
Where is the user-relevant data stored when an SAP System is connected to an LDAP server? Note: There are two correct answers to this question.
In AS Java the user-relevant data is stored both in the AS Java and on the LDAP Server
In AS Java the user-relevant data is stored on the LDAP server
In AS ABAP the user-relevant data is stored only in the LDAP server
In AS ABAP the user-relevant data is stored both in the AS ABAP and on the LDAP
How can a critical table containing sensitive data be protected using the authentication object S_TABU_DIS?
The tables containing sensitive data have to be named using the authorization object S_TABU_NAM for all responsible administrator
The tables containing sensitive data have to be associated with table groups in table TBRG
Authorization table groups containing tables with sensitive data have to be declined in table TDDAT and these must be omitted for…
The field DICBERCLS of the authorization object has to enumerate all table names of the tables containing sensitive data
What can SAP Systems use to communicate with another SAP systems or a non-SAP system using a Remote Function Call (RFC)?
Hypertext Transfer Protocol (HTTP)
Simple mail Transfer Protocol (SMTP)
Application Programming Interface (API)
Hypertext Transfer Protocol Secure (HTTPS)
In which project phase do you determine the structure of the role design?
Preparation
Implementation
Analysis and conception
Quality assurance and tests
What data sources does the user management engine (UME) support?
Directory service using LDAP
ABAP based repository
Internal system database
Universal description, Discovery and Integration (UDDI) provider
Database management system (DEMS) provider
What data store is used to show the implemented SAP Notes in the Security Optimization Service?
ABAP_TRANSPORTS
ABAP_NOTES
RSECNOTE
SECSNOTE
How can you build access rights for security administrators, IT administrators, master data administrators and auditors for business…?
a. Analyse business needs b. Check SAP delivered roles c. Generate profiles for SAP roles d. Assign these roles accordingly
a. Analyse business needs b. Check SAP delivered roles c. Create custom roles d. Assign these roles accordingly
a. Check SAP delivered roles b. Add rights into SAP delivered roles c. Generate profiles for SAP roles d. Assign these roles accordingly
a. Analyse business needs b. Create roles without extended access c. Generate profiles for the custom roles d. Assign these roles accordingly
Which of the following are value-added features of the Virtual Directory Server (VDS)? Note: There are three correct answers to this question.
Attribute Mapping
Filtering
User provisioning
Value conversion
Approvals workflow
Your customer is using the GRC Access control module Emergency Access Management (EAM). Which user receives a session protocol after a firefighter super user session has ended?
EAM controller
Super user auditor
EAM administrator
Security audit log reviewer
How do you secure access to custom data? Note: There are three correct answers to this question.
Lock transaction SE 16N to prevent access to custom data
Assign authorization for transaction SA38 to users who have access to custom data
Ensure that proper controls are in place if custom programs or function modules access critical tables
Include AUTHORITY-CHECK statements for all custom programs that access custom data
Link custom programs to custom transactions codes
For what can you use Assertion tickets?
For system-to-system communication with 1 to n recipients
For system-to-system communication using RFC or HTTP
For system-to-system communication with 1 to n recipients where immediate consumption is needed
For system communication using cross-system single sign-on (SSO)
What are the SAP best practices to build SAP ABAP access rights to differentiate between administrators such as the IT administrators?
Create roles based on traces made with STATUTHRACE and assign them to the appropriate users
Generate profiles for SAP delivered roles and assign them to the appropriate users
Define the transactions administrators should be able to use, create appropriate PFCG roles and assign those roles to the…
Assign SAP delivered profiles to the appropriate users
What are some components of the Virtual Directory Server (VDS)?
Overload control and request prioritizing
Extensible transformation framework
In-memory cache
Identify store
Abstraction layer
What functions of the Virtual Directory Server (VDS) secure access to data in VDS repository?
Attribute filtering
Value mapping
Data join
Logging
Namespace conversion
What is the user management engine (UME) property “connection pooling” used for?
To create a new connection to the LDAP directory server for each request
To improve performance of requests to the LDAP directory server
To avoid unauthorized request to the LDAP directory server
To share server resources among requesting LDAP clients
What is the default SSL Port Number of the ABAP Internet Communication Manager (ICM) if the instance number of the …?
3334
33443
3333
44333
Why do you use table logging?
To log changes in application data
To log changes in master data
To log changes in customizing tables
To log changes in table technical settings
How is a support user password communicated securely to SAP support?
Written in an encrypted email to the support employee with an sap.com email address
By enabling the Early Watch user and setting the password to SUPPORT
Included in the support message with the username
Delivered via the secure store in the SAP Service Marketplace
The following shows an example of the command line entry to star the Microsoft Windows SAP GUI. Sapgui.exe.host1 01 SNC_PARTNERNAME = “p.CN=sap01.host1, OU=TEST01, O=myCompany, C=US…” What SNC_QOP parameter value does the client sent to the server to achieve the maximum level of protection?
8
9
12
1
Which of the following threats modify the IP address of the source of the TCP/IP packet?
Structured Query Language (SQL) injection
Cross-site scripting (XSS)
Spoofing
Message flooding
What services does the SAP NetWeaver Identity Management (IdM) identify Centre Provide?
Exposure of the identify store
External communication
Provisioning
Data synchronization
Which of the following categories of Remote Function Call (RFC) communication use the SAP Gateway?
Started RFC server program
Gateway security program
ABAP RFC
Registered RFC server program
RFC client program
You have to setup a Remote Function Call (RFC) connection between a SAP ERP system and a central SAP NetWeaver. What user type do you use to secure these activities?
System
Dating
Communication
Service
The Emergency Access Management (EAM) administrator of an SAP system wants to create a support user account. How can a support user be enable to access a firefighter ID with support authorizations? Note: There are three correct answers to this question.
The firefighter controller assigns the support user to the firefighter ID
The EAM owner of the firefighter ID maintains the association to the responsible support user
The EAM firefighter ID user has to be assigned to the role Z_SAP_GRAC_SPM_FFID
The EAM administrator has to provide the password to the end user for the firefighter ID users who is responsible for…
The roles Z_SAP_GRC_FN_BASE and Z_SAP_GRC_FN_BUSINESS_USER must be assigned to the support user…
What security-related functions does SAP Web Dispatcher support? Note: There are two correct answers to this question.
Intrusion prevention
Packet filter
Reverse proxy
Application-level gateway
Using the hybrid encryption method, which of the following is safely transmitted only once between the communication partners?
Private key
Public key
Secret key
Private/Public key pair
What tasks do you perform in the business blueprint phase to define the authorization concept for an AS ABAP- based systems? Note: There are two correct answers to this question.
Select the internal and external members of the project team
Build a project plan to implement an authorization concept
Determine the business requirements for the customer doing the implementation
Define the authorization concept for how roles should be built
To be compliant with regulations such as Sarbanes Oxley, you want to check your authorization assignments against defined… How does SAP recommend you find violations to SoDs in SAP systems?
Use report RSUSR0008_009_NEW appropriate variant
Use SAP governance, risk and compliance with a configured SoD matrix
Use transaction SUIM
Use STAUTHTRACE
You download and upload PFCG roles between SAP ABAP systems. After assigning these roles in the destination system to… How can you prevent this situation? Note: There are two correct answers to this question.
Check user profiles after upload in the destination system
Assign roles and reconcile the user master data after the upload
Generate profiles of the roles immediately after the upload
Change number range for transports in the destination system
Which of the following are the default components of a distinguished name (DN)? Note: There are three correct answers to this question.
Organization unit
Country
Position
Job
State
In SAP NetWeaver Application Server Java, where do you configure additional posts for SSL, before you can start using…?
In the Certification Authority (CA) inventory
In the Internet Communications Manager (ICM)
In the table STRUSTSSL
In the table USREXTID
What must you do to secure the Microsoft Windows client environment for the SAPGUI user interface?
Replace the saprules.xml file in the installation directory
Make special permissions to files in the installation directory available to the end user
Protect the registry key by disallowing user access to the reedit program
Save the SAPGUI client user security rules file “saprules.xml” in the directory %APPDATA%/SAP/Common
Use the SNC Client Encryption software for the SAPGUI
What authorization object is checked when a user selects an ABAP Web Dynpro application to execute?
S_PROGRAM
S_START
S_SERVICE
S_TCODE
What are some of the users for secure network communication (SNC)? Note: There are two correct answers to this question.
What elements are included in the Personal Security Environment (PSE)? Note: There are three correct answers to this question.
The certificates of trusted certificate authorities
The private key
The password hash of the user account
The public key certificate
The secure network communication name of the user
What activity is performed to manage SAP user licenses?
Run the RSURS200 report to viewer users by logon date and password change
Execute the AL08 transaction for an overview of active users
Run the RSURS002 report to view users by complex selection criteria
Run the RFALD006_BCE report to view the number of user master records
64. Which of the following tools can be used in SAP Solution Manager to view the health and status of management…?
SAP Security Optimization Service
SAP User information System
SAP Security Audit Log
SAP Computing Centre Management System
SAP Early Watch Alert
Why do you use the SAP User Information System? Note: There are three correct answers to this question.
To display the transactions contained in roles
To compare users across SAP systems
To list the users logged on to the SAP systems
To report authorization errors
To compare roles within an SAP system
What is the correct sequence of steps to enable secure network communication (SNC) on SAP NetWeaver AS..?
a. Create on import SNC personal security environment (PSE) b. Establish trust relationship c. Set SNC profile parameters d. Create credentials e. Install SAP Cryptographic library f. Restart Application Server Java
a. Install SAP Cryptographic library b. Create on import SNC personal security environment (PSE) c. Create credentials d. Establish trust relationship e. Set SNC profile parameters f. Restart Application Server Java
a. Set SNC profile parameters b. Establish trust relationship c. Create credentials d. Install SAP Cryptographic library e. Create on import SNC personal security environment (PSE) f. Restart Application Server Java
a. Install SAP Cryptographic library b. Create credentials c. Create on import SNC personal security environment (PSE) d. Set SNC profile parameters e. Establish trust relationship f. Restart Application Server Java
What features are common to both virtual directory and synchronization methodology? Note: There are two correct answers to this question.
Enabling multiple access points to data
Modifying name spaces
Preventing LDAP access to data
Manipulating attribute values
What does authorization object S_SPO_ACT with value _USER_ allow?
Grants access to all spool requests in the current client
Grants access to your own spool requests
Grants access to named user requests
Grants access to all spool requests in all clients
What are the benefits of the Audit Information System (AIS) to companies? Note: There are three correct answers to this question.
Offers two types of audit reports: system and business
Roles are built from modes in the implementation guide (IMG)
Report selection variables are configured quickly during setup
In used by both internal and external auditors
Starts with aa single transaction code SECR
You have sensitive roles created in SAP ERP systems. What can you do to restrict the assignment of these roles to only the appropriate users? Note: There are two correct answers to this question.
Use transaction SUIM to check the assignment of sensitive roles to users
Implement and use the Access request Management module of SAP Governance Risk and Compliance
Create appropriate roles and assign these roles to the right users to protect the assignment
Configure the audit system to check the usage of sensitive actions
You have to setup a Remote Function Call (RFC) connection between a SAP ERP system and a central SAP Netweaver… What user type do you use to secure these activities?
Dialog
What are the sequence steps to determine the authorizations for users using the PFCG role administration tool?
a. Update the user master records b. Edit and generate authorization profiles c. Assign transactions to job descriptions d. Maintain roles using role maintenance e. Assign user
a. Assign user b. Maintain roles using role maintenance c. Assign transactions to job descriptions d. Edit and generate authorization profiles e. Update the user master records
a. Assign transactions to job descriptions b. Maintain roles using role maintenance c. Edit and generate authorization profiles d. Assign user e. Update the user master records
a. Assign transactions to job descriptions b. Maintain roles using role maintenance c. Assign user d. Update the user master records e. Edit and generate authorization profiles
How do you analyse when and by whom profiles where assigned or deleted?
Open the role and review the users tab in the transaction PFCG
Run the RSUSR100 report with appropriate filters
Start the SM20 transaction to view the security audit log
Review the tab profiles in the transaction SU01
At what levels of authorization do you differentiate access right within AS ABAP roles? Note: There are two correct answers to this question.
Transaction
User parameter
User type
Authorization object
What are the goals of SAP Governance Risk Compliance (GRC) Global Trade Services? Note: There are three correct answers to this question.
Increase margin contribution
Optimize the cross-border supply chain
Automate manual tasks
Better management of global trade operations
Ensure ongoing compliance
What can you find in the SAP Solution Manager System Recommendations? Note: There are two correct answers to this question.
HotNews
Relevant operating system updates
Correction notes for ABAP and Java
Customer support messages
What is mandatory to establish a connection with SAP Support?
A domain reverse to establish proxy must be mentioned in the SAP Support ticket
SAP service Marketplace system ID must be associated with the support employee
The S-User ID and the password of the requestor must be mentioned in the SAP Support ticket
The SAProuter must be configured in the customer’s Solution Manager.
What does the sap security optimization service deliver? (3)
Analyses security vulnerabilities within an enterprise `s SAP Landscape to ensure optimal protection against intrusions
Analysis your operating system database and entire SAP system to ensure optimal performance and reliability
Check the SAP systems and SAP middleware components against defined configurations
Prioritices and delivers results with recommendations to resolve identified vulnerabilities
Modifies system parameters to resolve security issues.
What user type is recommended for Remote Call Function (RFC) communication in a central user administration (CUA) environment?
Reference
Which component are requires to perform changes via the transport system in a secure way? (2)
Basis administrator authorizations are assigned to customize the production system
S_TRANSPRT authorization object is needed by the transport administrator
Developer authorizations must be assigned in production environment
TMSADM is needed as the Remote Function Call (RFC) user
