ADM950 Flashcards Jmx

DESCRIPTION

SAP Security2 doc

Transcript

ADM950 SAP Security consultant certification flashcards julien.moix@gmail.com

The security policies are created by the security team in isolation from the business team. Determine whether this statement is true or false.

False

SAP offers many types of systems and applications. Each type of SAP system (mySAP CRM, SAP BW, SAP R/3, mySAP SRM, SAP APO) is so varied that the systems do not share security tools or security services. Determine whether this statement is true or false

False

The following tools are available for conducting thorough system security audits. A Role maintenance tool B System audit log C CCMS security alert D System trace tools E Users and Authorizations information systems F All of the above

Answer: F

The Audit Information System is intended for external audits only.

False

All of the menu roles for the Audit Information System start with . The authorization roles start with .

SAP_AUDITOR SAP_CA_AUDITOR

Configuring the Audit Information System requires downloading a specific support package.

False

To use the Audit Information System, you must use transaction SECR.

Answer: False

The instance parameters that relate to the audit log include rsau parameters. Determine whether this statement is true or false

Answer: True

The security audit log only logs user connections made by RFC connections. Determine whether this statement is true or false

False

Which of the following are benefits of creating a custom t-code to link SE16 to a specific table? A You no longer need to grant access to transaction code SE16. B With your custom transaction code, you can look at any table. C With your custom transaction code, you can look only at the table specified in the transaction code. D Custom transaction codes can be easily created, without requiring any programming.

Answer: A, C, D

Which authorization objects can you examine to determine if security is administered centrally or regionally? A S_USER_GRP B S_TCD_GRP C S_USER_AGR D S_USER_ADD

Answer: A, C

Which of the authorization objects protect transaction code execution? A S_TCODE B P_TCODE C Q_TCODE D X_TCODE

Answer: A, B, C

SAP recommends that each custom report and each custom program be linked to a custom transaction code. Determine whether this statement is true or false

Answer: True

S_PROGRAM is an authorization object that protects program execution. Determine whether this statement is true or false

Answer: True

is a program that assigns authorization groups to ABAP programs.

Answer: RSCSAUTH

You should be careful with the authorization object because it can enable someone to enter DEBUG mode in production.

Answer: S_DEVELOP

Once a user is changed, there is no way to see who changed the user. Determine whether this statement is true or false

Answer: False

The Authorization Group field is used only for protecting reports and tables. Determine whether this statement is true or false

Answer: False

Which of the following are logs that exist in an SAP system? (More than one answer is correct). A Webflow logs B Application logs C Change documents logs D User and authorization change logs E None of the above

Answer: A, B, C, D

SU24 must be set up before implementing any roles. Determine whether this statement is true or false

Answer: False (Optional feature)

SU24 requires programming changes to make the default values occur. Determine whether this statement is true or false

Answer: False

The following logon parameters can be used to ensure your system is adequately secured. A logon/fails_to_user_lock B logon/min_password_specials C logon/min_password_diff D logon/named_super_user

Answer: A, B, C

SAP recommends that you separate your system from your system.

Answer: Development, Production

Which of the following are security advantages to a three-tier landscape? A Ensure changes occur only on development system. B Ensure changes occur only on your production system. C Developers do not have access to production data. D You control when changes are moved into production. E You can test changes in a QA system.

Answer: A, C, D, E

What type of approval does SAP recommend before moving changes into production?

SAP QA approval procedure that formalizes the approval and review workflow

SAP recommends a three-tier system landscape including development, quality assurance, and production. Determine whether this statement is true or false

Answer: True

Client change options should always be set to No changes allowed. Determine whether this statement is true or false

Answer: False

SAP does not provide a QA approval procedure for changes being moved into production. Determine whether this statement is true or false

Answer: False

The user ID used in the RFC destination should be a dialog user. Determine whether this statement is true or false

Answer: False

Authorization object is used to protect what names job steps are scheduled to run under.

Answer: S_BTCH_NAM

6 aspects that might be considered in a security policy

- User authentication (Password rules, Monitoring)
- Authorization protection
- Auditing and logging (AIS, Security audit log, )
- Integrity protection
- Privacy protection
- Proof of obligation (non-repudiation)

7 questions that a security policy should address?

Who is responsible for your IT security? What needs to be protected? Who is attacking? What is the risk? Which protection mechanisms are required? Which procedures are to be enforced? How much protection can you afford?

6 tools available to help provide answers to the questions that arise during a system security audit:

- Audit Information System
- Authorization Information System
- System Audit Log
- Computer Center Management System Alerts
- Trace tools
- Role maintenance tool (PFCG)

What are the 3 major components of the Role maintenance tool (PFCG)?

- menu
- authorizations
- users

What are the 2 types of roles implementation strategy?

- Menu roles
- Authorization roles

What are the 2 major categories of the AIS

- system audit (general system, users and authorizations, repository and tables)
- business audit (accounting, customer, vendors, asset, tax)

What was the transaction used by SAP in the past to access the AIS

In the past, the Audit Information System existed in a single transaction code, SECR

What are the two major groups of SAP Standards roles defined for the Audit Information System

- Menu roles (SAP_AUDITOR*) (only menu items; no authorizations)
- Authorization roles (SAP_CA_AUDITOR*) (only authorizations, no menu items listed)

What is the SAP standard composite menu and authorization Role which contains every role in the AIS?

- The menu roles: SAP_AUDITOR
- The authorization roles: SAP_CA_AUDITOR

What are the 4 steps required to set-up the AIS

- Copy the SAP roles to your own naming convention
- Update the roles (as needed)
- Create a user for the auditor
- Assign the roles you created to the audit user

Which SAP Standard role allows you to set up the AIS?

SAP_AUDITOR_ADMIN

What is the audit log's main objective? (3 points)

- Security-related changes to the SAP system (changes to user master records)
- Higher level of transparency (successful and unsuccessful logon attempts)
- Enables the reconstruction of a series of events (successful or unsuccessful transaction starts)

Which 7 information types can be recorded with the Security audit log?

- Successful and unsuccessful dialog logon attempts
- Successful and unsuccessful RFC logon attempts
- Remote function calls (RFCs) to function modules
- Successful and unsuccessful transaction starts
- Successful and unsuccessful report starts
- Changes to user master records
- Changes to the audit configuration

SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Which transaction is used in order to archive or delete the audit files?

SM18

How do you define the audit file name and location?

You define the name and location of the files in a profile parameter, rsau/local/file.

What information (9 items) is contained in an audit record?

- Event identifier (a three-character code)
- SAP user ID and client
- Terminal name
- Transaction code
- Report name
- Time and date when the event occurred
- Process ID
- Session number
- Miscellaneous information

How do you define the maximum size of the audit file?

You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default value is 1 megabyte (MB), i.e. 1000000 bytes.

What happens if the maximum size of the audit file is reached?

If the maximum s