The security policies are created by the security team in isolation from the business team. Determine whether this statement is true or false.
SAP offers many types of systems and applications. Each type of SAP system (mySAP CRM, SAP BW, SAP R/3, mySAP SRM, SAP APO) is so varied that the systems do not share security tools or security services. Determine whether this statement is true or false.
The following tools are available for conducting thorough system security audits.
A Role maintenance tool
B System audit log
C CCMS security alert
D System trace tools
E Users and Authorizations information systems
F All of the above
The Audit Information System is intended for external audits only.
All of the menu roles for the Audit Information System start with . The authorization roles start with .
Configuring the Audit Information System requires downloading a specific support package.
To use the Audit Information System, you must use transaction SECR.
The instance parameters that relate to the audit log include the rsau parameters. Determine whether this statement is true or false
The security audit log only logs user connections made by RFC connections. Determine whether this statement is true or false
Which of the following are benefits of creating a custom t-code to link SE16 to a specific table?
A You no longer need to grant access to transaction code SE16.
B With your custom transaction code, you can look at any table.
C With your custom transaction code, you can look only at the table specified in the transaction code.
D Custom transaction codes can be easily created, without requiring any programming.
Answer: A, C, D
ADM950 SAP Security consultant certification flashcards julien.firstname.lastname@example.org
Which authorization objects can you examine to determine if security is administered centrally or regionally?
A S_USER_GRP
B S_TCD_GRP
C S_USER_AGR
D S_USER_ADD
Answer: A, C
Which of the authorization objects protect transaction code execution?
A S_TCODE
B P_TCODE
C Q_TCODE
D X_TCODE
Answer: A, B, C
SAP recommends that each custom report and each custom program be linked to a custom transaction code. Determine whether this statement is true or false
S_PROGRAM is an authorization object that protects program execution. Determine whether this statement is true or false
is a program that assigns authorization groups to ABAP programs.
You should be careful with the authorization object because it can enable someone to enter DEBUG mode in production.
Once a user is changed, there is no way to see who changed the user. Determine whether this statement is true or false
The Authorization Group field is used only for protecting reports and tables. Determine whether this statement is true or false
Which of the following are logs that exist in an SAP system? (More than one answer is correct.)
A Workflow logs
B Application logs
C Change documents logs
D User and authorization change logs
E None of the above
Answer: A, B, C, D
SU24 must be set up before implementing any roles. Determine whether this statement is true or false
Answer: False (optional feature)
SU24 requires programming changes to make the default values occur. Determine whether this statement is true or false
The following logon parameters can be used to ensure your system is adequately secured.
A logon/fails_to_user_lock
B logon/min_password_specials
C logon/min_password_diff
D logon/named_super_user
Answer: A, B, C
SAP recommends that you separate your system from your system.
Answer: Development, Production
Which of the following are security advantages of a three-tier landscape?
A Ensure changes occur only on the development system.
B Ensure changes occur only on your production system.
C Developers do not have access to production data.
D You control when changes are moved into production.
E You can test changes in a QA system.
Answer: A, C, D, E
What type of approval does SAP recommend before moving changes into production?
SAP QA approval procedure that formalizes the approval and review workflow
SAP recommends a three-tier system landscape including development, quality assurance, and production. Determine whether this statement is true or false
Client change options should always be set to No changes allowed. Determine whether this statement is true or false
SAP does not provide a QA approval procedure for changes being moved into production. Determine whether this statement is true or false
The user ID used in the RFC destination should be a dialog user. Determine whether this statement is true or false
Authorization object is used to protect what names job steps are scheduled to run under.
6 aspects that might be considered in a security policy
User authentication (password rules, monitoring)
Authorization protection
Auditing and logging (AIS, Security audit log, )
Integrity protection
Privacy protection
Proof of obligation (non-repudiation)
7 questions that a security policy should address?
Who is responsible for your IT security?
What needs to be protected?
Who is attacking?
What is the risk?
Which protection mechanisms are required?
Which procedures are to be enforced?
How much protection can you afford?
6 tools available to help provide answers to the questions that arise during a system security audit:
Audit Information System
Authorization Information System
System Audit Log
Computer Center Management System Alerts
Trace tools
Role maintenance tool (PFCG)
What are the 3 major components of the Role maintenance tool (PFCG)?
Menu, authorizations, users
What are the 2 types of roles implementation strategy?
Menu roles Authorization roles
What are the 2 major categories of the AIS?
- system audit (general system, users and authorizations, repository and tables) - business audit (accounting, customer, vendors, asset, tax)
What was the transaction used by SAP in the past to access the AIS?
In the past, the Audit Information System existed in a single transaction code, SECR
What are the two major groups of SAP standard roles defined for the Audit Information System?
Menu roles (SAP_AUDITOR*): only menu items, no authorizations
Authorization roles (SAP_CA_AUDITOR*): only authorizations, no menu items listed
What is the SAP standard composite menu and authorization Role which contains every role in the AIS?
The menu roles: SAP_AUDITOR The authorization roles: SAP_CA_AUDITOR
What are the 4 steps required to set up the AIS?
1. Copy the SAP roles to your own naming convention
2. Update the roles (as needed)
3. Create a user for the auditor
4. Assign the roles you created to the audit user
Which SAP standard role allows you to set up the AIS?
What are the audit log's main objectives? (3 points)
Security-related changes to the SAP system (changes to user master records)
Higher level of transparency (successful and unsuccessful logon attempts)
Enables the reconstruction of a series of events (successful or unsuccessful transaction starts)
Which 7 information types can be recorded with the Security audit log?
Successful and unsuccessful dialog logon attempts
Successful and unsuccessful RFC logon attempts
Remote function calls (RFCs) to function modules
Successful and unsuccessful transaction starts
Successful and unsuccessful report starts
Changes to user master records
Changes to the audit configuration
SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Which transaction is used in order to archive or delete the audit files?
How do you define the audit file name and location?
You define the name and location of the files in a profile parameter, rsau/local/file.
What are the 9 pieces of information contained in an audit record?
Event identifier (a three-character code)
SAP user ID and client
Terminal name
Transaction code
Report name
Time and date when the event occurred
Process ID
Session number
Miscellaneous information
How do you define the maximum size of the audit file?
You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default value is 1 megabyte (MB), or 1,000,000 bytes.
What happens if the maximum size of the audit file is reached?
If the maximum s