Interested in SAP Security Interview Questions? Click here for Free Sample Questions with explanations
These questions are similar to the ones asked in the actual Test.
How should I know? I know, because I have recently certified with the latest version of the Security Professional Certification test.
Before you start here are some Key features of the Security Professional Certification Exam
– The exam is Computer based and you have three Hours to answer 80 Questions.
– The Questions are (mostly) multiple choice type and there is NO penalty for an incorrect answer.
– Some of the Questions have more than one correct answers. You must get ALL the options correct for you to be awarded points.
– The Official Pass percentage is 65% (But this can vary). You will be told the exact passing percentage before you begin your test.
Q1. The AS ABAP categorizes users into several types for different purposes. Which of the following are NOT valid user types in AS ABAP.
The following User Types exist in the AS ABAP system.
User Type Purpose
Dialog Individual, interactive system access.
System Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Communication Dialog-free communication for external RFC calls.
Service Dialog user available to a larger, anonymous group of users.
Reference General, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.
Q2. Security Java security roles on the AS Java can be defined either globally or locally. Which of the following are globally defined security roles in AS Java?
Answer: a, b, d
The following standard roles exist.
All Security role used as a sum of all roles defined on the AS Java.
Administrators This role has unrestricted administrative permissions over the applications and services on the AS Java.
Guests This role has read-only permissions on the AS Java.
KeystoreViewCreator This role has permissions to only create new keystore views. By default only the Administrators user group is mapped to this role.
Q3. The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access.
Which of the following statements are False?
a) Business objects or transactions are protected by authorization objects
b) The authorizations are combined in an authorization profile that is associated with a role.
c) Authorization Changes only take effect when the user next logs on to the system.
d) Aggregated Profile Consists of any number of authorization profiles.
e) The objects (such as authorizations, profiles, user master records, or roles) are assigned independent of client.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee.
The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
The following diagram shows the authorization components and their relationships.
Composite profile consists of any number of authorization profiles.
Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
If you change authorizations, all users whose authorization profile contains these authorizations are affected.
As a system administrator, you can edit authorizations in the following ways:
● You can extend and change the SAP defaults with role administration.
● You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
The objects (such as authorizations, profiles, user master records, or roles) are assigned per client.
If you develop your own transactions or programs, you must add authorizations to your developments yourself (see Authorization Checks in Your Own Developments).
Q4. The AS ABAP communicates with its communication partners using various protocols. Each of these protocols use a specific security mechanism.
Which of the following protocols are matched up correctly with the security mechanism?
a) DIAG – SSL
b) RFC – SSL
c) HTTP – SNC
d) LDAP – SSL
AS ABAP Protocols are as below:
Protocol Security Mechanism
Q5. Functions in the SLD are protected from unauthorized access. For this purpose, you can find several AS Java security roles and User Management Engine (UME) actions that are assigned to different SLD functions.
Before you can use SLD, you have to map these roles and actions to individual users or user groups.
Which of the following user groups, exist in the standard system, and are matched correctly to the permissions they carry?
a) SAP_SLD_GUEST – Read access to SLD Data
b) SAP_SLD_DEVELOPER – Create, modify, and dlete CIM instances of the Name Reservation subset (includes all read permissions)
c) SAP_SLD_DATA_CONSUMER – Data consumer without access to the SLD UK
d) SAP_SLD_ADMINISTRATOR – Administrative tasks (Includes all other roles)
Answer: a, b, d
The following User groups exist in the system:
SAP_SLD_GUEST Read access to SLD dataUME Role/User Group Permissions
SAP_SLD_GUEST Read access to SLD data
SAP_SLD_SUPPORT Read-only access to all SLD data and UIs, including the Administration area (used for SAP support)
SAP_SLD_CONFIGURATOR Create, modify, and delete CIM instances of the Landscape Description and Name Reservation subsets (includes all read permissions).
SAP_SLD_DATA_SUPPLIER Create, modify, and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI.
SAP_SLD_DEVELOPER Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions).
SAP_SLD_ORGANIZER Create, modify, and delete all types of CIM instances (includes all read permissions).
SAP_SLD_ADMINISTRATOR Administrative tasks (includes all other roles)
Q6. With reference to the LDAP directory, and the UME, which of the following are true?
a) The LDAP directory can either be connected as a read-only data source or as a writeable data source
b) The UME can support Users as a tree or a Flat hierarchy
c) The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.
d) If you are using an LDAP directory with a deep hierarchy, you can assign users or groups as members of another group using the UME user administration tools.
Answer: a, b, c
User Management Engine (UME) can use an LDAP directory as its data source for user management data.
The LDAP directory can either be connected as a read-only data source or as a writeable data source.
Some of the Key features of the LDAP directory are:
● The LDAP directory has a hierarchy of users and groups that is supported by UME. The hierarchies supported by UME are:
○ Groups as tree
○ Flat hierarchy
● The administrator of the LDAP directory must create a user that UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If UME also needs to write to the LDAP directory, the user must additionally have create and change authorizations.
● The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.
● You should not create groups with the names of the default groups, that is Everyone, Authenticated Users, and Anonymous Users. If you create a group with one of these names through the native user interface of your LDAP directory, you will not get an error message, and your user management will no longer function correctly.
If you try to create a group with one of these names through the user management administration console, you will get an error message.
● Similarly, you should not create users with the same user ID as one of the service users used internally.
The service users adhere to the naming convention XXX_service, where XXX is the name of the corresponding application. Again, if you use the native user interface of your LDAP directory, you will not get a message, and your user management will no longer function correctly.
● If user management is set up with write access to an LDAP directory, the following restriction applies:
When assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory.
You can, however, assign users and groups stored in the LDAP directory to a group in the database.
● If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.
Even if you use the native tools of the LDAP directory, you should not move users or groups to a different location in the directory.
This is because the unique ID that the UME uses to uniquely identify the user or group contains the Distinguished Name of the user or group. If the user or group is moved to a different group in the LDAP directory, the Distinguished Name changes and, as a result, the unique ID changes as well. Any information about roles that were assigned to the user or group are lost.
Q7. You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape.
User management data is stored in a combination of an LDAP server and a database.
Which of the following data is written to and read from the LDAP server?
a) Additional data (for example, information about when a user was last changed)
b) Other principal types (for example, roles)
c) Groups (displayname, description, uniquename, and the group members)
d) User accounts (logonid, password, ID of the assigned user)
Answer: c, d
The following data is written to and read from the LDAP server:
● Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress. uniquename, and group membership – and any other attributes defined through attribute mapping)
● User accounts (logonid, password, ID of the assigned user)
● Groups (displayname, description, uniquename, and the group members)
The following data is written to and read from the database:
● Additional data (for example, information about when a user was last changed)
● Other principal types (for example, roles)
● Additional attributes (for example, attributes not covered by the standard object classes of the LDAP server)
Q8. The LDAP Connector is called using ABAP functions and communicates with the directory server using the Lightweight Directory Access Protocol (LDAP).
The connection with the directory server can be created with various analysis methods, such as simple binding or anonymously.
The above statement is:
The LDAP Connector is a software component that controls the access request of the SAP system to a directory server.
The LDAP Connector is called using ABAP functions and communicates with the directory server using the Lightweight Directory Access Protocol (LDAP).
The connection with the directory server can be created with various analysis methods, such as simple binding (user ID and password) or anonymously (guest account with no password).
Q9. The User Management Engine (UME) allows you to define a security policy. With reference to this, which of the following statements are true?
a) The number of failed logon attempts after which a user is locked, is defined in the security policy.
b) The UME security policy is independent of the security policy of the UME data source
c) You can define a security policy for the UME that is the same or stronger than the corresponding security policy in the backend system.
Answer: a, b, c
The User Management Engine (UME) allows you to define a security policy that controls aspects such as the length and content of user passwords and user IDs, the validity length of user passwords, or the number of failed logon attempts after which a user is locked.
The UME checks for compliance to this policy when users log on to the J2EE Engine, when users register themselves using the self-registration features of the UME, when users or administrators change user passwords in the J2EE Engine, or when administrators create new users on the J2EE Engine. If the security policy is not adhered to, the UME provides detailed error messages.
The UME security policy is independent of the security policy of the UME data source, in particular if the UME uses ABAP user management or an LDAP directory as a data source. It does not take into account any special features of the data source’s security policy.
This means that if the data source has defined its own security policy, there is no standard interface to pass on any error messages received from the data source to the UME user in the same level of detail and in the correct language. The user only receives a very generic error message.
For example, the UME security policy specifies a minimum password length of 6 whereas the ABAP user management defines a minimum password length of 8. When an administrator creates a user and defines a password of length 6 for the user, the password adheres to the UME policy but not to the ABAP policy.
As a result, the administrator gets a generic error message saying that the password is invalid, but not specifying why it is invalid.
There are two options to configure the security policy of the UME, both with different implications:
1. You define a security policy for the UME that is the same or stronger than the corresponding security policy in the backend system.
Result: Users and administrators receive detailed error messages.
Implication: Error tracing is easier because you only need to look in the log files of the UME. Only in very rare cases will you need to look in the log files of the data source (ABAP or LDAP)
Disadvantage: If the backend system can be accessed directly (for example an ABAP system) or serves as data source for other systems using a UME with different security policy settings, users or administrators might get different reactions for different access paths if the security policy is not the same.
2. You define a very relaxed security policy for the UME.
Result: The UME security policy is so relaxed that any violations against the security policy will take place in the data source. The UME does not pass on the error messages from the backend in full detail and as a result users and administrators receive generic error messages.
Implication: Users are confused as to how they violated the security policy. Error tracing becomes more difficult because you need to look in two locations, both in the UME log files and in the backend log files.
Q10. What are the best practices for establishing a connection type ‘ Establishing Trust for Server-Side authentication’ ?
a) Generate the key pair on the server component.
b) Use a public-key certificate that is signed and issued by a CA
c) Make sure the client components trust the issuing CA.
d) It is necessary for the server to verify the identity of the client component
Answer: a, b, c
SSL Scenario : Establishing Trust for Server-Side Authentication
In this case, the client component needs to verify the identity of the server component, however, it is not necessary for the server to verify the identity of the client component.
To establish the trust relationship for this type of connection when using either of the security products provided by SAP, the following are recommended:
• Generate the key pair on the server component.
• Use a public-key certificate that is signed and issued by a CA. In this way, it is easier to establish trust on the client components.
If you use a self-signed certificate for SSL, then each client has to import the server’s public-key certificate to establish the trust relationship.
• Make sure the client components trust the issuing CA. Most Web browsers are provided with a list of well-known CAs, however, if you are working with other client components, you must import the CA’s root certificate on this component.
Q11. The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems.
With reference to the SAP Cryptographic Library, which of the following are true?
a) You can only use the SAP Cryptographic Library for SNC between server components
b) The server must possess a public and private key pair and public-key certificate, which is stored in the server’s Personal Security Environment (PSE).
c) SAP Cryptographic Library can be used for SNC between server components as well as front end components.
d) At run-time, the server must have active credentials.
Answer: a, b, c
The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems. For example, you can use it for providing Secure Network Communications (SNC) between various SAP server components or for using the Secure Sockets Layer (SSL) protocol with the AS ABAP.
You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for front-end components (for example, SAP GUI for Windows), then you must purchase an SNC certified partner product.
When using the SAP Cryptographic Library for SNC, the following information is necessary for the communication infrastructure:
• The server and its communication partners must be configured for using SNC.
• The server must possess a public and private key pair and public-key certificate, which is stored in the server’s Personal Security Environment (PSE). Although you may obtain a certificate from a trusted Certification Authority (CA), for easier administration we recommend using a certificate that is signed by the server itself (self-signed). This documentation refers only to configuring the server when using a self-signed certificate.
• At run-time, the server must have active credentials. This is accomplished by using the configuration tool to “open” the server’s PSE.
• The server must be able to verify its communication partner’s identity. This is accomplished by importing the partner’s public-key certificate into the server’s own certificate list. As an alternative, you can use the same PSE for all server components.
More Questions? Have a look at: