Quiz: SAP security best practices

Learn best practices for SAP security and how to bulletproof your system in this new quiz. Test yourself on security and all related topics, like passwords, authorizations, user IDs, defaults and transactions.

February is security month. Take this SAP security quiz to determine how knowledgeable you are about securing your SAP system and apps and whether you need to hone your security skills.

Take the quiz today. Then send us an e-mail with your score to be entered to win SAP Planning: Best Practices in Implementation.
Good luck!

How to take the quiz:

- After reading the question, note the letter of your answer.
  NOTE: Some questions may have more than one appropriate answer!
- Check your answers by clicking the link to the answer key at the end of the quiz.
- To learn more about a topic and the correct response to the question, open the link that follows the response on the answer page.

Are you ready? Let's see how you score!


1. Say you have a transaction code that must be locked down so no one can use it. How can you lock and unlock this transaction?

a) Use R3trans and tp utilities with tp unlck and tp lock at the operating system.
b) Use transaction sm01 to find the transaction and lock/unlock it.
c) Run report rslocktrans from se38 and enter the variant value for the desired transaction and the lock/unlock checkbox.
d) Always use the ABAP workbench to lock transactions.

2. How do you set up and use system auditing of transactions?

a) Enter the filter criteria in sm19 and activate the trace. Read results with sm20.
b) Use SQLplus to query the history table and select data based on user ID.
c) Use pa20 to get the personnel number of an employee and then search usr01 for transactional history.
d) You must install the ST-PI add on software to allow transactional auditing.

3. In newer versions of SAP, Central User Administration (CUA) is active by default for distribution of user IDs and roles amongst remote systems.

a) True
b) False

4. How can you broadcast a message to all users of the SAP system?

a) SAPmail has functions to display system messages to broadcast to all users.
b) Transaction sm02 will provide text boxes to submit a system-wide message.
c) This must be set up as a profile parameter (login/messagecreate=true). Once the value is set, users can send it with the options under menu path system->status.
d) Only users with SAP_ALL authorizations can broadcast from transaction sm03.

5. What SAP default user is installed with SAP and how can you disable this user to prevent security holes?

a) SAP* -- Set the profile parameter login/no_automatic_user_sapstar to a value greater than zero.
b) SAP* and DDIC -- Use transaction su01 to delete the user IDs.
c) SAP* -- This user can't be disabled as it is the backdoor for SAP to log in to your system.
d) Use SQLplus to delete the user IDs DDIC and SAP*.

6. What are the SAP default usernames and passwords?

b) DDIC = 19920706, SAP* = PASS
c) DDIC = change at login, SAP* = change at login

7. What fundamental authorization object is to be used as the first line of defense in checking authorization for a transaction code?

a) S_tcode
b) Auth_init_check
c) Init_tcode_check
d) A_tcode

8. When a user is denied authorization when trying to access SAP information, what transaction will provide the name of the authorization object that caused denial to the transaction?

a) Transaction suim. Reports run from this transaction and it displays the objects along with the transaction under the user's dropdown.
b) Transaction su53. Run transaction su53 as the unauthorized user immediately after the authorization failure is displayed.
c) Transaction se38. Run report rsdispusrauth to show the authorizations needed for each transaction. Then add those to the user ID's role.
d) Transaction pfgg. If you're using CUA, you must log in to the system where the failure occurred and check transaction pfcg against the user ID for the authorization object shown in the associated short dump.

9. Once you have verified that a role is missing an authorization, how can you check the role to validate and update the current actions that are allowed?

a) Use the role mapper utilities to see if a user is part of the correct group.
b) In transaction su01, add sap_new profile to the user ID and have them log out and log back in.
c) Use transaction PFCG to check the role to be added or altered for that user ID and turn on technical names to view detailed data on the authorization object.
d) You must create a new role for that user so they can access the desired data.

10. What tables make up the majority of the user master records? (Hint: If I wanted to find user master data, what table names can I search in se16 to validate user data on specific keys?)

a) Us*
b) Psapuser
c) User master records are keyed from several different tables so unlike other SAP master records, user master is unique.
d) Sapr3.userdata

11. What does the term "technical names on" refer to?

a) This is the list of names of Basis users -- it can be displayed if you get the prompt: "Contact your system administrator".
b) This is a profile-generator menu option that puts the technical name of the authorization object next to the long text, so the required authorization name can easily be identified.
c) This is a parameter that needs to be set to on for Early Watch Reports and Alerts.
d) This is a reference that was used for viewing ABAP security codes in older versions of SAP (prior to version 4.6x).

12. When displaying SAP content using a Web browser, what is an effective way to ensure that data is protected from hackers?

a) Use Secure Sockets Layer (SSL)
b) Use an intermediate server to act as a proxy for your Web content.
c) A and B.
d) None of the above.

13. What table names contain profile change history?

a) usr10, usr12
b) ush10, ush12
c) sapr3.usr01, sapr3.usr10

14. What is the best way to list all profile parameters that pertain to login-sensitive rules and policies (i.e., login/password_expiration_time)?

a) Run report rsparam from sa38 and select the checkbox for the unsubstituted values. Then search the report for the keyword "login." This will display the login parameters for the system.
b) Use transaction rz10 to display all parameters.
c) From the operating system, view all parameters from the profile directory.

15. If you forget your password and can't get into your system, what back door can you use to reset it?

a) Delete SAP* from the DB using SQLplus and then log in as SAP* again with password=pass if SAP* is allowed.
b) You will need to open a message with OSS and they can provide you with a user name and password that can be used once to gain access.
c) You can log in to a different client number and change the password from there.