Security interview questions - some fun to tickle your brain.

Former Member
0 Kudos

Hello gurus,

I know that posting interview question series are not allowed if the person has not put in any effort, but I have and folks seem to want to practice a bit sometimes so I take the liberty of creating a central one.

Tackle one or all of them to test your knowledge.

There are no model answers.

If you want to suggest additional ones, then please contact me.

The rules

Flaming of answers is allowed.

Funny answers earn a beer (or cup of tea).

There are no points.

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

2) What is the use of transaction PFUD at midnight?

3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

4) How are web services represented in authorizations of users who are not logged on?

5) How do you force a user to change their password and on which grounds would you do so?

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?

7) When an authorization check on S_BTCH_JOB fails, what happens?

8) Can you have more than one set of org-level values in one role?

9) Should RFC users have SAP_NEW and why?

10) What is an X-glueb command and where do you use it in SAP security?

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?

13) Can you use the information in SM20N to build roles and how?

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

15) Name any one security related SAP note and explain its purpose or solution.

16) What are the two primary differences between a SAML token profile and a SAP logon ticket?

17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?

18) If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?

19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?

20) Why should you delete SAP_NEW profile and which transaction should you use before doing so?

To be continued...

60 REPLIES

Former Member
0 Kudos

Continued:

21) What is meant by the last sentence in SAP Note 587410 and how do you restrict it?

22) A key-user in the finance department is also an ABAP developer. What do you do?

23) A new ABAP developer short dumps regularly in production while reading business data. What do you do?

24) You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?

25) How do you remove a developer's access and developer keys from a system? What else would you check for?

26) How do you transport user groups from transaction SUGR? Does this impact the "Groups" tab in SU01 and if so, then what should you check beforehand?

27) When you record a transport request in PFCG for a role and then change the role before releasing the transport request, does the transport include the changes or not? Is the answer documented anywhere in the system?

28) Describe a scenario under which you would update a SAP table directly, and which precautions you would take?

29) Is there a difference between transactions SE09 and SE10 and what is the use of any differences?

30) The visibility of tabs in the Solution Manager "work centers" seems to follow its own logic for different users with the same roles, and menus in the work centers differ from user to user. The ST01 trace only shows S_GUI as being checked. How do you proceed to restore your sanity?

31) Users can access functionality they are authorized for or even not authorized for, but they do not have any transaction code authorizations (S_TCODE) to start the tcodes which are known to perform these tasks. How do you go about analyzing the access and what are the dangers involved in removing the application authorizations of a single role if the user does not have the SAP standard transaction code anyway?

32) You need to clean up users and authorizations in clients '001' and '066' of a production system, but have no valid user credentials for these "old" clients. The production client '100' has high availability requirements. How do you solve the problem?

0 Kudos

Dummy post 2 for subsequent questions...

0 Kudos

Hi Julius,

The question bank gives an idea of the breadth and depth of your knowledge.

One question which I'm trying to find an answer to is (as much because of customer requirements as also curiosity):

8) Can you have more than one set of org-level values in one role? If so, how?

If you have any suggestions for this one please let me know.

Thanks

Vijaya

0 Kudos

@ Vijaya: If you can find a 2nd Org. Level button then let us know.

@ Arpan: Enjoy the weekend and your beer.

@ Prasant: Your user ID has been deleted.

@ Michael: Let's put it this way - your answer to question 10 is very close.

@ Alex: Version 27 fix 2 of Ora-1555 errors, step # 8, sir (this will also be useful for Arpan).

Cheers.

Julius

0 Kudos

Well, earning beer seems to be getting harder and harder as new question banks keep coming in... But I found @23 very interesting and these could be the possible solutions from my end:

Guide the user / lock the user / delete the user / bomb the user / dump the user from the office... and so on until the dumps stop in his name... well, HIS name, as this user cannot be a SHE ;-)

By the way, it's Sunday and if my wife accidentally gets access to this post, this day will feel like a Monday in front of the boss... Bye folks...

0 Kudos

Nice questions, Julius

Here are some answers:

@ 22 (A key-user in the finance department is also an ABAP developer. What do you do?)

a) Explain to him/her that this position requires that his/her code must be peer reviewed for security reasons. This alone will discourage most people from doing "bad things" in their code.

b) Enforce this policy: Have his/her ABAP code peer-reviewed

@ 23 (A new ABAP developer short dumps regularly in production while reading business data. What do you do?)

If it is really the developer that short dumps, you should have him/her drug-tested

If it is the application that short dumps, you should check the developer's coding for constructs like

IF SY-UNAME = 'NAME_OF_THE_SHORT_DUMPER'.
* Code that produces short dumps
ENDIF.

@ 24 (You are confident with SAP standard, but there are also custom and partner products in your system. How do you check them for "low brainer" security issues?)

a) Define security requirements for (3rd party) business applications and secure coding guidelines for internal development (code checks without requirements will only lead to lengthy discussions)

b) Run a static code analysis tool (that enforces your security requirements) against the custom and 3rd party applications

Cheers,

Andreas

0 Kudos

@ 23: More common causes (in my experience) for short-dumps in target systems is faulty or obsolete config in the source system or source coding - and the developer clicks on things "just to see what happens" or "what the select-options are". Too late...

One which might interest you is:

Regarding sy-uname, question 14 will interest you as well.

Thanks for contributing to the SDN Security forum,

Julius

ps: For others who don't know, Andreas Wiegenstein is the developer of the [CodeProfiler|http://virtualforge.de/vcodeprofiler.php] and author of SAPress books on secure ABAP programming. For advanced security requirements I can recommend it, but you still need someone to interpret the results and fix the code.

Disclaimer: CodeProfiler is licensed and not without cost implications to make this initial investment to know what is going on in your code. SAP uses it to analyze their own code.

Edited by: Julius Bussche on Apr 13, 2010 9:37 PM

Former Member
0 Kudos

I can answer most, but as you said not to float them, kindly suggest: should I send a mail?

Thanks,

Prasant K Paichha

0 Kudos

I am sure that Klinndk12 could have asked you most of them as well...

Cheers,

Julius

arpan_paik
Active Contributor
0 Kudos

@1 copy....inactive,,,

@2 midnight - time to do right thing for coming day...

@3....

@4....

I am at home today... not sure why I did not go to the office today... The entire day was so boring... I had no wish to make any post today... But when the question comes to earning beer, I could not resist posting...

Ohhh....week end is coming.....

Former Member
0 Kudos

I have one year experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use google or any of my systems for reference!

1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best answer is to modify your SU24 data.

2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user records.

3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes? PFUD is not needed and the user needs to log off and back on again.

4) How are web services represented in authorizations of users who are not logged on? ??

5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA

8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....

9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

10) What is an X-glueb command and where do you use it in SAP security? ???

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???

13) Can you use the information in SM20N to build roles and how? You could, I guess. Not a good practice though. Build roles based on business processes.

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.

15) Name any one security related SAP note and explain its purpose or solution. Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.

16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.

0 Kudos

@5) How do you force a user to change their password and on which grounds would you do so?

If we go through SU01 -> Logon Data tab -> Deactivate password, then if the user tries to log in, the system will show the message "You have no password, you cannot log on using a password".

Ans@5) Try to log in with the user's ID (of course you do not know the user's password, so enter any password). Do not press Enter; press the "New Password" button. The system will show the message "User name and password do not match". When the user then tries to log in, the system will ask the user to change the password.

Former Member
0 Kudos

15 - reference to the unexpurgated version of note 60233 will get muchos kudos

Former Member
0 Kudos

All these questions are SCUM It's Friday I just want my beer.

0 Kudos

I added question 17 for you

Question 18 is a "by-product" of it.

Former Member
0 Kudos

How will you create a developer key and OSS ID in SAP Service Market Place

0 Kudos

Hi Baskar,

I added # 25 for you, but gave it a little tweak.

Cheers,

Julius

0 Kudos

22) Marry her!

23) Turn out the lights on the toilet

0 Kudos

I said "business data", not "newspaper"...

0 Kudos

Prasant,

You are my hero! Everyday I will aim to achieve greatness like you have!

0 Kudos

His interview ended [here|; when he posted with the wrong ID but was not fast enough to edit the answer...

Cheers,

Julius

0 Kudos

Log on to SAP service marketplace with your s-user > Keys and requests>SSCR

0 Kudos

@Baskar

Developer key:-

SAP Portal > Keys & requests > SSCR keys > Register Developer > user ID with installation number of the SAP development system

OSS ID:

SAP Portal --> Data Administration --> User data --> Request new users --> Fill in all details and don't forget to assign authorizations :)

0 Kudos

Julius... your questions continue to be wonderful... I can read them for eternity... but cannot answer!! Do this, dear friend: write the answers too, with just hints.

its week end......

0 Kudos

Hi GG,

The intention is to ask questions which generate a discussion, to see how deep the person's knowledge and experience is.

There are no model answers (much like your questions...).

Cheers,

Julius

0 Kudos

Hi,

I have one which I had to solve today. I just found a workaround. How can you maintain authorization objects for your custom Web Dynpro applications in SU22?

Cheers

0 Kudos

This is the "original data" referred to in question # 6, right --> the auth/authorization_trace parameter.

I would not class that as a workaround though, so perhaps you meant something else?

Cheers,

Julius

Edited by: Julius Bussche on May 28, 2010 8:36 PM

5 --> 6 corrected

0 Kudos

You probably mean question 6. Anyway, thanks, I knew that I was missing something. I couldn't find how to force the SAP system to create a record for our WD applications in table USOBHASH. I found a bunch of FMs with names like AUTH_TRACE* but most of them are not called from any ABAP program (now I know why). One of the FMs is AUTH_TRACE_WRITE_USOBHASH which creates a record. So I wrote a simple program which uses this FM to create the required entries for selected WD applications. That's why I called it a workaround. Thanks once again.

Cheers

0 Kudos

Hi Martin,

Thanks, I corrected the number.

If you activate the parameter then there are gemstones waiting for you in table USOB_AUTHVALTRC as well.

Tip: Use it in a "clean" QAS client and download, or just maintain DEV in parallel, otherwise it will drive you crazy.

Cheers,

Julius

Edited by: Julius Bussche on May 29, 2010 8:32 PM

0 Kudos

@12 PRGN_CUST - we can maintain parameter ASSIGN_ROLE_AUTH = Assign

Regards,

Prasad

0 Kudos

Yep, that is a good one!

There are also a few which are not listed in the F4 Search Help but can be useful. Have you come across any of them yet?

Cheers,

Julius

0 Kudos

Hmm... I have seen the complete list of parameters in PRGN_CUST via F4... are there any more other than those? Can you name a few?

Regards,

Prasad

0 Kudos

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?

a) If this is very special for this role within your company: Deactivate this standard authorization data in the role and enter the required authorization data manually.

b) If this is special for this transaction within your company: Update the SU24 data first, and then regenerate the authorization data in the role using PFCG.

c) If this is always the case for all customers: Tell SAP about this using a ticket and continue with b).

2) What is the use of transaction PFUD at midnight?

The background job which gets scheduled using PFUD adjusts the non time-dependent profile assignments with the time-dependent role assignments right after midnight. You use it if you either work with time-dependent role assignments in SU01 (or SU10) or if you use indirect role assignments by HR org., which are time-dependent, too.

3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.

The user needs to logoff and on again after changes of role assignments or profile assignments.

5) How do you force a user to change their password and on which grounds would you do so?

Using the profile parameter login/password_compliance_to_current_policy you force users to change their password to match the password policy. Setting the profile parameter login/password_expiration_time temporarily to a short period forces password changes, too.

0 Kudos

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?

SU22 is used by SAP to create authorization proposals. SU24 is used by customers to adjust these authorization proposals from SAP.

8) Can you have more than one set of org-level values in one role?

No, you have to work with independent roles if you need separate sets of org-level values.

9) Should RFC users have SAP_NEW and why?

Like all users, RFC users should get SAP_NEW right after an upgrade. However, you assign SAP_NEW only for the short time until you have finished the task of copying the authorizations of SAP_NEW into the roles which are assigned to your users. In the case of RFC users it might be the case that a new version of the corresponding role for the RFC user has been delivered by SAP. Check the release notes to get notice about changes like this.

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?

All useful parameters for customers in PRGN_CUST and SSM_CUST have at least a short text which you get using the value help. (There might exist more parameters, but without a short text we can assume that such a parameter should not be used.) Usually customers can concentrate on those parameters which have a link to an SAP note as part of the short text.

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

In most cases you have trouble with an old version of the user buffer for authorizations. See profile parameter auth/new_buffering to switch to the newest version of the user buffer. In addition, there exists a small set of authorizations which are not part of SAP_ALL, e.g. the authorization for S_RFCACL.

0 Kudos

> 3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
>
> SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.
>
> The user needs to logoff and on again after changes of role assignments or profile assignments.

Frank,

Correct me if I am wrong in my understanding, but I suppose what you mentioned above is correct in principle but not always the absolute truth. If we increase the user buffer size and in parallel manage such that the users do not exceed the number of authorizations defined in the profile parameter auth/auth_number_in_userbuffer, I should still be OK without logging off and logging in again, am I right?

I could be wrong with my profile parameter, I think it should be auth/new_buffering which draws details from the table USRBF2.

Edited by: Shekar.J on Jun 8, 2010 2:23 PM

0 Kudos

> Frank Buchholz wrote:
>
> 3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?
>
> SU01 performs all required steps for the current day, therefore you do not need to execute PFUD.
>
> The user needs to logoff and on again after changes of role assignments or profile assignments.

> Frank,
>
> Correct me if I am wrong in my understanding, but I suppose what you mentioned above is correct in principle but not always the absolute truth. If we increase the user buffer size and in parallel manage such that the users do not exceed the number of authorizations defined in the profile parameter auth/auth_number_in_userbuffer, I should still be OK without logging off and logging in again, am I right?

You are right, the requirement to logoff and logon again is not the absolute truth. However, for most practical usage it's a good rule (and the size of the user buffer does not matter anymore with a high value of parameter auth/new_buffering).

Here's a more precise modification: Changes which have an effect on the list of authorizations of a user (like new or deleted roles or profiles) require logoff and logon. Changes which affect the content of already assigned authorizations are active immediately (like changes of authorization data within a role or a profile in most cases).

Frank

0 Kudos

> You are right, the requirement to logoff and logon again is not the absolute truth. However, for most practical usage it's a good rule (and the size of the user buffer does not matter anymore with a high value of parameter auth/new_buffering).
>
> Here's a more precise modification: Changes which have an effect on the list of authorizations of a user (like new or deleted roles or profiles) require logoff and logon. Changes which affect the content of already assigned authorizations are active immediately (like changes of authorization data within a role or a profile in most cases).
>
> Frank

I don't 100% agree with the above statement, it is not true for role additions. But, yeah, I do agree with what you said about a good thing to do (logging off and logging on). By the way, I made a correction to my post, but by the time I checked my post and the system had made the correction, you already had 3 posts.

In fact, over a period of time I did notice that business users did not necessarily have to log off and log on, although the transactional authorizations given to users by means of new role additions or changes in values to existing roles are made.

But there have been times when system related objects (particularly from the BC* classes) are added / modified and the system doesn't tend to pick them up; you are forced to log off and log on for the changes to take effect. I cannot pinpoint and make a strong statement on all BC objects, but I think S_WFAR_OBJ was one, and if I remember correctly logging off and on is applicable for changes on S_ADMI_FCD and S_CTS_ADMI.

0 Kudos

You need to read the question carefully. It refers to the SU01 context, where the buffer is updated immediately when assigning a new profile or role (with new authorizations available).

But you are correct: there is a special case also in SU01 where the user who is already logged on must first logoff and then log on again after saving and PFUD must have been performed (or after-import-events) even when auth/new_buffering = 4... --> assigning a reference user.

Cheers,

Julius

Edited by: Julius Bussche on Jun 9, 2010 7:54 AM

0 Kudos

Julius,

I suppose there was a problem with the SDN portal yesterday. I was given an error message for all the attempts I made to post, but this morning I see that 8-10 posts with the same content have been posted (looks quite silly). Can we have them deleted, just keeping the last update?

Thanks