System Security Architect

Title of test:
System Security Architect

Description:
System Security Architect (Learning Assessment Questions)

Creation Date: 2023/07/18

Category: Others

Number of questions: 149

Content:

Employee X works in ABC Company and meets Employee Y who works in PQR Company. They discussed some internal issues of ABC Company. Which threat does employee X pose to ABC Company?. Spoofing. Code injection. Social engineering. Authorization misuse.

_________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet. Structured Query Language (SQL) injection. Cross Site Scripting (XSS). Spoofing. Message flooding.

Which of the following are key elements of a successful access governance strategy? (4 answers). User provisioning. Social engineering. Access review. Role maintenance. Risk Analysis.

Which of the following are the goals of SAP UI development? (2 answers). Reduce training and support costs by using role-based screens. Improve data correctness. Improve user productivity and automate day-to-day tasks. Reduce legal issues and establish trust relationships with business partners.

Identify the user types that enable dialogue-free data transfer between systems. (2 answers). Reference user. Service user. Communications user. System user.

An authorization is always associated with exactly one authorization object and contains value for the fields in the authorization object. True. False.

You can set the number of failed logon attempts after which the SAP GUI is terminated using the login/fails_to_user_lock parameter. True. False.

Separating UI from business logic allows changes to UI without the need for development privileges in the back end. True. False.

Access to SAP Fiori Launchpad and specific Fiori Tiles are determined by Fiori Catalogs and Fiori Groups. True. False.

Which of the following are the service providers in an open architecture of Application Server Java (AS Java)? (3 answers). Database Management System (DBMS) provider. Access control list (ACL). Universal Description, Discovery, and Integration (UDDI) provider. User Management Engine (UME) provider.

Which of the following functions are provided as a part of SAP Code Vulnerability Analysis (CVA)? (3 answers). Execute vulnerability checks on custom code during the development process. Dedicated access to SAP code analysis experts. Provide extensive documentation to support a rapid response to security issues and incidents. Capture manual and automated check executions.

SAP Access Governance tools and services can be integrated with SAP Enterprise Risk and Compliance solutions. True. False.

Risk Analysis and Remediation supports risk analysis for single and cross system risk classifications. True. False.

SAP Access Control provides which of the following certification reviews? (3 answers). Access Alert Analysis. Role Certification. User Access Review. SOD Review.

Which of the following are features of SAP Identity Management? (2 answers). SAP IdM integrates different databases of SAP and non-SAP systems. SAP IdM manages the complete user lifecycle while providing centralized management of access privileges across all of the business applications of an organization. SAP IdM is a Lightweight Directory Access Protocol (LDAP) connector. SAP IdM offers identity management capabilities for heterogeneous system landscape (SAP and non-SAP software).

Compliant Identity and Access Management is achieved when SAP Identity Management is integrated with Risk Analysis and Remediation function in SAP Access Control. True. False.

The SAP Cloud Platform Identity Authentication service provides which of the following capabilities? (3 answers). Two-factor authentication based on one-time passwords. Single-sign-on functions from anywhere on any device (Web and desktop SSO). Mitigation of access risks. Usage reporting capabilities.

SAP Cloud Identity Access Governance offers similar functionalities to those offered in SAP Access Control, but in a service based delivery model. True. False.

HTTP is a stateless protocol. Which of the following represents persistence mechanisms for retaining the state? (3 answers). Session cookie. SAP GUI ID. URL rewriting. Client IP address.

Connections that use SAP protocols such as RFC, DIAG, and HTTP, use SNC for encryption. True. False.

SAP Single Sign-On is a family of client-side and server-side components which enable single sign-on to SAP and non-SAP products and applications across network domains. True. False.

The Secure Sockets Layer (SSL) can be used to authenticate the users and encrypt the information exchanged during the transfer. True. False.

Secure Login for SAP SSO provides support for which of the following capabilities? Choose all that apply. X.509 Digital Certificates. Risk-based authentication using access policies. Kerberos/SPNEGO. Encryption of data communications for SAP GUI.

Which of the following statements are correct regarding the SAP Business Technology Platform (SAP BTP)? (3 answers). SAP BTP is an open platform-as-a-service (PaaS). SAP BTP delivers in-memory capabilities. SAP BTP offers SAP GUI enabled transactions. SAP BTP offers mobile enabled cloud applications.

Which of the following are examples of SAP Business Technology Platform (SAP BTP) scenarios? (3 answers). Data Archiving. Integration. Data Value. Extensibility.

Which of the following are examples of SAP Business Technology Platform (SAP BTP) functionality sections? (2 answers). Database & Data Management. Application Development & Integration. Application Performance Monitoring. Database & Operating System Management.

Which of the following are examples of SAP BTP Platform users? (3 answers). Global Account Administrator. Central User Administrator. SAP Fiori Member. Subaccount Administrator. Org Member.

Role Collections consist of multiple individual roles. True. False.

Which of the following tasks is the SAP Cloud Identity Authentication Service (IAS) responsible for? (2 answers). Authentication. Encryption. Single Sign-On. Trust configuration.

Which of the following tools enable you to uncover missing security configurations?. System recommendations. Early Watch Alert. Configuration validation. SAP Security Optimization Service.

In SAP Security Optimization Services (SAP SOS), the previously implemented SAP Notes can be viewed in the ___________ data store. ABAP_NOTES. SNOTE. Performance Notes. Correction Notes.

Which of the following are principles of the GDPR? (3 answers). Accuracy. Data Services. Purpose Limitation. Integrity and Confidentiality.

Who is responsible for determining the purpose and means for which an individual's personal data is to be processed?. The data subject. The data control authority. The data processor. The data controller.

Under the GDPR, an individual has an absolute right to have their personal data deleted. True. False.

What is Central User Administration used for?. To administer passwords for SAP users centrally. To maintain the printer landscapes centrally. To administer user master records centrally. To create authorization profiles centrally.

Which clients can be used for SAP Fiori? (2 answers). Web Browser. SAP Logon. SAP Easy Access. SAP Business Client.

Which are subtypes of SAPUI5 Fiori Apps? (3 answers). Transactional Apps. Legacy Apps. Analytical Apps. Object Pages. Contextual Search.

The SAP Fiori Launchpad itself is also a type of SAPUI5 Fiori application. It is installed with the central UI component (SAP_UI). True. False.

To start the apps, users require the start authorizations for the model provider of the activated OData services. True. False.

The SAP Fiori launchpad content manager allows you to make only client-specific changes. True. False.

On the front-end server, users are provided with UI access to apps and the start authorizations for the activated OData services used by the apps. True. False.

Which authorizations for the SAP Fiori launchpad are required by end users?. Authorizations to run the SAP Fiori launchpad. Authorizations to run the SAP Fiori launchpad designer. Authorizations to run the SAP Fiori launchpad content manager.

To which entity can you assign SAP Fiori pages?. Business Role. Business Catalog. SAP Fiori Space.

ABAP CDS Views are developed using transaction SE80. True. False.

Which are the advantages of modelled authorizations based on CDS views? Choose all that apply. Transparency. Consistency. Performance.

Which issues can be displayed in the launchpad content manager? (3 answers). Reference lost to back-end catalogue. Reference lost. Configuration error. Missing authorization.

Which tasks are part of the task list for activating SAP Fiori content by selected business roles? (2 answers). Activate all the associated Fiori apps. Create the SAP Fiori tile catalogs. Create the SAP Fiori tile groups. Generate the business role with default authorizations.

Which are criteria for startable applications in the Search for Applications in Role Menu report? Choose all that apply. The roles contain all the start authorizations. Start authorizations are contained in the current profile of the role. There is no application start lock.

The authorization trace on the front-end server shows the start authorizations for the OData services and the RFC authorizations that are checked. True. False.

Which tasks are performed by the SAP Fiori administrator?. Maintain SAP Fiori launchpad. Maintain business environment. Develop OData services. Create SAP Fiori roles.

Which component is used to connect the Fiori UI components on SAP Business Technology Platform to the respective back-end system?.

Which service on the SAP Business Technology Platform enables the usage of the central launchpad?.

SAP S/4HANA Cloud customers use transaction PFCG to maintain authorizations. True. False.

Which of the following are goals for system security? Choose all that apply. Non-repudiation. Confidentiality. Resource availability.

A secure operations strategy should address the areas of security compliance, secure operations, secure setup, secure code, and infrastructure security. True. False.

Which of the following are key elements of an effective Access Governance strategy? (3 answers). User access reviews. Monitoring transaction response time. Monitoring transaction usage. Risk analysis.

Your Access Governance strategy only applies to on-premises deployments of SAP solutions. True. False.

What steps must a system auditor complete when setting up the AIS?. Assign the roles that you created to the audit user. Create a user for the auditor. Copy the SAP roles to your own naming convention. Update the roles.

Which of the following are menu roles supporting system audit in AIS?. SAP_CA_AUDITOR_SYSTEM. SAP_AUDITOR_SA. SAP_AUDITOR_SA_CCM_USR. SAP_CA_AUDITOR_USER. SAP_AUDITOR_SA_CUS_TOL.

What are the main areas in which you can perform an audit using the system audit roles in AIS? (3 answers). General system. Users and authorization. Operating system. Repository and tables.

When no default value is assigned to the authorization field of an authorization object in SU24, the status of the authorization in the Profile Generator is displayed in red. True. False.

For which of the following tasks is it appropriate to use transaction SU24? (3 answers). To correct authorization objects that have unacceptable default values. To assign an authorization group to a transaction. To change default values so that they are appropriate for all the roles that use the same transaction. To correct authorization objects that are not linked to the transaction codes correctly.

Which of the following reports can be found in the User Information System?. User overview. Authorizations. Audit logs. Change documents.

DDIC is the maintenance user for the ABAP Dictionary and software logistics. True. False.

Which of the following are characteristics of the default super user SAP*?. To secure SAP* against unauthorized use, delete the user from transaction SU01. SAP* is not subject to authorization checks. SAP* has the password PASS. SAP* is programmed in the system kernel.

What information can be recorded in the security audit log? (3 answers). Remote Function Calls (RFCs) to function modules. Changes to profile parameters. Changes in user master records. Changes to the audit configuration.

Which of the following can you specify in the security audit filter selection criteria? (4 answers). Client. User. User Group. Audit Class. Events.

The application log traces application events and tasks, and reports on the activities. If there is a failure in the application, the application log provides detailed error messages. True. False.

The workflow log includes all activities due to the execution of the workflow. It includes each step in the workflow, the user who executed the step, the action that occurred, and the time frame in which the execution took place. The administrator must ensure that there are no old and incomplete workflows. True. False.

Which of the following do you need to set up if you want to log changes to tables? (2 answers). Configure the profile parameter rec/client. Select the Log Data Changes checkbox for the table you want to log. Set up change documents. Configure system auditing.

A change document tracks changes to an SAP object. Which of the following information can be found in a change document item? (3 answers). Change flag. Old value. New value. Authorization flag.

Change documents record the changes that occur to users, authorizations, and profiles. True. False.

Which of the following can be used to monitor and log read access to classified or sensitive data?. Change documents. Audit Information Cockpit. Read access logging. System audit.

Which of the following authorization objects can be used in background processing?. S_BTCH_JOB. S_BTCH_NAM. S_ADMI_FCD. S_SPO_DEV.

Which of the following authorization objects is required to execute external commands?. S_BTCH_ADM. S_ADMI_FCD. S_EXT_ADM. S_LOG_COM.

To properly secure external access to your SAP Applications the system administrator should understand which of the following? Select all that apply. Which remote functions are needed for productive operations. Which internal stakeholders are the most important. How to restrict access to remote functions that are not needed. How to secure access to remote functions using the RFC interface.

SAP Unified Connectivity incorporates an additional layer of access checks independent of the standard authorizations provided via the S_RFC authorization object. True. False.

SAP UCON check prohibits internal calls within the same client and system. True. False.

Which of the following systems are included in a three-tier system landscape?. Development system. Quality Assurance (QA) system. Customizing system. Production system.

From an audit perspective, you should set the system change options to Not Modifiable in all systems except the development system. True. False.

Which of the following actions are advisable for ABAP programs and tables before you transport them into a production system?. Link custom programs or table access using custom transaction codes. Include Authority-Check statements for all ABAP programs for which custom transactions cannot provide sufficient protection. Restrict general access to transactions SA38 and SE16. Maintain user group to control user access to critical programs and tables.

___________ is the authorization object for the Transport Organizer. S_TRANSPRT. S_CTS_ADMI. S_CTS_PROJEC. S_TABU_CLI.

You can protect certain objects from being changed by imports by defining a set of security-critical objects in the TMSTCRI table. True. False.

The SAP code vulnerability analyzer scans a company's custom code during the development process but is not integrated with the ABAP Test Cockpit. True. False.

SAP code vulnerability analyzer ensures that development and testing teams have access to which of the following technical capabilities? Select all that apply. Integration into standard ABAP development infrastructure (ABAP Test Cockpit). Automatically detect weaknesses in your ABAP source code. Access extensive documentation to avoid and remediate issues in custom code.

Which of the following tools does SAP recommend for use to identify security related notes that a customer should implement in their SAP system?. Note Assistant. Note Browser. RSECNOTE. Note Checker. None of the above.

SAP Solution Manager provides which tool to recommend SAP Notes that should be considered for implementation in a customer's SAP system?. Configuration validation. RSECNOTE. Software Update Manager. System Recommendations.

What is a Hot News SAP note?. A critical SAP note related to changes in legal requirements. An important SAP Note in the Security category. An important SAP Note in the performance category. None of the above.

SAP Notes with priority 1 (Very High) and which can help with avoiding data loss or a system crash are classified as which type of SAP Note?. Performance. Hot News. Legal Change. Security.

What is required for the processing of personal data?. Processing purpose. Legal grounds for the processing. All of the above. Nothing.

Technical security measures have nothing to do with data privacy requirements. True. False.

SAP Information Lifecycle Management fulfills which of the following data privacy requirements?. Access restriction to personal data. Blocking and deletion of personal data. Transparency over the processing of personal data. Information to be provided.

Which of the following HR-relevant step-stones are relevant for the Identity Lifecycle Management?. Parental leave. Change of department. On-boarding. All the above.

Which of the following user types can be used to log in to an SAP S/4HANA system?. Dialog A. Communication C. System B. All user types except Reference L.

Consistently aligned naming conventions are not important and do not need to be followed for user creation. True. False.

Emergency users with broad authorizations should be used daily. True. False.

With the business partner integration, which of the following maintenance sources can be used for the management of the user's personal data? (2 answers). Human Resources (HR). Retention Periods (ILM). User Management (US).

In the case of an employee's long absence, which of the following technical measures must be performed for the user ID?. Admin lock and deletion of all roles. Just the deletion of all roles. Immediate user deletion. None of the above.

When creating a user ID for an auditor, which of the following must be considered?. User ID with user validity. Role assignment with role validity. User ID and role validity, as well as blocking and deletion after the end of the lifecycle. Nothing.

Personal data can be processed within a system even when there is no applicable processing purpose anymore. True. False.

When a user ID is deleted in SU01 and transferred to the blocked area in SU06, all personal data connected to this user ID is immediately deleted. True. False.

Which of the following users should have access to the transaction code SU06?. All employees / users. No one. A restricted group of employees. All employees from the Logistics department.

SAP HANA is an in-memory platform, which is used for performing real-time analytics, and for developing and deploying real-time applications. True. False.

You want system settings to be set so that users are only able to view and perform actions required to fulfill their tasks. Which security function provides this?. Authentication. Authorization. Audit logging. Encryption.

Which of the following are part of the implementation scenario for a native two-tier application?. Client. XS Application Server. SAP ABAP Application Server. BI Server. SAP HANA.

In SAP HANA, user management can be delegated to an ABAP system. True. False.

SAP HANA only allows a user to log on using a user and password as the authentication method. True. False.

SAP HANA includes a specific functionality: Audit Log, to track the activities performed by the users. True. False.

In SAP HANA, which two of the following types of user exist? (2 answers). Power users. Standard users. Technical users. Restricted users.

User groups are used to control data access (authorizations). True. False.

Which of the following options can be used for user management in SAP HANA? (3 answers). SAP HANA Cockpit. DBA Cockpit. SQL command. SAP NetWeaver IDM.

The owner of an object is the user who creates the object. True. False.

Which of the following privilege types exist in SAP HANA? (4 answers). Object. Role. System. Group. Package. Analytic.

A role cannot be granted to another role. True. False.

Catalog roles are owned by the database user who creates them. True. False.

In an MTA, you create a role containing a system privilege. Which of the following alternative actions will allow you to build the application without errors? (2 answers). Grant the system privilege to the ##OO user of the generated HDI container. Include the system privilege in an .hdbgrants file within the application. Grant the system privilege to the _SYS_DI_OO_DEFAULTS role.

In an MTA, you want to create an HDI role that grants select privileges to a database table located in a schema in a different SAP HANA Database. What do you use, in XSA, to access the remote database?. A SAP HANA service. A user-defined service. A Connectivity service. A Destination. A Route.

The SYSTEM user is required to update the SAP HANA database. True. False.

Which privilege do you need to deactivate the SYSTEM user?. TRUST ADMIN. ALTER. USER ADMIN. UPDATE.

Which of the following authentication mechanisms are supported in SAP HANA? (4 answers). Kerberos. Enterprise Single Sign-On Engine. SAML. SAP Logon and assertion tickets. Basic authentication (user/password).

Are all the authentication mechanisms enabled by default in SAP HANA?. True. False.

In an SAP HANA system, the SYSTEM user is shared across all the tenant databases to allow shared system administration. True. False.

Which SQL Statement is possible in a cross-database connection?. SELECT. INSERT. UPDATE. DELETE.

Which privilege allows you to manage authorization traces?. USER ADMIN. ROLE ADMIN. TRACE ADMIN. RESOURCE ADMIN.

Information about users and authorizations is stored in database views that are accessible for reporting. True. False.

SAP HANA cockpit provides a graphical feature to help troubleshoot authorization errors. True. False.

Which of the following actions are audited by default in SAP HANA?. Changes to system configuration. Deletion of audit entries from the audit trail. Installation of SAP HANA license. Changes to system configuration. Creation, modification, or deletion of audit policies.

The auditing feature of the SAP HANA database allows you to solve authorization problems. True. False.

When the audit trail is written to an internal SAP HANA table, the entries are automatically deleted by default when they are one year old. True. False.

Where can you maintain the list of non-allowed passwords in SAP NetWeaver AS for ABAP?. Transaction SM63 for table USR40. Transaction SM30 for table MARA. Transaction SM30 for table USR40. Transaction SE45 for table USR42.

Which protocols can be secured with Secure Network Communications? (2 answers). DIAG. SOAP. RFC. HTTP.

Which of the following password rules in Application Server ABAP (AS ABAP) are defined by the customer? (2 answers). First three characters may not be identical. Minimum length. First character cannot be ! or ?. Special characters and digits.

In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based systems, several standard users, with preconfigured authorizations, are available directly after installation. True. False.

When using HTTP security sessions how frequently does the system check for expired sessions?. Every 5 seconds. Every 30 seconds. Every 60 seconds. Every 240 seconds.

Logon tickets are stored as a non-persistent session cookie in the Web browser. True. False.

A logon ticket used for authentication contains which of the following data? (4 answers). User ID. Password. ID of the issuing system. Digital signature of the issuing system. Validity period.

Which of the following authentication mechanisms are used in SAP NetWeaver? Select all that apply. User ID and password. Secure Network Communications (SNC). Secure Socket Layer (SSL) and X.509 client certificates. Java Authentication and Authorization Service (JAAS). Security Assertion Markup Language (SAML). Simple Object Access Protocol (SOAP). SAP logon tickets.

Which connector in IPS should be used if you would like to create and maintain business partners in SAP S/4HANA on-premise?. ABAP connector. S/4HANA on-premises. SuccessFactors.

What is the cardinality of the relation between business partner and SU01 user?. 1:n. n:m. 1:1.

Which of the following systems are supported for HR integration with S/4HANA? (2 answers). S/4HANA Cloud. SuccessFactors. HCM. Identity Management.

Which of the following protocols are available within IAS for authentication to third-party applications/systems? (2 answers). SCIM. SAML. OpenID Connect. REST.

Which of the following is NOT a valid way of creating users in IAS?. Self-registration. OData interfaces. SCIM.

For which operation is IAS responsible? (2 answers). Authentication. Provisioning. SSO.

Which of the following communication protocols are supported by SAP Cloud Connector? Choose all that apply. LDAP. HTTP. HTTPS.

Which of the following SAP products are involved in the hybrid scenario?. SuccessFactors, Identity Authentication, and IdM. S/4HANA on-premise, IPS, and IAS. SuccessFactors, IPS, and IdM.

What can be provisioned with IPS using SCIM? Choose all that apply. Groups. Assignments. User Attributes. Users.

Which items are part of a role template? (2 answers). Role collections. Scopes. Attributes.

Which security product from the SAP portfolio is purely Cloud based? (2 answers). SAP Cloud Platform Authentication Service. SAP Cloud Platform Provisioning Service. SAP IdM.

What are the three main components of the digital enterprise according to SAP?. The Intelligent Suite, the Cloud Platform, and the Intelligent Technologies. The Intelligent Suite, the Digital Platform, and the Intelligent Technologies. Artificial Intelligence, Internet Of Things, and Machine Learning.
