
C Sec

The document contains a series of certification questions for SAP Security Administrators, totaling 160 questions. Each question includes multiple-choice answers, with the correct answers provided. Topics covered include application logs, SNC parameter configuration, SAP Fiori, authorizations, and security auditing, among others.

Uploaded by

Ayush Badgujar

Certification Questions

C_SEC_2405
SAP Security Administrator Questions

Total Questions - 160


Question: 1

Where is the application log information (SLG1) saved?

1.) In the Database


2.) In the location specified by the rsau/local/file parameter
3.) In the Directory specified by DIR_LOGGING parameter
4.) In the Directory specified by DIR_TRANS parameter

Correct Answer: 1

Question: 2

Which ABAP transaction codes are relevant for SNC parameter configuration? (2 correct)

1.) SNCWIZARD
2.) STRUST
3.) SNCCONFIG
4.) SNCO

Correct Answer: 1,3

Question: 3

Which of the following describe SAP Fiori Tile Target Mapping? (2 correct)

1.) It represents the visual part of a tile
2.) It defines the target application which is launched.
3.) It is defined within an SAP Tile Group
4.) It is part of the SAP Fiori Launchpad configuration

Correct Answer: 2,4

Question: 4

Which of the following objects allows you to restrict which users can distribute a role to
another system using an RFC destination?

1.) S_USER_AGR
2.) S_USER_SYS
3.) S_USER_AUT
4.) S_USER_STA

Correct Answer: 2

Question: 5

What is the purpose of SAP Notes listed by SAP Solution Manager System
Recommendations? (2 correct)

1.) To recommend SAP Hot News Notes (priority 1 and 2)


2.) To recommend Legal Change Notes related to SAP innovations
3.) To recommend Performance Notes to improve system response
4.) To recommend SAP security Notes for evaluation

Correct Answer: 3,4

Question: 6

Which of the following accurately describes the role/profile SAP_NEW? (2 correct)

1.) The SAP_NEW must be generated in accordance with the system environment using
the report REGENERATE_SAP_NEW
2.) The profile SAP_NEW provides authorizations to all new objects and objects changed by
release
3.) The role SAP_NEW does not guarantee backward compatibility for all scenarios
4.) Organizational levels to be maintained in profile SAP_NEW

Correct Answer: 1,2

Question: 7

Which of the following transactions allow you to customize or configure SAP Fiori Catalogs
and Groups? (2 correct)

1.) /UI2/FLPD_CUST
2.) /UI2/FLPCM_CUST
3.) /UI2/FLPD_CONF
4.) /UI2/FLPCM_CONF

Correct Answer: 1,3

Question: 8

Your system is configured to prohibit a user from logging on multiple times to the system
with the same User ID in violation of your SAP licensing agreement. However, certain
users need to be exempt from this limitation. Which instance parameter can you configure
to allow a small group of users to bypass the limitations of multiple logins?

1.) login/disable_multi_rfc_login
2.) login/disable_multi_gui_login
3.) login/server_logon_restriction
4.) login/multi_login_users

Correct Answer: 4

Question: 9

Which archiving object can you use for archiving change documents related to changes
to authorizations assigned to a user?

1.) US_PROF
2.) US_AUTH
3.) US_PASS
4.) US_USER

Correct Answer: 4

Question: 10

You are configuring authorizations to secure access to table data using transaction SM31
and you encounter authorization object S_TABU_DIS and field DICBERCLS. How can this
field be used to secure access?

1.) It allows you to specify access to tables associated with a specific authorization group
2.) It allows you to specify access to a specific client-dependent table
3.) It allows you to specify access to a specific client-independent table
4.) It allows you to specify access to tables referenced by a specific program group

Correct Answer: 1

Question: 11

Which of the following actions are required to ensure complete logging of table data
changes? (3 correct)

1.) The security log must be activated using transaction SM19
2.) Client change option must be set to Automatic Recording of changes
3.) Instance profile parameter rec/client must be maintained for client
4.) Log Data changes must be enabled at the table level in transaction SE13
5.) Parameter RECCLIENT must be maintained in transaction STMS

Correct Answer: 3,4,5

Question: 12

Which of the following are phases in the SAP Audit Management auditing process? (3 correct)

1.) Mitigation Review


2.) Engagement Planning
3.) Remediation Analysis
4.) Communication Results
5.) Monitoring Progress

Correct Answer: 2,4,5

Question: 13

What information can be provided by an Audit Class? (3 correct)

1.) Dialog Logon


2.) RFC/CPIC Logon
3.) Transaction Start
4.) User Roles
5.) User Authorizations

Correct Answer: 1,2,3

Question: 14

Which is the frequency of SAP Patch Day?

1.) Monthly
2.) Yearly
3.) Weekly
4.) Quarterly

Correct Answer: 1

Question: 15

A PFCG role can be linked to an SAP Organizational Management structure by which
object types? (3 correct)

1.) Job
2.) Person
3.) Organizational Unit
4.) Task
5.) Position

Correct Answer: 1,3,5

Question: 16

Which of the following functionalities are supported by SAP Information Lifecycle
Management (ILM)? (3 correct)

1.) Data Archiving


2.) Data Destruction
3.) Data Logging
4.) Data retention
5.) Alert Notification

Correct Answer: 1,2,4

Question: 17

Which application allows a role developer to perform the mass maintenance of menu
options from selected SAP Fiori Tile Catalogs?

1.) PRGN_PRINT_AGR_MENU
2.) PRGN_COMPARE_ROLE_MENU
3.) PRGN_CREATE_FIORI_FRONTENDROLE
4.) PRGN_CREATE_FIORI_BACKENDROLES

Correct Answer: 3

Question: 18

When you are troubleshooting an application start issue, what does the Search Startable
Application in Roles report help you determine? (2 correct)

1.) If the PFCG roles contain all the start authorizations required for the application
2.) If the PFCG menu contains SAP Fiori Tile Group
3.) If there is an application start lock
4.) If the PFCG roles are assigned to the end user

Correct Answer: 1,3

Question: 19

You want to adjust check indicator values for certain authorization objects delivered by
SAP. In which of the following tables should your adjustments be recorded?

1.) USOBX_C
2.) USOBT_C
3.) USOBHASH
4.) USOBX

Correct Answer: 1

Question: 20

Which of the following authorization objects are used to secure the execution of External
Commands when defining a background job step? (2 correct)

1.) S_LOG_COM
2.) S_PROGRAM
3.) S_BTCH_EXT
4.) S_RZL_ADM

Correct Answer: 1,2

Question: 21

How can you enforce an additional transaction start authorization check for a custom
transaction?

1.) Without additional custom development it is not possible to add another check during
transaction start.
2.) Maintain the SU24 entry for the custom transaction and add the desired
authorization object, setting the Check Indicator to "Check" and setting Proposal to Yes.
3.) For each role containing the custom transaction, add the desired authorization object
manually in transaction PFCG, maintain the field values and then generate the profile.
4.) Using transaction SE93, update the custom transaction definition by specifying the
desired authorization object and maintaining the desired field values.

Correct Answer: 2

Question: 22

Which of the following accurately describe a Composite Role? (2 correct)

1.) Authorizations are maintained at the single role level
2.) Menus cannot be adjusted as required
3.) Transactions cannot be deleted from the menu with authorizations retained
4.) User assignment is maintained at the Composite Role level

Correct Answer: 1,4

Question: 23

Which authorization is required to modify authorization data of derived roles?

1.) S_USER_AGR
2.) S_USER_SYS
3.) S_USER_AUT
4.) S_USER_VAL

Correct Answer: 1

Question: 24

Which transaction code allows you to configure the SAP System Audit Log?

1.) SM20
2.) SM19
3.) SM18
4.) SUIM

Correct Answer: 2

Question: 25

Which of the following illustrate the simplification of user and role maintenance on SAP
Cloud?

1.) Business roles are automatically provisioned.
2.) Business users have business roles.
3.) Templates are provided for role derivation.
4.) Read and write access can be restricted.

Correct Answer: 2

Question: 26

How can you protect a system when you do not want the user assignments for a role to be
transported?

1.) Restrict access to the user assignment tab in PFCG in the target system
2.) Restrict import of users in table PRGN_CUST in the target system
3.) Restrict import of users in table PRGN_CUST in the development system
4.) Restrict access to the user assignment tab in PFCG in the Development system

Correct Answer: 2

Question: 27

Which of the following features are provided by the SAP Fiori Launchpad Content
Manager? (3 correct)

1.) Activate OData Services
2.) Create and Configure Groups
3.) Create and Configure Catalogs
4.) Display issues with SAP Fiori Launchpad Content
5.) Display role assignments for Catalogs

Correct Answer: 3,4,5

Question: 28

Which configuration options apply to the usage of VCLIENT in the
parameter icm/server_port_<xx>? (3 correct)

1.) VCLIENT default value is 0
2.) VCLIENT value must be specified if SSL configuration is defined by SSLCONFIG
3.) VCLIENT default value is 1
4.) VCLIENT = 0, which notifies the SSL server that no SSL client verification is needed
5.) VCLIENT = 1 the server asks the client to transfer a certificate

Correct Answer: 3,4,5


Question: 29

Which values are permitted for the S_BTCH_JOB authorization object? (3 correct)

1.) SHOW
2.) RELE
3.) 01 (Create)
4.) 02 (Change)
5.) DELE

Correct Answer: 1,2,5

Question: 30

Which of the following user types are precluded from logging in to system directly? (3
correct)

1.) Service
2.) System
3.) Communication
4.) Reference
5.) Dialog

Correct Answer: 2,3,4

Question: 31

Which of the following SUIM reports can you use to determine if a user has a segregation of
duties violation? (2 correct)

1.) User Level Access Risk Analysis
2.) User with Critical Authorizations
3.) User Comparison
4.) User by Complex Search

Correct Answer: 2,4

Question: 32

The report "Search for Application in Role Menu" can be called via which of the following
options? (2 correct)

1.) Transaction SUIM (menu node "Roles")
2.) Transaction RSUSR_ROLE_MENU
3.) Transaction RSUSR_START_APPL
4.) Transaction SUIM (menu node "Change Documents")

Correct Answer: 1,2

Question: 33

Which of the following parameters must be configured to capture log data in the Security
Audit Log?

1.) rec/client
2.) rsau/enable
3.) rdisp/TRACE
4.) dir_logging

Correct Answer: 2

Question: 34

In SAP NetWeaver AS Java, the User Management Engine (UME) supports which of the
following data sources for storing user data? (3 correct)

1.) Java system database


2.) Directory /usr/sap
3.) ABAP-based SAP system
4.) UDDI provider
5.) LDAP Directory

Correct Answer: 1,3,5

Question: 35

Which transaction allows a user to change the authorization values of multiple roles
at the same time?

1.) PFCGROLEDIST
2.) SUPC
3.) PFCGMASSVAL
4.) PFCG

Correct Answer: 3

Question: 36

What are the main features of SAP Enterprise Threat Detection (ETD)? (3 correct)

1.) Forensic investigations


2.) Monitoring of GDPR Compliance
3.) Segregation of Duty Analysis
4.) Monitoring of security events
5.) Realtime Alerts

Correct Answer: 1,4,5

Question: 37

Which of the following checks are performed for SAProuter by the SAP Security Optimization
Service (SOS)? (3 correct)

1.) Secure Network Communication Check


2.) Saprouttab Check
3.) User Management Check
4.) Operating System Access Check
5.) Password Check

Correct Answer: 1,2,4

Question: 38

Which of the following describe the behavior of a reference user when assigned to a user
master record? (2 correct)

1.) The reference user roles are directly assigned to the user master record.
2.) The roles of the reference user are always hidden.
3.) The roles of the reference user can be shown.
4.) The user master record references the role and authorizations assigned to the
reference user.

Correct Answer: 3,4

Question: 39

SAP Cloud Identity and Access Governance consists of which of the following software
services? (3 correct)

1.) Access Request


2.) Role Design
3.) Emergency Access Management
4.) User Access Certification
5.) Access Analyst

Correct Answer: 1,2,5

Question: 40

Which of the following actions correctly describe the usage of Front Channel Single
Sign-On based on SAML 2.0? (2 correct)

1.) The identity provider queries the user for authentication credentials
2.) The identity provider presents the requested resource to the user
3.) The identity provider returns the user to service providers with an authentication
request
4.) The service provider queries the user for authentication credentials

Correct Answer: 1,3

Question: 41

In SAP S/4HANA Cloud, authorization objects are grouped into which item?

1.) Groups
2.) Privileges
3.) Single technical roles.
4.) Business Roles

Correct Answer: 4

Question: 42

Which of the various protocols can be used to establish secure communication? (3 correct)

1.) From Secure Login Server to LDAP Server: HTTPS (SSL)
2.) From Secure Login Server to SAP NetWeaver: RFC (SNC)
3.) From Business Explorer to SAP NetWeaver: DIAG/RFC (SNC), HTTPS (SSL)
4.) From Secure Login Client to Secure Login Server: DIAG/RFC (SNC), HTTPS, RADIUS
5.) From SAP GUI to SAP NetWeaver: DIAG/RFC (SNC)

Correct Answer: 1,2,5

Question: 43

Which of the following describes an Authorization Object Class?

1.) It defines a logical grouping of authorization objects


2.) It defines authorizations for different authorization objects
3.) It defines a group of 1 to 10 authorization fields together
4.) It defines smallest unit against which an authorization check can be run

Correct Answer: 1

Question: 44

You want to turn off the SAP menu on Easy Access Menu Screen. What administrative
function do you need in Authorization Object S_USER_ADM ?

1.) PRGN_CUST
2.) USR_CUST
3.) USR_CUST_S
4.) SSM_CUST

Correct Answer: 4

Question: 45

Which of the following actions correctly describes the usage of Back Channel Single Sign-
On based on (SAML) 2.0?

1.) The service provider gets the authentication request from the identity provider over a
SOAP channel.
2.) The service provider queries the user for authentication credentials.
3.) The identity provider gets the authentication response from the service provider over a
SOAP channel.
4.) The service provider redirects the user to an identity provider and includes a SAML
artifact referring to authentication request.

Correct Answer: 4

Question: 46

Which UCON phase blocks the access to RFC Function Modules without an assigned
Communication Assembly?

1.) Configuration
2.) Logging
3.) Activation
4.) Evaluation

Correct Answer: 4

Question: 47

Which of the following correctly describe the SAP Security Optimization Service (SOS)
offering? (3 correct)

1.) Onsite Service: Performed by Specialist
2.) Remote Service: Part of CQC service offering
3.) Self Service: All Completely Automated checks in all SAP systems
4.) Onsite Service: Available with additional Cost
5.) Self Service: Performed by experienced service engineers

Correct Answer: 1,2,4

Question: 48

Which feature is available in the CommonCryptoLib Scenario provided by SAP Security
Library?

1.) Hardware Security Model (HSM)
2.) SPNEGO/ABAP
3.) SSL/TLS
4.) Secure Store and Forward (SSF)

Correct Answer: 4

Question: 49

What is the main purpose of SAP Access Control, as an enterprise software solution?

1.) Manage corporate social media presence


2.) Secure authentication for cloud and on-premise
3.) Identify security risk and document compliance
4.) Deployment of encryption services

Correct Answer: 3

Question: 50

What is the equivalent of the AS ABAP user type System in the AS JAVA UME security
policy?

1.) Internal Service User


2.) J2EE User
3.) Default User
4.) Technical User

Correct Answer: 4

Question: 51

Which of the following technical capabilities does SAP Code Vulnerability Analysis
provide? (2 correct)

1.) Static and Dynamic Application Security Testing


2.) Deprovisioning of problematic ABAP code
3.) Direct integration with Root Cause Analysis
4.) Capture of manual and automated check execution

Correct Answer: 1,4

Question: 52

Which CDS-related repository object types are provided with ABAP CDS? (3 correct)

1.) SQL View


2.) Data Definition
3.) Metadata Extensions
4.) CDS View Entity
5.) Access Control

Correct Answer: 2,3,5

Question: 53

Which of the following are system security threats? (3 correct)


1.) Authority Violation
2.) Nonrepudiation
3.) Code Injection
4.) System Penetration
5.) Availability

Correct Answer: 1,3,4

Question: 54

Where can you enable Read Access Logging tools?

1.) SICF
2.) SPRO
3.) SWI5
4.) SUIM

Correct Answer: 1

Question: 55

Which of the following conditions apply when merging authorizations for the same object?
(2 correct)

1.) Changed authorizations can be merged with manual authorizations, even if the
activation status is different
2.) Changed authorizations can be merged with manual authorizations, as long as the
activation status is the same
3.) Both activation status and maintenance status of the authorizations match
4.) Both activation status and maintenance status of the authorizations do not match

Correct Answer: 2,3

Question: 56

If the OData back-end service is located on a remote back end, users need which
authorization objects to perform the RFC call on the back-end system? (2 correct)

1.) S_START
2.) S_SERVICE
3.) S_RFCACL
4.) S_RFC

Correct Answer: 3,4


Question: 57

Which TADIR Service Object type includes business functional authorization objects used
within the OData execution?

1.) IWSG
2.) IWSC
3.) OSOD
4.) IWSV

Correct Answer: 1

Question: 58

When building a PFCG role for SAP Fiori access on an embedded front-end server
configuration, which of the following items should be provided? (3 correct)

1.) SAP Favorites
2.) Catalog for the Start Authorization
3.) UI access to the Apps
4.) Start Authorizations for OData Services
5.) WAPA Business Server Pages

Correct Answer: 2,3,4

Question: 59

What is the purpose of securing sensitive business data? (3 correct)

1.) Reduction of training Cost


2.) Protection of Intellectual property
3.) Correctness of Data
4.) Disruption of software deployment
5.) Protection Image

Correct Answer: 2,4,5

Question: 60

You are responsible for determining the reason why you need personal data and how this
data is processed or stored. What key role do you play under GDPR in relation to personal
data?

1.) Data Steward


2.) Data Controller
3.) Data Subject
4.) Data Processor

Correct Answer: 2

Question: 61

Which of the following are prerequisites for using transaction PFCG? (2 correct)

1.) Fill Initial values for customer tables using transaction SU25
2.) Maintain parameter auth/no_check_in_some_cases = Y
3.) Generate Standard Role SAP_NEW using transaction SU25
4.) Maintain the Check Indicators for Critical Authorization objects

Correct Answer: 1,2

Question: 62

Which of the following defines "Phishing"?

1.) Overloading an application with requests


2.) Acquiring sensitive information by masquerading as trustworthy entity
3.) Modifying an IP address of the source of the TCP/IP packet
4.) Pretending to be another user

Correct Answer: 2

Question: 63

Which of the following tables contain transport request object list and table entry keys? (2
correct)

1.) E071
2.) E070
3.) E070L
4.) E071K

Correct Answer: 1,4


Question: 64

Which of the following items are addressed by Configuration Validation? (3 correct)

1.) Database Parameters


2.) Critical Roles
3.) Failed Transport
4.) Software Packages
5.) RFC Logins

Correct Answer: 1,4,5

Question: 65

Which of the following are core principles of GDPR? (3 correct)

1.) Data Quality


2.) Lawfulness, Fairness and Transparency
3.) Data Archiving
4.) Data Minimization
5.) Storage limitation

Correct Answer: 2,4,5

Question: 66

Which of the following transactions allow you to define role assignments for OData
Services that are available on multiple back-end systems? (2 correct)

1.) /IWFND/MAINT_SERVICE
2.) /IWFND/GW_SYS_ALIAS
3.) /IWFND/GW_CLIENT
4.) /UI2/GW_MAINT_SRV

Correct Answer: 1,4

Question: 67

Your company uses derived roles. During maintenance of the Plant Manager imparting
role, you add a new transaction to the Menu tab which introduces a new organizational
level that will be unique for each of your 150 plants. How will the new organization level
be maintained in the derived roles?

1.) Automatically using the Copy Data button during maintenance of the imparting role
2.) All at once using transaction PFCGMASSVAL
3.) Automatically after generating the profiles of the imparting role and adjusting the
derived roles
4.) Manually by maintaining each derived role individually

Correct Answer: 4

Question: 68

During maintenance of a role you notice that the status text for an authorization object
indicates status "Changed New". What does this status text mean?

1.) The authorization object was used to create a new authorization because the values
contained in SU24 differ from the SAP standard contained in SU25
2.) The authorization object must be maintained again
3.) This authorization object has been flagged as a critical object
4.) The authorization object was used to create a new authorization because the initial
configuration of the role changed a default value maintained in SU24

Correct Answer: 4

Question: 69

Which of the following are examples of personal data under the GDPR? (3 correct)

1.) IP Address
2.) Email Address
3.) GPS data from Cellular phone
4.) Age Group
5.) Aggregated statistics on the use of a product

Correct Answer: 1,2,3

Question: 70

Which of the following allows you to improve the quality of your enterprise data assets
with consistent data validation rules, data profiling and metadata management?

1.) SAP Information Steward
2.) SAP Process Control
3.) SAP Information LifeCycle Management
4.) SAP Data Services

Correct Answer: 4

Question: 71

Which transaction codes are relevant to enable SNC between ABAP systems? (3 correct)

1.) RZ10
2.) SNCO
3.) STRUST
4.) PFCG
5.) SU01

Correct Answer: 2,3,5

Question: 72

Which of the following accurately describe Solution Manager Functionality? (3 correct)

1.) SAP SOS self-service is a convenient entry point to introduce security monitoring.
2.) A system recommendation provides a worklist of potentially relevant security notes.
3.) Configuration validation can check if security policies were applied.
4.) SAP EWA provides the most comprehensive security check.
5.) Configuration validation helps to standardize and harmonize security related
configuration items for ABAP systems only.

Correct Answer: 1,2,4

Question: 73

Which of the following are SAP UI5 Fiori application types? (2 correct)

1.) Legacy
2.) Transactional
3.) Analytical
4.) Web Dynpro

Correct Answer: 2,3


Question: 74

In the case of missing OData authorizations, why is it not recommended to maintain
S_SERVICE manually within an SAP Fiori Authorization Role? (2 correct)

1.) The SRV_NAME value of the S_SERVICE authorization object is the hash value of an
OData service
2.) The SRV_NAME value of the S_SERVICE authorization object is the name of an OData
service
3.) Both front-end and back-end entries are generating the same S_SERVICE authorization
object with different authorization values
4.) Both front-end and back-end entries are generating the same S_SERVICE authorization
object with same authorization values

Correct Answer: 1,3

Question: 75

You want to limit an authorization administrator so that they can only assign certain
authorizations. Which authorization object should you use?

1.) S_USER_VAL
2.) S_USER_ADM
3.) S_USER_AGR
4.) S_USER_TCD

Correct Answer: 3

Question: 76

The DBMS tab in transaction SU01 allows you to manage database privilege assignments
for which of the following scenarios? (2 correct)

1.) When users need to use reporting authorizations on SAP BW


2.) When a user needs to run applications that access database directly
3.) When users need 1:1 user mapping to map analytical privileges of database to the
virtual analysis of authorization on SAP BW
4.) When a user needs to execute CDS Views

Correct Answer: 2,3

Question: 77

What content can be shared between SAP Access Control and SAP Cloud Identity and
Access Governance products? (3 correct)

1.) Mitigations
2.) Process Hierarchy
3.) Mitigation Control
4.) Risk Library
5.) Emergency Access

Correct Answer: 1,3,4

Question: 78

Which of the following authorization objects would be required to allow back-end server
access to a Web Dynpro application using the SAP Fiori Launchpad?

1.) S_TCODE
2.) S_START
3.) S_SERVICE
4.) S_PERSONAS

Correct Answer: 3

Question: 79

Which of the following are used in SAP Enterprise Threat Detection (ETD) architecture?
(2 correct)

1.) SAP HANA Smart Data Streaming


2.) SAP IQ
3.) Forensic Lab
4.) SAP ASE

Correct Answer: 1,3

Question: 80

Which of the following app-specific types of entities do users need to use SAP Fiori apps?
(2 correct)

1.) Master Data


2.) UI
3.) Authorizations
4.) Parameters

Correct Answer: 2,4

Question: 81

Which cloud-based SAP solution helps organizations control their data across various
cloud platforms and on-premise data sources?

1.) SAP Identity Access Governance


2.) SAP Privacy Governance
3.) SAP Data Custodian
4.) SAP Information Steward

Correct Answer: 3

Question: 82

Which cybersecurity type does NOT focus on protecting connected devices?

1.) Cloud security


2.) Application security
3.) Network security
4.) IoT security

Correct Answer: 2

Question: 83

What happens to data within SAP Enterprise Threat Detection during the aggregation
process? (3 correct)

1.) It is prioritized.
2.) It is pseudonymized.
3.) It is categorized.
4.) It is normalized.
5.) It is enriched.

Correct Answer: 2,4,5

Question: 84

What are some security safeguards categories? (3 correct)


1.) Physical
2.) Access Control
3.) Organizational
4.) Technical
5.) Financial

Correct Answer: 1,3,4

Question: 85

Which of the following functions within SAP GRC Access Control support access
certification and review? (2 correct)

1.) Role Reaffirm


2.) SOD Review
3.) User Reaffirm
4.) Role Review

Correct Answer: 2,3

Question: 86

Which solution analyzes an SAP system's administrative areas to safeguard against
potential threats?

1.) SAP EarlyWatch Alert


2.) SAP Enterprise Threat Detection
3.) SAP Code Vulnerability Analyzer
4.) SAP Security Optimization Services

Correct Answer: 1

Question: 87

Which solution is NOT used to identify security recommendations for the SAP Security
Baseline?

1.) SAP Code Vulnerability Analyzer


2.) SAP EarlyWatch Alert
3.) SAP Security Optimization Service
4.) SAP Security Notes

Correct Answer: 1

Question: 88

Which functions in SAP Access Control can be used to approve or reject a user's continued
access to specific security roles? (2 correct)

1.) User Access Review


2.) Role Certification
3.) SOD Review
4.) Role Reaffirm

Correct Answer: 1,4

Question: 89

Which of the following are Security Goals? (2 correct)

1.) Repudiation
2.) Identity Authentication
3.) Encryption
4.) Information Integrity

Correct Answer: 2,4

Question: 90

When segregating the duties for user and role maintenance, which of the following should
be part of a decentralized treble control strategy for a production system? (3 correct)

1.) One authorization data administrator


2.) One user administrator per production system
3.) One authorization profile administrator
4.) One user administrator per application area in the production system
5.) One decentralized role administrator

Correct Answer: 1,4,5

Question: 91

In the administration console of the Cloud Identity Services, which system property types
can you add? (2 correct)

1.) Standard
2.) Internal
3.) Credential
4.) Default

Correct Answer: 1,3

Question: 92

In the administration console of the Cloud Identity Services, for which system type can
you define both read and write transformations?

1.) Source systems


2.) Target systems
3.) Proxy systems

Correct Answer: 3

Question: 93

Where do you configure the Social Media deny providers?

1.) In the SAP BTP Cockpit Account Explorer


2.) In the code editor of the SAP Business Application Studio
3.) In the administration console for SAP Cloud Identity Services

Correct Answer: 3

Question: 94

For which of the following can transformation variables be used?

1.) To save data to the output JSON file


2.) To save data permanently
3.) To save data temporarily

Correct Answer: 3

Question: 95

In the administration console of the Cloud Identity Services, which authentication
providers are available? (2 correct)

1.) Fieldglass
2.) SuccessFactors
3.) Concur
4.) Ariba

Correct Answer: 2,4

Question: 96

In which order do you define the security-relevant objects in SAP BTP?

1.) A. Role collection B. Role template C. Role
2.) A. Role template B. Role C. Role collection
3.) A. Role B. Role template C. Role collection

Correct Answer: 2

Question: 97

Which of the following services does the Identity Authentication Service provide? (2
correct)

1.) Authentication
2.) Single Sign-On
3.) Central User Repository
4.) Policy refinement

Correct Answer: 1,2

Question: 98

What use cases are available for a Local Identity Directory? (3 correct)

1.) Hybrid mode


2.) Merging attributes
3.) S/4HANA use case
4.) Proxy mode
5.) Classic use case

Correct Answer: 1,4,5


Question: 99

SAP BTP distinguishes between which of the following users? (2 correct)

1.) Business users


2.) Technical users
3.) Platform users
4.) Key users

Correct Answer: 1,3

Question: 100

Which cryptographic libraries are provided by SAP? (2 correct)

1.) Cryptlib
2.) SecLib
3.) SAPCRYPTOLIB
4.) CommonCryptoLib

Correct Answer: 3,4

Question: 101

What can be assigned directly to a user when using the SAP Launchpad service in SAP
BTP?

1.) Launchpad roles


2.) Role collections
3.) Spaces
4.) Catalogs

Correct Answer: 2

Question: 102

Which protocol is the industry standard for provisioning identity and access management
in hybrid landscapes?

1.) SCIM
2.) SAML
3.) SSL
4.) OIDC

Correct Answer: 1

Question: 103

Which log types are available in the Administration Console of Cloud Identity Services? (2
correct)

1.) Change logs


2.) Troubleshooting logs
3.) Performance logs
4.) Usage logs

Correct Answer: 1,2

Question: 104

What does SAP Key Management Service (KMS) do to secure cryptographic keys? (3
correct)

1.) Store keys


2.) Conceal keys
3.) Rotate keys
4.) Generate keys
5.) Transmit keys

Correct Answer: 1,3,4

Question: 105

In the SAP BTP Cockpit, at which level is Trust Configuration available? (2 correct)

1.) Global Account


2.) Organization
3.) Subaccount
4.) Directory

Correct Answer: 1,3

Question: 106

Which levels of security protection are provided by Secure Network Communication
(SNC)? (3 correct)

1.) Authentication
2.) Integrity
3.) Availability
4.) Privacy
5.) Authorization

Correct Answer: 1,2,4

Question: 107

Which tool can you use to modify the entities schema content across multiple repositories?

1.) SAP Business Application Studio
2.) SAP BTP Account Explorer
3.) SAP Cloud Identity Services Transformation Editor
4.) SAP Cloud Identity Services Schemas app

Correct Answer: 4

Question: 108

Following an upgrade of your SAP S/4HANA on-premise system to a higher release, you
perform a Modification Comparison using SU25. What does this comparison do?

1.) It compares your changes to the SAP defaults in USOBX and USOBT with the new SAP
defaults in the current release and allows you to make adjustments.
2.) It compares the Role Maintenance data from the current release with the data for the
previous release and allows you to adjust any custom default values in tables USOBX and
USOBT.
3.) It compares the Role Maintenance data from the previous release with the data for the
current release and writes any new default values in tables USOBX_C and USOBT_C.
4.) It compares your changes to the SAP defaults in USOBX_C and USOBT_C with the new
SAP defaults in the current release and allows you to make adjustments.

Correct Answer: 1

Question: 109

Which of the following allow you to control the assignment of table authorization groups?
(2 correct)

1.) PRGN_CUST
2.) V_DDAT_54
3.) V_BRG_54
4.) SSM_CUST

Correct Answer: 2,3

Question: 110

Which limitations apply to restricted users in SAP HANA Cloud? (3 correct)

1.) They can only create objects in their own database schema.
2.) They can only connect to the database using HTTP/HTTPS.
3.) They only have full SQL access via the SQL console.
4.) They cannot connect via ODBC or JDBC.
5.) They cannot create objects in the database.

Correct Answer: 2,4,5

Question: 111

When performing a comparison from the imparting role, what happens to the
organizational level field values in the derived role? (2 correct)

1.) Data for organizational levels is always transferred when authorization data for the
derived role is modified.
2.) Data for organizational levels that have already been maintained in the derived role is
NOT overwritten.
3.) Data for organizational levels is transferred only when authorization data for the
derived role is first modified.
4.) Data for organizational levels that have already been maintained in the derived role is
overwritten.

Correct Answer: 2,3

Question: 112

What authorization object can be used to restrict which users a security administrator is
authorized to maintain?

1.) S_USER_GRD
2.) S_USER_AUTO
3.) S_USER_SASO
4.) S_USER_GRP

Correct Answer: 4

Question: 113

In SAP HANA Cloud, who has access to a database object?

1.) The user DBADMIN and the group owner
2.) The user SYSTEM and the creator
3.) The owner and the SAP-owned users
4.) The creator and the schema owner

Correct Answer: 4

Question: 114

What does a status text value of "Old" mean during the maintenance of authorizations for
an existing role?

1.) Field values have not been changed.
2.) Field values were unchanged and no new authorization was added.
3.) Field values were changed as a result of the merge process.
4.) The field delivered with content was changed but the old value was retained.

Correct Answer: 2

Question: 115

What must you do before you can use transaction PFCG? (2 correct)

1.) Fill tables USOBT and USOBX with the SAP-delivered authorization default values.
2.) Set the system profile parameter auth/no_check_in_some_cases to Y.
3.) Fill tables USOBT_C and USOBX_C with the SAP-delivered authorization default
values.
4.) Set the system profile parameter auth/no_check_in_some_cases to N.

Correct Answer: 1,2

Question: 116

Your developer has created a new custom transaction for your SAP S/4HANA on-premise
system and has provided you a list of the authorizations needed to execute the new ABAP
program. What must you do to ensure that each required authorization is automatically
created every time this new custom transaction is added to a PFCG role?

1.) Maintain each authorization object in transaction SU24 and set the Default Status to
"Yes".
2.) Maintain each authorization object in transaction SU22 and set the Default Status to
"Yes".
3.) Maintain each authorization in transaction SU24 and set the Default Status to "Yes".
4.) Maintain each authorization in transaction SU22 and set the Check Indicator value to
"Check".

Correct Answer: 1

Question: 117

What must you do if you want to enforce an additional authorization check when a user
starts an SAP transaction?

1.) Assign authorization object S_START to the chosen transaction code with transaction
SU24 and specify the Program ID and Object Type.
2.) Assign the authorization object to be checked to the chosen transaction code in the
SAP Default authorization data using transaction SU22 and set Check Indicator to
"Check".
3.) Assign the authorization object to be checked to the chosen transaction code with
transaction SU24 and set Default Status to "Yes".
4.) Assign the authorization object and permissions to the chosen transaction code using
transaction SE93.

Correct Answer: 1

Question: 118

Which of the following rules does SAP recommend you consider when you define a
role-naming convention for an SAP S/4HANA on-premise system? (3 correct)

1.) Role names must NOT start with "SAP"
2.) Role names are system language-independent
3.) Role names can be no longer than 20 characters
4.) Role names are system language-dependent
5.) Role names can be no longer than 30 characters

Correct Answer: 1,2,5

Question: 119

Where can you find information on the SAP-delivered default authorization object and
value assignments? (2 correct)

1.) USOBT_C
2.) USOBT
3.) SU22
4.) SU24

Correct Answer: 2,3

Question: 120

After you maintained authorization object S_TABU_DIS and ACTVT field value 02 as
authorization defaults for transaction SM30 in your development system, what would be
the correct option for transporting only these changes to your quality assurance system?

1.) Save your changes to a Workbench transport request and transport using the
Transport Management System.
2.) Save your changes to a Customizing transport request and transport using the
Transport Management System.
3.) Save tables USOBT_C and USOBX_C to a transport request and transport using the
Transport Management System.
4.) Save your changes and use the transport interface in SU25 to transport the changes
using the Transport Management System.

Correct Answer: 1

Question: 121

Which optional components can be included when transporting a role definition from the
development system to the quality assurance system? (3 correct)

1.) Generated profiles of dependent roles
2.) Indirect user assignments
3.) Personalization data
4.) Generated profiles of single roles
5.) Direct user assignments

Correct Answer: 3,4,5

Question: 122

Which privilege types are available in SAP HANA Cloud? (3 correct)

1.) Application
2.) Package
3.) System
4.) Analytic
5.) Object

Correct Answer: 3,4,5

Question: 123

Under which of the following conditions can you merge authorizations for the same object
during role maintenance? (2 correct)

1.) The maintenance status of the changed authorizations must match the status of a
manual authorization.
2.) The activation status and the maintenance status of the authorizations must match.
3.) The activation status and the maintenance status of the authorizations must NOT
match.
4.) The activation status of a manual authorization must match the status of the changed
authorizations.

Correct Answer: 2,4

Question: 124

What are some disadvantages of a Composite Role? (2 correct)

1.) Changes to the authorizations can only be made using the included roles.
2.) Transactions that are deleted from the Composite Role menu are also removed from
the included roles.
3.) Changes to the included roles are not immediately visible in the composite role menu,
requiring a renewed import.
4.) Menus from the included roles cannot be mixed.

Correct Answer: 1,3

Question: 125

For users with system administration authorization, which additional functions are
provided by the SAP Easy Access menu? (2 correct)

1.) Creating users
2.) Calling programs
3.) Creating roles
4.) Calling menus for roles and assigning them to users

Correct Answer: 1,3

Question: 126

What authorization object can be used to authorize an administrator to create specific
authorizations in roles?

1.) S_USER_AUT
2.) S_USER_VAL
3.) S_USER_AGR
4.) S_USER_TCD

Correct Answer: 1

Question: 127

Which code does the authority-check return when a user does NOT have any
authorizations for the authorization object checked?

1.) 12
2.) 16
3.) 0
4.) 4

Correct Answer: 1

Question: 128

Which of the following is part of the SAP S/4HANA central UI component?

1.) SAP Fiori launchpad
2.) SAP Fiori object page
3.) SAP Fiori analytical application
4.) SAP Fiori transactional application

Correct Answer: 1

Question: 129

You are evaluating startable applications. Which of the following can you use to check if
there is an application start lock on an application contained in a PFCG role? (2 correct)

1.) Transaction SUIM - Executable Transactions report
2.) Transaction SM01_DEV
3.) Transaction SM01_CUS
4.) Transaction SUIM - Transactions Executable with Profile report

Correct Answer: 1,4

Question: 130

You are building a PFCG role for access to an SAP Fiori app on your SAP S/4HANA
on-premise system. After you enter the catalog in the role menu, an entry for an OData
service is missing and you have to add it manually to the role menu. When you maintain
authorization data in the PFCG role, why does SAP recommend that you NOT maintain the
SRV_NAME field value of the S_SERVICE authorization object manually?

1.) Because the TADIR Service name is the same for the front-end server component and
the back-end server component.
2.) Because the TADIR Service name for the back-end server component was
automatically added to the role menu.
3.) Because the SRV_NAME hash value for the front-end server component and back-end
server component are the same.
4.) Because the SRV_NAME hash value for the front-end server component and back-end
server component are different.

Correct Answer: 2

Question: 131

When creating PFCG roles for SAP Fiori access, what is included automatically when
adding a catalog to the menu of a back-end PFCG role? (2 correct)

1.) The start authorizations and the authorization default values for each IWSG TADIR
service definition in the catalog.
2.) The start authorizations and the authorization default values for each IWSV TADIR
service definition in the catalog.
3.) The IWSG TADIR service definitions from the catalog.
4.) The IWSV TADIR service definitions from the catalog.

Correct Answer: 2,4

Question: 132

Which of the following are SAP Fiori Launchpad functionalities? (2 correct)

1.) Spaces
2.) SAP GUI
3.) Web Dynpro
4.) User Actions Menu

Correct Answer: 1,4

Question: 133

How does Rapid Activation support customers during the SAP S/4HANA on-premise
implementation process? (3 correct)

1.) By helping customers to start exploring SAP Fiori in SAP S/4HANA on premises as
quickly as possible.
2.) By supporting content activation at the business role level, including SAP Fiori apps
and all associated Web Dynpro for ABAP applications.
3.) By allowing customers to select individual SAP Fiori apps for their end-to-end business
processes.
4.) By allowing customers to select and activate SAP Fiori apps one by one, independent
of dependencies needed for app-to-app navigation.
5.) By reducing the SAP Fiori activation effort during the Explore phase of SAP Activate.

Correct Answer: 1,2,5

Question: 134

What is the authorization object required to define the start authorization for an SAP Fiori
legacy Web Dynpro application?

1.) S_SDSAUTH
2.) S_START
3.) S_TCODE
4.) S_SERVICE

Correct Answer: 2

Question: 135

To connect to data sources that are NOT all based on OData, which of the following
options does SAP recommend you use?

1.) SAP Process Integration
2.) SAP Integration Suite
3.) Cloud connector
4.) OData Provisioning service

Correct Answer: 2

Question: 136

An authorization based on what object is required for trusted system access to an SAP
Fiori back-end server?

1.) S_RFC
2.) S_RFCACL
3.) S_SERVICE
4.) S_START

Correct Answer: 2

Question: 137

In S/4HANA on-premise, which of the following combinations is required to grant a
business user access to data from a Core Data Services (CDS) view using the standard
ABAP authorization concept and authorization object S_RS_AUTH?

1.) A CDS role with access conditions based on authorization object S_RS_AUTH, A PFCG
role with authorization for object S_RS_AUTH and assignment of the PFCG role, The CDS
role to the business user.
2.) A CDS role with access conditions based on authorization object S_RS_AUTH, A PFCG
role containing the CDS role and access conditions based upon authorization object
S_RS_AUTH, Assignment of the PFCG role to the business user.
3.) A CDS role with access conditions based on authorization object S_RS_AUTH, A PFCG
role with authorization for object S_RS_AUTH, Assignment of the PFCG role to the
business user.
4.) A CDS role with access conditions based on authorization object S_RS_AUTH, A PFCG
role containing the CDS role and access conditions based upon authorization object
S_RS_AUTH, Assignment of the PFCG role and the CDS role to the business user.

Correct Answer: 2

Question: 138

When you maintain authorizations for SAPUI5 Fiori apps, which of the following object
types is the front-end authorization object type?

1.) TADIR G4BA - SAP Gateway OData V4 Backend Service Group & Assignments
2.) TADIR IWSV - SAP Gateway Business Suite Enablement - Service
3.) TADIR IWSG - SAP Gateway: Service Groups Metadata
4.) TADIR INA1 - InA Service

Correct Answer: 2

Question: 139

Which object type is assigned to activated OData services in transaction SU24?

1.) IWSV
2.) G4BA
3.) IWSG
4.) HTTP

Correct Answer: 1

Question: 140

Which SAP Fiori deployment option requires the Cloud connector?

1.) SAP Fiori for SAP S/4HANA standalone front-end server
2.) SAP S/4HANA embedded
3.) SAP Business Technology Platform
4.) SAP S/4HANA Cloud Public Edition

Correct Answer: 3

Question: 141

Which authorization objects can be used to restrict access to SAP Enterprise Search
models in the SAP Fiori launchpad? (2 correct)

1.) S_ESH_CONN
2.) SDDLVIEW
3.) S_ESH_ADM
4.) RSDDLTIP

Correct Answer: 1,2

Question: 142

Where can you find SAP Fiori tiles and target mappings according to segregation of duty?

1.) Assigned Pages
2.) Assigned Spaces
3.) Assigned Technical Catalogs
4.) Assigned Business Catalogs

Correct Answer: 4

Question: 143

If you want to evaluate catalog menu entries and authorization default values of IWSG and
IWSV applications, which SUIM reports would you use? (2 correct)

1.) Search Startable Applications in Roles
2.) Search Applications in Roles
3.) Roles By Transaction Assignment in Menu
4.) Roles By Authorization Object

Correct Answer: 1,4

Question: 144

What are some of the rules for SAP-developed roles in SAP S/4HANA Cloud Public
Edition? (3 correct)

1.) Authorization defaults define role authorizations.
2.) Role maintenance reads applications from role menus.
3.) Role maintenance reads applications from a catalog.
4.) Catalogs are assigned to role menus.
5.) Manual role authorizations are supported in custom catalogs.

Correct Answer: 1,3,4

Question: 145

Which user type in SAP S/4HANA Cloud Public Edition is used for API access, system
integration, and scenarios where automated data exchange is required?

1.) SAP Communication User
2.) SAP Technical User
3.) SAP Administrative User
4.) SAP Support User

Correct Answer: 1

Question: 146

What does SAP recommend you do when you transport a custom leading business role in
SAP S/4HANA Cloud Public Edition?

1.) Add all other leading business roles from the same Line of Business as dependencies to
the Software Collection.
2.) Add all derived business roles as dependencies to the Software Collection.
3.) Add the pre-delivered business role that was used as a template to create the custom
leading business role to the Software Collection.

Correct Answer: 2

Question: 147

Which application in SAP S/4HANA Cloud Public Edition allows you to upload employee
information independent of the customers' HR system?

1.) Maintain Business User app
2.) Display Technical Users app
3.) Manage Workforce app
4.) Identity and Access Management app

Correct Answer: 3

Question: 148

When planning an authorization concept for your SAP S/4HANA Cloud Public Edition
implementation, what rules must you consider? (2 correct)

1.) SAP Fiori apps, dashboards, and displays can be assigned directly to a business role.
2.) Business catalogs can be assigned directly to a business user.
3.) Business roles can be assigned directly to a business user.
4.) Business catalogs can be assigned directly to a business role.

Correct Answer: 3,4

Question: 149

In SAP S/4HANA Cloud Public Edition, what does the ID of an SAP-predefined Space refer
to?

1.) The business roles it is to be assigned to
2.) The business area it was designed for
3.) The software release it was created for
4.) The SAP Fiori applications it was defined for

Correct Answer: 2

Question: 150

Which access categories are available to maintain restrictions in SAP S/4HANA Cloud
Public Edition? (3 correct)

1.) Read (read access)
2.) Write, Read (write access)
3.) Read, Value Help (read access)
4.) Value Help (value help access)
5.) Write, Read, Value Help (write access)

Correct Answer: 3,4,5

Question: 151

In SAP S/4HANA Cloud Public Edition, what can you do with the Display Authorization
Trace? (3 correct)

1.) Display business roles granting specific access
2.) Adjust role restrictions to further limit access when performing forensic analysis
3.) Analyze authorization check results for missing authorizations
4.) Adjust role restrictions to account for missing authorizations
5.) Analyze authorization check results for already assigned authorizations

Correct Answer: 1,3,5

Question: 152

In SAP S/4HANA Cloud Public Edition, which of the following can you change in a derived
business role if the "Inherit Spaces in Derived Business Roles" checkbox is NOT selected
in the leading business role?

1.) Business Catalogs
2.) Business Role Template
3.) Pages
4.) Restrictions

Correct Answer: 3

Question: 153

Which user types can log on to the SAP S/4HANA system in interactive mode? (2 correct)

1.) Dialog User
2.) Service User
3.) System User
4.) Communication User

Correct Answer: 1,2

Question: 154

In SAP HANA Cloud, what can you configure in user groups? (2 correct)

1.) Password policy settings
2.) Client connect restrictions
3.) Identity providers
4.) Authorization privileges

Correct Answer: 1,2

Question: 155

Which archiving objects are relevant for archiving change documents for user master
records? (2 correct)

1.) US_PROF
2.) US_USER
3.) US_AUTH
4.) US_PASS

Correct Answer: 2,4

Question: 156

What is the correct configuration setting in table PRGN_CUST for user assignments when
transporting roles within a Central User Administration scenario?

1.) SET_IMP_LOCK_USERS = YES
2.) SET_IMP_LOCK_USERS = NO
3.) USER_REL_IMPORT = YES
4.) USER_REL_IMPORT = NO

Correct Answer: 4

Question: 157

Which of the following user types are excluded from some general password-related rules,
such as password validity or initial password? (2 correct)

1.) Dialog
2.) System
3.) Communication
4.) Service

Correct Answer: 2,4

Question: 158

What is required to centrally administer a user's master record using Central User
Administration? (3 correct)

1.) An RFC destination to the target system
2.) An RFC destination to the target client
3.) An existing master record in the target client for the user
4.) An ALE distribution model
5.) An entry in transaction BD54 for the child system

Correct Answer: 2,4,5

Question: 159

Which SU01 user types are NOT enabled for interaction? (2 correct)

1.) Service
2.) System
3.) Dialog
4.) Communications Data

Correct Answer: 2,4

Question: 160

Which entities share data with Business Partners in the S/4HANA Business User Concept?
(2 correct)

1.) Employer
2.) Administrator
3.) User
4.) Employee

Correct Answer: 3,4
