SAP Authorizations IQ Quiz: The Results


Spoiler Alert:
This blog details the scoring results and answers to the SAP Authorizations IQ Quiz. Take the quiz here.

[Image: SAP Authorizations IQ Quiz results]

Below is an analysis of the quiz results, including the right and wrong answers and detailed explanations for the questions that most people answered wrong. If you haven’t taken the quiz yet, do so first before reading the answers below. Go to http://www.xpandion.com/Security-Authorizations/quiz-sap-authorizations.html

Main Stats:
Number of qualified people: >500
Number of questions: 10
Average score: 5.67
Average score, not including people who scored zero: 6.83
Average time spent: 8 minutes and 25 seconds
Maximum time taken to complete: 608 minutes (we categorized this result as irregular, so it does not affect the averages below)
Minimum time taken to complete: 37 seconds

[Image: percentage of people per score]

Interesting to know…

The ratio between time and score… (more time = higher score?)

Score   % of people   Avg time (min)   Min time (min)   Max time (min)
0       17%           N/A              N/A              N/A
1       1%            2.77             0.61             5.85
2       1%            4.95             0.81             10.73
3       4%            6.37             0.80             15.96
4       6%            6.57             1.36             44.15
5       11%           5.70             2.10             17.21
6       11%           7.41             2.38             67.08
7       15%           5.53             1.93             30.78
8       17%           9.72             0.93             246.88
9       13%           6.25             0.98             41.56
10      6%            7.19             0.65             74.60

What’s interesting? The longest time in the table (just under 247 minutes) produced a score of 8, while those who scored 9 or 10 didn’t spend nearly as long.

[Image: average time spent per score]

The Questions Answered Correctly Most Often
Two questions earned the highest number of correct answers: questions #1 and #4.

Question #1: “Can SAP authorizations go beyond the T-Code level?” Most people knew that the answer was “Yes.” Starting a transaction is itself an authorization check (object S_TCODE, field TCD), but SAP authorizations go much deeper than the T-Code level: the transaction’s code performs further checks against authorization objects, each with authorization fields whose permitted values (a company code, a document type, an activity) are what the user’s roles actually grant.

Question #4: “What is the meaning of ACTVT = 02 in an authorization field’s value?” Most people knew that it represents the activity “Change” (alongside the other common values 01 = Create and 03 = Display).

The Questions Answered Incorrectly Most Often
The question that most people answered wrong was question #8, followed by question #2. Let’s solve them:

Question #8: In an ABAP program, if you include the AUTHORITY-CHECK command, which of the following is crucial?

Correct answer: To check the value of SY-SUBRC immediately after the command

In detail: AUTHORITY-CHECK is the ABAP statement that checks whether a user (by default the current user; the FOR USER addition names another) holds an authorization for the given object and set of field values. If the check succeeds, SY-SUBRC is set to 0. Otherwise it is set to a non-zero value: 4 means the user lacks the authorization, and other values mean the check itself could not be carried out (for example, the object does not exist), which must be treated as a denial too (for the complete description of AUTHORITY-CHECK, see http://help.sap.com/abapdocu_70/en/ABAPAUTHORITY-CHECK.htm).

However, many ABAP statements (SELECT, READ TABLE, CALL FUNCTION and so on) also set SY-SUBRC, so the only place where SY-SUBRC reliably holds the result of the authorization check is the statement immediately following AUTHORITY-CHECK. One common mistake is to test SY-SUBRC only after other statements have already overwritten it; another is to issue the check and never test it at all. Both leave the program effectively unprotected, because the result of the check is thrown away.
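The following report is an added example, not code from the original post or from Xpandion: it shows the two SY-SUBRC mistakes the question is about beside the correct pattern. It assumes the standard FI authorization object F_BKPF_BUK (fields BUKRS and ACTVT) and table T001; company code 1000 and the report name are constructed sample values.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original post). Two SY-SUBRC mistakes
*& beside the correct AUTHORITY-CHECK pattern.
*& Assumptions: standard FI object F_BKPF_BUK (fields BUKRS, ACTVT) and
*& table T001 exist; company code '1000' is a constructed sample value.
*&---------------------------------------------------------------------*
REPORT z_authority_check_demo.

PARAMETERS p_bukrs TYPE bukrs DEFAULT '1000'.

DATA lv_butxt TYPE t001-butxt.

*--- Mistake 1: a statement sits between the check and the test --------*
* SELECT sets SY-SUBRC as well, so the IF below tests the SELECT result
* (0 whenever the company code exists), not the authorization result.
* A user without F_BKPF_BUK for 1000 is never stopped.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.                      " 03 = Display
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = p_bukrs.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized (this test is wrong)' TYPE 'I'.
ENDIF.

*--- Mistake 2: the check is issued, SY-SUBRC is never tested ----------*
* Nothing branches on the result; the check is pure decoration.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
WRITE: / 'Company code', p_bukrs, lv_butxt.   " reached by everyone

*--- Correct: test SY-SUBRC on the very next statement -----------------*
* Any non-zero value is a denial: 4 = user lacks the authorization,
* other values mean the check itself failed (e.g. unknown object) and
* must never be read as "allowed".
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No display authorization for this company code' TYPE 'E'.
ENDIF.
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = p_bukrs.
WRITE: / 'Company code', p_bukrs, lv_butxt.   " authorized users only
```

A habit that makes the first mistake impossible is to wrap every AUTHORITY-CHECK in a small method or form that tests SY-SUBRC on its next line and returns a boolean, so the calling code never sees SY-SUBRC at all. When reviewing custom ABAP, search for every AUTHORITY-CHECK and confirm that the statement right after it reads SY-SUBRC and that the failure branch actually stops the program rather than just writing a message.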


Question #2: What is the name of the authorization object that relates to “Company Code”?

Correct answer: There isn’t one authorization object for “company code.” There are many, each with its own name, because different T-Codes check different objects, each carrying its own company-code field (usually BUKRS).

In detail: SAP validates authorizations against the “user buffer,” an area in memory where the authorizations from all of a user’s roles and profiles are merged at logon. Checks are evaluated against this merged set, not per transaction. So if two T-Codes checked the same object and field for the company code, a user permitted to view company code 1000 in one of them would necessarily pass the same check in the other; there is no way to grant “BUKRS = 1000, but only inside FB03.” For this reason almost every T-Code (or group of related functions) checks its own authorization object with a company-code field, which is why a user can be allowed company code 1000 in T-Code FB03 (display financial documents) but not in T-Code F110 (payment run).
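The report below is an added example, not code from the original post or from Xpandion. It checks the same company code against two different objects, the way FB03 (F_BKPF_BUK) and F110 (F_REGU_BUK) do, so the same user can pass one check and fail the other. The object and field names are SAP’s standard FI objects as I recall them, and the FBTCH value 21 for “execute payment run” is an assumption to confirm in SU21 on your own system; company code 1000 and the report name are constructed sample values.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original post). One company code, two
*& independent authorization objects, as FB03 and F110 check them.
*& Assumptions: standard FI objects F_BKPF_BUK (BUKRS, ACTVT) and
*& F_REGU_BUK (BUKRS, FBTCH); FBTCH '21' = execute payment run (verify
*& in SU21); company code '1000' is a constructed sample value.
*&---------------------------------------------------------------------*
REPORT z_company_code_objects_demo.

PARAMETERS p_bukrs TYPE bukrs DEFAULT '1000'.

DATA lv_display_ok TYPE abap_bool.
DATA lv_payrun_ok  TYPE abap_bool.

* What FB03 checks before showing a financial document.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.                      " 03 = Display
IF sy-subrc = 0.                              " tested immediately
  lv_display_ok = abap_true.
ELSE.
  lv_display_ok = abap_false.
ENDIF.

* What F110 checks before running payments: a different object with
* its own activity field (FBTCH) instead of ACTVT.
AUTHORITY-CHECK OBJECT 'F_REGU_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'FBTCH' FIELD '21'.                      " 21 = execute payment run
IF sy-subrc = 0.                              " tested immediately
  lv_payrun_ok = abap_true.
ELSE.
  lv_payrun_ok = abap_false.
ENDIF.

* A user whose roles contain F_BKPF_BUK for 1000 but not F_REGU_BUK
* for 1000 gets 'X' on the first line and ' ' on the second.
WRITE: / 'Company code', p_bukrs.
WRITE: / 'FB03-style display check (F_BKPF_BUK):  ', lv_display_ok.
WRITE: / 'F110-style payment run check (F_REGU_BUK):', lv_payrun_ok.

* Because the user buffer is the union of all the user's roles, a
* single shared "company code" object could not keep these apart:
* BUKRS = 1000 granted for display would also satisfy the payment-run
* check. Separate objects keep the two grants independent.
```

To find out which objects a given transaction really checks on your system, look at its SU24 proposals and, more reliably, run an authorization trace (ST01 or STAUTHTRACE) while executing it; SU53 shows only the last failed check for a user and is not a complete picture.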

For more specifics, download the eBook “SAP Authorizations Concept – Simplified” here: http://www.xpandion.com/eBooks/sap-authorizations-concept-simplified.html

About the Quiz
What's your knowledge level regarding SAP Authorizations? It seems that many people fumble through the authorization process not really knowing that there are things they are missing. Xpandion decided to create this light quiz to see how comfortable you are with your knowledge level when it comes to authorizations.

And Now What?
Make your life easier using Xpandion.



