SAP C_SEC_2405 - SAP Certified Associate - Security Administrator

In a Central User Administration (CUA) scenario, the table PRGN_CUST is used to configure settings for role and user management during transports. The correct setting for user assignments when transporting roles is USER_REL_IMPORT = NO. This setting ensures that user assignments linked to roles in the source system are not imported into the target system during the transport process. In CUA, user assignments are centrally managed in the CUA master system, and importing user assignments from a child system could lead to inconsistencies or overwrites, disrupting centralized control. By setting USER_REL_IMPORT to NO, the system preserves the CUA’s authority to manage user-role assignments, ensuring that only role definitions are transported. The options related to SET_IMP_LOCK_USERS control user locking during imports, not user assignments, and USER_REL_IMPORT = YES would incorrectly allow user assignments to be transported, which is undesirable in a CUA setup. This configuration maintains the integrity of centralized user administration in SAP landscapes.

For SAPUI5 Fiori apps, the front-end authorization object type is TADIR IWSV (SAP Gateway Business Suite Enablement-Service). This object type represents the OData services used by Fiori apps on the front-end server, and its authorization is managed via the S_SERVICE authorization object in PFCG roles. The IWSV type specifically defines the services that the front-end server calls to access back-end data, requiring start authorizations and default values to be included in the role. TADIR IWSG is used for service group metadata, not front-end authorizations, and TADIR G4BA pertains to OData V4 services, which are less common in standard SAPUI5 Fiori apps. TADIR INA1 is related to InA (Information Access) services, not typical Fiori app authorizations. By using IWSV, SAP ensures that front-end authorizations are correctly aligned with the OData services powering Fiori apps, providing secure and efficient access control in SAP S/4HANA systems.

Restricted users in SAP HANA Cloud face specific limitations to enhance security and control access. They can only connect to the database using HTTP/HTTPS protocols, typically via web-based interfaces, ensuring that connections are secure and aligned with cloud security standards. They are prohibited from connecting via ODBC or JDBC, which prevents direct database access through external applications, reducing the risk of unauthorized data extraction. Additionally, restricted users cannot create objects in the database, such as tables or views, limiting their ability to modify the database structure and maintaining data integrity. Contrary to option A, restricted users do not have full SQL access via the SQL console; their SQL capabilities are limited. Option E is incorrect, as restricted users cannot create objects at all, even in their own schema. These restrictions ensure that restricted users, often used for read-only or limited-access scenarios, operate within a tightly controlled environment, supporting SAP HANA Cloud’s security model.

In the SAP S/4HANA Business User Concept, the entities that share data with Business Partners are User and Employee. The User entity represents the technical user account in the system, defined in user master records, and is linked to Business Partners to associate system access with business roles and authorizations. The Employee entity represents the human resource data of an individual, such as their organizational assignment or job role, and is synchronized with Business Partners to ensure that user access aligns with their employment details. This integration ensures that Business Partners, which serve as a central entity for managing business relationships, have consistent data for access control and business processes. The Employer entity is not directly linked to Business Partners, as it represents the organization, not an individual. Similarly, Administrator is a role or user type, not an entity sharing data with Business Partners. This data-sharing mechanism supports seamless identity and access management, enhancing security and operational alignment in SAP S/4HANA systems.