SAP C_SEC_2405 - SAP Certified Associate - Security Administrator

Composite roles in SAP systems group multiple single roles to simplify user assignment, but they have notable disadvantages. One disadvantage is that changes to the included single roles, such as adding or removing transactions, are not immediately visible in the composite role’s menu, requiring a renewed import to update the composite role’s structure. This delay can lead to inconsistencies during role maintenance, complicating administration. Another disadvantage is that changes to authorizations within a composite role can only be made through the included single roles, as composite roles do not allow direct authorization maintenance. This restriction limits flexibility and requires administrators to modify each single role individually, increasing effort and potential for errors. Menus from included roles can be mixed in the composite role, making option B incorrect, and deleting transactions from the composite role menu does not affect the included roles, ruling out option D. These limitations highlight the need for careful planning when using composite roles to ensure efficient and secure role management.

When building a PFCG role for an SAP Fiori app in an SAP S/4HANA on-premise system, SAP recommends not manually maintaining the SRV_NAME field value of the S_SERVICE authorization object because the TADIR Service name for the back-end server component is automatically added to the role menu when the catalog is included. The S_SERVICE authorization object is used to control access to OData services, and its SRV_NAME field contains a hash value specific to the service. When a catalog is added to the PFCG role, the system automatically populates the necessary OData service entries, including the TADIR Service name, in the role menu, ensuring consistency between front-end and back-end components. Manually maintaining the SRV_NAME field risks introducing errors, as the hash values are system-generated and complex. The front-end and back-end SRV_NAME hash values are typically different, ruling out options A and D, and option C is irrelevant to the automatic addition process. This automation simplifies role maintenance and ensures accurate authorization assignments for Fiori apps.

To grant a business user access to data from a Core Data Services (CDS) view in SAP S/4HANA on-premise using the standard ABAP authorization concept and S_RS_AUTH, the correct combination includes a CDS role with access conditions based on S_RS_AUTH, a PFCG role containing the CDS role and access conditions based on S_RS_AUTH, and assignment of the PFCG role to the business user. The CDS role defines data access restrictions at the CDS view level, using S_RS_AUTH to enforce specific conditions, such as filtering data by organizational units. The PFCG role incorporates this CDS role and includes S_RS_AUTH authorizations, ensuring that the user’s permissions align with both the CDS view’s restrictions and ABAP authorization checks. Assigning only the PFCG role to the user simplifies administration, as the CDS role is embedded within it. Options A and C incorrectly suggest assigning the CDS role directly to the user, which is not standard practice, and option D omits the CDS role’s integration into the PFCG role. This combination ensures secure and efficient access to CDS view data.

In SAP role maintenance, a status text value of "Old" indicates that the field values for an authorization in an existing role were unchanged and no new authorizations were added. This status appears during PFCG role maintenance when comparing or updating authorizations, showing that the authorization object or field values have not been modified since the last maintenance and no additional permissions have been included. It reflects a stable state, ensuring that the role’s existing permissions remain intact without unintended changes. Option A is less precise, as it does not address the absence of new authorizations. Option B describes a scenario where changes were made but reverted, which is not "Old." Option C relates to merged authorizations, not the "Old" status. The "Old" status helps administrators confirm that no updates were applied, supporting consistent role management and preventing accidental modifications during maintenance in SAP systems.