Sap Notes

Uploaded by

Pro P

C_SEC_2405_V_1.

Governance, compliance, and cybersecurity

Question 1

Which cloud-based SAP solution helps organizations control their data across various cloud platforms and
on-premise data sources?

A. SAP Identity Access Governance

B. SAP Privacy Governance

C. SAP Data Custodian

D. SAP Information Steward

Answer C

Governance, compliance, and cybersecurity

Question 3

Which cybersecurity type does NOT focus on protecting connected devices?

A. Cloud security

B. Application security

C. Network security

D. IoT security

Answer B

Question 5

What happens to data within SAP Enterprise Threat Detection during the aggregation process?

Note: There are 3 correct answers to this question.

A. It is prioritized.

B. It is pseudonymized.

C. It is categorized.

D. It is normalized.

E. It is enriched.

What are some security safeguards categories?

Note: There are 3 correct answers to this question.

A. Physical

B. Access Control
C. Organizational

D. Technical

E. Financial

Which of the following functions within SAP GRC Access Control support access certification and review?
Note: There are 2 correct answers to this question.

Choose the Choices:

1. Role Reaffirm

2. SOD Review

3. User Reaffirm

4. Role Review

Question 2

Which of the following functions within SAP GRC Access Control support access certification and review?
Note: There are 2 correct answers to this question.

A. Role Reaffirm

B. SOD Review

C. User Reaffirm

D. Role Review

Question 36

What are some disadvantages of a Composite Role?

Note: There are 2 correct answers to this question.

A. Changes to the authorizations can only be made using the included roles.

B. Transactions that are deleted from the Composite Role menu are also removed from the included
roles.

C. Changes to the included roles are not immediately visible in the composite role menu, requiring
a renewed import.

D. Menus from the included roles cannot be mixed.


When performing a comparison from the imparting role, what happens to organizational level field
values in the derived role? Note: There are 2 correct answers to this question.

A. Data for organizational levels that have already been maintained in the derived role is NOT
overwritten.
B. Data for organizational levels that have already been maintained in the derived role is overwritten.
C. Data for organizational levels is transferred only when authorization data for the derived role is
first modified.
D. Data for organizational levels is always transferred when authorization data for the derived role is
modified.

Question 64

To connect to data sources that are NOT all based on OData, which of the following options does SAP
recommend you use?

A. SAP Process Integration

B. SAP Integration Suite

C. Cloud connector

D. Data Provisioning service

Question 12

What does SAP recommend you do when you transport a custom leading business role in SAP S/4HANA
Cloud Public Edition?

A. Add all other leading business roles from the same Line of Business as dependencies to the Software
Collection.

B. Add all derived business roles as dependencies to the Software Collection.

C. Add the pre-delivered business role that was used as a template to create the custom leading
business role to the Software Collection.

Question 58

You are evaluating startable applications.

Which of the following can you use to check if there is an application start lock on an application contained in
a PFCG role? Note: There are 2 correct answers to this question.

A. Transaction SUIM - Executable Transactions report

B. Transaction SM01_DEV

C. Transaction SM01_CUS

D. Transaction SUIM - Transactions Executable with Profile report


Question 37

For users with system administration authorization, which additional functions are provided by the SAP Easy
Access menu? Note: There are 2 correct answers to this question.

A. Creating users

B. Calling programs

C. Creating roles

D. Calling menus for roles and assigning them to users

Question 26

What does a status text value of "Old" mean during the maintenance of authorizations for an existing role?

A. Field values have not been changed.

B. Field values were unchanged and no new authorization was added.

C. Field values were changed as a result of the merge process.

D. The field delivered with content was changed but the old value was retained.

Question 51

Which protocol is the industry standard for provisioning identity and access management in hybrid
landscapes?

A. SCIM

B. SAML

C. SSL

D. OIDC

In the administration console of the Cloud Identity Services, which system property types can you add?
Note: There are 2 correct answers to this question.

A. Credential

B. Standard

C. Internal

D. Default
Which levels of security protection are provided by Secure Network Communication (SNC)? Note:
There are 3 correct answers to this question.

A. Availability

B. Authentication

C. Authorization

D. Integrity

E. Privacy

Question 70

Which authorization objects can be used to restrict access to SAP Enterprise Search models in the SAP Fiori
launchpad? Note: There are 2 correct answers to this question.

A. S_ESH_CONN

B. SDDLVIEW

C. S_ESH_ADM

D. RSDDLTIP

Question 44

In the administration console of the Cloud Identity Services, which authentication providers are available?
Note: There are 2 correct answers to this question.

A. Fieldglass

B. SuccessFactors

C. Concur

D. Ariba

Which solution analyzes an SAP system's administrative areas to safeguard against potential threats?

A. SAP Early Watch Alert

B. SAP Enterprise Threat Detection

C. SAP Code Vulnerability Analyzer

D. SAP Security Optimization Services confuse

Question 9

Which of the following are Security Goals?

Note: There are 2 correct answers to this question.


A. Repudiation

B. Identity Authentication

C. Encryption

D. Information Integrity

Question 43

For which of the following can transformation variables be used?

A. To save data to the output JSON file

B. To save data permanently

C. To save data temporarily

Question 72

If you want to evaluate catalog menu entries and authorization default values of IWSG and IWSV applications,
which SUIM reports would you use?

Note: There are 2 correct answers to this question.

A. Search Startable Applications in Roles

B. Search Applications in Roles

C. Roles By Transaction Assignment in Menu

D. Roles By Authorization Object

Question 16

Which access categories are available to maintain restrictions in SAP S/4HANA Cloud Public Edition? Note:
There are 3 correct answers to this question.

A. Read (read access)

B. Write, Read (write access)

C. Read, Value Help (read access)

D. Value Help (value help access)

E. Write, Read, Value Help (write access)

Question 11

Which user type in SAP S/4HANA Cloud Public Edition is used for API access, system integration, and
scenarios where automated data exchange is required?

A. SAP Communication User

B. SAP Technical User

C. SAP Administrative User

D. SAP Support User

Question 69
Which SAP Fiori deployment option requires the Cloud connector?

A. SAP Fiori for SAP S/4HANA standalone front-end server

B. SAP S/4HANA embedded

C. SAP Business Technology Platform

D. SAP S/4HANA Cloud Public Edition

Question 14

When planning an authorization concept for your SAP S/4HANA Cloud Public Edition implementation, what
rules must you consider? Note: There are 2 correct answers to this question.

A. SAP Fiori apps, dashboards, and displays can be assigned directly to a business role.

B. Business catalogs can be assigned directly to a business user.

C. Business roles can be assigned directly to a business user.

D. Business catalogs can be assigned directly to a business role.

Question 19

What are some of the rules for SAP-developed roles in SAP S/4HANA Cloud Public Edition? Note: There are 3
correct answers to this question.

A. Authorization defaults define role authorizations.

B. Role maintenance reads applications from role menus.

C. Role maintenance reads applications from a catalog.

D. Catalogs are assigned to role menus.

E. Manual role authorizations are supported in custom catalogs.

Question 63

What is the authorization object required to define the start authorization for an SAP Fiori legacy Web Dynpro
application?

A. S_SDSAUTH

B. S_START

C. S_TCODE

D. S_SERVICE

Question 33

Which optional components can be included when transporting a role definition from the development
system to the quality assurance system? Note: There are 3 correct answers to this question.

A. Generated profiles of dependent roles

B. Indirect user assignments

C. Personalization data
D. Generated profiles of single roles

E. Direct user assignments

When you maintain authorization data in the PFCG role, why does SAP recommend that you NOT maintain the
SRV_NAME field value of the S_SERVICE authorization object manually?

A. Because the TADIR Service name is the same for the front-end server component and the back-end
server component.

B. Because the TADIR Service name for the back-end server component was automatically added to
the role menu.

C. Because the SRV_NAME hash value for the front-end server component and back-end server
component are the same.

D. Because the SRV_NAME hash value for the front-end server component and back-end server
component are different.

Question 41

In the administration console of the Cloud Identity Services, for which system type can you define both read
and write transformations?

A. Source systems

B. Target systems

C. Proxy systems

Question 32

After you maintained authorization object S_TABU_DIS and ACTVT field value 02 as authorization defaults for
transaction SM30 in your development system, what would be the correct option for transporting only these
changes to your quality assurance system?

A. Save your changes to a Workbench transport request and transport using the Transport
Management System.

B. Save your changes to a Customizing transport request and transport using the Transport
Management System.

C. Save tables USOBT_C and USOBX_C to a transport request and transport using the Transport
Management System.

D. Save your changes and use the transport interface in SU25 to transport the changes using the
Transport Management System.
Question 54

In the SAP BTP Cockpit, at which level is Trust Configuration available?

Note: There are 2 correct answers to this question.

A. Global Account

B. Organization

C. Subaccount

D. Directory

Question 78

Which SU01 user types are NOT enabled for interaction? Note: There are 2 correct answers to this question.

A. Service

B. System

C. Dialog

D. Communications Data

Question 67

When you maintain authorizations for SAPUI5 Fiori apps, which of the following object types is the front-end
authorization object type?

A. TADIR G4BA - SAP Gateway Odata V4 Backend Service Group & Assignments

B. TADIR IWSV - SAP Gateway Business Suite Enablement-Service

C. TADIR IWSG - SAP Gateway: Service Groups Metadata

D. TADIR INA1 - InA Service

Question 61

Which of the following are SAP Fiori Launchpad functionalities? Note: There are 2 correct answers to this
question.

A. Spaces

B. SAP GUI

C. Web Dynpro

D. User Actions Menu

Question 29 conf

What must you do if you want to enforce an additional authorization check when a user starts an SAP
transaction?
A. Assign authorization object S_START to the chosen transaction code with transaction SU24 and
specify the Program ID and Object Type.

B. Assign the authorization object to be checked to the chosen transaction code in the SAP Default
authorization data using transaction SU22 and set Check Indicator to "Check".

C. Assign the authorization object to be checked to the chosen transaction code with transaction
SU24 and set Default Status to "Yes".

D. Assign the authorization object and permissions to the chosen transaction code using transaction
SE93.

Question 75

What is the correct configuration setting in table PRGN_CUST for user assignments when transporting roles
within a Central User Administration scenario?

A. SET_IMP_LOCK_USERS = YES

B. SET_IMP_LOCK_USERS = NO

C. USER_REL_IMPORT = YES

D. USER_REL_IMPORT = NO

Question 53

What does SAP Key Management Service (KMS) do to secure cryptographic keys? Note: There are 3 correct
answers to this question.

A. Store keys

B. Conceal keys

C. Rotate keys

D. Generate keys

E. Transmit keys

Question 71

Where can you find SAP Fiori tiles and target mappings according to segregation of duty?

A. Assigned Pages

B. Assigned Spaces

C. Assigned Technical Catalogs

D. Assigned Business Catalogs

Question 23

When performing a comparison from the imparting role, what happens to organizational level field values in
the derived role? Note: There are 2 correct answers to this question.
A. Data for organizational levels is always transferred when authorization data for the derived role is
modified.

B. Data for organizational levels that have already been maintained in the derived role is NOT
overwritten.

C. Data for organizational levels is transferred only when authorization data for the derived role is
first modified.

D. Data for organizational levels that have already been maintained in the derived role is overwritten.

Question 17

In SAP S/4HANA Cloud Public Edition, what can you do with the Display Authorization Trace? Note: There are
3 correct answers to this question.

A. Display business roles granting specific access

B. Adjust role restrictions to further limit access when performing forensic analysis

C. Analyze authorization check results for missing authorizations

D. Adjust role restrictions to account for missing authorizations

E. Analyze authorization check results for already assigned authorizations

Question 80

Which user types can log on to the SAP S/4HANA system in interactive mode? Note: There are 2 correct
answers to this question.

A. Dialog User

B. Service User

C. System User

D. Communication User

Question

Which of the following rules does SAP recommend you consider when you define a role-naming convention
for an SAP S/4HANA on-premise system?

Note: There are 3 correct answers to this question.

A. Role names must NOT start with "SAP"

B. Role names are system language-independent

C. Role names can be no longer than 20 characters

D. Role names are system language-dependent

E. Role names can be no longer than 30 characters


What authorization object can be used to restrict which users a security administrator is authorized to
maintain?

A. S_USER_GRD

B. S_USER_AUT

C. S_USER_SAS

D. S_USER_GRP

Question 65

An authorization based on what object is required for trusted system access to an SAP Fiori back-end server?

A. S_RFC

B. S_RFCACL

C. S_SERVICE

D. S_START

Question 59

You are building a PFCG role for access to an SAP Fiori app on your SAP S/4HANA on-premise system. After
you enter the catalog in the role menu, an entry for an OData service is missing and you have to add it
manually to the role menu.

When you maintain authorization data in the PFCG role, why does SAP recommend that you NOT maintain the
SRV_NAME field value of the S_SERVICE authorization object manually?

A. Because the TADIR Service name is the same for the front-end server component and the back-end
server component.
B. Because the TADIR Service name for the back-end server component was automatically added to
the role menu.
C. Because the SRV_NAME hash value for the front-end server component and back-end server
component are the same.
D. Because the SRV_NAME hash value for the front-end server component and back-end server
component are different.

Question 68

Which object type is assigned to activated OData services in transaction SU24?

A. IWSV

B. G4BA

C. IWSG

D. HTTP
Question 46

Which of the following services does the Identity Authentication Service provide? Note: There are 2 correct
answers to this question.

A. Authentication

B. Single Sign-On

C. Central User Repository

D. Policy refinement

Which functions in SAP Access Control can be used to approve or reject a user's continued access to specific
security roles? Note: There are 2 correct answers to this question.

A. User Access Review

B. Role Certification

C. SOD Review

D. Role Reaffirm

Question 62

How does Rapid Activation support customers during the SAP S/4HANA on-premise implementation
process? Note: There are 3 correct answers to this question.

A. By helping customers to start exploring SAP Fiori in SAP S/4HANA on premises as quickly as
possible.

B. By supporting content activation at the business role level, including SAP Fiori apps and all
associated Web Dynpro for ABAP applications.

C. By allowing customers to select individual SAP Fiori apps for their end-to-end business processes.

D. By allowing customers to select and activate SAP Fiori apps one by one, independent of
dependencies needed for app-to-app navigation.

E. By reducing the SAP Fiori activation effort during the Explore phase of SAP Activate.

Question 39

Which code does the authority-check return when a user does NOT have any authorizations for the
authorization object checked?

A. 12

B. 16

C. 0

D. 4
Question 27

What must you do before you can use transaction PFCG?

Note: There are 2 correct answers to this question.

A. Fill tables USOBT and USOBX with the SAP-delivered authorization default values.

B. Set the system profile parameter auth/no_check_in_some_cases to Y.

C. Fill tables USOBT_C and USOBX_C with the SAP-delivered authorization default values.

D. Set the system profile parameter auth/no_check_in_some_cases to N.

Question 10

When segregating the duties for user and role maintenance, which of the following should be part of a
decentralized treble control strategy for a production system?

Note: There are 3 correct answers to this question.

A. One authorization data administrator

B. One user administrator per production system

C. One authorization profile administrator

D. One user administrator per application area in the production system

E. One decentralized role administrator

In S/4HANA on-premise, which of the following combinations is required to grant a business user access to
data from a Core Data Services (CDS) view using the standard ABAP authorization concept and authorization
object S_RS_AUTH?

A. A CDS role with access conditions based on authorization object S_RS_AUTH,

• A PFCG role with authorization for object S_RS_AUTH and assignment of the PFCG role

• The CDS role to the business user.

B. A CDS role with access conditions based on authorization object S_RS_AUTH

• A PFCG role containing the CDS role and access conditions based on authorization object
S_RS_AUTH

• Assignment of the PFCG role to the business user.

C. A CDS role with access conditions based on authorization object S_RS_AUTH

• A PFCG role with authorization for object S_RS_AUTH

• Assignment of the PFCG role to the business user.

D. A CDS role with access conditions based on authorization object S_RS_AUTH

• A PFCG role containing the CDS role and access conditions based on authorization object
S_RS_AUTH

• Assignment of the PFCG role and the CDS role to the business user.
Question 76

Which of the following user types are excluded from some general password-related rules, such as password
validity or initial password? Note: There are 2 correct answers to this question.

A. Dialog

B. System

C. Communication

D. Service

Question 52

Which log types are available in the Administration Console of Cloud Identity Services? Note: There are 2
correct answers to this question.

A. Change logs

B. Troubleshooting logs

C. Performance logs

D. Usage logs

Question 77

What is required to centrally administer a user's master record using Central User Administration? Note:
There are 3 correct answers to this question.

A. An RFC destination to the target system

B. An RFC destination to the target client

C. An existing master record in the target client for the user

D. An ALE distribution model

E. An entry in transaction BD54 for the child system

SAP BTP distinguishes between which of the following users? Note: There are 2 correct answers to this
question.

A. Business users///

B. Technical users

C. Platform users

D. Key users
When creating PFCG roles for SAP Fiori access, what is included automatically when adding a catalog to the
menu of a back-end PFCG role? Note: There are 2 correct answers to this question.

A. The start authorizations and the authorization default values for each IWSG TADIR service
definitions in the catalog.

B. The start authorizations and the authorization default values for each IWSV TADIR service definitions
in the catalog.

C. The IWSG TADIR service definitions from the catalog.

D. The IWSV TADIR service definitions from the catalog.

Which of the following allow you to control the assignment of table authorization groups? Note: There are 2
correct answers to this question.

A. PRGN_CUST

B. V_DDAT_54

C. V_BRG_54

D. SSM_CUST

Which archiving objects are relevant for archiving change documents for user master records? Note: There
are 2 correct answers to this question.

A. US_PROF

B. US_USER

C. US_AUTH

D. US_PASS //

Question 47

What use cases are available for a Local Identity Directory? Note: There are 3 correct answers to this
question.

A. Hybrid mode

B. Merging attributes

C. S/4HANA use case

D. Proxy mode

E. Classic use case


Question 57

Which of the following is part of the SAP S/4HANA central UI component?

A. SAP Fiori launchpad

B. SAP Fiori object page

C. SAP Fiori analytical application

D. SAP Fiori transactional application

Question 25

In SAP HANA Cloud, who has access to a database object?

A. The user DBADMIN and the group owner

B. The user SYSTEM and the creator

C. The owner and the SAP-owned users

D. The creator and the schema owner

Which solution is NOT used to identify security recommendations for the SAP Security Baseline?

A. SAP Code Vulnerability Analyzer

B. SAP Security Notes

C. SAP Security Optimization Service

D. SAP EarlyWatch Alert

Question 13

Which application in SAP S/4HANA Cloud Public Edition allows you to upload employee information
independent of the customers' HR system?

A. Maintain Business User app

B. Display Technical Users app

C. Manage Workforce app

D. Identity and Access Management app

Question 15

In SAP S/4HANA Cloud Public Edition, what does the ID of an SAP-predefined Space refer to?

A. The business roles it is to be assigned to

B. The business area it was designed for

C. The software release it was created for

D. The SAP Fiori applications it was defined for


Question 18

In SAP S/4HANA Cloud Public Edition, which of the following can you change in a derived business role if the
"Inherit Spaces in Derived Business Roles" checkbox is NOT selected in the leading business role?

A. Business Catalogs

B. Business Role Template

C. Pages

D. Restrictions

Question 20

Following an upgrade of your SAP S/4HANA on-premise system to a higher release, you perform a
Modification Comparison using SU25. What does this comparison do?

A. It compares your changes to the SAP defaults in USOBX and USOBT with the new SAP defaults in
the current release and allows you to make adjustments.

B. It compares the Role Maintenance data from the current release with the data for the previous
release and allows you to adjust any custom default values in tables USOBX and USOBT.

C. It compares the Role Maintenance data from the previous release with the data for the current
release and writes any new default values in tables USOBX_C and USOBT_C.

D. It compares your changes to the SAP defaults in USOBX_C and USOBT_C with the new SAP defaults
in the current release and allows you to make adjustments.

Question 22

Which limitations apply to restricted users in SAP HANA Cloud? Note: There are 3 correct answers to this
question.

A. They can only create objects in their own database schema.

B. They can only connect to the database using HTTP/HTTPS.

C. They only have full SQL access via the SQL console.

D. They cannot connect via ODBC or JDBC.

E. They cannot create objects in the database.

Question 23

When performing a comparison from the imparting role, what happens to organizational level field values in
the derived role? Note: There are 2 correct answers to this question.

A. Data for organizational levels is always transferred when authorization data for the derived role is
modified.
B. Data for organizational levels that have already been maintained in the derived role is NOT
overwritten.
C. Data for organizational levels is transferred only when authorization data for the derived role is
first modified.
D. Data for organizational levels that have already been maintained in the derived role is overwritten.
Question 31

Where can you find information on the SAP-delivered default authorization object and value assignments?
Note: There are 2 correct answers to this question.

A. USOBT_C

B. USOBT

C. SU22

D. SU24

Question 34

Which privilege types are available in SAP HANA Cloud? Note: There are 3 correct answers to this question.

A. Application

B. Package

C. System

D. Analytic

E. Object

Question 35

Under which of the following conditions can you merge authorizations for the same object during role
maintenance? Note: There are 2 correct answers to this question.

A. The maintenance status of the changed authorizations must match the status of a manual
authorization.

B. The activation status and the maintenance status of the authorizations must match.

C. The activation status and the maintenance status of the authorizations must NOT match.

D. The activation status of a manual authorization must match the status of the changed
authorizations.

Question 38

What authorization object can be used to authorize an administrator to create specific authorizations in
roles?

A. S_USER_AUT

B. S_USER_VAL

C. S_USER_AGR

D. S_USER_TCD

Where do you configure the Social Media identity providers?

A. In the SAP BTP Cockpit Account Explorer

B. In the code editor of the SAP Business Application Studio

C. In the administration console for SAP Cloud Identity Services


Question 45

In which order do you define the security-relevant objects in SAP BTP?

A. Role collection 1

B. Role template 2

C. Role 3

Question 49

Which cryptographic libraries are provided by SAP? Note: There are 2 correct answers to this question.

A. Cryptlib

B. SecLib

C. SAPCRYPTOLIB

D. CommonCryptoLib ////

Question 50

What can be assigned directly to a user when using the SAP Launchpad service in SAP BTP?

A. Launchpad roles

B. Role collections

C. Spaces

D. Catalogs

Question 56

Which tool can you use to modify the entities schema content across multiple repositories?

A. SAP Business Application Studio

B. SAP BTP Account Explorer

C. SAP tity Services Transformation Editor

D. SAP Cloud Identity Services Schemas app


Question 73

In SAP HANA Cloud, what can you configure in user groups?

Note: There are 2 correct answers to this question.

A. Password policy settings

B. Client connect restrictions

C. Identity providers

D. Authorization privileges

Question 79

Which entities share data with Business Partners in the S/4HANA Business User Concept? Note: There are 2
correct answers to this question.

A. Employer

B. Administrator

C. User

D. Employee
