Learn, Practice, and Improve with SAP C_SEC_2405 Practice Test Questions

  • 36 Questions
  • Updated on: 3-Mar-2026
  • SAP Certified Associate - Security Administrator
  • Valid Worldwide
  • 2360+ Prepared
  • 4.9/5.0

Which cybersecurity type does NOT focus on protecting connected devices?

A. Application security

B. Cloud security

C. Network security

D. IoT security

A.   Application security

Explanation:

Application security focuses on protecting software applications from threats such as:

Code injection
Cross-site scripting (XSS)
Authentication flaws
Data leakage
It is primarily concerned with the security of the application itself, not the connected devices it may run on.

What the Other Options Cover:
B. Cloud security → Protects cloud-based infrastructure, services, and data — including connected devices accessing cloud apps.

C. Network security → Secures data in transit across networks, including traffic from connected devices.

D. IoT security → Specifically designed to protect connected devices (e.g., sensors, wearables, smart appliances) from cyber threats like unauthorized access, firmware exploits, and data breaches.

Reference:
GeeksforGeeks – Types of Cybersecurity
CISA – Cybersecurity for Electronic Devices
Insights2TechInfo – IoT and Cybersecurity

Which authorization objects can be used to restrict access to SAP Enterprise Search models in the SAP Fiori launchpad? Note: There are 2 correct answers to this question.

A. S_ESH_ADM

B. SDDLVIEW

C. RSDDLTIP

D. S_ESH_CONN

A.   S_ESH_ADM
D.   S_ESH_CONN

Explanation:
To restrict access to SAP Enterprise Search models in the SAP Fiori launchpad, the following authorization objects are used:

1.S_ESH_ADM (A):
Controls administrative access to Enterprise Search models (e.g., creating, modifying, or deleting search models).
Key fields:
ACTVT (standard activity values: 01 create, 02 change, 03 display).
ESH_ADMIN (scope of administrative tasks).

2.S_ESH_CONN (D):
Restricts access to search connections (data sources used in search models).
Ensures users only see/search data from authorized sources.
Key fields:
CONN_ID (specific connection ID).
ACTVT (e.g., 16 for execute).

Why Not the Other Options?
B. SDDLVIEW:
A Data Dictionary / CDS view browser transaction, not an authorization object; it has nothing to do with Enterprise Search models.

C. RSDDLTIP:
Not an Enterprise Search authorization object; it does not restrict search models or search connectors in the Fiori launchpad.

Reference:
SAP’s Enterprise Search Security Guide specifies that S_ESH_ADM and S_ESH_CONN are mandatory for model/connection restrictions.

Which archiving objects are relevant for archiving change documents for user master records? Note: There are 2 correct answers to this question.

A. US_PASS

B. US_AUTH

C. US_USER

D. US_PROF

A.   US_PASS
C.   US_USER

Explanation:

In SAP systems, changes to user master records, authorizations and profiles are written as change documents (readable via the User Information System, SUIM). These tables grow continuously, so SAP provides dedicated archiving objects, run through Archive Administration (transaction SARA), to move old change documents out of the active database while keeping them retrievable for audits. Among the options, US_PASS and US_USER are the two archiving objects for change documents of user master records; US_AUTH and US_PROF archive change documents for authorizations and profiles respectively.

Detailed Breakdown of Options:
1.A. US_PASS
Correct. US_PASS archives the change documents written for password changes of user master records (the password change history). Archiving keeps this history available for compliance and audit purposes while removing it from the active database.

2.B. US_AUTH
Incorrect. US_AUTH archives change documents for authorizations (creation, change and deletion of authorization values, e.g. via PFCG), not change documents for user master records.

3.C. US_USER
Correct. US_USER archives change documents for user master records: changes to user attributes maintained in SU01, such as address and logon data, validity period, lock status, user group, and role and profile assignments. It is the primary archiving object for the history of user master data.

4.D. US_PROF
Incorrect. US_PROF archives change documents for authorization profiles (creation, change and deletion of profiles), not change documents for user master records.

Reference:

SAP Help Portal ("Archiving in SAP NetWeaver", "User Administration"): US_PASS archives change documents for password changes; US_USER archives change documents for user master records; US_AUTH and US_PROF cover change documents for authorizations and profiles.
All four objects are scheduled and monitored in Archive Administration (transaction SARA), which writes the change documents to an archive file and then deletes them from the database. Retaining the archived history satisfies audit and regulatory requirements (e.g. GDPR, SOX) while keeping the change document tables small. This topic falls under User Administration and Governance, Compliance, and Cybersecurity in the SAP C_SEC_2405 exam.

Which of the following rules does SAP recommend you consider when you define a role-naming convention for an SAP S/4HANA on-premise system? Note: There are 3 correct answers to this question.

A. Role names are system language-dependent

B. Role names can be no longer than 30 characters

C. Role names are system language-independent

D. Role names can be no longer than 20 characters

E. Role names must NOT start with "SAP"

B.   Role names can be no longer than 30 characters
C.   Role names are system language-independent
E.   Role names must NOT start with "SAP"

Explanation:

When defining a role-naming convention for SAP S/4HANA on-premise, SAP recommends:
Length restriction – Role names can be up to 30 characters (field length in AGR_DEFINE table).
Language independence – Role names are stored as technical keys and are not language-dependent. Descriptions can be translated, but the role name remains the same across system languages.
Avoid reserved prefixes – Names starting with SAP are reserved for SAP-delivered roles; custom roles should not start with SAP to avoid conflicts during upgrades and transports.

Why not the others?
A. Role names are system language-dependent ❌
Role descriptions can be translated, but the technical role name is language-independent.
D. Role names can be no longer than 20 characters ❌
The role name field (AGR_NAME in table AGR_DEFINE) is 30 characters long, so 20 is not the limit.

Reference:
SAP Help Portal – Security Guide (S/4HANA On-Premise):
“Role names are language-independent, have a maximum of 30 characters, and must not start with the prefix SAP.”

Which SAP Fiori deployment option requires the Cloud connector?

A. SAP S/4HANA Cloud Public Edition

B. SAP Fiori for SAP S/4HANA standalone front-end server

C. SAP S/4HANA embedded

D. SAP Business Technology Platform

D.   SAP Business Technology Platform

Explanation:
The SAP Cloud Connector is required when SAP Fiori applications run on SAP Business Technology Platform (BTP) and need to reach on-premise backend systems (e.g. SAP S/4HANA or SAP ERP). The Cloud Connector is installed inside the corporate network and opens an outbound, TLS-protected tunnel to the BTP subaccount, so that:

Backend calls are tunneled over an outbound connection; no inbound firewall ports have to be opened
Only explicitly allowlisted backend hosts and URL paths (access control) are reachable from the cloud
Internal systems are never exposed directly to the internet
This setup is common in hybrid architectures, where Fiori apps run in the cloud but consume data from on-premise systems.

❌ Why Other Options Are Incorrect:

A. SAP S/4HANA Cloud Public Edition → Fully cloud-native; no on-premise connectivity needed, so Cloud Connector is not required.

B. SAP Fiori for SAP S/4HANA standalone front-end server →
Typically deployed on-premise; does not require Cloud Connector unless integrated with SAP BTP.

C. SAP S/4HANA embedded →
Fiori apps are embedded within the same system; no external connectivity needed.

Reference:
StudyX – SAP Fiori Deployment and Cloud Connector
SAP Community – Cloud Connector Integration with SAP BTP

In SAP HANA Cloud, what can you configure in user groups? Note: There are 2 correct answers to this question.

A. Authorization privileges

B. Client connect restrictions

C. Identity providers

D. Password policy settings

B.   Client connect restrictions
D.   Password policy settings

Explanation:
In SAP HANA Cloud, user groups allow you to manage certain security and connection settings collectively for a set of database users.

You can configure in a user group:
1.Client connect restrictions – Restrict which clients can connect to the database for members of the group.

2.Password policy settings – Define password rules (length, complexity, lifetime, lockout) that override the global password policy for users in the group.

Why not the others?
A. Authorization privileges ❌
Privileges (object, system, schema) are granted directly to users or roles, not through user groups in SAP HANA Cloud.

C. Identity providers ❌
Identity provider configuration is done at the instance level, not per user group.

Reference:
SAP HANA Cloud Security Guide → Managing User Groups:
“User groups can define connection restrictions and password policies that apply to all users in the group.”
SAP Help Portal – User Groups in SAP HANA Cloud
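As an added example, not taken from the original page or from SAP's own documentation, the following SQL shows how a SAP HANA Cloud database administrator would create a user group with its own password policy, assign a user to it, and delegate administration of just that group. The object names APP_SERVICE_USERS, SVC_ORDERS and GROUPADMIN are invented; the parameter keys are the standard HANA password-policy keys; the system view name in the final query is an assumption.

```sql
-- Added example (not from the original page). Object names are invented.
-- Requires the USERGROUP OPERATOR system privilege.

-- 1. Create a user group with a stricter password policy than the instance default.
--    Parameter keys are the same keys used by the global password policy;
--    keys not set here fall back to the instance-wide values.
CREATE USERGROUP APP_SERVICE_USERS
  SET PARAMETER 'minimal_password_length'          = '16',
                'maximum_password_lifetime'        = '90',
                'last_used_passwords'              = '10',
                'maximum_invalid_connect_attempts' = '5',
                'force_first_password_change'      = 'true';

-- 2. Create a user directly in that group; the group's password policy applies to it.
CREATE USER SVC_ORDERS PASSWORD "Initial-Pw-2024!" SET USERGROUP APP_SERVICE_USERS;

-- 3. Delegate administration of this one group instead of granting the broad USER ADMIN privilege.
GRANT USERGROUP OPERATOR ON USERGROUP APP_SERVICE_USERS TO GROUPADMIN;

-- 4. Tighten a parameter later without touching each user individually.
ALTER USERGROUP APP_SERVICE_USERS SET PARAMETER 'password_expire_warning_time' = '14';

-- 5. Verify the effective group parameters (system view name assumed).
SELECT USERGROUP_NAME, PARAMETER_NAME, PARAMETER_VALUE
  FROM SYS.USERGROUP_PARAMETERS
 WHERE USERGROUP_NAME = 'APP_SERVICE_USERS';
```

Note that privileges are still granted to the user or to roles, not to the group: the group only carries the policy and connection settings, which is why option A is wrong.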

Your developer has created a new custom transaction for your SAP S/4HANA on-premise system and has provided you a list of the authorizations needed to execute the new ABAP program. What must you do to ensure that each required authorization is automatically created every time this new custom transaction is added to a PFCG role?

A. Maintain each authorization in transaction SU22 and set the Check Indicator value to "Check".

B. Maintain each authorization object in transaction SU22 and set the Default Status to "Yes".

C. Maintain each authorization in transaction SU24 and set the Default Status to "Yes".

D. Maintain each authorization object in transaction SU24 and set the Default Status to "Yes".

D.   Maintain each authorization object in transaction SU24 and set the Default Status to "Yes".

Explanation:
When a transaction is added to the menu of a PFCG role, SAP reads the proposal data in SU24 and automatically inserts the authorization objects flagged there into the role's Authorizations tab, together with any default field values maintained for them.

For a custom transaction:
Go to SU24.
Enter the transaction code.
Add the authorization objects needed by the program.
Set the Default Status to "Yes" so they will be automatically inserted whenever this transaction is added to a role in PFCG, and maintain default field values where they are known so the role author does not have to fill them manually.
Note that after an upgrade, SU25 compares SAP's new SU22 defaults with your SU24 values; customer entries for custom transactions are preserved, but you must re-run the comparison steps for SAP-delivered transactions.

Why not the others?
A. Maintain each authorization in SU22 and set Check Indicator = "Check" ❌
SU22 holds SAP-delivered proposal data; you don't edit it directly for custom changes. You use SU24 for customer-specific proposals. In addition, a check indicator of "Check" only says the object is checked at runtime; it does not make PFCG propose the object, which requires Default Status = "Yes".

B. Maintain each authorization object in SU22 and set Default Status = "Yes" ❌
Same reason — SU22 is not where you maintain customer proposals; it's overwritten in upgrades.

C. Maintain each authorization in SU24 and set Default Status = "Yes" ❌
Wording is misleading — in SU24 you maintain authorization objects, not the “authorization” itself (which is an instance of an object with specific values).

Reference
SAP Help Portal – SU24 Authorization Proposal Maintenance:
“Transaction SU24 is used to maintain the customer-specific proposal data (authorization objects) for transactions, reports, and services. Setting the Default Status to Yes ensures that these objects are automatically proposed in PFCG role maintenance.”

Page 2 out of 6 Pages