Question:
Hi guys!!
An auditor told me that I should disable the profile generator as it is a security threat. He argues that since the parameter auth/no_check_in_some_cases has to be set to Y, then not all transaction authorizations are being checked. Is this true? Any experience with this?
regards
Toni
Answer:
The Auditor "knows not of what he speaks", well, only partially.
The system parameter auth/no_check_in_some_cases turns on PFCG so you can maintain authorizations on the Authorization tab in PFCG, AND it causes SAP to check the settings in SU24 to see if you turned off an authorization check for a transaction code. This is a configuration setting which you MAY CHOOSE to USE, and it is a GOOD THING! If you turn off the setting in production, then you cannot maintain authorizations in Production with PFCG, not necessarily a bad thing, but if you set the configuration in SU24 to react a specific way so you do not have to directly give access in one case and not another, then you will lose it. (Very useful in HR, where CO and FI need access to HR but you do not want to give HR access.)
It is NOT a security threat as long as you control access to SU24.
You should KEEP IT TURNED ON!
Answer:
He argues that since the parameter auth/no_check_in_some_cases has to be set to Y then not all transaction authorizations are being checked. Is this true?
Yes, the parameter has to be set to 'Y' if you are using PG; yes, authority-checks can selectively be disabled (via SU24) if this parameter is set and yes, your auditor probably is a ****.
The decision whether to use the PG or not is made by the management or the security team, but definitely not by the auditor. IF you decide to use it, THEN you MUST set the parameter to 'Y'. It is recommended to regularly review the deactivated authority checks. IF you decide not to use PG, then you should set the parameter to 'N'.
Have fun,
Marc
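The review Marc recommends, as an added example that is not from this thread: a small script that reads an export of the SU24 check indicators and lists, per transaction, the authorization objects whose check has been switched off, plus a consistency check of the parameter against the decision to use the PG. It assumes the export has the USOBX_C column layout (NAME, TYPE, OBJECT, OKFLAG) and that OKFLAG 'N' means "do not check"; both are assumptions, and the rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the assumed USOBX_C layout; not real system data.
SAMPLE_EXPORT = """NAME,TYPE,OBJECT,OKFLAG
PA20,TR,P_ORGIN,N
PA20,TR,P_PERNR,X
KS03,TR,K_CSKS,X
KS03,TR,P_ORGIN,N
SU01,TR,S_USER_GRP,X
"""

DEACTIVATED = "N"  # assumption: 'N' = "do not check" in the OKFLAG column


def parse_export(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def deactivated_checks(rows):
    """Map transaction code -> sorted objects whose authority check is off."""
    switched_off = defaultdict(list)
    for row in rows:
        # TYPE 'TR' restricts the review to transaction codes (assumed value).
        if row["TYPE"] == "TR" and row["OKFLAG"].strip().upper() == DEACTIVATED:
            switched_off[row["NAME"]].append(row["OBJECT"])
    return {tcode: sorted(objs) for tcode, objs in switched_off.items()}


def parameter_consistent(param_value, pg_in_use):
    """True when auth/no_check_in_some_cases matches the PG decision:
    'Y' if the profile generator is used, 'N' if it is not."""
    expected = "Y" if pg_in_use else "N"
    return param_value.strip().upper() == expected


def review_report(export_text, param_value, pg_in_use):
    """Human-readable summary for the periodic review."""
    lines = []
    if not parameter_consistent(param_value, pg_in_use):
        lines.append(f"parameter {param_value!r} does not match PG in use={pg_in_use}")
    for tcode, objs in sorted(deactivated_checks(parse_export(export_text)).items()):
        lines.append(f"{tcode}: check switched off for {', '.join(objs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(SAMPLE_EXPORT, "Y", True)))
```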
Answer:
As the guys have said, the auditor doesn't really know what they are talking about. They probably read it in their work program. Tell them how you have mitigated the risk they have identified and they will be able to document it and be happy(ish).
There is nothing wrong with challenging auditors if you know you have the risk covered in a satisfactory manner.
Cheers,
Al.