QCRTAUT - recommended value ?

jo_degraeve
Participant
0 Kudos

Hello group

our auditors advise to change the System Value QCRTAUT to *EXCLUDE so that newly created objects are excluded to PUBLIC.

Any observations on the effects of this change in an SAP iSeries environment?

Thanks

Jo

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

The main concern would be if there are any users that need to access the tables that are not covered by the user authorities that are explicitly set by SAP.

For example, you may run system backups under a system operator id or some related id. I would expect that this id would have *ALLOBJ authority, since that would probably be needed to guarantee that the save succeeds.

You can certainly test the change in a Dev client, but you should also review if there are any users that need access to the files outside of SAP.

For example, we use the iCluster product from DataMirror for High Availability and Disaster Recovery purposes.

This runs under the DMCLUSTER user id. This id has *ALLOBJ authority, since it needs to be able to replicate anything from the primary system to the backup.

Examine your scenarios and determine what will be affected. If the user ids in the various scenarios have appropriate authorities, or if they are assigned explicit authorities to necessary objects, you should be fine.

Do you have a separate EDI package running on the same system? Do you have legacy apps?

Testing is the key thing.

Good luck

Brian
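
The review described in the answer above can be sketched as a small model (an added example, not part of the original posts and not IBM i code). It assumes new objects are created with AUT(*LIBCRTAUT), that a library only follows QCRTAUT when its CRTAUT attribute is *SYSVAL, and that owners, members of the owning group and *ALLOBJ profiles do not depend on *PUBLIC; every library and profile name except DMCLUSTER is constructed.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    special: frozenset = frozenset()   # special authorities, e.g. {"*ALLOBJ"}
    groups: tuple = ()                 # group profiles this user belongs to

@dataclass
class Library:
    name: str
    crtaut: str        # library CRTAUT attribute; "*SYSVAL" defers to QCRTAUT
    owner: str         # profile that owns objects newly created here
    consumers: tuple   # profiles that must be able to use those objects

def new_object_public_aut(lib, qcrtaut):
    """*PUBLIC authority of objects created with AUT(*LIBCRTAUT) in lib."""
    return qcrtaut if lib.crtaut == "*SYSVAL" else lib.crtaut

def has_allobj(p, profiles):
    """True if the profile, or one of its groups, holds *ALLOBJ."""
    return "*ALLOBJ" in p.special or any(
        "*ALLOBJ" in profiles[g].special for g in p.groups)

def impacted(libs, profiles, old="*CHANGE", new="*EXCLUDE"):
    """(library, profile) pairs that reach new objects only through *PUBLIC."""
    hits = []
    for lib in libs:
        if new_object_public_aut(lib, old) == new_object_public_aut(lib, new):
            continue  # library sets its own CRTAUT, so QCRTAUT is not consulted
        for name in lib.consumers:
            p = profiles[name]
            owns = name == lib.owner or lib.owner in p.groups
            if not owns and not has_allobj(p, profiles):
                hits.append((lib.name, name))
    return hits

# Constructed sample data; only DMCLUSTER and its *ALLOBJ come from the thread.
PROFILES = {p.name: p for p in [
    Profile("DMCLUSTER", frozenset({"*ALLOBJ"})),
    Profile("APPOWNER"),
    Profile("APPBATCH", groups=("APPOWNER",)),
    Profile("EDIUSER"),
    Profile("LEGACYUSR"),
]}
LIBS = [
    Library("EDILIB", "*SYSVAL", "APPOWNER", ("APPBATCH", "EDIUSER", "DMCLUSTER")),
    Library("LEGACYLIB", "*CHANGE", "APPOWNER", ("LEGACYUSR",)),
]

if __name__ == "__main__":
    print(impacted(LIBS, PROFILES))
```

Profiles the model flags are the ones that would need an explicit grant, an authorization list entry or a library-level CRTAUT before the system value is changed.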

Former Member
0 Kudos

Hello Jo,

I guess most SAP/iSeries customers are using the default value of QCRTAUT. Likely you got an old-school AS/400 auditor, or he/she has a fussy checklist... Most of the auditors I met knew nothing of AS/400 and don't have a good checklist for it either.

SAP has been very careful with security - from what I remember, SAP libraries and directories under /usr/sap/ have already been configured with *EXCLUDE to PUBLIC.

Meanwhile there should not be any real PUBLIC access to a pure SAP/iSeries environment. All the users should be either from IBM (Qxxx), or from SAP (<SID>xxx), or administrators, or from other software vendors like BSI or HA solutions.

If you bring those points to the auditor, maybe he/she could let you keep the default value. Otherwise, you may have to test it yourself.

Good luck,

Victor

jo_degraeve
Participant
0 Kudos

Hello Victor

You say that SAP has been strict in applying security on the objects created by SAP.

I lately installed an ERP2005 system standard from the DVDs and guess what ?

Objects in the R3<SID>DATA have *PUBLIC *CHANGE authority.

Objects in /usr/sap/SID/* have *PUBLIC *RX authority

So, did you manually change the authority on the objects in your systems ?

Jo

Former Member
0 Kudos

Hello Jo,

Sorry that I didn't check before replying to your message! (It was from my memory)

On a sandbox iSeries server I could access, I found the following

R3<SID>DATA

PUBLIC *EXCLUDE for both Basis 4.6 and NetWeaver 7

/usr/sap/SID

PUBLIC *EXCLUDE for Basis 4.6 system

PUBLIC *RX for NetWeaver 7 system

System value QCRTAUT is *CHANGE

I usually don't manually change any SAP-delivered objects (except giving *ALLOBJ to SAP users from time to time) unless instructed by Note or SAP support. I would try to keep the system similar to what other SAP customers are using if possible, to avoid any weird situation.

If you just cannot convince the auditor... I would agree with Brian that "testing is the key".

Best regards,

Victor