eCATT Security Guide
Contents:
1 Introduction
2 The CATT Flag Client Table T000
3 eCATT and the SAP Authorization Concept
  3.1 Preamble
  3.2 Authorization Objects Used in eCATT Authorization
    3.2.1 S_TCODE
    3.2.2 S_DEVELOP
    3.2.3 S_RFC
    3.2.4 S_ADMI_FCD
  3.3 Test Developer Authorizations
    3.3.1 eCATT Authorizations in the Test Development System
    3.3.2 Creating RFC Destinations
    3.3.3 eCATT Authorizations in a Remote System
    3.3.4 eCATT Authorizations and External Tools
  3.4 Tester Authorizations
    3.4.1 eCATT Authorizations in the Test System
    3.4.2 eCATT Authorizations in a Remote System
1 Introduction
Your SAP systems contain a wealth of sensitive data: data that is essential for the day-to-day running of your business, data that you are required by law to protect from unauthorized access, and data that you would not want your competitors or a disgruntled employee to see, much less be able to compromise in some way. Security is an issue that SAP takes seriously, providing an extensive authorization concept to protect transactions and data from unwanted access. The aim of this guide is to help you make informed choices about your security policy in your testing environment by explaining the authorizations required for different kinds of eCATT users. It also explains the new security features implemented to protect your systems from unwanted GUI scripting access.
In newer systems, you have more choice than this straightforward allow/do not allow. Instead, you can control the kinds of functions that can be executed, and the manner of the execution, by selecting one of the options shown in the dropdown list box below:
Since one of the main principles of eCATT is to run all test cases from a central test system, RFC communication is required to connect to the target systems. It is possible to restrict this RFC communication to trusted RFC, which avoids having to store passwords in RFC destinations and transmit them over the network. The FUN and ABAP commands in eCATT pose a security problem, since the eCATT environment allows them to bypass normal security mechanisms. With FUN, you can execute function modules remotely, even if they are not designated as remotely-enabled in their attributes. The ABAP command allows you to write and execute ABAP code with just the authorization to create eCATT scripts (and not the full authorization for creating ABAP programs). Consequently, you may want to disable these features, or restrict them by allowing them to run only within a trusted RFC relationship. Since eCATT tests frequently make database changes, it is not advisable to allow them to be run in production clients.
Figure 1: Using the SAP Web AS 6.20 as a Central Test System (diagram: the SAP Web AS 6.20 central test system connected to a 6.20 System and an Application system, each carrying the eCATT patch)
To establish how to protect these systems and the connections between them, there are two kinds of user that must be considered:
Test Developer. A test developer must be able to work with:
- Test scripts
- Test data containers
- System data containers
- Test configurations

Tester. A tester must be able to:
- Execute test configurations assigned to him or her using the Test Workbench
It is also necessary to create and maintain RFC destinations pointing to the various target systems. You can either assign the authorizations for this to test developers, or leave the task to the system administrator.
3.2.1 S_TCODE
Authorizations based on the object S_TCODE regulate the transactions that users are allowed to start. Hence it is possible to restrict a user's authorization to the extent that he or she can start no transactions in the system other than SECATT. This authorization is always checked by the SAP kernel.

Field    Description
TCD      Transaction code that the user may start
3.2.2 S_DEVELOP
S_DEVELOP is the authorization object used to regulate access to all development objects in an SAP system. While this potentially gives a user extremely wide-ranging rights, the granularity of the object allows you to create authorizations that restrict access to a particular kind of object (for example, you can stipulate that a user may only work with eCATT objects), particular packages, and particular activities (for example, execute, but not create, change, or delete).

Field       Description
DEVCLASS    Package(s) whose objects the user may change
OBJTYPE     Object types that the user may change
OBJNAME     Object names that the user may change
P_GROUP     Program group (applies only to programs)
ACTVT       Permitted activities (create, change, ...)
3.2.3 S_RFC
This is a system-side authorization object that is checked when users try to execute functions in remote systems. It allows you to restrict the function modules that can be called to those in specified function groups.

Field       Description
RFC_TYPE    Type of RFC object that the user can work with. Can only take the value FUGR (function group)
RFC_NAME    Name of the function group or groups whose function modules the user may execute
ACTVT       Activity. Can only take the value 16 (execute)
3.2.4 S_ADMI_FCD
This is a system administration authorization object. The system checks it when a user tries to create an RFC destination.

Field         Description
S_ADMI_FCD    The different system administration functions that the user may perform
Authorization object S_TCODE
- Field TCD, value SECATT
This allows the user to start the eCATT transaction (SECATT).

Authorization object S_DEVELOP
- Field OBJTYPE, values ECAT (script), ECSD (system data container), ECTC (test configuration), ECTD (test data container)
- Field ACTVT, values 01 (create), 02 (change), 03 (display), 06 (delete), 16 (execute)
- Field DEVCLASS, any values, for example Y*, Z* for any package in the customer namespace
- Field OBJNAME, any values, for example Y*, Z* for any object name in the customer namespace
This allows developers to work with the various types of eCATT objects.
Note: If you have separate systems for developing test objects and the actual testing, your developers will also need authorization for the object S_TRANSPORT. Refer to the documentation of this object for full details.
Authorization object S_TCODE
- Field TCD, value SM59

Authorization object S_ADMI_FCD
- Field S_ADMI_FCD, value NADM
This S_ADMI_FCD authorization gives access to all RFC administration functions.
Authorization object S_RFC
- Field RFC_TYPE, value FUGR (function group)
- Field ACTVT, value 16 (execute)
- Field RFC_NAME, values SCAT, STTM, STTF (all eCATT function groups), SBDR (a Batch Input function group, necessary to record TCD commands), SDYN (a function group from screen processing, required for the screen simulation function in the eCATT Script Editor)
Authorization object S_RFC
- Field RFC_TYPE, value FUGR (function group)
- Field ACTVT, value 16 (execute)
- Field RFC_NAME, values SYST, ECATT_EXTERNAL_TOOL
Authorization object S_TCODE
- Field TCD, value STWB_WORK
This allows the user to start the Test Workbench.

Authorization object S_DEVELOP
- Field OBJTYPE, value ECTC (test configuration)
- Field ACTVT, values 03 (display), 16 (execute)
- Field DEVCLASS, any values, for example Y*, Z* for any package in the customer namespace
- Field OBJNAME, any values, for example Y*, Z* for any object name in the customer namespace

Authorization object S_RFC
- Field RFC_TYPE, value FUGR (function group)
- Field ACTVT, value 16 (execute)
- Field RFC_NAME, value STTF (eCATT auxiliary functions)
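The developer and tester authorization lists above differ only in a few field values, which makes a cloned or over-broad tester role easy to miss. The following added example (not part of this guide or of any SAP tool) compares a role's S_TCODE, S_DEVELOP and S_RFC values against the minimal tester profile listed above and reports every value that goes beyond it. The role data layout, the sample role and the function names are assumptions made for the illustration; the check is field-wise and therefore conservative, since SAP evaluates an authorization as a combination of field values.

```python
# Added example: field-wise least-privilege check of a role against the
# tester baseline from the eCATT Security Guide. Not an SAP API; the role
# layout (object -> field -> set of values) is an assumption of this example.

# Minimal tester authorizations taken from the guide's 3.4 lists.
TESTER_BASELINE = {
    "S_TCODE":   {"TCD": {"STWB_WORK"}},
    "S_DEVELOP": {"OBJTYPE": {"ECTC"}, "ACTVT": {"03", "16"},
                  "DEVCLASS": {"Y*", "Z*"}, "OBJNAME": {"Y*", "Z*"}},
    "S_RFC":     {"RFC_TYPE": {"FUGR"}, "ACTVT": {"16"}, "RFC_NAME": {"STTF"}},
}

def covered(value: str, allowed: set) -> bool:
    """True if `value` is matched by an allowed entry. A trailing '*' in an
    allowed entry matches any suffix, as in SAP authorization values; a bare
    '*' in the role value is only covered by a bare '*' in the baseline."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False

def excess_privileges(role: dict, baseline: dict = TESTER_BASELINE) -> list:
    """Return 'OBJECT.FIELD=VALUE' entries the role grants beyond the baseline.
    Objects absent from the baseline are reported in full."""
    findings = []
    for obj, fields in role.items():
        base_fields = baseline.get(obj)
        if base_fields is None:
            findings.extend(f"{obj}.{f}={v}" for f, vals in fields.items()
                            for v in sorted(vals))
            continue
        for field, values in fields.items():
            allowed = base_fields.get(field, set())
            for v in sorted(values):
                if not covered(v, allowed):
                    findings.append(f"{obj}.{field}={v}")
    return findings

# Constructed sample: a "tester" role that was cloned from a developer role
# and still carries SECATT, script change rights and the SYST function group.
SAMPLE_TESTER_ROLE = {
    "S_TCODE":   {"TCD": {"STWB_WORK", "SECATT"}},
    "S_DEVELOP": {"OBJTYPE": {"ECTC", "ECAT"}, "ACTVT": {"02", "03", "16"},
                  "DEVCLASS": {"Z*"}, "OBJNAME": {"ZTEST*"}},
    "S_RFC":     {"RFC_TYPE": {"FUGR"}, "ACTVT": {"16"}, "RFC_NAME": {"STTF", "SYST"}},
}

if __name__ == "__main__":
    for finding in excess_privileges(SAMPLE_TESTER_ROLE):
        print("beyond tester baseline:", finding)
```

Swap TESTER_BASELINE for the developer values from 3.3 to run the same check against developer roles, or against the remote-system S_RFC lists.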
On the server:
- A profile parameter whose setting determines whether GUI Scripting should be allowed on the current application server

On the client:
- Options in the SAP GUI setup program that make it possible to install SAP GUI without the scripting components
- Registry keys that allow scripting to be disabled on the client
If GUI Scripting is enabled, the Settings dialog box of the SAP GUI contains the following options for GUI Scripting:
- Enable scripting: The user can enable and disable scripting for their own use
- Notify when a script attaches to a running GUI: A message appears whenever a script attaches to the SAP GUI
- Notify when a script opens a connection: A message appears whenever a script opens a new GUI connection

These options set Registry keys under HKCU\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. If you are using scripting for the SAPGUI command in eCATT, we recommend that you leave the Notify when a script opens a connection option selected: eCATT itself never opens a new connection, so the notification costs eCATT users nothing and still signals any other script that does.
4.2.3.2 Local Machine (All Users)
Users with administrator rights on a particular PC can enable and disable scripting using the Registry key HKLM\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. This can have the values 0 (disabled) or 1 (enabled). The default setting is enabled.