Applies to:
SAP ERP, SAP NetWeaver Application Server ABAP. For more information, visit the Security homepage.
Summary
This article describes a step-by-step procedure for creating Derive roles in mass from a set of Master roles.
Creating Derive roles with SECATT is described here in almost the same way as creating single roles with
SECATT. The difference is maintaining the inheritance relationship with the Master roles.
Author Bio
Dipanjan Sanpui has been working in IBM Global Business Working (India) from 2007 as SAP
NetWeaver Security Consultant.
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
© 2010 SAP AG 1
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
Table of Contents
Introduction
Creation of Test Script
Creation of Test Configuration
Populating the Test Script variable with Data
Execution of Script to Create the Derive Roles
Monitoring the Log of e-CATT execution
Review of Role Data
Related Content
eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA)
Disclaimer and Liability Notice
Introduction
Creating e-CATT scripts and using them is now a widely known way of automating repetitive work for
creating or modifying master data in SAP. Here is one more such example, with a description of the steps for
creating Derive roles in mass from a set of Master roles. We are not going to populate the Organization
level values here, as the number, set and order of Organization level values vary to a great extent for a new
set of Derive roles built from scratch.
As an example, I have shown the creation of Derive roles for the process area PTD (procure to demand) for
an implementation project I am currently working on.
e-CATT involves two steps for creating the script to create the roles. They are as follows:
1. Creation of Test Script
2. Creation of Test Configuration
e-CATT stands for Extended Computer Aided Test Tool and the transaction code is SECATT. To use
e-CATT to automate the repetitive steps of the same transaction, we first need to create a Test Script.
Note: Before I start describing the steps, I would like to make clear that e-CATT scripts do not need to be
manually coded in ABAP. Rather, creating them can be seen as a configuration type of job. So anyone who wonders where
the coding is for these Z-scripts can be assured of zero coding effort for these scripts, which can be used multiple times
in multiple SAP systems.
Selecting Create will take you to the next screen as shown below. Here, under the Attribute tab, you need to enter
the following details:
Title of the Test Script – this is basically the text description.
Component – this field holds the unique ID of the application component under which the TCode in
consideration falls.
The component needs to be selected by pressing the F4 key, i.e. by using the selection help. In our case, the
creation of a derive role falls under the sub-component “Authorization and Role Management”, which is within
the node BC-SEC (Security).
After selecting the Component, click on the button “Pattern” on the Application Toolbar, in between “Stop” and
“Pretty Printer”.
A new window will pop up where you need to select the following details from the drop-down:
Group: UI Control
Command: TCD (Record)
Transaction: PFCG
Interface: this field will get populated automatically after you enter the transaction code and press
Enter. The interface is PFCG_1.
Click on the green check icon and you will get a message to confirm the data you selected. Choose Yes to
continue.
Now you will be taken to the TCode PFCG to perform the task you want to automate. Create a derive
role from the respective Master role. e-CATT will capture each screen and each operation on it while the role is created,
together with the input data and instructions (role name, text, master role name, copy of authorization data
from master role, generation of role etc.) given by the user. After saving the role, click on the green “Back”
arrow.
Note: Since this article is not meant to cover the role creation process, I am leaving it out, as it is a well-known practice for
SAP Security practitioners and this article is not for beginners.
You will be asked to confirm whether the captured data can be transferred to the Test Script or not.
Select Yes and you will then see the following screen.
In this screen you will see the TCode and its interface inside the “Editor” tab. Double-click on the interface.
Here the interface for PFCG is PFCG_1.
Double-clicking on PFCG_1 will open a split screen on the right side of this window frame. We need to
navigate through the various screens just recorded to replace the fixed values entered during the recording with
a generic input which will serve the purpose of a variable. The process is described below:
Go to the node “DYNPRO MODE PROG DYNR” inside of “Command Interface PFCG_1”.
Open each of the nodes within the DYNPRO menu node, marked with serial numbers 1, 2, 3, etc. The node
below this level contains the values that need to be replaced. Double-click on the last row, which contains the columns:
FIELD MODE NAME VALIN VALOUT
After double-clicking on this level, a split screen will appear on the right-hand side which shows the columns
where the input values used during recording are visible.
The row selected in the picture below is the one you need to double-click to get the right-hand
side pane. The right-side pane will show the role name used as the Derive role in the VALIN column. All
input values will appear in the VALIN column.
Remove the role name provided during the creation of the role while recording and replace it with a generic value. Here
the Derive role name, i.e. AGR_NAME_NEU, in the VALIN column has been replaced by DER_ROLE.
Press Enter. A window will pop up asking you to confirm that you want to create the parameter DER_NAME.
The default parameter type will be Local. Change it to “Import” and click on Yes.
The new value for the Derive role has been defined as a variable DER_NAME.
The same steps need to be performed for all the other DYNPROs, in the last row of each node, as described
above.
The following data was used during the creation of the role:
1. Parent Role Name from which the Derive role was derived
2. Derive Role Name
3. Derive Role Text
4. Transaction Codes in Role Menu adopted in the Derive role from the Parent role’s menu
Please see some of them below.
Note: Please remember to change the parameter type from Local to Import whenever prompted (after changing a
recorded value to a variable and then pressing Enter).
Note: Remember to erase any previously filled values while recording your steps; otherwise they will appear in the
VALOUT column and you won’t be able to give them variable names. This is done by opening the Dynpro menu
and double-clicking on the last row that contains the Field, Mode, Name etc. columns. We need to enter variable names
in place of the values which we entered manually.
Please note that after each of these values has been changed and parameterized, the icon beside the
respective row, as well as the one at the DYNPRO line, changes.
Note: The column called “Parameter” represents the column heading of the input file, under which you need to put the
corresponding entries as described later in this article. The header YZ represents any TCodes that are going
to be added to the derive role menu from the parent role when the menu is adopted.
After changing all manual input and defining the variables, you need to save. Save it as Local Object.
Note: If you want to transport the Test Script and use it in another system, you can assign it to a Development class
instead of Local Object.
Go back.
After creating the Test Script, we need to create the “Test Configuration”.
The next screen that appears is the General Data tab inside Attribute.
Provide a text description and the Component name as shown in the above picture.
Note: If you are not sure of the granularity of the component, selecting only BC-SEC is the more general choice.
Then go to the Configuration tab. Here you need to enter the name of the Test Script created in the previous
section.
After assigning the Test Script name, click on the download icon on the Application toolbar.
You will be prompted to save the file in a destination on your local PC. The default directory will be the
SapWorkDir (as shown in the above picture in the pop-up screen). The file extension is, and has to be, “*.txt”.
Save the file in the location of your choice (if you want to select a different path).
As you click the save button, a system message appears to confirm the Reference to Test Data resolution.
Choose yes and continue.
To check the downloaded variant, go to the Variant tab. Here you will be able to see the variant you
downloaded, with the input columns which need to be populated before the script is executed to
create the data.
The external path is also shown here; it states from where the system reads the filled-in file to execute the
operation.
The default Mode is Internal Variable. To use the upload function from your local PC, with the manually
maintained data in the file which will be used to create the data, you need to change the mode from
Internal Variable to External Variable. Enter the file name in the File field.
Go Back.
Go to the directory where you saved the file. Open the file with a spreadsheet solution (MS Excel).
Here you can see the columns which you can then populate with data. In this example, we have the following
columns to populate:
XY, YZ, PARENT_ROLE, DERIVE_ROLE_TEXT, DER_ROLE.
The fields XY and YZ represent two Organization level fields here.
Note: I would suggest not assigning or maintaining the Organization Levels during this process, as the number and type of
Organization Levels may vary to a great extent between roles. So, populating the Org. level fields while creating
the Derive roles can create erroneous entries.
Save the file after entering all data, keeping the original extension (.txt).
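A pre-upload check for the input file described above, added here as an example that is not part of the original article: it reads the tab-delimited .txt file and reports rows that would create wrong or duplicate Derive roles. It assumes the first line is the column header row with the article's column names and that each later line is one role; the function name, the sample role names and the SAP_ prefix check are this example's own, and the 30-character limit is the PFCG role-name length.

```python
import csv
import io

ROLE_NAME_MAX = 30                 # PFCG role names hold at most 30 characters
REQUIRED = ("PARENT_ROLE", "DERIVE_ROLE_TEXT", "DER_ROLE")
ORG_LEVEL_COLUMNS = ("XY", "YZ")   # the two org-level columns named in the article


def validate_variant_file(text):
    """Return (line_number, message) findings for a tab-delimited input file."""
    rows = list(csv.reader(io.StringIO(text, newline=""), delimiter="\t"))
    header = [h.strip() for h in rows[0]] if rows else []
    findings = [(1, f"missing column {c}") for c in REQUIRED if c not in header]
    if findings:
        return findings
    first_seen = {}  # derived role name -> line where it first appeared
    for line_no, cells in enumerate(rows[1:], start=2):
        if not any(c.strip() for c in cells):
            continue  # ignore blank lines
        row = dict(zip(header, (c.strip() for c in cells)))
        derived = row.get("DER_ROLE", "")
        parent = row.get("PARENT_ROLE", "")
        if not derived:
            findings.append((line_no, "DER_ROLE is empty"))
        elif len(derived) > ROLE_NAME_MAX:
            findings.append((line_no, f"DER_ROLE longer than {ROLE_NAME_MAX} characters"))
        if derived.upper().startswith("SAP_"):
            findings.append((line_no, "DER_ROLE uses the SAP_ prefix of SAP-delivered roles"))
        if derived in first_seen:
            findings.append((line_no, f"DER_ROLE repeats line {first_seen[derived]}"))
        elif derived:
            first_seen[derived] = line_no
        if not parent:
            findings.append((line_no, "PARENT_ROLE is empty"))
        elif parent == derived:
            findings.append((line_no, "DER_ROLE equals PARENT_ROLE"))
        if not row.get("DERIVE_ROLE_TEXT", ""):
            findings.append((line_no, "DERIVE_ROLE_TEXT is empty"))
        for col in ORG_LEVEL_COLUMNS:
            if row.get(col, ""):
                findings.append((line_no, f"{col} is populated; leave org levels for later"))
    return findings


# Constructed sample input (role names are invented, not taken from the article).
SAMPLE = (
    "XY\tYZ\tPARENT_ROLE\tDERIVE_ROLE_TEXT\tDER_ROLE\n"
    "\t\tZM_PTD_BUYER\tPTD Buyer - Plant 1000\tZD_PTD_BUYER_1000\n"
    "\t\tZM_PTD_BUYER\tPTD Buyer - Plant 2000\tZD_PTD_BUYER_1000\n"
    "1000\t\tZM_PTD_BUYER\t\tZD_PTD_BUYER_3000_WITH_A_NAME_THAT_IS_TOO_LONG\n"
    "\t\t\tPTD Approver\tSAP_PTD_APPROVER\n"
)

if __name__ == "__main__":
    for line_no, message in validate_variant_file(SAMPLE):
        print(f"line {line_no}: {message}")
```

Running the check on the file before switching the variant mode to External Variable catches these rows while they are still cheap to fix, rather than in the execution log.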
You will be prompted to select the Error behavior and Debugging mode. You can also choose whether you
want to keep a log of the execution to review the errors and their details.
Inside the Variants tab, you will be able to see the link to the file you are going to use as the input.
Within the UI (user interface) Control tab you need to select Start mode, SAP GUI behavior, Processing
mode, Error mode for SAP GUI.
You can select the option “Save Screenshots” to collect screenshots in case of an error, so that you can analyze
it in more detail.
The path where the screenshots are stored can also be managed here.
Breakpoint is another tab where you can put a script and select whether you want it to be inactive (for a particular
version) if you have a more updated version with the same file name.
Clicking on the Test Configuration will take you to the Test Configuration screen, where you can check whether you
have entered the correct version or name of the test script in the Test Configuration.
Without expanding the log, you can see a high-level view of the errors from the color legend.
You may download it, with the input data, in Excel format for better analysis.
Enter the time frame and the user ID that executed the script, then execute.
Select the relevant log you want to analyze again. (Clicking on the log “Activity No.” will directly open
the log.)
If you want to download it to your PC, first go to the print preview and then download it.
Related Content
https://www.sdn.sap.com/irj/sdn/ecatt