E CATT

Using e-CATT in Security Works:
Creation of Derive roles by using

SECATT
Applies to:
SAP ERP, SAP NetWeaver Application Server ABAP. For more information, visit the Security homepage.
Summary
This article describes step by step procedure for creating Derive roles from a set of Master Roles in Mass.
Derive role creation is basically described here in almost in the same way as creation of single roles by using
SECATT. The difference is the maintaining the relationship of Inheritanc e with the Master roles.
Author: Dipanjan Sanpui

Company: IBM Global Business Service
Created on: 09 May 2010
Author Bio
Dipanjan Sanpui has been working in IBM Global Business Working (India) from 2007 as SAP
NetWeaver Security Consultant.
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
© 2010 SAP AG 1
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
Table of Contents
Introduction............................................................................................................................................. 3
Creation of Test Script.......................................................................................................................... 4
Creation of Test Configuration ............................................................................................................ 15
Populating the Test Script variable with Data ....................................................................................... 19
Execution of Script to Create the Derive Roles ..................................................................................... 20
Monitoring the Log of e-CA TT execution.............................................................................................. 23
Review of Role Dat a .......................................................................................................................... 25
Relat ed Content .................................................................................................................................... 29
eCA TT: extended Computer Aided Test Tool (B C-TWB-TS T-ECA ) ....................................................... 29
Disclaimer and Liability Notice................................................................................................................ 30
© 2010 SAP AG 2
Introduction
Creation of e-CA TT script and it’s usage is now a widely known feature in automating repetitive works for
creating or modifying master data in SAP. Here is one more such example with description of steps for
creating Derive roles in mass from a set of Master roles. But we are not going to populate the Organiz ation
level values here as the number, set and order of Organization level values varies to great extent for a new
set of Derive roles built from scratch.
As an example, I have shown the creation of Derive roles for the process area PTD (procure to demand) for
an Implementation project I am currently working on.
e-CA TT involves two steps for creating the script to creat e the roles. They are as follows:
1. Creation of Test Script
2. Creation of Test Configuration
e-CA TT stands for Extended Computer Aided Test Tool and the Transaction code is SECATT. To us e e-
CA TT to automate the repetitive steps of same transactions first we need to create a Test Script.
Note: Before I start describing the steps I would like to make this clear that e -CATT Scripts are not something need to be
manually coded in ABAP. Rather it can be seen as a configuration type of job. So, anyone thinks where the coding
is for this Z-scripts, can get the assurance of zero coding effort for these scripts which can be used multiple times
in multiple SAP systems.
© 2010 SAP AG 3
Creation of Test Script

Go to Transaction SECA TT. Put a name of the Test script (here Z_CREA TE_DERIVE_ROLE ) in the field
“Test Script”, select the radio button beside it and then click create.
The create selection will take to the next screen as shown below. Here under Attribute tab you need to put
the following details:
Title of the Test Script – this is basically the Text descriptio
Component – this field holds the unique id of the application component under which the TCode in
consideration falls.
© 2010 SAP AG 4
The component need to be selected by pressing the F4 key i.e. by using the selection help. In our case, the
creation of derive tole falls under the sub component “Aut horization and Role Management” which is within
the node BC-SEC (Sec urity).
After selecting the Component, click on the button “Pattern” on the Application Toolbar in bet ween “Stop” and
Pretty Printer.
It will pop up a new window where you need to select the following details from the drop down:
© 2010 SAP AG 5
 Group: UI Control
 Command: TCD (Record)
 Transaction: PFCG
 Interface: this field will get populated automatically after you put the transaction code and press
enter. Interface is PFCG_1
Select on the green right icon and you will get a message to confirm the data you selected. Check Yes to
continue.
Now you will be taken to the TCode PFCG to perform the desired tak you want to automat e. Create a derive
role from the res pective Master role. e-CA TT will capture each screen and operation on it while creating role
together with the input data and instructions (role name, text, master role name, copy of authorization data
from master role, generation of role etc.) given by users. After saving the role, click on the green “Back”
arrow.
Note: Since this article is not meant for role creation process so I am keeping them apart as it is a well known parctice for
SAP Security practioners as this article is not for beginners.
You will be asked for the confirmation whether the data captured can be transferred to Test Script or not.
Select Yes and Next you will see the following screen.
© 2010 SAP AG 6
In this screen you will get the TCode and it’s interface inside of the “Editor” tab. Double click on the Interface.
Here the Interface for PFCG is PFCG_1.
Double clicking on PFCG_1 will open a spit screen just by the right side of this window frame. We need to
navigate thoruhg various screens just recorded to replace the fixed values entered during the recording with
a generic input which will serve the purpose of a variable. The process is described below:
Go to the node “DYNPRO MODE PROG DYNR” inside of “Command Interface
PFCG_1”.
Open each of the nodes within the DYNP RO menu node marked with serial numbers 1, 2, 3, etc. The node
below this level contains the values need to be replac ed. Double click on the last row whic h contains the:
FIELD MODE NAME VALIN VALOUT
After double clicking on this level, a split screen will appear on the right hand side which shows the columns
where the input values used during rec ording are visible.
© 2010 SAP AG 7
The row level selected in the below picture is the section where you need to double click to get the right hand
side pane. The right side pane will show the role name used as the Derive role in the VALIN column. All
Input values will appear in the VALIN column.
Remove the role name provide durig the creatio of role while recording and replace wit h a genric value. Here
the Derive role name i.e. AGR_NAME_NEU in VALIN column has been relaced by DE R_ROLE.
© 2010 SAP AG 8
Press eneter. A window will pop up for the confirmation if you want to Creat e the parameter DER_NAME.
The default parameter type will be Loc al. Change it to “Import” and click on Yes.
The new value for the Derive role has been defined as a variable DE R_NAME.
Same steps need to be performed for all the ot her DYNP ROs in the last row of each node as described
above.
Following Data was used during the creation of the role:
1. Parent Role Name from which the Derive was derived
2. Derive Role Name
3. Derive Role Text
4. Trans action Codes in Role Menu adopted in the Derive role from the Pare nt role’s menu
Please see some of them below.
© 2010 SAP AG 9
Notes: Please remember to change the parameter type from Local to Import whenever prompted (after chaging a
recorded value with a variable and then presseing eneter).
© 2010 SAP AG 10
Note: Do remember to erase any previously filled values while recording your steps otherwise they will appear in the
VALOUT column and you won’t be able to give them variable names)*This is done by opening the Dynpro menu
and double click on the last row that contains Field, Mode, Name etc. columns. We need to enter variable names
in place of those values which we have entered manually.
© 2010 SAP AG 11
Please note that after changing each of these values and parameterizing these values the icon beside the
respective row as well as at DYNP RO line are changed.
© 2010 SAP AG 12
Note: The column called “Parameter” represents the Column heading of the input file where you need to put the
corresponding entries under it as described later in this article. The header YZ is representing any TCodes going
to be added in the derive role menu from the parent role during the adoption of the same.
After changing all manual input and defining the variable you need to save. Save it as Local Object.
Note: If you want to Transport the Test Script and use in other system, then you can assign it to a Development class
instead of Local Object.
© 2010 SAP AG 13
The Test Script is saved wit h a confirmation message at the bottom.
Go back.
After creating the Test Script, we need to creat e the “Test Configuration”.
© 2010 SAP AG 14
Creation of Test Configuration

In the screen of SECA TT transaction, select the Test Configuration button and put a name (here
Z_CREA TE_DERIVE_ROLE) and click on Create icon.
The next screen appears is the General Data tab inside Attribute.
Provide a Text description and the Compoenent name as shown in the above picture.
© 2010 SAP AG 15
Note: If you select only BC-SEC then it would be more general if you are not sure of the granularity of this.
Then go to configuration tab. Here you need to put the name of the Test Scrpt created in the previuos
section.
After assigning the Te st Script name, click on the download icon on the Application toolbar.
You will prompt ed to save the file in a destination at your Local P C. The default directory will be the
SapWorkDir (as shown in the above picture as the pop up screen). File extention is and has to be “*.txt”.
Save the file in the location as per your choice (if you want to select a different path).
© 2010 SAP AG 16
As you click the save button, a system message appears to confirm the Reference to Test Data resolution.
Choose yes and continue.
At bottom, the message shows the successful download of the variant.
To check the variant downloaded, go to the Variant tab. Here you will be able to see the variant you
downloaded with the Input columns which are need to populated during the execution of the script for
creating data.
The external path is also evident here which states from where system reads the filled up file to execute the
operation.
© 2010 SAP AG 17
The default Mode is Internal variable. To use the upload function from your local pc wit h the manually
maintained data in the file which will be used to create the data, you need to change the mode from
Internal Variable to External Variable. Put the file name in the File field.
Save it. The message for successful completion of appears at bottom.
© 2010 SAP AG 18
Go Back.
Populating the Test Script variable with Data

After Creation of Test Script and configuring it for using from local pc, we need to populate the dat a in the
downloaded file saved in the loc al PC.
Go to the directory where you saved the file. Open the file with spreadsheet solution (MS Excel).
Here you can see the columns where you can then populate the data. In this example, we have the following
columns to populate:
XY, YZ, PARE NT_ROLE, DERIVE_ROLE _TE XT, DER_ROLE.
The fields XY and Y Z are represnting t wo Organization level fields here.
© 2010 SAP AG 19
Note: I would suggest not to assign or maintain the organization Levels during this process as the number, type of
Organization Levels may vary in different roles to great extent. So, populating the Org. level fields while creating
the Derive roles can create erronious entries.
Save the file after putting all data in the orginial extention (.txt).
Execution of Script to Create the Derive Roles

Go to transaction SECA TT  Select the Test Configuration with the name of the Test configuration 
Execute
You will be prompted to select the Error behavior and Debugging mode. Also you can choose whet her you
want to keep a log for the execution to review the errors and their details.
© 2010 SAP AG 20
Inside of the Variants tab, you will be able to see the link to the file you are going to use the Input.
Within the UI (user interface) Control tab you need to select Start mode, SAP GUI behavior, Processing
mode, Error mode for SAP GUI.
© 2010 SAP AG 21
The Start mode should be “N Background Processing”.
You can select the option “Save Screenshots” to collect the screen shots of errors In case of error to analyze
it with more detail view.
The screenshot view path is also available to manage.
Breakpoint is another tab where you can put a script and select if you want it to be Inactive (for a particular
version) if you have a more updated version with the same file name.
© 2010 SAP AG 22
Monitoring the Log of e-CATT execution

After execution is completed, the log screen appears with the type errors.
In the below screen we can see the errors with the Role name lengt h issue. If you select the option for Error
behavior to continue wit h processing even if any error occurs, then you will be able to see the error details
after a complete execution of the script.
Clicking on the Test Configuration will take you to the Test configuration screen where you can check if you
have enetered correct version or name of test script in the Test Configuration or not .
© 2010 SAP AG 23
Without expantion, you can see the high level view of the errors from the color legend.
Go back after the error analysis.
© 2010 SAP AG 24
Review of Role Data

From the AGR tables, you can verify the newly created roles and their input data.
1. AGR_DEFINE: You can see the high level overview of the role, text, number of roles created.
May download for better analysis with the Input data in excel format.
© 2010 SAP AG 25
2. AGR_P ROF: Successful generation of profiles for each derive role.
Other tables you may want to verify are as follows:

3. AGR_1251
4. AGR_1252
If you want to check the log at later time, you can do it in the following way:
Go to SECA TT transaction  click on “Goto”  Logs
© 2010 SAP AG 26
Put the time frame, user id (executed the script) and execute.
Select the relevant log you want to analyze again. (Clicking on the Log “Activity No.” will directly open up
the log).
If you want to download it in you pc, first you go to the print preview and then download it.
© 2010 SAP AG 27
The downloaded (in html format) error log is shown below.
© 2010 SAP AG 28
Related Content
https://www.sdn.sap.com/irj/sdn/ecatt
eCA TT: extended Computer Aided Test Tool (B C-TWB-TS T-ECA )

eCA TT (wiki link).
For more information, visit the Security homepage
© 2010 SAP AG 29
Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP offic ial interfaces and therefore is not
supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP w ill not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document,
and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type w ith respect to the content of this technical article or
code sample, including any liability resulting from incompatibility betw een the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable w ith respect to the content of this
document.
© 2010 SAP AG 30

E CATT

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

E CATT

Hochgeladen von

Copyright:

Verfügbare Formate

Using e-CATT in Security Works:

Creation of Derive roles by using

Author: Dipanjan Sanpui

Creation of Test Script

The Test Script is saved wit h a confirmation message at the bottom.

Creation of Test Configuration

At bottom, the message shows the successful download of the variant.

Save it. The message for successful completion of appears at bottom.

Populating the Test Script variable with Data

Execution of Script to Create the Derive Roles

The Start mode should be “N Background Processing”.

Monitoring the Log of e-CATT execution

Go back after the error analysis.

Review of Role Data

2. AGR_P ROF: Successful generation of profiles for each derive role.

Other tables you may want to verify are as follows:

The downloaded (in html format) error log is shown below.

eCA TT: extended Computer Aided Test Tool (B C-TWB-TS T-ECA )

For more information, visit the Security homepage

Disclaimer and Liability Notice

Das könnte Ihnen auch gefallen