29.07.2008
Copyright
Copyright 2008 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style: Example text
Description: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Type Style: Example text
Description: Emphasized words or phrases in body text, graphic titles, and table titles.

Type Style: EXAMPLE TEXT
Description: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Type Style: Example text
Description: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Type Style: Example text
Description: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Type Style: <Example text>
Description: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

Type Style: EXAMPLE TEXT
Description: Keys on the keyboard, for example, F2 or ENTER.
Contents

eCATT Security Guide [Page 5]
Before You Start [Page 6]
Technical System Landscape [Page 7]
Authorizations [Page 8]
Authorization Objects Used in eCATT Authorization [Page 9]
Test Developer Authorizations [Page 10]
Tester Authorizations [Page 12]
Setting up authorizations when execution is done locally [Page 13]
Network and Communication Security [Page 14]
Security for Additional Applications [Page 15]
Other Security-Relevant Information [Page 15]
Target Audience
Technical consultants
System administrators
728979
Configuration
In each client in which you want to run CATT procedures or eCATT test scripts, you must specify in the client settings that this should be allowed.
1. Start transaction SCC4. You will see a list of all of the clients that have been set up in the system.
2. Choose Maintain, and acknowledge the warning that the table is cross-client.
3. Double-click the client for which you want to allow CATT or eCATT. Depending on the release in which you are working, you will see one of two screens.
   In older releases, in the Restrictions group box, select the check box Allows CATT processes to be started.
   In newer releases, in the group box Restrictions when Starting CATT and eCATT, select one of the following entries:
   eCATT and CATT Not Allowed
   eCATT and CATT Allowed
   eCATT and CATT Allowed for 'Trusted RFC' Only
   eCATT Allowed; FUN/ABAP and CATT Not Allowed
   eCATT Allowed; FUN/ABAP and CATT for 'Trusted RFC' Only

Since one of the main principles of eCATT is to run all test cases from a central test system, RFC communication is required to connect to the target systems. You can restrict this RFC communication to trusted RFC, which avoids storing passwords in RFC destinations and transmitting them over the network.

The FUN and ABAP commands in eCATT pose a security problem, since the eCATT environment allows them to bypass the normal security mechanisms. With FUN, you can execute function modules remotely even if they are not flagged as remote-enabled in their attributes. The ABAP command allows you to write and execute ABAP code with only the authorization to create eCATT scripts (and not the full authorization for creating ABAP programs). Consequently, you can disable these features, or restrict them so that they can only run within a trusted RFC relationship.

Since eCATT tests frequently make database changes, it is not advisable to allow them to be run in production clients.
Additional Information
For more information about specific topics, see the addresses on the SAP Service Marketplace as shown in the table below.

Content: SAP Service Marketplace Address
Security: service.sap.com/security
Security Guides: service.sap.com/securityguide
Related SAP Notes: service.sap.com/notes
Released platforms: service.sap.com/platforms
Network security: service.sap.com/securityguide
SAP Solution Manager: service.sap.com/solutionmanager
Table fragment (only these cells were recovered): Application; eCATT patch; eCATT; SAP Web AS 6.20; eCATT patch; 6.20 System
Authorizations
To establish how to protect your systems and the connections between them, there are two kinds of user that must be considered:

Test Developer: A test developer must be able to create, change, display, and delete the following items:
   Test scripts
   Test data containers
   System data containers
   Test configurations

Tester: A tester must be able to execute test configurations assigned to him or her using the Test Workbench.

It is also necessary to create and maintain RFC destinations pointing to the various target systems. You can either assign the authorizations for this to test developers, or leave the task to the system administrator.
More Information:
Authorization Objects Used in eCATT Authorization [Page 9]
Test Developer Authorizations [Page 10]
Tester Authorizations [Page 12]
Setting up authorizations when execution is done locally [Page 13]
Authorization Objects Used in eCATT Authorization

S_TCODE
Authorizations based on the object S_TCODE regulate the transactions that users are allowed to start. Hence it is possible to restrict a user's authorization to the extent that he or she can start no transactions in the system other than SECATT. This authorization is always checked by the SAP kernel.

Field: Description
TCD: Permitted transaction code or codes
S_DEVELOP
S_DEVELOP is the authorization object used to regulate access to all development objects in an SAP system. While this potentially gives a user extremely wide-ranging rights, the granularity of the object allows you to create authorizations that restrict access to a particular kind of object (for example, you can stipulate that a user may only work with eCATT objects), particular packages, and particular activities (for example, execute, but not create, change, or delete).

Field: Description
DEVCLASS: Package(s) whose objects the user may change
OBJTYPE: Object types that the user may change
OBJNAME: Object names that the user may change
P_GROUP: Program group (applies only to programs)
ACTVT: Permitted activities (create, change, ...)
S_RFC
This is a system-side authorization object that is checked when users try to execute functions in remote systems. It allows you to restrict the function modules that can be called to those in specified function groups.

Field: Description
RFC_TYPE: Type of RFC object that the user can work with. Can only take the value FUGR (function group)
RFC_NAME: Name of the function group or groups whose function modules the user may execute
ACTVT: Activity. Can only take the value 16 (execute)
S_ADMI_FCD
This is a system administration authorization object. The system checks it when a user tries to create an RFC destination.

Field: Description
S_ADMI_FCD: The different system administration functions that the user may perform
S_RFCACL
This is a system administration authorization object. The system checks it when a user tries to log onto a target system using trusted RFC.

Field: Description
RFC_SYSID: The system ID of the originating system
RFC_CLIENT: The client of the originating system
RFC_USER: The user in the originating system
RFC_EQUSER: Flag: Must the user in the target system be the same as the user in the originating system?
RFC_TCODE: Transaction code of the application that executed the call
RFC_INFO
ACTVT: Activity (only supports 16 Execute)

Test Developer Authorizations

S_DEVELOP
OBJTYPE
ACTVT: 01, 02, 03, 06, 16
DEVCLASS: Any values, for example Y*, Z* for any package in the customer namespace
OBJNAME: Any values, for example Y*, Z* for any package in the customer namespace
If you have separate systems for developing test objects and the actual testing, your developers will also need authorization for the object S_TRANSPORT. Refer to the documentation of this object for full details.
S_RFC
RFC_NAME:
   All eCATT function groups
   A Batch Input function group necessary to record TCD commands
   SDYN: A function group from screen processing required for the screen simulation function in the eCATT Script Editor
Tester Authorizations
In addition to the authorizations listed below, testers will also require authorization to run the transactions included in the test scripts.
S_TCODE
TCD: This allows the user to start the Test Workbench.

S_DEVELOP
OBJTYPE: ECTC (Test configuration)
ACTVT: 03 (Display), 16 (Execute)
DEVCLASS: Any values, for example Y*, Z* for any package in the customer namespace
OBJNAME: Any values, for example Y*, Z* for any package in the customer namespace
Setting up authorizations when execution is done locally

Option 1
Allow activity 16 with SCAT and *. This enables execution in the target system; if SCAT is allowed, SECATT is also allowed and is not checked separately. Then restrict activity 16 with ECAT, ECSC, and ECTC to the allowed objects.

Option 2
Allow activity 16 with *. This enables execution in the target system for all eCATT objects. Since you also want to restrict execution to certain eCATT objects, instead of restricting the execution of these objects (activity 16) you can simply restrict the display of these objects (activity 03). Activity 03 is checked before execution as well, as nobody should be allowed to execute an eCATT object that they are not allowed to display.

Disadvantage of option 2: Users will not be able to display the eCATT objects that are not included in the authorization of the second step.
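As an added illustration (not code from this guide or from SAP), the following Python models how a tester's S_DEVELOP authorizations are evaluated under Option 1 and Option 2 for a test configuration, including the display-before-execute rule and the loss of display rights that Option 2 causes. The object names, the Z_RELEASE* pattern and the simplified order of checks are assumptions.

```python
# Added model (not SAP's kernel code) of the S_DEVELOP checks behind Option 1
# and Option 2. Object names and the "Z_RELEASE*" pattern are constructed.
def matches(pattern, value):
    """SAP-style authorization value: a trailing '*' is a wildcard."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def has_auth(auths, objtype, actvt, objname):
    """True if some S_DEVELOP authorization covers OBJTYPE, ACTVT and OBJNAME."""
    return any(matches(a["OBJTYPE"], objtype) and actvt in a["ACTVT"]
               and matches(a["OBJNAME"], objname) for a in auths)

def can_display(auths, objtype, objname):
    return has_auth(auths, objtype, "03", objname)

def target_execution_allowed(auths):
    # Execution in the target system is checked as OBJTYPE SCAT, ACTVT 16;
    # if SCAT is allowed, SECATT is allowed too and is not checked separately.
    return any(matches(a["OBJTYPE"], "SCAT") and "16" in a["ACTVT"] for a in auths)

def can_execute(auths, objtype, objname):
    # Display (03) is checked before execution: nobody may execute an eCATT
    # object they may not display. Then the object-level 16 and the target check.
    return (can_display(auths, objtype, objname)
            and has_auth(auths, objtype, "16", objname)
            and target_execution_allowed(auths))

# Option 1: SCAT/* for activity 16, display on all objects, execute restricted.
OPTION1 = [
    {"OBJTYPE": "SCAT", "ACTVT": {"16"}, "OBJNAME": "*"},
    {"OBJTYPE": "ECTC", "ACTVT": {"03"}, "OBJNAME": "*"},
    {"OBJTYPE": "ECTC", "ACTVT": {"16"}, "OBJNAME": "Z_RELEASE*"},
]

# Option 2: activity 16 on *, restriction done through display (activity 03).
OPTION2 = [
    {"OBJTYPE": "*", "ACTVT": {"16"}, "OBJNAME": "*"},
    {"OBJTYPE": "ECTC", "ACTVT": {"03"}, "OBJNAME": "Z_RELEASE*"},
]

def compare(objname):
    """(can display, can execute) for one test configuration under each option."""
    return {name: (can_display(auths, "ECTC", objname), can_execute(auths, "ECTC", objname))
            for name, auths in (("option1", OPTION1), ("option2", OPTION2))}

if __name__ == "__main__":
    for name in ("Z_RELEASE_SMOKE", "Z_OTHER_TEAM"):
        print(name, compare(name))
```

Under both options Z_RELEASE_SMOKE can be displayed and executed; for Z_OTHER_TEAM, Option 1 still allows display but not execution, while Option 2 allows neither.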
Network and Communication Security

1. Log onto the target system and set up an RFC destination that points to your central test system.
2. Start transaction SMT1 and choose (Create).
3. In the next dialog box, enter the name of the RFC destination that you created in step 1.
4. On the next screen, you can use the following settings to restrict the use of the trusted relationship:
   You can set the entry to inactive.
   You can restrict the validity of the relationship.
5. Create RFC destinations in the central test system that use trusted RFC to log onto the system in which you just established the trusted relationship.
   1. Start transaction SM59, and open an RFC destination for editing.
   2. On the Logon tab, select the Yes radio button for the Trusted System option.
Additional Authorizations
In the target system, each user who wants to log on using trusted RFC requires an authorization containing appropriate values for the authorization object S_RFCACL.
If you start the external tool yourself and want to upload scripts to eCATT, there is no generated user, and you must log onto the SAP System yourself. In this case, you will require the authorizations contained in role SAP_ECET.
On the server: Profile parameters whose setting determines whether GUI Scripting should be allowed on the current application server.
On the client: Options in the SAP GUI setup program that make it possible to install SAP GUI without the scripting components; Registry keys that allow scripting to be disabled on the client.
sapgui/user_scripting_force_notification
sapgui/user_scripting_set_readonly
Warning Options
Current User
If GUI Scripting is enabled, the Settings dialog box of the SAP GUI contains the following options for GUI Scripting:
Enable scripting: The user can enable and disable scripting for their own use.
Notify when a script attaches to a running GUI: A message appears whenever a script attaches to the SAP GUI.
Notify when a script opens a connection: A message appears whenever a script opens a new GUI connection.

These options set Registry keys under HKCU\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. If you are using scripting for the SAPGUI command in eCATT, we recommend that you leave the Notify when a script opens a connection option selected, since eCATT itself never opens a new connection.

Local Machine (All Users)
Users with administrator rights on a particular PC can enable and disable scripting using the Registry key HKLM\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. This can have the values 0 (disabled) or 1 (enabled). The default setting is enabled.
Logon Screens
The eCATT SAPGUI command never records logon screens. Instead, it creates RFC destinations pointing to the system in question. You are free to adjust these destinations later to allow an unattended logon.