Former Member

SCC4 Settings

I'm doing a security review of an SAP production system.

Changes and transport for client specific changes has been set to "No changes" which is fine.

eCATT and CATT have been set to allowed - Does the first setting overwrite these being allowed or is this a risk?

Any help appreciated. Thanks


2 Answers

  • Best Answer
    Former Member
    Posted on Nov 09, 2011 at 04:17 PM

    Hi John,

    CATT = Computer Aided TESTING tool.

    This is simply an on-or-off switch saying CATTs can be run or CATTs cannot be run.

    Ideally one should let CATTs run in DEV and sometimes in QAS but never PRD, unless it is for initial data load purposes - and then shut it off as soon as possible.

    Implication

    Someone with access to SCAT in production could upload false or bad data into your system. Especially when it comes to configuration. Without the other areas locked as well, someone could really mess with your tables, load users, etc.

    If someone is allowed to use SCAT and wants to upload something, they could potentially upload during peak usage of the system and cause a major slowdown.

    You usually don't allow anyone to do this in Production once the system is up and running. There may be a rare config occasion, but then they need to request the system to be open during a specific time frame and for how long. Most likely this is all set up during a "change control" process so that everyone knows exactly what that person is doing.

    Example:

    There are functions in the SCAT-related objects, which serve the sole purpose of calling other functions once the first check has been passed at "1" (read the docu). There are also several transactions and reports (SA38 etc.) which lead to CATT runs. Therefore, any person with FUGR authorizations for SCAT objects has potentially an SAP_ALL authorization on the system.

    Source:

    http://sapbasisnotes.blogspot.com/2007/11/scc4-and-catt-settings.html

    Hope this helps.

    Regards,

    Varun


  • Former Member
    Posted on Nov 09, 2011 at 04:38 PM

    Thanks and is this still the case where No Changes have been selected? I'm looking to know if this control overwrites the CATT setting or not.


    • Former Member J. Heeck

      IMO accidental big bang mistakes are more likely than intentional small misuse.

      Imagine running the year end closing test cases against production instead of QAS in December already? It will be a tough call to put Humpty Dumpty together again... 😊

      Scripting tools also offer "in line" programming options. Those can be misused for sure (however the two obvious ones in SAP respect the SCC4 "no change" setting).

      So the first setting limits eCATT, but does not prevent it.

      Cheers,

      Julius
