11-09-2011 3:40 PM
I'm doing a security review of an SAP production system.
Changes and transport for client specific changes has been set to "No changes" which is fine.
eCatt and CATT have been set to allowed - Does the first setting overwrite these being allowed or is this a risk?
Any help appreciated. Thanks
11-09-2011 4:17 PM
Hi John,
CATT = Computer Aided TESTING tool.
This is simply an on-or-off switch saying CATTs can be run or CATTs can not be run.
Ideally one should let CATTs run in DEV and sometimes in QAS but never PRD, unless, it is for initial data loads purposes - and then shut it off as soon as possible.
Implication
Someone with access to SCAT in production could upload false or bad data into your system. Especialy when it comes to configuration. Without the other areas locked as well, someone could really mess with your tables, load users, etc.
If someone is allowed to use SCAT and wants to upload something, they could potentially upload during peak usage of the system and cause a major slowdown.
You usually don't allow anyone to do this in Production once the system is up and running. There may be a rare config occasion, but then they need to request the system to be open during a specific time frame and for how long. Most likely this is all setup during a "change control" process so that everyone knows exactly what that person is doing.
Example:
There are functions in the scat related objects, which serve the sole purpose of calling other functions once the first check has been passed at "1" (read the docu). There are also several transactions and reports (SA38 ect) which lead to CATT runs. Therefore, any person with FUGR authorizations for SCAT objects has potentially an SAP_ALL authorization on the system.
Source:
http://sapbasisnotes.blogspot.com/2007/11/scc4-and-catt-settings.html
Hope this helps.
Regards,
Varun
11-09-2011 4:17 PM
Hi John,
CATT = Computer Aided TESTING tool.
This is simply an on-or-off switch saying CATTs can be run or CATTs can not be run.
Ideally one should let CATTs run in DEV and sometimes in QAS but never PRD, unless, it is for initial data loads purposes - and then shut it off as soon as possible.
Implication
Someone with access to SCAT in production could upload false or bad data into your system. Especialy when it comes to configuration. Without the other areas locked as well, someone could really mess with your tables, load users, etc.
If someone is allowed to use SCAT and wants to upload something, they could potentially upload during peak usage of the system and cause a major slowdown.
You usually don't allow anyone to do this in Production once the system is up and running. There may be a rare config occasion, but then they need to request the system to be open during a specific time frame and for how long. Most likely this is all setup during a "change control" process so that everyone knows exactly what that person is doing.
Example:
There are functions in the scat related objects, which serve the sole purpose of calling other functions once the first check has been passed at "1" (read the docu). There are also several transactions and reports (SA38 ect) which lead to CATT runs. Therefore, any person with FUGR authorizations for SCAT objects has potentially an SAP_ALL authorization on the system.
Source:
http://sapbasisnotes.blogspot.com/2007/11/scc4-and-catt-settings.html
Hope this helps.
Regards,
Varun
11-09-2011 4:38 PM
Thanks and is this still the case where No Changes have been selected? I'm looking to know if this control overwrites the CATT setting or not.
11-09-2011 4:50 PM
Hi,
This should be considered as a risk but does not overwrite the client specific changes.
Having eCATT to be enabled allows anyone with SCAT access to misuse the system.
From my personal experience as a Basis Consultant, we have this option as disabled on our Production systems.
Regards,
Varun
11-09-2011 5:55 PM
> Having eCATT to be enabled allows anyone with SCAT access to misuse the system.
Hi Varun,
Can you please tell us how and why automating tasks is considered misuse?
Jurjen
11-09-2011 10:25 PM
IMO accidental big bang mistakes are more likely than intentionsl small misuse.
Imagine running the year end closing test cases against production instead of QAS in December already? It will be a tough call to put Humpty Dumpty together again...
Scripting tools also offer "in line" programming options. Those can be misused for sure (how ever the two obvious ones in SAP respect the SCC4 "no change" setting).
So the first setting limits eCATT, but does not prevent it.
Cheers,
Julius