Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SCC4 Settings

Go to solution
Former Member

‎11-09-2011 3:40 PM

0 Kudos

I'm doing a security review of an SAP production system.

Changes and transport for client specific changes has been set to "No changes" which is fine.

eCatt and CATT have been set to allowed - Does the first setting overwrite these being allowed or is this a risk?

Any help appreciated. Thanks

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎11-09-2011 4:17 PM

0 Kudos

Hi John,

CATT = Computer Aided TESTING tool.

This is simply an on-or-off switch saying CATTs can be run or CATTs can not be run.

Ideally one should let CATTs run in DEV and sometimes in QAS but never PRD, unless, it is for initial data loads purposes - and then shut it off as soon as possible.

Implication

Someone with access to SCAT in production could upload false or bad data into your system. Especialy when it comes to configuration. Without the other areas locked as well, someone could really mess with your tables, load users, etc.

If someone is allowed to use SCAT and wants to upload something, they could potentially upload during peak usage of the system and cause a major slowdown.

You usually don't allow anyone to do this in Production once the system is up and running. There may be a rare config occasion, but then they need to request the system to be open during a specific time frame and for how long. Most likely this is all setup during a "change control" process so that everyone knows exactly what that person is doing.

Example:

There are functions in the scat related objects, which serve the sole purpose of calling other functions once the first check has been passed at "1" (read the docu). There are also several transactions and reports (SA38 ect) which lead to CATT runs. Therefore, any person with FUGR authorizations for SCAT objects has potentially an SAP_ALL authorization on the system.

Source:

http://sapbasisnotes.blogspot.com/2007/11/scc4-and-catt-settings.html

Hope this helps.

Regards,

Varun

5 REPLIES 5

Go to solution
Former Member

‎11-09-2011 4:17 PM

0 Kudos

Hi John,

CATT = Computer Aided TESTING tool.

This is simply an on-or-off switch saying CATTs can be run or CATTs can not be run.

Ideally one should let CATTs run in DEV and sometimes in QAS but never PRD, unless, it is for initial data loads purposes - and then shut it off as soon as possible.

Implication

Someone with access to SCAT in production could upload false or bad data into your system. Especialy when it comes to configuration. Without the other areas locked as well, someone could really mess with your tables, load users, etc.

If someone is allowed to use SCAT and wants to upload something, they could potentially upload during peak usage of the system and cause a major slowdown.

You usually don't allow anyone to do this in Production once the system is up and running. There may be a rare config occasion, but then they need to request the system to be open during a specific time frame and for how long. Most likely this is all setup during a "change control" process so that everyone knows exactly what that person is doing.

Example:

There are functions in the scat related objects, which serve the sole purpose of calling other functions once the first check has been passed at "1" (read the docu). There are also several transactions and reports (SA38 ect) which lead to CATT runs. Therefore, any person with FUGR authorizations for SCAT objects has potentially an SAP_ALL authorization on the system.

Source:

http://sapbasisnotes.blogspot.com/2007/11/scc4-and-catt-settings.html

Hope this helps.

Regards,

Varun

Go to solution
Former Member

‎11-09-2011 4:38 PM

0 Kudos

Thanks and is this still the case where No Changes have been selected? I'm looking to know if this control overwrites the CATT setting or not.

Go to solution
Former Member
In response to Former Member

‎11-09-2011 4:50 PM

0 Kudos

Hi,

This should be considered as a risk but does not overwrite the client specific changes.

Having eCATT to be enabled allows anyone with SCAT access to misuse the system.

From my personal experience as a Basis Consultant, we have this option as disabled on our Production systems.

Regards,

Varun

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎11-09-2011 5:55 PM

0 Kudos 
> Having eCATT to be enabled allows anyone with SCAT access to misuse the system.

Hi Varun,

Can you please tell us how and why automating tasks is considered misuse?

Jurjen

Go to solution
Former Member
In response to Former Member

‎11-09-2011 10:25 PM

0 Kudos

IMO accidental big bang mistakes are more likely than intentionsl small misuse.

Imagine running the year end closing test cases against production instead of QAS in December already? It will be a tough call to put Humpty Dumpty together again...

Scripting tools also offer "in line" programming options. Those can be misused for sure (how ever the two obvious ones in SAP respect the SCC4 "no change" setting).

So the first setting limits eCATT, but does not prevent it.

Cheers,

Julius