Security for the Use of SAP GUI Scripting

Use

eCATT and SAP GUI Scripting

One of the features of eCATT is its capability to record and replay the activity of controls in the SAP GUI, which is necessary to execute the SAPGUI, GETGUI and CHEGUI commands. This function is based on the SAP GUI Scripting extension within SAP GUI Version 6.20 and higher.

SAP is, of course, aware that scripting can be abused, and has therefore taken care to ensure that scripts cannot be executed unless the system administrator has explicitly opened the necessary channels.

Security Features in SAP GUI Scripting

SAP GUI Scripting contains the following security mechanisms:

  • On the server:

    • Profile parameters whose setting determines whether SAP GUI Scripting should be allowed on the current application server

  • On the client:

    • Options in the SAP GUI setup program that make it possible to install SAP GUI without the scripting components

    • Registry keys that allow scripting to be disabled on the client.

Enabling and Disabling SAP GUI Scripting on the Server

SAP GUI Scripting can be switched on and off for a particular application server (or for dedicated users, see note 983990) using the profile parameter sapgui/user_scripting. By default, scripting is not enabled. To enable scripting, set the value of this profile parameter to TRUE. You do not have to restart the server, but you must log off and back on again, since the change does not affect sessions that are currently running. This setting overrides any client settings.

Additional Profile Parameters in Release 6.40 and higher

As well as sapgui/user_scripting, you can use the following profile parameters for more refined access control in Release 6.40. They are also included in Release 6.20 from support package 37, and in Release 4.6C from support package 47. SAPGUI Release 6.20 patch level 42 or higher is also required.

Profile Parameter: Description

  • sapgui/user_scripting_disable_recording: If this parameter is set to TRUE, script playback is possible, but recording is not permitted.

  • sapgui/user_scripting_force_notification: If this parameter is set to TRUE, a notification is always displayed at the frontend, regardless of the client options described below under 'Warning Options on Client Side'.

  • sapgui/user_scripting_set_readonly: If this parameter is set to TRUE, scripts may only act on read-only user interface elements.
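
The following audit of the server-side parameters described above is an added example, not SAP code. It assumes the profile is available as text in "name = value" form with comment lines starting with #, and it treats an unset parameter as FALSE (the page states this default only for sapgui/user_scripting); the sample profile is constructed.

```python
# Added example (not SAP code): audit SAP GUI Scripting parameters in profile text.
SCRIPTING = "sapgui/user_scripting"
# Refinement parameters named on this page, with what to review when not TRUE.
REFINEMENTS = {
    "sapgui/user_scripting_disable_recording": "script recording is permitted",
    "sapgui/user_scripting_force_notification": "notification depends on client options",
    "sapgui/user_scripting_set_readonly": "scripts are not limited to read-only elements",
}

def parse_profile(text):
    """Parse 'name = value' lines; skip blanks and '#' comments. Last entry wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def is_true(params, name):
    # Assumption: a parameter that is not set counts as FALSE.
    return params.get(name, "FALSE").upper() == "TRUE"

def audit(text):
    """Return review findings; an empty list means scripting is not enabled."""
    params = parse_profile(text)
    if not is_true(params, SCRIPTING):
        return []
    findings = [f"{SCRIPTING} is TRUE: scripting is enabled on this application server"]
    for name, review in REFINEMENTS.items():
        if not is_true(params, name):
            findings.append(f"{name} is not TRUE: {review}")
    return findings

# Constructed sample profile for illustration only.
SAMPLE = """\
# constructed sample
sapgui/user_scripting = TRUE
sapgui/user_scripting_force_notification = TRUE
rdisp/wp_no_dia = 10
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The profile text shows the configured value only; because the change takes effect without a server restart, confirm the running value on the application server as well.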

Installation of Client Components

As well as the server setting, SAP GUI Scripting requires certain components to be installed on the front end. System administrators can prevent the components from being installed by creating installation packages that do not contain the SAP GUI Scripting elements.

If users are allowed to configure their own SAP GUI installation using the front end setup platform, they can choose not to install the scripting components.

Warning Options on Client Side

Current User

If SAP GUI Scripting is enabled (in SAP GUI via Options > Accessibility & Scripting > Scripting), the Settings dialog box of the SAP GUI contains the following options for SAP GUI Scripting:

  • Enable scripting: The user can enable and disable scripting for their own use

  • Notify when a script attaches to a running GUI: A message appears whenever a script attaches to the SAP GUI

  • Notify when a script opens a connection: A message appears whenever a script opens a new GUI connection.

These options set Registry keys under HKCU\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting.

If you are using scripting for the SAPGUI command in eCATT, we recommend that you leave the Notify when a script opens a connection option selected, since eCATT itself never opens a new connection.

Local Machine (All Users)

Users with administrator rights on a particular PC can enable and disable scripting using the Registry key HKLM\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. This can have the values 0 (disabled) or 1 (enabled). The default setting is enabled.

VB Script and Windows Scripting Host

eCATT SAP GUI Scripting does not use VB Script and hence does not require Windows Scripting Host. Not having WSH installed reduces the risk of virus attacks using scripts.

Logon Screens

The eCATT SAPGUI command never records logon screens. Instead, it creates RFC destinations pointing to the system in question. You are free to adjust these destinations later to allow an unattended logon.

SAP GUI Scripting in Remote Systems - Which Settings Apply?

When you are running eCATT from a central test system, you will often need to record SAPGUI commands in remote systems. In order for this to work, scripting must be enabled in both the eCATT system and the target system.