Before You Start
eCATT is built on SAP NetWeaver Application Server ABAP. In eCATT scenarios, several systems are usually involved:
● The eCATT script is located in a Test Content System. The eCATT code is also interpreted in this system.
● The application itself is tested in one or more Systems Under Test.
Therefore, the corresponding Security Guides also apply to eCATT. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.
Fundamental Security Guides
Scenario, Application or Component | Security Guide
For a complete list of the available SAP Security Guides, see the SAP Service Marketplace at service.sap.com/securityguide.
The most important SAP Notes that apply to the security of eCATT are shown in the table below.
SAP Note | Title | Comment
496286 | Security concept extended for CATT and eCATT | Valid only for releases older than 6.20 SP 40 / 6.40 SP 03
728979 | Missing security checks in eCATT function modules | Valid only for releases older than 6.20 SP 01
In each system that is involved (that is, every client in which you want to run CATT procedures or eCATT test scripts, as well as every test server), you must explicitly allow this in the client settings.
1. Start transaction SCC4.
You will see a list of all the clients that have been set up in the system.
2. Choose Maintain, and acknowledge the warning that the table is cross-client.
3. Double-click the client for which you want to allow CATT or eCATT.
Depending on the release in which you are working, you will see one of two screens.
● In older releases, in the Restrictions group box, select the check box Allows CATT processes to be started.
● In newer releases, in the group box Restrictions when Starting CATT and eCATT, select one of the following entries:
○ eCATT and CATT Not Allowed
○ eCATT and CATT Allowed
○ eCATT and CATT Allowed for 'Trusted RFC' Only
○ eCATT Allowed; FUN/ABAP and CATT Not Allowed
○ eCATT Allowed; FUN/ABAP and CATT for 'Trusted RFC' Only
Since one of the main principles of eCATT is to run all test cases from a central test system, RFC communication is required to connect to the target systems. It is possible to restrict this RFC communication to trusted RFC, which removes the need to store passwords in RFC destinations and to transmit them over the network.
The FUN and ABAP commands in eCATT pose a security problem, since the eCATT environment allows them to bypass normal security mechanisms. With FUN, you can execute function modules remotely, even if they are not designated as remote-enabled in their attributes. The ABAP command allows you to write and execute ABAP coding with only the authorization to create eCATT scripts (and not the full authorization for creating ABAP programs). Consequently, you can disable these features, or restrict them so that they run only within a trusted RFC relationship.
Since eCATT tests frequently make database changes, it is not advisable to allow them to run in production clients.
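The SCC4 setting described above is stored per client in the cross-client table T000, so it can be audited for a whole system in one pass. The following report is an added example, not part of the SAP guide: it lists the CATT/eCATT restriction of every client and flags production clients (CCCATEGORY = 'P') in which any form of CATT or eCATT execution is still allowed. The mapping of T000-CCCATT values to the SCC4 radio buttons is an assumption and should be checked against the fixed values of domain CCCATT in SE11 before the report is relied on.

```abap
*&---------------------------------------------------------------------*
*& Report  Z_ECATT_CLIENT_AUDIT  (added example, not SAP standard code)
*& Lists the CATT/eCATT restriction of every client and flags
*& production clients in which test execution is still allowed.
*&---------------------------------------------------------------------*
REPORT z_ecatt_client_audit.

TYPES: BEGIN OF ty_client,
         mandt      TYPE t000-mandt,
         mtext      TYPE t000-mtext,
         cccategory TYPE t000-cccategory,   " client role, 'P' = production
         cccatt     TYPE t000-cccatt,       " SCC4 CATT/eCATT restriction
       END OF ty_client.

DATA: lt_clients TYPE STANDARD TABLE OF ty_client,
      ls_client  TYPE ty_client,
      lv_meaning TYPE c LENGTH 60,
      lv_flag    TYPE c LENGTH 60,
      lv_findings TYPE i.

" T000 is cross-client, so a single SELECT covers every client of the system
SELECT mandt mtext cccategory cccatt
  FROM t000
  INTO CORRESPONDING FIELDS OF TABLE lt_clients
  ORDER BY mandt.

LOOP AT lt_clients INTO ls_client.
  " Assumed mapping of T000-CCCATT to the SCC4 entries (verify in SE11)
  CASE ls_client-cccatt.
    WHEN space.  lv_meaning = 'eCATT and CATT not allowed'.
    WHEN 'X'.    lv_meaning = 'eCATT and CATT allowed'.
    WHEN 'T'.    lv_meaning = 'eCATT and CATT allowed for trusted RFC only'.
    WHEN 'E'.    lv_meaning = 'eCATT allowed; FUN/ABAP and CATT not allowed'.
    WHEN 'F'.    lv_meaning = 'eCATT allowed; FUN/ABAP and CATT trusted RFC only'.
    WHEN OTHERS. lv_meaning = 'unknown value - check domain CCCATT'.
  ENDCASE.

  " Anything other than "not allowed" in a production client is a finding
  CLEAR lv_flag.
  IF ls_client-cccategory = 'P' AND ls_client-cccatt <> space.
    lv_flag = 'REVIEW: test execution allowed in production client'.
    lv_findings = lv_findings + 1.
  ENDIF.

  WRITE: / ls_client-mandt, ls_client-cccategory, ls_client-mtext,
           lv_meaning, lv_flag.
ENDLOOP.

SKIP.
WRITE: / 'Production clients with CATT/eCATT allowed:', lv_findings.
```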
For more information about specific topics, see the addresses on the SAP Service Marketplace as shown in the table below.
Content | SAP Service Marketplace Address
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/securityguide
SAP Solution Manager | service.sap.com/solutionmanager