
Other Security-Relevant Information

eCATT and GUI Scripting

One of the features of eCATT is its capability to record and replay the activity of controls in the SAP GUI. This function is based on the GUI Scripting extension within SAP GUI Version 6.20 and higher.

SAP is, of course, aware that scripting can be abused, and has therefore taken care to ensure that scripts cannot be executed unless the system administrator has explicitly opened the necessary channels.

Security Features in GUI Scripting

GUI Scripting contains the following security mechanisms:

      On the server:

       Profile parameters whose setting determines whether GUI Scripting should be allowed on the current application server

      On the client:

       Options in the SAP GUI setup program that make it possible to install SAP GUI without the scripting components

       Registry keys that allow scripting to be disabled on the client.

Enabling and Disabling GUI Scripting

GUI Scripting can be switched on and off for a particular application server (or for dedicated users, see note 983990) using the profile parameter sapgui/user_scripting. By default, scripting is not enabled. To enable scripting, set the value of this profile parameter to TRUE. You do not have to restart the server, but you must log off and back on again, since the change does not affect sessions that are currently running. This setting overrides any client settings.

Additional Profile Parameters in Release 6.40 and higher

As well as sapgui/user_scripting, you can use the following profile parameters for more refined access control in Release 6.40. They are also included in Release 6.20 from support package 37, and in Release 4.6C from support package 47. SAPGUI Release 6.20 patch level 42 or higher is also required.

| Profile Parameter | Description |
| --- | --- |
| sapgui/user_scripting_disable_recording | If this parameter is set to TRUE, script playback is possible, but recording is not permitted. |
| sapgui/user_scripting_force_notification | If this parameter is set to TRUE, a notification is always displayed at the frontend, regardless of the client options described in section 5.2.4. |
| sapgui/user_scripting_set_readonly | If this parameter is set to TRUE, scripts may only act on read-only user interface elements. |
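The following is an added example, not SAP code: a small audit that reads the text of a profile file and reports the effective server-side GUI Scripting posture from the four parameters described above. It assumes `name = value` lines with `#` comments, that the last occurrence of a parameter wins, and that an unset parameter behaves as FALSE; the function names and the sample profile are constructed for illustration.

```python
# Added example: audit the GUI Scripting parameters in SAP profile text.
# Assumptions: "name = value" lines, "#" starts a comment, the last
# occurrence of a parameter wins, and unset parameters default to FALSE.
PARAMS = (
    "sapgui/user_scripting",
    "sapgui/user_scripting_disable_recording",
    "sapgui/user_scripting_force_notification",
    "sapgui/user_scripting_set_readonly",
)

def parse_profile(text):
    """Return {param: bool} for the four GUI Scripting parameters."""
    settings = dict.fromkeys(PARAMS, False)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in settings:
            settings[name] = value.upper() == "TRUE"
    return settings

def audit_gui_scripting(text):
    """Return (settings, findings) describing the server-side posture."""
    s = parse_profile(text)
    findings = []
    if not s["sapgui/user_scripting"]:
        return s, findings   # scripting is off on this server
    findings.append("scripting enabled on this application server")
    if not s["sapgui/user_scripting_disable_recording"]:
        findings.append("recording permitted")
    if not s["sapgui/user_scripting_force_notification"]:
        findings.append("notification left to client options")
    if not s["sapgui/user_scripting_set_readonly"]:
        findings.append("scripts may act on editable UI elements")
    return s, findings

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed)
rdisp/wp_no_dia = 10
sapgui/user_scripting = TRUE
sapgui/user_scripting_force_notification = true   # always warn
sapgui/user_scripting_set_readonly = FALSE
"""

if __name__ == "__main__":
    for finding in audit_gui_scripting(SAMPLE_PROFILE)[1]:
        print("FINDING:", finding)
```

Because sapgui/user_scripting can be changed without a server restart, the value in the profile file may differ from the value currently active on the server.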

Installation of Client Components

As well as the server setting, GUI Scripting requires certain components to be installed on the front end. System administrators can prevent the components from being installed by creating installation packages that do not contain the GUI Scripting elements.

If users are allowed to configure their own SAP GUI installation using the front end setup platform, they can choose not to install the scripting components.

Warning Options

Current User

If GUI Scripting is enabled, the Settings dialog box of the SAP GUI contains the following options for GUI Scripting:

      Enable scripting: The user can enable and disable scripting for their own use

      Notify when a script attaches to a running GUI: A message appears whenever a script attaches to the SAP GUI

      Notify when a script opens a connection: A message appears whenever a script opens a new GUI connection.

These options set Registry keys under HKCU\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting.

If you are using scripting for the SAPGUI command in eCATT, we recommend that you leave the Notify when a script opens a connection option selected, since eCATT itself never opens a new connection.

Local Machine (All Users)

Users with administrator rights on a particular PC can enable and disable scripting using the Registry key HKLM\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\UserScripting. This can have the values 0 (disabled) or 1 (enabled). The default setting is enabled.

VB Script and Windows Scripting Host

eCATT GUI Scripting does not use VB Script and hence does not require Windows Scripting Host. Not having WSH installed reduces the risk of virus attacks using scripts.

Logon Screens

The eCATT SAPGUI command never records logon screens. Instead, it creates RFC destinations pointing to the system in question. You are free to adjust these destinations later to allow an unattended logon.

GUI Scripting in Remote Systems – Which Settings Apply?

When you are running eCATT from a central test system, you will often need to record SAPGUI commands in remote systems. In order for this to work, scripting must be enabled in both the eCATT system and the target system.

 
