This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
SAP ERP, SAP NetWeaver Application Server ABAP. For more information, visit the Security homepage.
Summary
This article describes step by step procedure for creating Derive roles from a set of Master Roles in Mass.
Derive role creation is basically described here in almost in the same way as creation of single roles by using SECATT. The difference is the maintaining the relationship of Inheritance with the Master roles.
Author: Dipanjan Sanpui
Company: IBM Global Business Service
Created on: 09 May 2010
Author Bio
Dipanjan Sanpui has been working in IBM Global Business Working (India) from 2007 as SAP NetWeaver Security Consultant.
Creation of Test Script.......................................................................................................................... 4
Creation of Test Configuration ............................................................................................................ 15
Populating the Test Script variable with Data ....................................................................................... 19
Execution of Script to Create the Derive Roles ..................................................................................... 20
Monitoring the Log of e-CATT execution.............................................................................................. 23
Review of Role Data .......................................................................................................................... 25
Related Content .................................................................................................................................... 29
eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA) ....................................................... 29
Disclaimer and Liability Notice................................................................................................................ 30
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Creation of e-CATT script and it’s usage is now a widely known feature in automating repetitive works for creating or modifying master data in SAP. Here is one more such example with description of steps for
creating Derive roles in mass from a set of Master roles. But we are not going to populate the Organization level values here as the number, set and order of Organization level values varies to great extent for a new set of Derive roles built from scratch.
As an example, I have shown the creation of Derive roles for the process area PTD (procure to demand) for an Implementation project I am currently working on.
e-CATT involves two steps for creating the script to create the roles. They are as follows:
1. Creation of Test Script
2. Creation of Test Configuration
e-CATT stands for Extended Computer Aided Test Tool and the Transaction code is SECATT. To use e-
CATT to automate the repetitive steps of same transactions first we need to create a Test Script.
Note: Before I start describing the steps I would like to make this clear that e-CATT Scripts are not something need to be manually coded in ABAP. Rather it can be seen as a configuration type of job. So, anyone thinks where the coding is for this Z-scripts, can get the assurance of zero coding effort for these scripts which can be used multiple times
in multiple SAP systems.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
The component need to be selected by pressing the F4 key i.e. by using the selection help. In our case, the creation of derive tole falls under the sub component “Authorization and Role Management” which is within the node BC-SEC (Security).
After selecting the Component, click on the button “Pattern” on the Application Toolbar in between “Stop” and Pretty Printer.
It will pop up a new window where you need to select the following details from the drop down:
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Interface: this field will get populated automatically after you put the transaction code and press
enter. Interface is PFCG_1
Select on the green right icon and you will get a message to confirm the data you selected. Check Yes to continue.
Now you will be taken to the TCode PFCG to perform the desired tak you want to automate. Create a derive role from the respective Master role. e-CATT will capture each screen and operation on it while creating role together with the input data and instructions (role name, text, master role name, copy of authorization data
from master role, generation of role etc.) given by users. After saving the role, click on the green “Back” arrow.
Note: Since this article is not meant for role creation process so I am keeping them apart as it is a well known parctice for SAP Security practioners as this article is not for beginners.
You will be asked for the confirmation whether the data captured can be transferred to Test Script or not.
Select Yes and Next you will see the following screen.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
In this screen you will get the TCode and it’s interface inside of the “Editor” tab. Double click on the Interface. Here the Interface for PFCG is PFCG_1.
Double clicking on PFCG_1 will open a spit screen just by the right side of this window frame. We need to
navigate thoruhg various screens just recorded to replace the fixed values entered during the recording with a generic input which will serve the purpose of a variable. The process is described below:
Go to the node “DYNPRO MODE PROG DYNR” inside of “Command Interface
PFCG_1”.
Open each of the nodes within the DYNPRO menu node marked with serial numbers 1, 2, 3, etc. The node below this level contains the values need to be replaced. Double click on the last row which contains the:
FIELD MODE NAME VALIN VALOUT
After double clicking on this level, a split screen will appear on the right hand side which shows the columns where the input values used during recording are visible.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
The row level selected in the below picture is the section where you need to double click to get the right hand side pane. The right side pane will show the role name used as the Derive role in the VALIN column. All Input values will appear in the VALIN column.
Remove the role name provide durig the creatio of role while recording and replace with a genric value. Here the Derive role name i.e. AGR_NAME_NEU in VALIN column has been relaced by DER_ROLE.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Press eneter. A window will pop up for the confirmation if you want to Create the parameter DER_NAME. The default parameter type will be Local. Change it to “Import” and click on Yes.
The new value for the Derive role has been defined as a variable DER_NAME.
Same steps need to be performed for all the other DYNPROs in the last row of each node as described above.
Following Data was used during the creation of the role:
1. Parent Role Name from which the Derive was derived
2. Derive Role Name
3. Derive Role Text
4. Transaction Codes in Role Menu adopted in the Derive role from the Parent role’s menu
Please see some of them below.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Notes: Please remember to change the parameter type from Local to Import whenever prompted (after chaging a recorded value with a variable and then presseing eneter).
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Note: Do remember to erase any previously filled values while recording your steps otherwise they will appear in the VALOUT column and you won’t be able to give them variable names)*This is done by opening the Dynpro menu and double click on the last row that contains Field, Mode, Name etc. columns. We need to enter variable names in place of those values which we have entered manually.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Please note that after changing each of these values and parameterizing these values the icon beside the respective row as well as at DYNPRO line are changed.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Note: The column called “Parameter” represents the Column heading of the input file where you need to put the corresponding entries under it as described later in this article. The header YZ is representing any TCodes going
to be added in the derive role menu from the parent role during the adoption of the same.
After changing all manual input and defining the variable you need to save. Save it as Local Object.
Note: If you want to Transport the Test Script and use in other system, then you can assign it to a Development class instead of Local Object.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Note: If you select only BC-SEC then it would be more general if you are not sure of the granularity of this.
Then go to configuration tab. Here you need to put the name of the Test Scrpt created in the previuos section.
After assigning the Test Script name, click on the download icon on the Application toolbar.
You will prompted to save the file in a destination at your Local PC. The default directory will be the SapWorkDir (as shown in the above picture as the pop up screen). File extention is and has to be “*.txt”.
Save the file in the location as per your choice (if you want to select a different path).
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
As you click the save button, a system message appears to confirm the Reference to Test Data resolution. Choose yes and continue.
At bottom, the message shows the successful download of the variant.
To check the variant downloaded, go to the Variant tab. Here you will be able to see the variant you downloaded with the Input columns which are need to populated during the execution of the script for
creating data.
The external path is also evident here which states from where system reads the filled up file to execute the operation.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
The default Mode is Internal variable. To use the upload function from your local pc with the manually maintained data in the file which will be used to create the data, you need to change the mode from Internal Variable to External Variable. Put the file name in the File field.
Save it. The message for successful completion of appears at bottom.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
Note: I would suggest not to assign or maintain the organization Levels during this process as the number, type of Organization Levels may vary in different roles to great extent. So, populating the Org. level fields while creating
the Derive roles can create erronious entries.
Save the file after putting all data in the orginial extention (.txt).
Execution of Script to Create the Derive Roles
Go to transaction SECATT Select the Test Configuration with the name of the Test configuration
Execute
You will be prompted to select the Error behavior and Debugging mode. Also you can choose whether you want to keep a log for the execution to review the errors and their details.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
The Start mode should be “N Background Processing”.
You can select the option “Save Screenshots” to collect the screen shots of errors In case of error to analyze it with more detail view.
The screenshot view path is also available to manage.
Breakpoint is another tab where you can put a script and select if you want it to be Inactive (for a particular version) i f you have a more updated version with the same file name.
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
After execution is completed, the log screen appears with the type errors. In the below screen we can see the errors with the Role name length issue. If you select the option for Error
behavior to continue with processing even if any error occurs, then you will be able to see the error details after a complete execution of the script.
Clicking on the Test Configuration will take you to the Test configuration screen where you can check if you
have enetered correct version or name of test script in the Test Configuration or not .
Using e-CATT in Security Works: Creation of Derive roles by using SECATT
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
This document may discuss sample coding or other information that does not include SAP off icial interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP w ill not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type w ith respect to the content of this technical article or code sample, including any liability resulting from incompatibility betw een the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable w ith respect to the content of this document.