Creation of derive roles with secatt

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
© 2010 SAP AG 1
Using e-CATT in Security Works:
Creation of Derive roles by using
SECATT
Applies to:
SAP ERP, SAP NetWeaver Application Server ABAP. For more information, visit the Security homepage.
Summary
This article describes step by step procedure for creating Derive roles from a set of Master Roles in Mass.
Derive role creation is basically described here in almost in the same way as creation of single roles by using
SECATT. The difference is the maintaining the relationship of Inheritance with the Master roles.
Author: Dipanjan Sanpui
Company: IBM Global Business Service
Created on: 09 May 2010
Author Bio
Dipanjan Sanpui has been working in IBM Global Business Working (India) from 2007 as SAP
NetWeaver Security Consultant.

Using e-CATT in SecurityWorks: Creation of Derive roles by using SECATT
© 2010 SAP AG 2
Table of Contents
Introduction............................................................................................................................................. 3
Creation of Test Script.......................................................................................................................... 4
Creation of Test Configuration ............................................................................................................ 15
Populating the Test Script variable with Data ....................................................................................... 19
Execution of Script to Create the Derive Roles ..................................................................................... 20
Monitoring the Log of e-CATT execution.............................................................................................. 23
Review of Role Data .......................................................................................................................... 25
Related Content .................................................................................................................................... 29
eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA) ....................................................... 29
Disclaimer and Liability Notice................................................................................................................ 30

© 2010 SAP AG 3
Introduction
Creation of e-CATT script and it’s usage is now a widely known feature in automating repetitive works for
creating or modifying master data in SAP. Here is one more such example with description of steps for
creating Derive roles in mass from a set of Master roles. But we are not going to populate the Organization
level values here as the number, set and order of Organization level values varies to great extent for a new
set of Derive roles built from scratch.
As an example, I have shown the creation of Derive roles for the process area PTD (procure to demand) for
an Implementation project I am currently working on.
e-CATT involves two steps for creating the script to create the roles. They are as follows:
1. Creation of Test Script
2. Creation of Test Configuration
e-CATT stands for Extended Computer Aided Test Tool and the Transaction code is SECATT. To use e-
CATT to automate the repetitive steps of same transactions first we need to create a Test Script.
Note: Before I start describing the steps I would like to make this clear that e-CATT Scripts are not something need to be
manually coded in ABAP. Rather it can be seen as a configuration type of job. So, anyone thinks where the coding
is for this Z-scripts, can get the assurance of zero coding effort for these scripts which can be used multiple times
in multiple SAP systems.

© 2010 SAP AG 4
Creation of Test Script
Go to Transaction SECATT. Put a name of the Test script (here Z_CREATE_DERIVE_ROLE) in the field
“Test Script”, select the radio button beside it and then click create.
The create selection will take to the next screen as shown below. Here under Attribute tab you need to put
the following details:
Title of the Test Script – this is basically the Text descriptio
Component – this field holds the unique id of the application component under which the TCode in
consideration falls.

© 2010 SAP AG 5
The component need to be selected by pressing the F4 key i.e. by using the selection help. In our case, the
creation of derive tole falls under the sub component “Authorization and Role Management” which is within
the node BC-SEC (Security).
After selecting the Component, click on the button “Pattern” on the Application Toolbar in between “Stop” and
Pretty Printer.
It will pop up a new window where you need to select the following details from the drop down:

© 2010 SAP AG 6
 Group: UI Control
 Command: TCD (Record)
 Transaction: PFCG
 Interface: this field will get populated automatically after you put the transaction code and press
enter. Interface is PFCG_1
Select on the green right icon and you will get a message to confirm the data you selected. Check Yes to
continue.
Now you will be taken to the TCode PFCG to perform the desired tak you want to automate. Create a derive
role from the respective Master role. e-CATT will capture each screen and operation on it while creating role
together with the input data and instructions (role name, text, master role name, copy of authorization data
from master role, generation of role etc.) given by users. After saving the role, click on the green “Back”
arrow.
Note: Since this article is not meant for role creation process so I am keeping them apart as it is a well known parctice for
SAP Security practioners as this article is not for beginners.
You will be asked for the confirmation whether the data captured can be transferred to Test Script or not.
Select Yes and Next you will see the following screen.

© 2010 SAP AG 7
In this screen you will get the TCode and it’s interface inside of the “Editor” tab. Double click on the Interface.
Here the Interface for PFCG is PFCG_1.
Double clicking on PFCG_1 will open a spit screen just by the right side of this window frame. We need to
navigate thoruhg various screens just recorded to replace the fixed values entered during the recording with
a generic input which will serve the purpose of a variable. The process is described below:
Go to the node “DYNPRO MODE PROG DYNR” inside of “Command Interface
PFCG_1”.
Open each of the nodes within the DYNPRO menu node marked with serial numbers 1, 2, 3, etc. The node
below this level contains the values need to be replaced. Double click on the last row which contains the:
FIELD MODE NAME VALIN VALOUT
After double clicking on this level, a split screen will appear on the right hand side which shows the columns
where the input values used during recording are visible.

© 2010 SAP AG 8
The row level selected in the below picture is the section where you need to double click to get the right hand
side pane. The right side pane will show the role name used as the Derive role in the VALIN column. All
Input values will appear in the VALIN column.
Remove the role name provide durig the creatio of role while recording and replace with a genric value. Here
the Derive role name i.e. AGR_NAME_NEU in VALIN column has been relaced by DER_ROLE.

© 2010 SAP AG 9
Press eneter. A window will pop up for the confirmation if you want to Create the parameter DER_NAME.
The default parameter type will be Local. Change it to “Import” and click on Yes.
The new value for the Derive role has been defined as a variable DER_NAME.
Same steps need to be performed for all the other DYNPROs in the last row of each node as described
above.
Following Data was used during the creation of the role:
1. Parent Role Name from which the Derive was derived
2. Derive Role Name
3. Derive Role Text
4. Transaction Codes in Role Menu adopted in the Derive role from the Parent role’s menu
Please see some of them below.

© 2010 SAP AG 10
Notes: Please remember to change the parameter type from Local to Import whenever prompted (after chaging a
recorded value with a variable and then presseing eneter).

© 2010 SAP AG 11
Note: Do remember to erase any previously filled values while recording your steps otherwise they will appear in the
VALOUT column and you won’t be able to give them variable names)*This is done by opening the Dynpro menu
and double click on the last row that contains Field, Mode, Name etc. columns. We need to enter variable names
in place of those values which we have entered manually.

© 2010 SAP AG 12
Please note that after changing each of these values and parameterizing these values the icon beside the
respective row as well as at DYNPRO line are changed.

© 2010 SAP AG 13
Note: The column called “Parameter” represents the Column heading of the input file where you need to put the
corresponding entries under it as described later in this article. The header YZ is representing any TCodes going
to be added in the derive role menu from the parent role during the adoption of the same.
After changing all manual input and defining the variable you need to save. Save it as Local Object.
Note: If you want to Transport the Test Script and use in other system, then you can assign it to a Development class
instead of Local Object.

© 2010 SAP AG 14
The Test Script is saved with a confirmation message at the bottom.
Go back.
After creating the Test Script, we need to create the “Test Configuration”.

© 2010 SAP AG 15
Creation of Test Configuration
In the screen of SECATT transaction, select the Test Configuration button and put a name (here
Z_CREATE_DERIVE_ROLE) and click on Create icon.
The next screen appears is the General Data tab inside Attribute.
Provide a Text description and the Compoenent name as shown in the above picture.

© 2010 SAP AG 16
Note: If you select only BC-SEC then it would be more general if you are not sure of the granularity of this.
Then go to configuration tab. Here you need to put the name of the Test Scrpt created in the previuos
section.
After assigning the Test Script name, click on the download icon on the Application toolbar.
You will prompted to save the file in a destination at your Local PC. The default directory will be the
SapWorkDir (as shown in the above picture as the pop up screen). File extention is and has to be “*.txt”.
Save the file in the location as per your choice (if you want to select a different path).

© 2010 SAP AG 17
As you click the save button, a system message appears to confirm the Reference to Test Data resolution.
Choose yes and continue.
At bottom, the message shows the successful download of the variant.
To check the variant downloaded, go to the Variant tab. Here you will be able to see the variant you
downloaded with the Input columns which are need to populated during the execution of the script for
creating data.
The external path is also evident here which states from where system reads the filled up file to execute the
operation.

© 2010 SAP AG 18
The default Mode is Internal variable. To use the upload function from your local pc with the manually
maintained data in the file which will be used to create the data, you need to change the mode from
Internal Variable to External Variable. Put the file name in the File field.
Save it. The message for successful completion of appears at bottom.

© 2010 SAP AG 19
Go Back.
Populating the Test Script variable with Data
After Creation of Test Script and configuring it for using from local pc, we need to populate the data in the
downloaded file saved in the local PC.
Go to the directory where you saved the file. Open the file with spreadsheet solution (MS Excel).
Here you can see the columns where you can then populate the data. In this example, we have the following
columns to populate:
XY, YZ, PARENT_ROLE, DERIVE_ROLE_TEXT, DER_ROLE.
The fields XY and YZ are represnting two Organization level fields here.

© 2010 SAP AG 20
Note: I would suggest not to assign or maintain the organization Levels during this process as the number, type of
Organization Levels may vary in different roles to great extent. So, populating the Org. level fields while creating
the Derive roles can create erronious entries.
Save the file after putting all data in the orginial extention (.txt).
Execution of Script to Create the Derive Roles
Go to transaction SECATT  Select the Test Configuration with the name of the Test configuration 
Execute
You will be prompted to select the Error behavior and Debugging mode. Also you can choose whether you
want to keep a log for the execution to review the errors and their details.

© 2010 SAP AG 21
Inside of the Variants tab, you will be able to see the link to the file you are going to use the Input.
Within the UI (user interface) Control tab you need to select Start mode, SAP GUI behavior, Processing
mode, Error mode for SAP GUI.

© 2010 SAP AG 22
The Start mode should be “N Background Processing”.
You can select the option “Save Screenshots” to collect the screen shots of errors In case of error to analyze
it with more detail view.
The screenshot view path is also available to manage.
Breakpoint is another tab where you can put a script and select if you want it to be Inactive (for a particular
version) if you have a more updated version with the same file name.

© 2010 SAP AG 23
Monitoring the Log of e-CATT execution
After execution is completed, the log screen appears with the type errors.
In the below screen we can see the errors with the Role name length issue. If you select the option for Error
behavior to continue with processing even if any error occurs, then you will be able to see the error details
after a complete execution of the script.
Clicking on the Test Configuration will take you to the Test configuration screen where you can check if you
have enetered correct version or name of test script in the Test Configuration or not.

© 2010 SAP AG 24
Without expantion, you can see the high level view of the errors from the color legend.
Go back after the error analysis.

© 2010 SAP AG 25
Review of Role Data
From the AGR tables, you can verify the newly created roles and their input data.
1. AGR_DEFINE: You can see the high level overview of the role, text, number of roles created.
May download for better analysis with the Input data in excel format.

© 2010 SAP AG 26
2. AGR_PROF: Successful generation of profiles for each derive role.
Other tables you may want to verify are as follows:
3. AGR_1251
4. AGR_1252
If you want to check the log at later time, you can do it in the following way:
Go to SECATT transaction  click on “Goto”  Logs

© 2010 SAP AG 27
Put the time frame, user id (executed the script) and execute.
Select the relevant log you want to analyze again. (Clicking on the Log “Activity No.” will directly open up
the log).
If you want to download it in you pc, first you go to the print preview and then download it.

© 2010 SAP AG 29
Related Content
https://www.sdn.sap.com/irj/sdn/ecatt
eCATT: extended Computer Aided Test Tool (BC-TWB-TST-ECA)
eCATT (wiki link).
For more information, visit the Security homepage

© 2010 SAP AG 30
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not
supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAPw ill not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document,
and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any typew ith respect to the content of this technical article or
code sample, including any liability resulting from incompatibility betw een the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable w ith respect to the content of this
document.

Creation of derive roles with secatt

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Creation of derive roles with secatt

Similar to Creation of derive roles with secatt (20)

Recently uploaded

Recently uploaded (20)

Creation of derive roles with secatt