Solved: SCAT in DEV - Critical or not?

Former Member · ‎01-17-2010

Dear All,

Just needed your opinion on the criticality of the transaction SCAT in DEV system. That is, would you regard giving SCAT transaction to a developer/Security person to do a task like Mass Role deletion to be a crtical one?

In my opinion, it would not be critical in the DEV as there are still measures like Quality Testing, which can test in the QAS if the transaction has done something wrong/unintended or same as was expected? Also, should this transction be given permanently or for a limited period (firefighter ID)?

Regards,

Hersh.

<telephone_number_removed_by_moderator>

Edited by: Julius Bussche on Jan 17, 2010 8:53 PM

Former Member · ‎01-18-2010

For mass deletion of roles, a better option would be to use the solution attached to Note 313587 - Mass deletion of activity groups.

Generally you will find better and safer solutions than CATT in SAP, but they might not all be as "fun" as eCATT ...

Cheers,

Julius

Former Member · ‎01-17-2010

It is something that I would monitor but not consider as "critical" in a typical dev environment. The same applies to LSMW or the ability to create batch input sessions.

Arguable, any CATT deployed in a test environment should be created in Dev anyway.

Former Member · ‎01-18-2010

Hi,

As you told, you wish to give CATT to your developer user on DEV system to perform mass deletion of role.

I think it is quite critical.

If your user and role master client is on DEV system and they mistakenly delete or change some role on DEV system it will be a serious problem, since you have a potential risk of missing link between your role on PRD-QA and DEV.

I think that BASIS guys should take care of CATT. If they need to delete eg.100roles, just give the role name need to be deleted to BASIS guys, and then BASIS will perform role deletion using CATT.

if you wish to give them, i think it is better on a given period only (temporary)

hope it help you.

rgds,

Alfonsus Guritno

Former Member · ‎01-18-2010

Hello Alfonsus Guritno,

In my case, DEV is not my User Master.

Regards,

Hersh.

Former Member · ‎01-18-2010

>


> I think that BASIS guys should take care of CATT. If they need to delete eg.100roles, just give the role name need to be deleted >to BASIS guys, and then BASIS will perform role deletion using CATT.

Surely in that instance you would be better giving access to CATTs to your security team? I would not let Basis touch any of my roles!

Former Member · ‎01-18-2010

For mass deletion of roles, a better option would be to use the solution attached to Note 313587 - Mass deletion of activity groups.

Generally you will find better and safer solutions than CATT in SAP, but they might not all be as "fun" as eCATT ...

Cheers,

Julius

Former Member · ‎01-18-2010

Thanks Julius,

This is surely of great help!!

Regards,

HERSH.

Former Member · ‎01-20-2010

Hi All,

Have re-opened the thread as the note 313587 mentioned by Julius is not applicable for version 4.7. Does anyone have any idea of a similar note for 4.7 version?

Regards,

Hersh.

mvoros · ‎01-20-2010

Hi,

what error did you get when you tried to activate the attached report? Because it should be working. Here is a comment


REPORT Z_DEL_AGR .
*--------------------------------------------------------------*
* Version valid from 4.5b - 7.00                               *
*--------------------------------------------------------------

I don't know why 4.7 is not listed in affected releases.

Cheers

Former Member · ‎01-20-2010

Hello Martin,

Thanks, i missed on the same. Though I have tested this program myself to work fine. However, the Client is not ok with the PDF not having the Version we use.

Regards,

Hersh.

Former Member · ‎01-20-2010

Also not sure why it is not explicitly mentioned. Perhaps Bernhard can check and correct as required.

If you do a syntax check on the report and it is fine, then you should be okay (touch wood :-). It works fine in 7.00 for sure.

Alternately, copy report PRGN_DELETE_ACTIVITY_GROUPS into your own namespace and make some additional checks and uncomment the code again. Please be carefull with this report

Cheers,

Julius

Former Member · ‎01-20-2010

Hello Julius,

This works fine for 4.7 as well, but needed a confirmation from SAP on the same. Maybe. they have corrected this in some other note - that's the info I am looking for. i have meanwhile raised an OSS for the SAP support, if I do not get any info here.

Regards,

Hersh.

Bernhard_SAP · ‎01-20-2010

Hi Hersh,

maybe there is a little misunderstanding. The validity in the note and the comment in the coding refers to the basis release. Your application release is 4.7 which runs on a 6.20 Basis, For instance an ECC6 runs on a 700 basis. Nevertheless the validity of the note has to be enhanced anyway as higher basis releases are avalable already.

b.rgds, Bernhard

Former Member · ‎01-21-2010

Hello Bernhard,

My Configuration is as follows:

SAP_BASIS 620 0064 SAPKB62064 SAP Basis Component

SAP_ABA 620 0036 SAPKA62036 Cross-Application Component

SAP_APPL 470 0018 SAPKH47018 Logistics and Accounting

The Developement team manager has come back to us saying the note has correct Basis Version but incorrect Application version, thus can't be implemented. Is it so? In that case I needed the note which can be applicable for our system.

Regards,

Hersh.

mvoros · ‎01-21-2010

Hi,

the report is independent from the application version. You are on sufficient basis version so you can implement it without any problems. If you check the older versions of this note then you will see that originally SAP released it for SAP_APPL 45A-45B and 46A-46B. Later other versions have been added. As Bernanrd mentioned the note will be extended again cause it's still valid for new releases such as 7.01 and so on.

Cheers

Former Member · ‎01-21-2010

Hello Martin,

I just see in the note I have (Note version 7), that it is from 45A to 45B, Can't really see 46A and 46B too for the Software Component SAP_APPL. Can you please suggest how to see those. Also, how is it possible to see the previous versions of the same note?

Regards,

Hersh.

mvoros · ‎01-21-2010

Hi,

you can display older versions of note on service.sap.com/notes. Just click on version. I don't know if you can display older versions in SNOTE.

Cheers

Former Member · ‎01-21-2010

> Software Component SAP_APPL.

This is SAP_BASIS stuff, and if you look in transaction SPAM you will see that you are on basis release 6.20 (see Bernhard's post).

I am not sure at which release SAP introduced role based personalization keys, but if the role is not assigned to a user then that should not be a problem either on the SAP_APPL side.

If you want to be bullet sure and your QAS system is usable, then create a mass transport to delete them and combine it with some other testing cycle (regular support packs?) to be on the safe side - regardless of the SAP report.

There are a number of things to check in advance if the roles have been created directly in PROD, custom programs have re-used generated authorizations, profile name collisions exist, etc. There are "cowboys" out there and you will not see all of them at the application layer...

To be honest, your customer might have this on their concience (hence the resistance) and you should be carefull.

Generally I run some comparisons and request a refresh of a sandbox first if I find any funny stuff. It takes a few days, but that is better than toasting a production system...

Cheers,

Julius

BTW: How many roles do you have to delete?

Former Member · ‎01-29-2010

Hi All,

Thanks for your replies, I was able to solve this after having the program mentioned in the note.

Regards,

Hersh.