Of course all of these are generalizations and every customer is different, has different requirements, rules and controls.

But it is true, there are risks and justifiable anxieties abound in every area of business and IT. Just the decision to get out of bed in the morning might be cause of anxiety. I might step on the dog and it might bite me and I might get tetanus, or in my blurry world of half asleep state I might not see that there is water on the floor in the bathroom and might slip and fall and lie in a helpless state on the bathroom floor waiting to be rescued by someone. So again, every situation has to be evaluated on its own merits.

I am a great advocate of getting all interested parties involved in the evaluation process of a given product from the get go. The notion of skunkworks implementations of solutions invariably results in tears somewhere at some time - maybe only months or years after implementation and use - so getting everyone (including IT) on the same page at the outset really is helpful.

Let's be clear though, products like those offered by Winshuttle exist for a reason. They wouldn't enjoy the success that they do, if they didn't address a very real need. Additionally, if they were as much of a vulnerability as is being intimated, we would be hearing a lot more noise on this topic from customers and their audtors. (Some do send Ninjas!)

Incidentally SUTL isn't required and isn't in fact on the list of recommended authorizations, and I want to emphasize 'recommended' - you can try without SDTX however you may have some difficulties making the RFC calls in which case you are probably limited in what transaction you can automate and how it will work. Generally the suggestion is for users to try to use the products with standard SAP security authorizations that have already been granted to them and then triage issues wi9th use from there.

Cookoid

You comment regarding 'changing the nature of authorisations' is an interesting one because as you have already pointed out and is consistent with the way the product(s) work; you cannot change any more than your SAP credentials allow you to change.

All that said, quite rightly; the idea of being able to perform mass changes on ANYTHING in your SAP system of record should not be taken lightly and due diligence should be applied in determining who should have such tools and under what circumstances they should be used. Design and testing in QA or pre-production environments is an absolute must and this discipline should be applied with the same level of enthusiasm and commitment as you would any objects that you develop for productive use even if they are LSMW or regular BDC's.

The product supports a controlled release approach if implemented in a particular way, using centralised license management and workflow controls around the scripts and data templates and workbooks. Scripts can be restricted to particular SAP instances, particular volumes of data, particular transactions, particular times of day/week/month for execution.

Additionally you have two types of licenses, author/developer licenses and runner-only licenses. This avoids you landing up in a situation where inexperienced users can create their own automation objects, in such circumstances these users would typically only be given a runner license.

Some customers don't choose to use this governance and compliance approach though and choose to buy only the authoring tools, accordingly they essentially leave the door open to the creation of potentially harmful objects.

Again exhaustive testing is always recommended. WIth over 1,000 customers globally there are plenty of ASUG member references and you should actually be able to get referrals to existing customers who can tell you how they have introduced and manage controls around the use of the products.