Skip to Content

Dear blog followers,

I would like to give you some taste of the new features in SAP GUI for Windows 7.30 and more specifically – the security settings. We have significantly improved the usability of the security settings dialog in comparison to SAP GUI 7.20. However, the general security concept from 7.20 remains valid also in 7.30.

Let me first explain briefly how does the security module work and how does one configure it. If you are familiar with this topic, please skip directly to the What’s New section.

Security Module Basics

Motivation

Why is it necessary to configure security in the SAP GUI client application in first place? Well, this is a question of how much do we trust the SAP server applications.

A typical scenario is – a company uses one or more SAP servers with a number of SAP applications. There are possibly some custom applications, maintained by the company or external consultants. Employees at end-user terminals use the SAP GUI client to connect to the servers within the company and execute their daily tasks.

In todays interconnected world there are nummerous channels for access to the server applications and this access is not always within the boundaries of the company. An ABAP application maintained by an external consultant or an external vendor interface are only two examples of many more. In conjunction with a disgruntled employee, malicious vendor or under-cover consultant this openness can become a security risk for the company.

Compromised backend server

Therefore it is imperative to protect the client terminals from any unauthorized access on part of the server side application (inside or outside of the company). This is achieved by providing the end-user with the power to allow or block any relevant action, executed on their terminal.

Security Module Nuts and Bolts

The following diagram depicts a server-side application requesting access to a local resource. The request is processed by the SAP GUI security module.

Resource access request

Every relevant access request, executed on the user terminal by the server side application passes a check in the SAP GUI security module. Based on rules, provided by the network administrator, the user or built in by SAP, the access request may be automatically authorized or denied.

If there is no suitable rule in the configuration the security module can be configured to display a confirmation popup and ask the user to grant access to the resource.

A security rule is a specification of the security module behavior when access to a resource is requested.
There are different types of resources that can be protected by the security module:

  • Files
  • File extensions (generalizing all files of a certain type)
  • Directories
  • Registry keys and values
  • Environment variables
  • ActiveX controls
  • SAP GUI command lines
  • SAP shortcuts

Rule types

For each of these resource types the following types of access requests can be handled:

  • Read
  • Write
  • Execute
  • any combination of the above

If the request matches with the definition of a specific rule, the rule action determines the resulting behavior of the security module. It can be one of the following:

  • Allow – the requested access is granted
  • Ask – a confirmation popup is displayed, asking the user for a confirmation
  • Deny – the access is denied and the user is notified

Rule action

Additionally there is the option to define different action for different contexts, i.e. for a specific SAP System, client, transaction code, screen, etc.
For instance when protecting a file on the file system SAP GUI can be configured to show a confirmation popup for system ABC, client 000 and to grant access automatically for system ABC, client 100.

Rule contexts

Every time an access request is evaluated the security module checks all rules in the list starting from the top. The first rule that matches the request determines the resulting action and no further rules are checked.
If no rule matches the request the behavior is determined by the default action setting:

  • Allow – all requests that do not match a rule are allowed (black list approach)
  • Ask – SAP GUI displays a confirmation popup to the user
  • Deny – all requests that do not match a rule are denied (white list approach)

Default action

The origin shows who has created the rule:

  • SAP – the rule has been created by SAP and is essential for running the SAP GUI application. These rules are not configurable.
  • Administrator – the rule has been created by the network administrator or proposed by SAP and approved by the administrator
  • User – the rule has been created by the end-user.

Further Reading

More information about the topic can be found in the SAP GUI help under Adjusting the Local LayoutSecurity or in the SAP GUI Security Guide.

What’s New in 7.30

The first change to mention is that the security settings are now displayed in a separate window, which can be resized, minimized and maximized.
This is a solution of the frequently reported problem that the security rules list was too small and too much data was compressed into it without the possibility to resize.

In order to open the Security Settings window the user needs to click on the button “Security configuration dialog”.

Security settings main

The main configuration page shows also statistics about the security rules because the full information is no longer visible directly.

The Security Settings dialog contains now filtering and searching capabilities. After applying a string filter only the lines that contain the text in any column remain visible in the list. The rest is hidden.
Searching is done again in all columns of the table. The focus is set automatically to the first found match. Clicking on Search again moves the focus to the next found item.

Resizable dialog

By selecting the checkboxes “Hide SAP rules” and “Hide administrator rules” the user can focus on the user rules without being distracted by a large number of static rules. These checkboxes are selected by default, because in a typical scenario the end-user is interested in seeing primarily her/his own rules.

The security confirmation popup has been changed as well. Now the popup window is clearer and simpler.

Security confirmation popup

The Allow and Deny buttons are self explaining and the checkbox Remember my decision is used to create a security rule and automatically allow, resp. deny, the access request next time.
By selecting “Remember my decision” and clicking on Allow one creates a security rule that always allows requests of the same type. If “Remember my decision” is selected and Deny is clicked, a security rule is created that always denies requests of the same type and in the same context (system, client, Dynpro screen, etc.)

Disclaimer

This information is provided for the sole purpose of gathering user feedback early in the development cycle of SAP GUI. SAP reserves the right to make any changes prior to shipping without further notice. You should not rely on this information for critical business functions.

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Daniel Mead

    Where can you modify security defaults on the Installation Server?  We want to deploy with the Security Setting not set to ASK.

    (0) 
    1. Andreas Rueger

      Hello,

      predefining settings can be done using the event triggered scripting that is available for packages on an installation server. Consequently, you would have to perform these steps in order to predefine the mentioned setting during the installation or update of SAP GUI:

      1.) Define a package on your installation server if you haven’t already done so.

      2.) Add one of the following scripting examples to the events “On Installation End” and “On Update End” depending on what setting you want:

      For “Allow”:

      NwEngine.Shell.SetRegValue “HKLM\Software\SAP\SAPGUI Front\SAP Frontend Server\Security\DefaultAction”, “REG_DWORD”, “0”

      For “Ask”:

      NwEngine.Shell.SetRegValue “HKLM\Software\SAP\SAPGUI Front\SAP Frontend Server\Security\DefaultAction”, “REG_DWORD”, “1”

      For “Deny”:

      NwEngine.Shell.SetRegValue “HKLM\Software\SAP\SAPGUI Front\SAP Frontend Server\Security\DefaultAction”, “REG_DWORD”, “2”

      (0) 

Leave a Reply