I would like to give you some taste of the new features in SAP GUI for Windows 7.30 and more specifically – the security settings. We have significantly improved the usability of the security settings dialog in comparison to SAP GUI 7.20. However, the general security concept from 7.20 remains valid also in 7.30.
Let me first explain briefly how does the security module work and how does one configure it. If you are familiar with this topic, please skip directly to the What’s New section.
Why is it necessary to configure security in the SAP GUI client application in first place? Well, this is a question of how much do we trust the SAP server applications.
A typical scenario is – a company uses one or more SAP servers with a number of SAP applications. There are possibly some custom applications, maintained by the company or external consultants. Employees at end-user terminals use the SAP GUI client to connect to the servers within the company and execute their daily tasks.
In todays interconnected world there are nummerous channels for access to the server applications and this access is not always within the boundaries of the company. An ABAP application maintained by an external consultant or an external vendor interface are only two examples of many more. In conjunction with a disgruntled employee, malicious vendor or under-cover consultant this openness can become a security risk for the company.
Therefore it is imperative to protect the client terminals from any unauthorized access on part of the server side application (inside or outside of the company). This is achieved by providing the end-user with the power to allow or block any relevant action, executed on their terminal.
The following diagram depicts a server-side application requesting access to a local resource. The request is processed by the SAP GUI security module.
Every relevant access request, executed on the user terminal by the server side application passes a check in the SAP GUI security module. Based on rules, provided by the network administrator, the user or built in by SAP, the access request may be automatically authorized or denied.
If there is no suitable rule in the configuration the security module can be configured to display a confirmation popup and ask the user to grant access to the resource.
A security rule is a specification of the security module behavior when access to a resource is requested.
There are different types of resources that can be protected by the security module:
- File extensions (generalizing all files of a certain type)
- Registry keys and values
- Environment variables
- ActiveX controls
- SAP GUI command lines
- SAP shortcuts
For each of these resource types the following types of access requests can be handled:
- any combination of the above
If the request matches with the definition of a specific rule, the rule action determines the resulting behavior of the security module. It can be one of the following:
- Allow – the requested access is granted
- Ask – a confirmation popup is displayed, asking the user for a confirmation
- Deny – the access is denied and the user is notified
Additionally there is the option to define different action for different contexts, i.e. for a specific SAP System, client, transaction code, screen, etc.
For instance when protecting a file on the file system SAP GUI can be configured to show a confirmation popup for system ABC, client 000 and to grant access automatically for system ABC, client 100.
Every time an access request is evaluated the security module checks all rules in the list starting from the top. The first rule that matches the request determines the resulting action and no further rules are checked.
If no rule matches the request the behavior is determined by the default action setting:
- Allow – all requests that do not match a rule are allowed (black list approach)
- Ask – SAP GUI displays a confirmation popup to the user
- Deny – all requests that do not match a rule are denied (white list approach)
The origin shows who has created the rule:
- SAP – the rule has been created by SAP and is essential for running the SAP GUI application. These rules are not configurable.
- Administrator – the rule has been created by the network administrator or proposed by SAP and approved by the administrator
- User – the rule has been created by the end-user.
More information about the topic can be found in the SAP GUI help under Adjusting the Local Layout – Security or in the SAP GUI Security Guide.
The first change to mention is that the security settings are now displayed in a separate window, which can be resized, minimized and maximized.
This is a solution of the frequently reported problem that the security rules list was too small and too much data was compressed into it without the possibility to resize.
In order to open the Security Settings window the user needs to click on the button “Security configuration dialog”.
The main configuration page shows also statistics about the security rules because the full information is no longer visible directly.
The Security Settings dialog contains now filtering and searching capabilities. After applying a string filter only the lines that contain the text in any column remain visible in the list. The rest is hidden.
Searching is done again in all columns of the table. The focus is set automatically to the first found match. Clicking on Search again moves the focus to the next found item.
By selecting the checkboxes “Hide SAP rules” and “Hide administrator rules” the user can focus on the user rules without being distracted by a large number of static rules. These checkboxes are selected by default, because in a typical scenario the end-user is interested in seeing primarily her/his own rules.
The security confirmation popup has been changed as well. Now the popup window is clearer and simpler.
The Allow and Deny buttons are self explaining and the checkbox Remember my decision is used to create a security rule and automatically allow, resp. deny, the access request next time.
By selecting “Remember my decision” and clicking on Allow one creates a security rule that always allows requests of the same type. If “Remember my decision” is selected and Deny is clicked, a security rule is created that always denies requests of the same type and in the same context (system, client, Dynpro screen, etc.)
This information is provided for the sole purpose of gathering user feedback early in the development cycle of SAP GUI. SAP reserves the right to make any changes prior to shipping without further notice. You should not rely on this information for critical business functions.