SAPGUI Security SAPGUI 7.20 - Changing defaults for rollout to workstations
We are looking at rolling out SAPGUI 7.20 (patch 6 at this stage unless Patch 7 is available soon) with Windows 7.
Our initial testing has raised lots of complaints\comments about the SAP GUI Security popups.
SAPGUI 7.20 sets the level of SAPGUI security to the customized level by default. We would like to modify the defaults that get rolled out to the users and I am looking at the options for doing this and have so far come up with the following:
- We don't really want a Central Repository for Security Configuration (because of WAN issues). What happens anyway if someone tries to start the GUI and the saprules.xml file is not available because the Central Repository server is down or network issues prevent a workstation from seeing the central file?
- Is it possible to package the 7.20 GUI and customizing the SAP GUI security settings (so rollout the GUI with the security settings we want but so they are stored locally on people's workstations)
- Or, could we create a 'corporate saprules.xml' setting it up the way we want it to be rolled out initially and copy it to a location on each workstation but then point the registry entry for the "Central Repository" to this location on the local workstation. This way if we wanted to update the saprules.xml we could just copy the file back to everyone's workstation?
Are there any better ways? Can anyone see any flaws with these?
Presently the messages from the SAPGUI Security are a bit confusing I think and we don't want them coming up for all our users when they start using SAPGUI 7.20 (when they are going to be dealing with lots of other changes as they get Windows 7).
Vasil Bachvarov replied
Congratulations for chosing to update to the new SAPGUI 7.20 P6 version!
Let me get to your questions in the order you posted them:
- If SAPGUI is started on a computer, configured to load the security rules from a network location and this location is not reachable, SAPGUI will load as fallback the administrator rules file "sparules.xml", located in the SAPGUI install directory and a message will be displayed indicating the latter action. In case that the "saprules.xml" file is absent at that location, SAPGUI will display another error message indicating that the administrator rules cannot be loaded.
- Yes, this is possible. The administrator can provide an adapted by (her/him) "saprules.xml" which is delivered to the client machines. I believe there is such option in the installation program, used by the administrator to distribute SAP GUI. Should this not work, one could substitute the "saprules.xml" file in the installation source before doing the installation. This should do the trick.
- Yes, this is very easy to do. After the installation create the registry setting to point to a different file on the user's machine and then you can let the administrator update this location when changes are necessary. Just keep in mind to set the proper access rights to the file/folder, so that the user has only read access and cannot change the administrator settings if this is not desirable!
I think these are the easiest options for an admin, which I know.
Regarding the confusing security messages - the security module was newly introduced in 7.20. Because there is not so much experience in using it, there might be some usability issues like too many confirmation popups shown etc. The best ways to approach this issue would be to constantly provide feedback to the development (maybe provide also custom rules which you find general and useful for all customers), so that the module becomes better and better with time. It has been developed initially to provide maximum security at reasonable usability level, but user feedback is needed to make it better.
Thanks for your attention!