SAP Logon Pad Restrictions

Former Member
0 Kudos

We have SAP Logon Pad 720 installed. At my company they have locked the ability for a user to change the theme and to add/modify/delete a new SAP system connection or shortcut. I work in the SAP security space but for the life of me I can't figure out the security implications of granting users this authorization. Can someone please explain what vulnerabilities there are with giving users this ability? I think it would be a useful feature to have.

How are these options restricted within the gui?

Thank you for your time.

Mark

Accepted Solutions (1)

Former Member
0 Kudos


Hello Mark,

There does not seem to be any problem with giving any user access to add a system in the logon pad, as he / she would require a user ID and password to log in to any system added in the logon pad.

There might be a possibility that an organisation would like to use a central xml and ini file to distribute to all the users over different regions, so they may restrict this in order to maintain the same xml and ini for all the logon pads.

If you do not see an add/edit button or you see them disabled then you might be using saplgpad.exe.

If you want to add a system of your choice or if you need to edit any connection of any system, you can navigate to the location

C:\Program Files\SAP\FrontEnd\SAPgui (this is the default location, or you can locate it by right-clicking on the saplgpad shortcut -> Properties -> Open file location)

At that location you will find two files.

saplgpad.exe --> Will not allow you to add / edit any system

saplogon.exe --> Will allow you to add / edit the system

Similar information is provided by Michael in another thread ( http://scn.sap.com/thread/1928988 )

I hope I understood your point correctly and that this has helped.

Thanks and Regards,

Rameez Sarang

Former Member
0 Kudos

Rameez,

Sorry for the delay in responding.

It appears that we are using saplgpad.exe. Does this mean there is no workaround? If this is the case then I need to understand if Basis can do something to allow users to modify their configuration files in order to add new SAP locations/systems or change the theme being used. Allowing users this ability does not appear to pose any risks so I can't quite understand why the decision was made to restrict this.

Thank you.

Mark

Matt_Fraser
Active Contributor
0 Kudos

Hi Mark,

Usually it's not so much a security risk as preventing users from accidentally causing themselves problems.  It's not infrequent that a user will poke around in the SAP Logon configuration and end up changing an important connection parameter that then results in a call to the help desk.  Then it's the Basis people who end up having to help the user fix the misconfiguration.

In any case, there are lots of options for customizing an organization's SAPGUI rollout and SAP Logon options, but the first thing is your use of SAP Logon Pad (saplgpad.exe).  The Pad is inherently a read-only version of the SAP Logon utility, so with that the only way to change the configuration file is by distributing a new one centrally (or manually editing the local one in Notepad, etc, which is not recommended for end users).  If you want to give users the option of customizing and configuring their own SAP Logon entries, then you must distribute the full SAP Logon utility instead of or in addition to the SAP Logon Pad.

Once you've done that, if you are using a SAPGUI Installation Server, then you have a great deal of options for central management of configurations, including the ability to centrally distribute and control basic connection configurations while still allowing users to add their own custom configurations.  Options for doing this are pretty well described in the SAPGUI installation documentation.

Best regards,

Matt

Former Member
0 Kudos

Hello Mark,


Yes, you are right. Since you / users are not able to make any changes to the logon pad system connections, they are surely using saplgpad.exe.

As pointed out by Matt, if you have a central server that has the .ini and .xml files, a Basis person can edit them and then distribute the changes throughout, but surely cannot stop a user from making changes to SAPGUI on their local machine.

For now you / users are using saplgpad.exe; this is how the installation and settings are done at your place. However, you can still edit the logon pad by using the second exe file (saplogon.exe) that would be present at the same location where you have saplgpad.exe.

As far as I am aware, Basis cannot make any settings which will allow users to change their logon setup if they are using saplgpad.exe, unless they log in to each user's machine (remote connection / screen sharing) and place a shortcut to the file saplogon.exe on the user's machine.

Regards,

Rameez Sarang

Matt_Fraser
Active Contributor
0 Kudos

As a clarification, it is possible for Basis to prevent people from making changes to their configuration files, even if they are using SAP Logon and not the Pad.  It all depends on how they script the installation from the installation server.  This is explained in the SAPGUI Administration Guide, which is included in the SAPGUI distribution, and the "Registry values and read-only feature of the SAP GUI Options dialog" document for SAPGUI 7.30, which, frankly, I'm finding difficult to locate again on the Service Marketplace or SCN.  However, the Administration Guide from the Presentation DVD gives enough to get you started, and the Installation Server Help which -- usually -- can be found in the Help link from NwSapSetupAdmin gives instructions on how to script registry changes in general.  In short, the SAPGUI administrator has many options on how to deploy the frontend software.

It is possible to deploy the SAP Logon Pad and not the SAP Logon, so it's possible the users don't have access to the full SAP Logon.  Without it, they will not be able to customize their configuration files, at least not easily, and so that means your Basis team must have done this intentionally.

Regards,

Matt

Answers (1)

Former Member
0 Kudos

I guess the values you are looking for are stored in:

[HKEY_LOCAL_MACHINE\Software\SAP\General\Appearance] (32 Bit OS)

If values have the suffix “_ReadOnly” the users won't be able to edit this value (e.g. “SelectedTheme_ReadOnly”). Please see the SAP GUI Administration Guide, page 20 ff.

Regards

Jann
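
A way to see which options are locked on a given workstation, as an added example that is not part of the original answer or of SAP's tooling: the key path and the `_ReadOnly` suffix are the ones quoted in the answer above, while the function name and output columns are hypothetical. It reports each lock value's data as found and does not interpret it.

```powershell
# Added example: list SAP GUI option values that have a "_ReadOnly" companion value.
# Default key path is the one quoted in the answer above (32-bit OS); use -Path
# to point at a different key. The function name is hypothetical.
function Get-SapGuiReadOnlyOption {
    param(
        [string]$Path = 'HKLM:\Software\SAP\General\Appearance'
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey object.
    $key   = Get-Item -Path $Path
    $names = $key.GetValueNames()

    foreach ($lock in $names | Where-Object { $_ -like '*_ReadOnly' }) {
        # Strip the suffix to find the option the lock applies to,
        # e.g. SelectedTheme_ReadOnly -> SelectedTheme.
        $option  = $lock -replace '_ReadOnly$', ''
        $present = $names -contains $option

        [pscustomobject]@{
            Option        = $option
            OptionPresent = $present
            OptionData    = if ($present) { $key.GetValue($option) } else { $null }
            LockValue     = $lock
            LockData      = $key.GetValue($lock)
            LockKind      = $key.GetValueKind($lock)
        }
    }
}

# Show the result as a table; no output means no "_ReadOnly" values were found.
Get-SapGuiReadOnlyOption | Format-Table -AutoSize
```

Because the key is under HKEY_LOCAL_MACHINE, a standard user can normally read these values but not change or delete them.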