First, it is important to note that with GuiXT and InputAssistant a user is never able to reach any data or transaction that he could not reach without these tools. The only exception: RFC calls made in the script (the "Call" statement). With a call to an ABAP function, you can access all data in the SAP system that the "RFC user" specified in the GuiXT profile is able to see.
So, concerning security, it is necessary to look at the "Call" statements in the scripts and at the rights given to the RFC user specified in the GuiXT profile. If the RFC user can access data that a certain user is not allowed to see, the right "Authority-Check" statements must be placed directly in the called ABAP module. Here the same rules apply as for ABAP modifications or one's own ABAP developments.
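As an added illustration (not code from GuiXT, InputAssistant or Synactive), here is what such an authority check in a called ABAP module can look like. The point to keep in mind is that the module runs under the RFC user from the GuiXT profile, so a plain AUTHORITY-CHECK would test the RFC user's rights, not the dialog user's. The example therefore assumes the script passes the logged-on user's name in the (hypothetical) parameter IV_CALLER and checks with FOR USER. The function module name Z_GUIXT_READ_CUSTOMER and the parameter names are assumptions; the authorization object F_KNA1_GEN, activity 03 (display) and table KNA1 are standard SAP objects.

```abap
FUNCTION z_guixt_read_customer.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_KUNNR) TYPE KUNNR
*"     VALUE(IV_CALLER) TYPE SYUNAME
*"  EXPORTING
*"     VALUE(EV_NAME1) TYPE NAME1_GP
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"     NOT_FOUND
*"----------------------------------------------------------------------
  " This module is remote-enabled and is executed by the RFC user named in
  " the GuiXT profile, so sy-uname holds the RFC user here, not the person
  " sitting in front of SAP GUI. The dialog user's name is passed in by the
  " script (assumption: parameter IV_CALLER) and the check is done for him.
  AUTHORITY-CHECK OBJECT 'F_KNA1_GEN'
    FOR USER iv_caller
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Deny before any data is read; nothing is returned to the script.
    RAISE not_authorized.
  ENDIF.

  " Only after the dialog user's authorization has been confirmed is the
  " customer master record read with the RFC user's database access.
  SELECT SINGLE name1 FROM kna1 INTO ev_name1
    WHERE kunnr = iv_kunnr.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

Two points follow from this design. The server can only trust the user name the script hands over, so the scripts themselves must be protected from modification just like any other client-side code, and the RFC user's own role should be limited to exactly what the called modules need. The same applies to every other module reachable via "Call": each one needs its own check, because the RFC user's authorization, not the dialog user's, is what the database access is performed with.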
Now, concerning the use of GuiXT/InputAssistant to restrict user access to transactions or to data: we do not recommend that you use this approach without defining the right user roles and profiles in the SAP system. The reason is that it is difficult to ensure that a user only accesses the SAP system while GuiXT is active. If he manages to use SAP GUI without active GuiXT, he could have unauthorized data access. So, at least for company-critical data, we suggest you implement the normal SAP access definitions.