Questions concerning GuiXT / InputAssistant security during auditing

We are currently helping one of our clients with an audit compliance project. As part of the work required for this, we need to confirm that appropriate segregation of duties is in place over key transaction types within SAP.

The client has a number of SAP instances, some of which are using GuiXT and Input Assistant to provide additional functionality. We would normally check within the SAP configuration to determine which users have access to certain transactions; however, our client has said that this approach may not work with GuiXT and Input Assistant.

They said: "We use a third party product (GuiXT/Input Assistant) with SAP to enhance the security or provide access to transactions which SAP might initially allow but is then subsequently blocked by the third party application, or the transaction itself is modified."

What is your recommended method to audit security for an SAP instance with GuiXT / Input Assistant installed? Is there a simple way of determining who has access to each transaction type and variant, and would this differ from a normal SAP installation?

First, it is important to note that with GuiXT and InputAssistant a user is never able to reach any data or transaction that he could not reach without these tools.

The only exception: RFC Calls made in the script ("Call" statement).

With a call to an ABAP function, you can access all data in the SAP System that the "RFC user" specified in the GuiXT profile is able to see.

So, concerning security, it is necessary to look at the "Call" statements in the scripts, and at the rights given to the RFC user specified in the GuiXT profile. If the RFC user can access data that a certain user is not allowed to see, it is necessary to provide the right "Authority-Check" statements directly in the called ABAP module. Here the same rules apply as for ABAP modifications or one's own ABAP developments.

Now, concerning the use of GuiXT/InputAssistant to restrict user access to transactions or to data.

We do not recommend you use this approach without defining the right user roles and profiles in the SAP system. The reason is that it is difficult to assure that a user accesses the SAP system while having GuiXT active. If he manages to use SAPGUI without active GuiXT, he could have unauthorized data access. So, at least for company critical data, we suggest you implement the normal SAP access definitions.
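As an added illustration of the audit step the answer describes (inventorying the "Call" statements in GuiXT scripts so that each called ABAP module can be reviewed for an Authority-Check against the RFC user's rights), here is a small Python helper. It is not code from the original answer or from the GuiXT product; it assumes the `Call "FUNCTION" ...` syntax with the function module name in quotes, and the sample script it scans is constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed GuiXT script, not taken from any real installation. The assumed
# syntax is `Call "FUNCTION" export:... import:...` (function name in quotes);
# confirm the exact form against the GuiXT documentation for your version.
SAMPLE_SCRIPT = """\
// Constructed GuiXT script for illustration
Title "Customer overview"
Pushbutton (toolbar) "Details" "/nVA03"
Call "Z_READ_CUSTOMER" export:"KUNNR":"&V[kunnr]" import:"NAME1":"V[name1]"
if V[role=audit]
  call "BAPI_USER_GET_DETAIL" export:"USERNAME":"&V[_user]"
endif
Call "Z_POST_DOCUMENT" export:"BUKRS":"1000"
"""

# A Call statement starts the line (optionally indented); keyword is
# case-insensitive and the function module name follows in double quotes.
CALL_RE = re.compile(r'^\s*call\s+"([^"]+)"(.*)$', re.IGNORECASE)


@dataclass
class RfcCall:
    line_no: int   # line in the script, for the audit working papers
    function: str  # ABAP function module executed as the GuiXT RFC user
    params: str    # remaining statement text (export/import parameters)


def find_rfc_calls(script_text):
    """Return every Call statement in one GuiXT script, in script order."""
    calls = []
    for no, line in enumerate(script_text.splitlines(), start=1):
        m = CALL_RE.match(line)
        if m:
            calls.append(RfcCall(no, m.group(1).upper(), m.group(2).strip()))
    return calls


def custom_functions(calls):
    """Customer-namespace (Y*/Z*) modules: these carry no SAP-delivered
    authorization checks, so each needs a review of its AUTHORITY-CHECK
    statements relative to the RFC user's profile."""
    return sorted({c.function for c in calls if c.function[:1] in ("Y", "Z")})


def audit_inventory(scripts):
    """Map script name -> list of called function modules, for all scripts."""
    return {name: [c.function for c in find_rfc_calls(text)]
            for name, text in scripts.items()}
```

Run `audit_inventory` over every script directory referenced in the GuiXT profile; the resulting list of modules, together with the RFC user's authorizations, is the material the answer says must be reviewed.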