Purpose
Install the right security measures for RFC access

If you allow generic RFC connections for GuiXT, e.g. to access scripts stored in the SAP system, it is important to use the appropriate user rights and security measures. The worst thing you can do is to give the RFC user too many rights and store the RFC password in unencrypted format in your “guixt.ini” file, so that unauthorized or malicious users can read critical data or even change data.

With the security measures described here, you can use RFC connections for GuiXT in a secure manner.

There are essentially three safe settings:

  • SSO/SNC
  • RFC with the login data of the logged-in user
  • Generic RFC user with restricted user rights

Which setting should you choose?

  • If the normal user connections are already based on SSO/SNC, we recommend that you also use the SSO/SNC approach for RFC access, i.e. solution 1. Only with this setting is the data encrypted in both directions over the line (SAP Secure Network Communications).
  • If you opt for a generic RFC user with password-based login, the certificate-based password encryption described in solution 3 ensures that the RFC user can only be used on authorized PCs.

1. SSO/SNC for RFC access

You execute all RFC functions in the context of the given user. The SAP user roles granted to the given user are automatically observed for all RFC functions. Technically, you use the following configuration in your "guixt.ini" file:

RfcUser   *
RfcPassword *
RfcCurrentClient Yes
RfcConnect  SNC_MODE=1 SNC_PARTNERNAME="p:CN=&database, O=myCompany,..."

Further details can be found in the article "Configuration for SSO and SNC".

2. RFC with the login data of the logged-in user

The settings in the “guixt.ini” file are the same as for the SSO approach, whereby the SSO/SNC specification is omitted:

RfcUser   *
RfcPassword *
RfcCurrentClient Yes

A small disadvantage is that the logon screen cannot yet be configured using a GuiXT script stored in SAP.

 

3. Generic RFC user with restricted user rights

For this configuration, it is crucial to restrict the rights of the generic RFC user to unproblematic functions: in most cases, downloading the GuiXT scripts from the SAP server and, if necessary, reading the user settings (decimal point/comma, date format). A “call” statement in a GuiXT script, e.g. the call of a BAPI function, should be executed in the context of the current user, not the RFC user, by specifying the -currentuser option in the call.

Sample guixt.ini settings:

RfcUser   GUIXTRFC
RfcPasswordEnc GKCLDHCDKFIIHKDPDCJAKMNDKBCFJLGDJ...
RfcCurrentClient Yes

From GuiXT version 2025 Q1 2, you can secure the generic user password by linking it to a certificate. The encryption and decryption of the password then requires that this certificate is installed on the respective PC and has a valid private key and a valid certificate chain. If you follow this approach, make sure that all users have this certificate in their personal Windows certificate store. To generate the encrypted RFC password and link it to the certificate, copy the thumbprint of the certificate displayed in Windows:

Then encrypt the password in the GuiXT window specifying the certificate via its thumbprint:

 

The generated password is relatively long and contains an '@'. Add it to your guixt.ini file as RfcPasswordEnc:

RfcUser   GUIXTRFC
RfcPasswordEnc HOPACALIAGMDKPALPCBHHJLDPEIMHADJ@EAHALAEMGMGIAFGMOOMCBHL....
RfcCurrentClient Yes

GuiXT will then automatically check the validity of the given certificate on the user's PC.
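
To check rolled-out guixt.ini files against the three settings above, the following Python script classifies the RFC configuration and reports a plaintext password or a password that is not linked to a certificate. It is an added example, not part of GuiXT or its documentation. It assumes one "Key Value" pair per line, case-insensitive keys and "//" comment lines, and it treats a missing '@' in RfcPasswordEnc as "not certificate-linked", a heuristic based on the remark above; the function names and sample values are constructed.

```python
# Added example, not GuiXT code. Assumptions: one "Key Value" pair per line,
# keys are case-insensitive, and lines starting with "//" are comments.

def parse_rfc_settings(text):
    """Return {lowercased key: value} for the Rfc* lines of a guixt.ini."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("//"):
            continue
        if parts[0].lower().startswith("rfc"):
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_rfc(text):
    """Classify the RFC setup and list deviations from the three safe settings."""
    s = parse_rfc_settings(text)
    user, findings = s.get("rfcuser", ""), []
    if not user:
        return "no-rfc-user", findings
    if user == "*":
        # Solutions 1 and 2: RFC runs with the logged-in user's own credentials.
        snc = "SNC_MODE=1" in s.get("rfcconnect", "").upper()
        if s.get("rfcpassword") != "*":
            findings.append("RfcUser is * but RfcPassword is not *")
        return ("sso-snc" if snc else "current-user"), findings
    # Solution 3: generic RFC user; the password must not be stored in clear text.
    if s.get("rfcpassword", "*") not in ("", "*"):
        findings.append("plaintext RfcPassword stored for generic user " + user)
    enc = s.get("rfcpasswordenc", "")
    if not enc:
        findings.append("no RfcPasswordEnc for generic user " + user)
    elif "@" not in enc:
        # Heuristic: the certificate-linked value described above contains '@'.
        findings.append("RfcPasswordEnc has no '@': not linked to a certificate")
    return "generic-user", findings

# Constructed sample files (values are placeholders, not real passwords).
SAMPLE_PLAINTEXT = "RfcUser   GUIXTRFC\nRfcPassword Secret123\nRfcCurrentClient Yes\n"
SAMPLE_ENC_ONLY = "// generic user\nRfcUser GUIXTRFC\nRfcPasswordEnc AAAABBBBCCCC\n"
SAMPLE_CERT = "RfcUser GUIXTRFC\nRfcPasswordEnc AAAABBBB@CCCCDDDD\nRfcCurrentClient Yes\n"
SAMPLE_SNC = ('RfcUser *\nRfcPassword *\nRfcCurrentClient Yes\n'
              'RfcConnect SNC_MODE=1 SNC_PARTNERNAME="p:CN=EXAMPLE"\n')

if __name__ == "__main__":
    for name in ("SAMPLE_PLAINTEXT", "SAMPLE_ENC_ONLY", "SAMPLE_CERT", "SAMPLE_SNC"):
        print(name, audit_rfc(globals()[name]))
```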

 

A final tip

Sometimes password rules require the RFC user password to be changed. It is then advisable to also create a new RFC user. Otherwise, the old RFC password may still exist on a PC and cause the RFC user to be blocked for all others. It can then be a bit of work to identify the PC with the old password. If you create a new RFC user instead, you can lock the old RFC user after a while so that the PCs with the incorrect old password have a problem, but not those with the new correct RFC settings.

 

Components
GuiXT