on ‎2021 Aug 23 4:01 PM
We received some pushback from our internal SAP team on enabling SAP GUI scripting for all users. We requested read-only mode for all users. The concern is that we already have some RPA bots that need read-write permission. Is it possible to enable read-only for all users but have read-write for specific users? Also, can read-only mode still be used to launch a denial-of-service attack by starting reports/processes that need no write permissions? My understanding is that even to start reports there is a need to click on save or some checkbox.
Any pointers to mitigate the risks would be helpful.
I was able to get more information from this note to achieve our objectives.
Here are the suggested steps:
1. Enable SAP GUI Scripting (RZ11)
Sapgui\user_scripting – true
2. Turn on per user scripting (RZ11)
Sapgui\user_scripting_per_user – true
3. Set readonly for most users (RZ11)
Sapgui\user_scripting_set_readonly – true
4. Set Windows registry settings for SAP GUI application in CITRIX using group policy
64bit operating system: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SAP\SAPGUI Front\SAP Frontend Server\Security\ScriptingPerUserAccountExecute
32bit operating system: HKEY_LOCAL_MACHINE\SOFTWARE\SAP\SAPGUI Front\SAP Frontend Server\Security\ScriptingPerUserAccountExecute
5. Identify the RPA users who need the read-write privileges and assign them the execute in the authorization object S_SCR in class BC_A (SU01)
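A drift check for steps 1 to 3 above, added here as an example and not part of the original post or of any SAP tool. It assumes the three parameters are exported or maintained as `name = value` lines with `#` comments; the function names and both sample profiles are constructed for illustration.

```python
# Added example: flag drift from the three scripting parameters in steps 1-3.
# Assumption: input is "name = value" text (an export or a profile file).
EXPECTED = {
    "sapgui/user_scripting": "TRUE",
    "sapgui/user_scripting_per_user": "TRUE",
    "sapgui/user_scripting_set_readonly": "TRUE",
}

def normalise(name):
    """Lower-case the name and accept either separator ('Sapgui\\...' as in the post)."""
    return name.strip().lower().replace("\\", "/")

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; the last assignment wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[normalise(name)] = value.strip().upper()
    return params

def audit(text):
    """Return findings as (parameter, found, expected); an empty list means compliant."""
    params = parse_profile(text)
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name, "<not set>")
        if got != want:
            findings.append((name, got, want))
    return findings

# Constructed sample inputs (not taken from a real system).
GOOD = """
# scripting hardening
sapgui/user_scripting = TRUE
Sapgui\\user_scripting_per_user = true
sapgui/user_scripting_set_readonly = TRUE
"""
DRIFTED = """
sapgui/user_scripting = TRUE
sapgui/user_scripting_set_readonly = TRUE
sapgui/user_scripting_set_readonly = FALSE   # later override
"""

if __name__ == "__main__":
    for label, profile in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(label, audit(profile) or "compliant")
```

The drifted sample shows the two cases worth alerting on: a parameter that was never set, and a later line that silently overrides the read-only setting.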
Hi Venkatesh,
Maybe customers can share their experiences here. I can point you to the SAP GUI Scripting Security Guide, which covers the specifics for turning on scripting. I think it should be possible to create a role with read-only for all users and a different role with read-write permission for specific users.
Take care,
Kristina
Hello Kristina and Venkatesh,
We don't (yet) face this bot topic, at least that it comes to SEN.
I think we follow what Kristina references, but with a different source point.
SEN centric, we found this note: https://launchpad.support.sap.com/#/notes/0002403295
and it references creating a role and assigning to users.
We have done this in at least one instance we record to keep it more secure.
Hope this helps.
Best Regards, Wallace