GuiXT Use

Third Party products such as GuiXT, BMC Patrol, Vertex, Ixos etc...

Moderators: Snowy, thx4allthefish

Post Reply
Harters
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems
Contact:

GuiXT Use

Post by Harters » Fri Nov 21, 2008 6:23 am

GuiXT is a solution used for many areas where Authorisations cannot provide the restrictions required. Fish has expressed some concerns over GuiXT and he (?) is correct in some ways.
When you look to deploy GuiXT there are considerations to be made...some of which are listed below:

1. Make sure that the GuiXT scripts are held somewhere users had read only access
2. Make sure you deploy so GuiXT is switched on for all users, hidden and the Activate GuiXT menu entry is removed.
3. make sure that the location of the scripts is available whenever SAP is available - create a web respository in SAP - then you can be sure of availability
4. Use the version conccept to ensure caching and this improves performance enormously
5. Think about language if working internationaly
6. Have a central GuiXT Wizard controlling the scripts

There is endless options with GuiXT which when used correctly can make users lives so much easier

Have fun
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk

Snowy
Posts: 28796
Joined: Mon Oct 21, 2002 2:33 pm
Location: 3.1415926535

Re: GuiXT Use

Post by Snowy » Fri Nov 21, 2008 8:12 am

ok, stop that now.

stop making ads for GuiXT and for your website.

this is the only warning that you will get.

thx4allthefish
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: GuiXT Use

Post by thx4allthefish » Fri Nov 21, 2008 10:34 am

thank you, snowy for intervening - you are the best :!:

but actually i challenged harters to open a new thread so that everyone having to do with security (everyone else is also welcome) can post her/his opinion about that tool.

i threw that gauntlet, so i shall start.

security nowadays is about auditing and auditing is about transparency. running guixt scripts (they are scripts still, no matter what you say) binds your ersatz-authorizations to a machine, not to a SAP-userid. which is - IMHO - no concept at all. if that user is to work on another machine (for whatever reason) or you have only one machine in - say - a very remote warehouse - where different users go at different times for some purpose or other they have to stick with what they are offered by the OS (you elaborated that most of the settings are stored in the registry - which is another thing shortsighted, because there are companies that do not run their frontends on microsoft products (and not the only way to do it either - you can store them in a guixt.ini)).

yes, i do know that you can do scripts for individual users, groups of users and so on - but in case of that remote warehouse i'd go mad maintaing those.

as a result i have no central point of view to all authorizations of all users in one system. -for me this is a no-go.

i would have to deal with all our worldwide network-geeks as well. whilst we provide them with every sapgui-patch or latest version on a ftp-server, noone forces my chinese, korean and other partners to install them - there cannot even be talk of 'deploy'. deploying will work if in a homogenous landscape, but once the only access your worldwide 'children' have, is a VPN-tunnel, you go bang.

which brings me to language-dependency. i tried the hint of a script you offered in another post on both: chinese and slowakian pcs running windows. they did not work. i know why they didn't though - and here i quote note 1257079:
GuiXT scripts are language-dependent. If you use transactions in several languages, you must create the GuiXT scripts for each language.
no pain for me - we have only 6 languages installed. but what of others? my former company had over 30 languages installed when i left a couple of years ago ...

which brings me to gui-version dependency: you said, guixt is sap-gui version independent. i believe this not to be true and here i quote note 1069445:
This problem is corrected with GuiXT version 2007 Q3 1 (available July 2007). This version is included in SAP GUI for Windows 7.10 patch level 3 and subsequent patches.
why would SAP say something like that, if guixt were sapgui-independent?

just for the record - i'll post the link to the document on security of scripting again.

harters, you seem to be not too bad a fellow and you seem to be honest (you took my challenge :wink: ) so i cannot really understand what your purpose in those posts was ... are you working for synactive?

[joking mode à la PoD]as for your forum, it seems to be overcrowded, need another mod? PM PoD[/joking mode á la PoD]
curiousorange wrote: I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?

Harters
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems
Contact:

Re: GuiXT Use

Post by Harters » Fri Nov 21, 2008 10:56 am

Firstly sorry if i upset anyone.
I do not work for Synactive, never have and probably never will.
I am a free lance BASIS and security consult and have been for 12 years.

As far as GuiXT is concerned, yes I am a fan, yes i know there are considerations e.t.c however, there have been a few times where it is the only option.

Material master; MM02 change material. A user wants to protect some classification data as follows:
all users with MM02 to keep MM02
all users to be able to display all data as normal
only a small group can change characteristics in class types with org indicator S, class type 001 and of the characteristics, only some are to be allowed to be changed. for all other users with 02 activityin mm02 they are to only have read access to certain class type with certain org indicators and certain characteristics and values there in.

Naturally we (myself and the other 4 consultants who eventually got involved) started with all the obvious auth level restrictions. Even using F7 to pull in extra values in the fields of objects as not listed in SU24 was tried but plain and simply it was simply impossible to define this level of detail. User exits, bespoke mater records e.t.c were all tried. this was all before i arrived with this client. I also tried and got closer than most with the help of F7 but stil no go. I'll spare you all the details.

Anyway, with GuiXT - and granted i had to use input assistant becuase we had to define screen variables and read a desciption field as below - we managed what the client wants

// Set a variable for the class type
Set V[class] "&F[Class Type]"
// get the lower table name text, using coordinates since title varies
GetFieldAttribute #[12,0] text="gtitle"
// Set a variable based on lower table name called gtitle and remove values for class text to leave only classtext variable
Set V[classtext] "&V[gtitle]" search="Values for Class"
// IF statement
if V[classtext=GS_CIGPAPER] or V[classtext=GS_FILTER] e.t.c and V[class=001] and not Q[Role=ZGUIXT0002]
// if IF statement is true then...

I absolutely agree that auths is the way forward but as you knwo it is not without limitations and bugs as take today....A user fails on release PO ME29N with M_BEST_BSA needing 01 and NB. I find the role and sure enough no activity 01. I grant 01 but the problem returns as 01 and ZNB. strange as we're not looking at document type ZNB so I trace it with ST01 and find 01 listed against every doc type. Perplexed I grant * to a copy test user and access is fine. I remove the star back to NB and access is still fine (so SU53 was lieing?). role is promoted to test, compared e.t.c and checked
i tell the user to try again and he is OK. The other user (who has exactly the same roles and logged off and back on again is not OK, i remove the role, reapply it..then it works.

My point is there are many bugs in SAP (wouldn't like to think how many OSS notes and hot packs e.t.c I've had to install over the last decade but I have never had a problem with GuiXT.

You can of course (and I agree) say that from a support perspective it can be difficult especially when a support consultant has different GuiXT changes compared to the user with an issue e.t.c but still over all the plus points (so long as you deploy it securely and carefully) still outweigh and negative points.

Finally thanks for the compliment - all I want to do is help people - that's why I started my own forum (which i will no long advertise...maybe I'll put it through Google adds lol (joke). The forum is aimed partly at new users and not just us techies - whoever needs help I will try to help and it is just a few weeks old...not ment to step on SAPFANS toes even if i could - whichI can't.
have a good weekend...
Last edited by Harters on Fri Nov 21, 2008 11:08 am, edited 1 time in total.
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk

Harters
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems
Contact:

Re: GuiXT Use

Post by Harters » Fri Nov 21, 2008 11:05 am

just spotted the version comment. You are correct but only half correct. GuiXT is not SAPGUI dependant. It is GUIXT dependant. yes GUIXT is installed as part of the SAPGui but you don't need to use that GuiXT version if you play with dlls e.t.c. I would always deploy GuiXT version across the user base irrespective of the SAPGui version.
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk

thx4allthefish
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: GuiXT Use

Post by thx4allthefish » Fri Nov 21, 2008 11:09 am

i do agree that authorizations have their limitations (i had to learn this in a painful way this morning concerning FB70 and FB60) and just at the moment i am very insecure if everything i did works like i thought it would ... but be that as it may - i'll have to go with that and no auditor can poke me when there is no other choice.

as for bugs, they are there and they have to be solved - even if i have to take another battle with CSS global support!

as for the plus points - i fail to see them:

no transparency
no support of non-windows systems
high maintenance cost when multiple languages installed
gui dependency
...

but thanks for taking up the gauntlet - i appreciate it!
curiousorange wrote: I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?

Al.
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London
Contact:

Re: GuiXT Use

Post by Al. » Sat Nov 22, 2008 3:14 pm

My 2p worth.....

I've used GuiXT in the past with good results & it is an underused tool.

More recently I have worked on a project where, for legal reasons, certain pieces of data were required to be hidden from some users. This data is not controlled via the standard auth concept in most cases.

It was the legal implications of the data being visible that it was not recommended that GuiXT (among other methods) was not used as one of the restriction mechanisms.

Harters
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems
Contact:

Re: GuiXT Use

Post by Harters » Thu Jan 15, 2009 7:27 am

Launguage fix...

When using GuiXT in an environment where user log into SAp using different languages, scripts get confused.

there is a solution however..

in the profile you can say that you want language independant scripts...so as an example the login page script is normally called "elogon.txt" and I never really thought much about it until I set to independant scripts and now it is called "logon.txt"...french language would be "flogon.txt"...so I learnt something there...(and saves having a script for every language...only downside is that instead of the field text name you have to use the technical names to cope with multi-language environments)

Harters
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk

Documation
Posts: 16
Joined: Wed Oct 25, 2006 4:40 am
Location: South Africa
Contact:

Re: GuiXT Use

Post by Documation » Thu Jun 11, 2009 7:55 am

The GuiXT file name is constructed sa follows :

Program.LanguageKey.ScreenNumber.txt, also, to maintain scripts globally, I would suggest you use versioning, and store the scripts in the SAP Web Repository.

Everytime changes are made to the scripts, you increment the version number by 1. GuiXT will then check the local cached version of the script against the version in the web repository, and download the latest version if it exists.

Regards,

Freddie Botha

(Oh, and I do not work for Synactive either, but GuiXT is an awesome piece of Software!)
Freddie Botha
Documation Consulting Services

http://www.documation.co.za
freddieb@documation.co.za
27.72.733.3034
086.621.6786

SAP FUN© - Finetuned User Navigation
"Contact us for more information on this exciting concept"

Harters
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems
Contact:

Re: GuiXT Use

Post by Harters » Thu Jun 11, 2009 8:10 am

I agree with using versions....it will also help with performance too but you need to remember to change the version number each time you make a change to any script for best results
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk

thx4allthefish
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: GuiXT Use

Post by thx4allthefish » Fri Jun 19, 2009 12:04 am

according to this:

viewtopic.php?f=33&t=329526

it is decided that all GuiXT threads go to the 3rd Party Forum, the description of which will be modified accordingly.

i am moving this there.
curiousorange wrote: I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?

Post Reply