SAP Graphical User Interface

SAP GUI is the graphical user interface client in SAP ERP's 3-tier architecture of database, application server and client. It is software that runs on a Microsoft Windows, Apple Macintosh or Unix desktop, and allows a user to access SAP functionality in SAP applications such as SAP ERP and SAP Business Information Warehouse (BW). It is used for remote access to the SAP central server in a company network.

Family

 * SAP GUI for the Windows environment and Apple Macintosh
 * SAP GUI for the Java(TM) environment
 * SAP GUI for HTML / Internet Transaction Server (ITS)

Single sign-on
SAP GUI on Microsoft Windows or Internet Explorer can also be used for single sign-on. There are several portal-based authentication applications for single sign-on. SAP GUI can have single sign-on with SAP Logon Ticket as well. Single sign-on also works in the Java GUI.

Criticism of using SAP GUI for authentication to SAP server access
SAP is a distributed application in which client software (SAP GUI) installed on a user's workstation is used to access the central SAP server remotely over the company's network. Users need to authenticate themselves when accessing SAP. By default, however, SAP uses unencrypted communication, which allows potential company-internal attackers to obtain usernames and passwords by listening on the network. This can expose the complete SAP system if a person is able to obtain this information for a user with extended authorization in the SAP system. Information about this feature is publicly accessible on the Internet.

SAP Secure Network Communications
SAP offers an option to strongly protect communication between clients and servers, called Secure Network Communications (SNC).
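
The check below is an added example, not part of the original article and not SAP's own tooling: it audits an instance profile for the SNC settings that decide whether SAP GUI logons are encrypted. The parameter names (snc/enable, snc/data_protection/min, snc/accept_insecure_gui) are SAP profile parameters that this article does not list, and the profile text is a constructed sample.

```python
import re

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
"""

# Parameter -> (required value, why it matters). SAP profile parameter names;
# they are an assumption of this example, the article does not list them.
REQUIRED = {
    "snc/data_protection/min": ("3", "levels 1 (authentication only) and 2 "
                                     "(integrity) leave session data readable"),
    "snc/accept_insecure_gui": ("0", "other values let SAP GUI log on "
                                     "without SNC"),
}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#\s=][^\s=]*)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_snc(params):
    """Return a list of findings; an empty list means every check passed."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, logons cross the network unprotected"]
    findings = []
    for name, (required, reason) in REQUIRED.items():
        # Unset parameters are reported rather than trusting a default.
        value = params.get(name)
        if value != required:
            findings.append(f"{name} = {value or 'unset'}, expected {required}: {reason}")
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```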

Security
In total, the vendor has released 25 security patches (also known as SAP Security Notes). One of the most notorious vulnerabilities was closed in the set of fixes released in March 2017: a vulnerability in the SAP GUI client for Windows that allows remote code execution. The researchers who identified the security issues also pointed out that the vulnerability allows an attacker to download ransomware on the SAP server that would be automatically installed on every workstation within a company.

Screen editing with Personas
Since 1998, it has been possible to adjust and customize SAP GUI screens (so-called "DynPros") with GuiXT. This can now also be achieved with "SAP Screen Personas". Personas is installed on one of the SAP NetWeaver ABAP 7.0x or 7.3x servers in the system landscape. It can then be used on all SAP NetWeaver ABAP servers with a kernel of 7.21 or higher, including on NetWeaver ABAP 7.11 systems (on which Personas cannot be installed directly).

iOS and Android implementations
Native iOS and Android implementations of SAP GUI are available from GuiXT.