Configuring and Assigning SAP Authorizations in SAP Fiori Apps

For a number of years now, SAP has been pursuing a new strategy for how SAP users interact with its software. Complex SAP applications are being subdivided into role-based SAP Fiori apps, with the aim of improving user friendliness while also enhancing the user experience. A rising number of companies are considering implementing SAP Fiori apps and are now faced with determining which authorizations must be allocated to their employees for access to the apps.

In the following, we will distinguish between front-end and back-end authorizations. This distinction is relevant for you only if you choose a central hub deployment approach. If you instead take the path of embedded deployment, you do not need to differentiate between front-end and back-end authorizations: You can include all the authorizations in one role.

Basic Authorizations for Access to the SAP Fiori Launchpad

The SAP Fiori launchpad is the central point of access for all Fiori apps. The following authorizations must be assigned to a user to allow access to the launchpad:

Front-end authorizations:

  • Transaction /UI2/FLP: This transaction allows the launchpad to be called directly from the SAP GUI.
  • The S_SERVICE authorization object must be configured as follows for the SAP Fiori launchpad OData services:

It is important to integrate both the IWSV and the IWSG services via the Role menu. To do this, you need to select the authorization default TADIR service, the R3TR program ID, and the corresponding IWSV or IWSG service.

  • The authorization object /UI2/CHIP is required for transaction /UI2/FLP as well as for some of the services listed above. This is why it is automatically included in the role with the following parameters:

The SAP standard roles SAP_UI2_USER_700 and SAP_UI2_USER_750 are considered predefined SAP Fiori roles for users and are templates that can be copied. However, they include only the IWSV entries, meaning they are not complete and that you must add the IWSG entries listed above.

Back-end authorizations:

  • The authorization objects S_RFC and S_RFCACL are required to enable access to the backend server via a trusted RFC connection.
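The launchpad requirements above can be checked mechanically, for example to catch a role copied from a standard template that still lacks its IWSG entries. The following is an added example, not code from the original post or from SAP: the tab-separated input format, the role names and the service name EXAMPLE_SERVICE_A are constructed for illustration, and the check covers a central hub deployment only.

```python
from collections import defaultdict

# Constructed sample in this example's own format (not an SAP export format):
# role <TAB> kind <TAB> value. Service names are placeholders.
SAMPLE_EXPORT = "\n".join([
    "Z_FLP_TEMPLATE_COPY\tTCODE\t/UI2/FLP",
    "Z_FLP_TEMPLATE_COPY\tTADIR\tR3TR IWSV EXAMPLE_SERVICE_A",
    "Z_FLP_TEMPLATE_COPY\tAUTH\tS_SERVICE",
    "Z_FLP_TEMPLATE_COPY\tAUTH\t/UI2/CHIP",
    "Z_FLP_COMPLETE\tTCODE\t/UI2/FLP",
    "Z_FLP_COMPLETE\tTADIR\tR3TR IWSV EXAMPLE_SERVICE_A",
    "Z_FLP_COMPLETE\tTADIR\tR3TR IWSG EXAMPLE_SERVICE_A",
    "Z_FLP_COMPLETE\tAUTH\tS_SERVICE",
    "Z_FLP_COMPLETE\tAUTH\t/UI2/CHIP",
    "Z_BACKEND_RFC\tAUTH\tS_RFC",
])

# Launchpad requirements as listed in the article, per side of a central hub.
REQUIRED = {
    "frontend": {"TCODE": {"/UI2/FLP"}, "TADIR": {"IWSV", "IWSG"},
                 "AUTH": {"S_SERVICE", "/UI2/CHIP"}},
    "backend": {"AUTH": {"S_RFC", "S_RFCACL"}},
}

def parse_export(text):
    """Return {role: {kind: set(values)}}; TADIR entries keep only the object type."""
    roles = defaultdict(lambda: defaultdict(set))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected role, kind, value")
        role, kind, value = parts
        if kind == "TADIR":
            fields = value.split()
            if len(fields) != 3 or fields[0] != "R3TR":
                raise ValueError(f"line {lineno}: bad TADIR entry {value!r}")
            value = fields[1]
        roles[role][kind].add(value)
    return roles

def audit(text, assignment):
    """assignment maps role name -> 'frontend' or 'backend'; returns gaps per role."""
    roles = parse_export(text)
    report = {}
    for role, side in assignment.items():
        have = roles.get(role, {})
        report[role] = [f"{kind} {item}"
                        for kind, needed in REQUIRED[side].items()
                        for item in sorted(needed - have.get(kind, set()))]
    return report
```

A role that appears in the assignment but not in the input is reported with every requirement for its side missing.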

App-Specific Authorizations for Access to Individual Fiori Apps

To access individual Fiori apps from the SAP Fiori launchpad, app-specific authorizations are required. The relevant authorizations for all available SAP Fiori apps are listed in the Fiori Apps Reference Library.

How the front end is shown depends on the assigned Fiori catalogs and groups. The groups and catalogs necessary for access to the relevant app are entered in the configuration settings of the Fiori Apps Reference Library.

Fiori catalogs are a collection of apps that logically belong together and contain definitions of the tiles (e.g. title and symbol) and target assignment. For example:

Fiori groups represent collections of apps that logically belong together; these collections define the initial Fiori launchpad screen. The apps in a group can originate with multiple catalogs. Users see only those apps on their respective launchpad for which they are authorized based on their group and catalog assignment.

The SAP Fiori tile catalogs and groups are integrated via the Role menu. Integrating a catalog adds to the role the IWSG services required to start the Fiori app and the IWSV services required to call business data (S_SERVICE authorization object). If these services have SU24 authorization default values, then these are also part of the authorization role.

Integration of Fiori Groups and Catalogs in the App-Specific Authorizations

The following is a summary of how the app-specific authorizations fit together:

Front-end authorizations:

  • Integration of the required Fiori groups via the Role menu.
  • Integration of the required Fiori catalogs via the Role menu.

This ensures that the IWSG services required to start the Fiori app are included automatically in the role (S_SERVICE authorization object).

Back-end authorizations:

  • Integration of the required Fiori catalogs via the Role menu.

This ensures that the IWSV services required to call business data are included automatically in the role (S_SERVICE authorization object). Additional authorizations for business transactions are also included, for example authorization default values from SU24.

The recommendation is to use the technical SAP catalogs and groups as a reference by saving them in the customer-specific namespace and to then streamline them as much as possible (for performance reasons).

Before you implement app-specific authorizations, first ensure that the frontend and backend components in your SAP system have the required status and that the relevant SAPUI5 applications and OData services are activated.

If you need support to set up SAP Fiori authorizations, you are welcome to contact us at sast@akquinet.de. Check out our SAST SOLUTIONS home page to learn more about us.

Alina Demuth (SAP S/4HANA Consultant, SAST SOLUTIONS)

 
