Create a Fiori Role

In the last few posts, we discussed the basics of the Fiori-based UI. In this post, we will create a role that gives access to a Fiori catalog and group, which will then appear in a user's Fiori launchpad. To start, we first need to know the catalog and group we want to give access to; both are shown in the screenshots below. Note the technical names of both the catalog and the group, as these will be needed when creating the role.

Fiori Catalog for Role
Fiori Group For Role

In this example, we create a PFCG role with access to the catalog SAP_EPM_BC_PURCHASER_T and the group SAP_EPM_BCG_PURCHASER_T. When you create custom catalogs or groups, you might want to set up a naming convention that makes it easy to see which roles contain access to which catalogs and groups. We name the role ZSAP_EPM_BC_PURCHASER_T, with the role description Purchaser (EPM) – Content. So in our convention, the technical name and description of the role are the same as the name and description of the catalog.

Fiori Role Creation

In the menu, we first add the catalog whose technical name we already know from the launchpad designer: SAP_EPM_BC_PURCHASER_T.

Add Fiori Launchpad Catalog to Role

Since we checked the Include applications checkbox, all the services corresponding to the tile apps in the catalog are also added, as shown below. In some older versions of SAP, the web services might need to be added individually. Whatever the case might be, remember to check that the services are added to the role menu.

Fiori Role Showing Services Included in the Catalog

Once the catalog is added, we need to add the Fiori group to the role menu as well, as shown below.

Assign Fiori Group to Role

After adding both the catalog and the group, the role menu looks like the screenshot below.

PFCG Role with Fiori Catalog, Group and Services Added to the Role menu

The next step is to maintain the authorization tab of the role, as for any other role. The process has not really changed in S/4HANA; the only change is the introduction of some new objects. Since we added the services to the role menu, the default objects needed are pulled into the role based on the SU24 entries of the individual services. During further security testing, we might discover new objects that should be added to the SU24 entries for the services; the role is then updated in expert mode to merge the new SU24 changes with the old values. Manually added objects in the role are still to be avoided, as in ECC or R/3.

Fiori role showing authorization objects pulled in through SU24 entries

In addition to the services needed for a particular catalog, certain objects are needed to access the Fiori launchpad itself. These objects are typically added to the general access role for users accessing Fiori applications. The main objects are given below and can be further refined by running a security trace on a user logging in to the Fiori launchpad.

Services:

  1. /UI2/INTEROP, ZINTEROP_0001
  2. /UI2/LAUNCHPAD
  3. /UI2/PAGE_BUILDER_PERS, ZPAGE_BUILDER_PERS_0001

Authorization Objects:

  1. S_PB_CHIP with ACTVT=03 and CHIP_NAME=X-SAP-UI2-CHIP*, X-SAP-UI2-PAGE*
  2. /UI2/CHIP with ACTVT=03 and /UI2/CHIP=X-SAP-UI2-CHIP*, X-SAP-UI2-PAGE*
  3. S_USER_GRP with ACTVT=03

We assign all the authorizations mentioned above to a test user and log in to the Fiori launchpad, where we can see the assigned apps on the home screen.

Fiori launchpad showing assigned group
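
One way to review a role against the launchpad authorization objects listed above, as an added example that is not part of the original post: it reports baseline values that are missing, values granted wider than the list, and objects marked as manually added. The CSV layout, the `origin` column and the trailing-wildcard-only matching are assumptions, and the sample export is constructed.

```python
import csv
import io

# Launchpad baseline as listed in the post: (object, field) -> required values.
BASELINE = {
    ("S_PB_CHIP", "ACTVT"): ["03"],
    ("S_PB_CHIP", "CHIP_NAME"): ["X-SAP-UI2-CHIP*", "X-SAP-UI2-PAGE*"],
    ("/UI2/CHIP", "ACTVT"): ["03"],
    ("/UI2/CHIP", "/UI2/CHIP"): ["X-SAP-UI2-CHIP*", "X-SAP-UI2-PAGE*"],
    ("S_USER_GRP", "ACTVT"): ["03"],
}

# Constructed export of one role's authorization values; column names are assumptions.
SAMPLE = """object,field,value,origin
S_PB_CHIP,ACTVT,03,standard
S_PB_CHIP,CHIP_NAME,X-SAP-UI2-*,standard
/UI2/CHIP,ACTVT,03,standard
/UI2/CHIP,/UI2/CHIP,X-SAP-UI2-CHIP*,standard
S_USER_GRP,ACTVT,*,manual
"""

def covers(granted, required):
    """True if a granted value (trailing '*' wildcard only) includes the required one."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def audit(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    granted = {}
    for r in rows:
        granted.setdefault((r["object"], r["field"]), []).append(r["value"])
    missing, excess = [], []
    for key, required in BASELINE.items():
        have = granted.get(key, [])
        for req in required:
            if not any(covers(g, req) for g in have):
                missing.append(key + (req,))
        for g in have:
            # Wider than anything the baseline asks for, e.g. ACTVT '*' instead of 03.
            if not any(covers(req, g) for req in required):
                excess.append(key + (g,))
    manual = sorted({r["object"] for r in rows if r["origin"] == "manual"})
    return {"missing": missing, "excess": excess, "manual": manual}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(kind, items)
```
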
