Skip to Content

3/Nov/2016 blog updated for re-tagging due to SCN migration

The purpose of this document is to summarise the technical solutions to custom-build your NWBC screens should you decide the SAP pre-delivered screens do not meet your requirements. The focus on this document applies to GRC 10.x Access Controls. However, some options apply to NWBC in general. This document does mention quite a few technical concepts (PFCG role menu for NWBC access, webdynpro, launchpads, etc). If you are not familiar with these concepts, I recommend you review available documentation in SCN and SAP Help. Technical implementation steps have not been included; however, links to other SCN blogs and Wiki where possible have been provided.

 

 

A Quick overview of the GRC SAP standard

 

In GRC 10.x Access Controls Work Center roles are provided by SAP to provide users with the NWBC layouts (each role provides a different tab). These roles are built based on PFCG Role menu using ABAP webdynpro GRFN_SERVICE_MAP with the specific application configuration mapped. Each folder name in the PFCG role provides the Level 1 Tab (such as Master Data, Access Request) and the webdynpro provides the layout for that tab. The individual links/icons are displayed based on configuration of a launchpad and authorisation object GRFN_REP (if the user does not have authorisations of the link in NWBC for that specific item they will not see it on their screen). Example role of this is SAP_GRC_NWBC as shown in the screen shot below with access to the the My Home, Rule Setup, Access Management and Reports and Analytics work centers.

 

1_SAP_role.jpg

Screen Shot: example of SAP standard role that grants NWBC Work Center access for GRC

 

 

The idea of the GRFN_REP object allows you to reuse the launchpad to provide different links to different users (or if you are not using all of the functionality you can hide some from the users). However, lack of access to the authorisation does not guarantee the users has been prevented from accessing the functionality (if they know the SICF service name they can enter the URL assuming SICF has not been restricted with S_ICF authorisation).

 

  The launchpads can be customised to add/remove the SAP standard proposed links. Launchpad functionality does allow you to compare your changes to the SAP standard version. For information on GRC example, refer to the following document by Trinadh Bokka

 

 

I did not like the SAP standard work centers outside of prototyping/demonstration for the following reasons:

  1. Having to assign the user multiple work centers to get their full access;
  2. User having to jump across multiple tabs (Org Structure on one, Access Control Owners on another, risk and mitigation split up, etc);
  3. Wanting to set up custom work center layouts as per the process steps (much more user friendlier); and
  4. Old school’ avoidance to maintaining SAP standard (although possible, I am not a fan of maintaining the SAP launchpads as I like to have the original reference and not have headache at support packs/enhancement packs). Happy for someone to come along and convince me otherwise (a SAP Basis expert managed to convince me to stop building Custom ZSAP* work center roles for Solution Manager).

 

Hence, time to provide options on how you can build your own layout for users:

 

Option 1 – Standard NWBC Build

 

In this option you build your PFCG role menu without using the GRC Work Center concept. Refer to SAP help documentation for how to achieve this. Each link (webdynpro) must be added to the PFCG role menu as a link and configured to appear in NWBC. This option does allow you to add different levels of folders and group the links together. It provides you the greatest control in choosing what you want to display in the SAPGUI menu and/or NWBC menu. It does not leverage the GRC launchpads or GRFN_SERVICE_MAP.

 

One benefit of this option is that by adding the webdynpro to the role menu you can leverage the SU24 mapping proposals. At the same time, you will need to go through and figure out the defaults for each webdynpro as SAP did not deliver any standard SU24 proposals (it takes time but is worth it when it comes to security build and testing).

 

You will, however, need to build PFCG role menu for each access scenario instead of re-use of the work center roles and launchpads. This may not be a drawback for you if your PFCG role is also including the underlying authorisations to execute the functionality.

 

/wp-content/uploads/2014/08/2_custom_build_nwbc_role_522395.jpg

Screen Shot: Building custom PFCG menu for NWBC layout

 

 

Option 2 – Use the Launchpad Webdynpro

 

Instead of using GRFN_SERVICE_MAP you can create the NWBC layout by adding the webdynpro APB_LAUNCHPAD_NWBC to the PFCG role menu. As part of the configuration parameters, you must specify the launchpad instance and role name.

 

3_APB_Launchpad_Role.jpg

Screen Shot: Launchpad added to PFCG via APB_LAUNCHPAD_NWBC

 

 

This approach does not use the SAP delivered GRFN_SERVICE_MAP (and therefore hiding of links in NWBC via authorisation object GRFN_REP object). It also does not include each webdynpro link in the role menu to import the SU24 proposals (again assuming they exist). I had this as a solution on my options after looking at this webdynpro for an ECC build. However, I did not like that it provided the use with the option in NWBC to “change launchpad” as the user would be presented with the full list of launchpads to choose another.

 

4_Change_Launchpad_Nwbc.jpg

Screen Shot: Change Launchpad button for APB_LAUNCHPAD_NWBC

 

 

Option 3 – Build your own configuration for GRFN_SERVICE_MAP

 

In this option, you follow the SAP GRC work center approach by using GRFN_SERVICE_MAP to build your own launchpads and use them instead. Unlike the APB_LAUNCHPAD_NWBC, the PFCG item definition does not reference the role and instance. This is configured in the webdynpro configuration via SE80.

 

The diagram below provides the mappings of the webdynpro configuration and applications for GRFN_SERVICE_MAP. You will need to have a developer key to do this – or you may need to ask a developer depending on your company’s policy. You will not need to register an SAP object in the Marketplace. If you receive a prompt of the object repair key you have attempted to modify the standard instead of copying your own.

 

5_GRFN_SERVICE_MAP_diagram.jpg

Diagram: Mapping of Webdynpro Configuration for GRFN_SERVICE_MAP

 

 

 

You will need to access SE80 for the GRFN_SERVICE_MAP and launch the Webdynpro Application Configurator (a link appears). To create your own, you need to copy the GRAC_FPM* items listed in the example and map them to each other. You are not modifying SAP standard. The “UIBB” item contains the link to the launchpad instance and role. The “AC” item is added to the PFCG menu for the GRFN_SERVICE_MAP.

 

My tip for copying these items: stick to a naming convention such as ZGRAC_FPM* to denote custom, use the AC/CC/UIBB (marked in red) and have the last character (example above ACCESS_MGMT) reflect the launchpad name. It becomes a lot easier to trace your configuration if you have a build error.

 

6_UIBB_Launchpad_Mapping.jpg

Screen Shot: UIBB Configuration showing mapping to launchpad

 

 

This option allows you to leverage the GRC NWBC design and continue to use launchpad. It also means you do not need to maintain the SAP standard launchpad and can build your own.

 

 

Refer to the following Wiki article for the SE80 webdynpro configuration.

 

 

Option 3 Extended to leverage SU24 proposals

 

Each webdynpro referenced in the launchpad can also be added to the PFCG role menu but kept invisible. In doing this, SU24 proposal can then be defaulted into PFCG. This option will require dual maintanance of the launchpad and the PFCG menu.

 

 

Interested in Option 3… and more?

If the SAP standard roles are not appropriate for you, I recommend you have a look at the Option 3 mappings. Have a look at the PFCG role menu to see differences in making links invisible and changing the icons that you see in NWBC. You can also have a look in the SE80 configuration to change the Launchpad headings from hyperlink to plain bold text; see if you can find the default empty launchpad that has been mapped to all work centers; and work out why your are limited to two columns in your launchpad.

 

 

I welcome your constructive feedback in the comments below J

 

 

Regards

Colleen

To report this post you need to login first.

13 Comments

You must be Logged on to comment or reply to a post.

  1. Corina Aerni

    Dear Colleen,

    Thanks a lot for your article… it’s very useful.

    I have one more question:

    We have added the APB_LAUNCHPAD (APB_LAUNCHPAD_NWBC is obsolete says our system) to the PFCG role menu (Web Dynpro application).

    We also added to the APB_LAUNCHPAD the role and instance parameter. The value to this we needed to fill out manually… but it doesn’t work in NWBC… it takes still the “standard Launchpad view”.

    How can I map the APB_LAUNCHPAD (SE80) with the customized Launchpads in LPD_CUST?

    `

    Thanks a lot for your help! Would really appreciate your answer as I couldn’t find a solution for this step until now.

    Thanks and best Regards, Corina

    (0) 
    1. Colleen Hebbert Post author

      Hi Corina

      I don’t have access to a SAP system at the moment to check item being obsolete (I had that idea from ECC system build so may need to check which package it was part of).

      What do you mean by “standard launchpad view”

      Regards

      Colleen

      (0) 
      1. Corina Aerni

        Dear Colleen,

        Thanks for your prompt reply 🙂 .

        Regarding the item being obsolete… the systems says to take APB_LAUNCHPAD instead of APB_LAUNCHPAD_NWBC….so I thought this should be ok.

        /wp-content/uploads/2014/08/21_08_1111111111111_524584.jpg

        With “standard launchpad view” I mean in the LPD_CUST the role GRACMGMT and instance GRAC_ACCESS_MANAGEMENT which takes for our NWBC user view.

        /wp-content/uploads/2014/08/21_08_524597.jpg

        Thanks a lot for your answer.

        Best Regards, Corina

        (0) 
        1. Colleen Hebbert Post author

          When you do this what does the user see?

          It may also be that the launchpad needs different attributes (those three columns with the X in them)…. The third column for FP(m?) is needed for the GRFN_SERVICE_MAP. I’m wondering if the second one is needed for the APB_LAUNCHPAD. It might be worth searching for that webdynpro (example Launching a custom Launchpad)

          Once yours is up and running I can edit this document to reflect the changes 🙂

          Regards

          Colleen

          (0) 
          1. Corina Aerni

            Dear Colleen,

            I tested by creating a launchpad with the second attribute (embedded) but still don’t work. I will now open an OSS and share when I get a solution. Seems to be a NWBC/Webdynpro issue.

            Best Regards, Corina

            (0) 
            1. Corina Aerni

              Hi Colleen,

              Here is the solution:

              To match the Launchpad with PFCG role you need to create the Launchpad as “stand alone” and not as I did as “FPM GUIBB”.

              After you have created the new launchpad (role/instance-combination) you can use it in

              transaction PFCG and add the launchpad to the PFCG role using the Web

              Dynpro application parameter ROLE and INSTANCE.

              This is option 2 from above.

              Best Regards, Corina

              (0) 
  2. Chelsea Giacherio

    Hello,

    “You can also have a look in the SE80 configuration to change the Launchpad headings from hyperlink to plain bold text”

    Do you know the steps to on how to change the folder links into text? I’m having issues finding it in the configuration settings, and the user settings on the webdynpro remove the whole heading.

    Thank you,

    -Chelsea

    (0) 
    1. Colleen Hebbert Post author

      Hi Chelsea

       

      I don’t have access to a GRC box to find where it is. I stumbled on it when I was looking for the launchpad references. I’ll see if I can find any notes on this but I’m not confident

      (0) 
      1. Chelsea Giacherio

         

        Hello,

        I found the configuration setting to change the folder(header) links to text from OSS Note 1851321 that is in the UIBB component of the work center.

        Thank you,

        -Chelsea

        (0) 

Leave a Reply