Skip to Content
Author's profile photo Tejas Chouhan

Restrict Fiori Application access through Roles

UPDATE : Please note that this blog relates to configuration done on NON S/4HANA (ECC Systems). Configuration on S/4HANA systems might be slightly different. Please read through the end of this blog to find out what changes are new in Fiori 2.0 with S/4HANA.

Scenario: User wants to view the application only assigned to him/her

 

User would require only scenario specific tile to be assigned to his/her login. This would be required while assigned production users a certain tile and not all the tiles. This document would also talk about restriction for a specific tile.

 

For e.g.: Material management PO approve.

 

User wants only “Approve Purchase order” Tile to be in his/her Launchpad.

Prerequisite :

 

  • All the specific UI components are in place.
  • Fiori admin URL is working fine
  • Admin user has administrator role assigned : You have created an administrator user who needs extensive authorizations,

          such as S_SERVICE, S_DEVELOP, /UI2/CHIP, S_RFC_ACL, and S_CTS_SADM. If applicable, create the user with the ID the user already has in the back end

  • Role name : SAP_UI2_ADMIN_700

 

Admin URL : http://<sapfiori.com>:PORT/sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html?scope=CUST

As we are dealing here with only 1 application for the user (Approve PO). Let’s go to the standard tile catalog offered by SAP.

Tile catalog name: Buyer (MM) – Content

/wp-content/uploads/2015/04/1_693149.png

Now we want only Approve Purchase orders application.

Before copying the tile from this catalog. Let’s create a new tile catalog by clicking on below on the left catalog view.

/wp-content/uploads/2015/04/2_693150.png

Create catalog screen appears :

/wp-content/uploads/2015/04/3_693151.png

Enter your desired catalog name:

/wp-content/uploads/2015/04/4_693179.png

  • My New Catalog is created.
  • Now go back to your standard catalog and drag the “Approve purchase orders tile” and you see a copy option.
  • Drag to the copy option and your tile is copied. Once you drop your tile, it asks for Destination to be copied to.

/wp-content/uploads/2015/04/5x_693180.png

Select “My New Catalog” from the selection criteria.

/wp-content/uploads/2015/04/6_693181.png

Make sure you repeat the same operation for Target mapping for “Approve Purchase orders”.

Once done, now you have the Tile catalog with standard Approve PO tile.

/wp-content/uploads/2015/04/7_693188.png

Here target mapping is 0. Once you copy target mapping as well. It shows as 1.

Create Target Group:

 

Follow the same approach for creating groups. Go to group tab :

/wp-content/uploads/2015/04/8_693189.png

You can disable Group personalization as well. User won’t be able to delete the Tiles from Launchpad using this.

Add tile to the group

/wp-content/uploads/2015/04/9_693190.png

/wp-content/uploads/2015/04/10_693194.png

Create a custom role for your group “My New Group” in PFCG:

/wp-content/uploads/2015/04/11_693195.png

Choose Fiori Tile catalog from the Transaction in Menu tab :

Similiarly choose Fiori Group :

/wp-content/uploads/2015/04/13_693200.png

/wp-content/uploads/2015/04/14_693201.png

Now you see that both Catalog and group is maintained for the role.

/wp-content/uploads/2015/04/16_693202.png

  • Assign relevant authorizations and number of users. Now you can open your Fiori Launchpad.
  • Make sure you save your PFCG role.
  • Clear your browser cache and open your Launchpad.

/wp-content/uploads/2015/04/17_693206.png

You should see the app tile assigned to you.

  • For S/4HANA Fact sheet apps follow :  Visit
  • For Fiori 2.0 security/authorization control : Download

Thanks !!

Do follow “Fiori” tag for more updates on SAP Fiori blogs/discussions. 🙂

Assigned tags

      19 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Very Nice document, Keep up your good work Tejas

      Thanks

      Author's profile photo Tejas Chouhan
      Tejas Chouhan
      Blog Post Author

      Thanks Surya

      Regards,

      Tejas

      Author's profile photo ANURAG SINGH
      ANURAG SINGH

      Thanks a lot Tejas for sharing this blog.... 🙂

      regards,

      Anurag Singh

      Author's profile photo Munna Mishra
      Munna Mishra

      Thanks Tejas for sharning this Document.

      Regards

      Munna Mishra

      Author's profile photo Baithi Srinivas
      Baithi Srinivas

      Excellent document

      Regards

      Baithi

      Author's profile photo Cham Xu
      Cham Xu

      Very nice document, just what I'm looking for. Thanks.


      Best regards

      Cham

      Author's profile photo Juan Manuel Rodriguez
      Juan Manuel Rodriguez

      Hello, very Useful document - have you tried or someone has tried to restrict FIORI applications in another language ? (ex. French) I was trying but I got a message indicating: "Page can not be modify in language FR" Thanks, Juan

      Author's profile photo Former Member
      Former Member

      Hi Tejas

      Excellent document, but I need 1 clarification, who exactly will create the custom catalogs and groups.

      Whether UI5 developer or Authorization consultant.

      Thanks
      harish

      Author's profile photo Tejas Chouhan
      Tejas Chouhan
      Blog Post Author

      This is just configuration changes, can be done by anyone who knows this. But make sure you add it to transport request (customizing). The PFCG part you see above has to be done by security consultant/ auth consultant like you say.

      Regards,
      Tejas

      Author's profile photo Sriram Sampath
      Sriram Sampath

      Hi Tejas

      Thanks for answer. Also please can you send me some sample authorization concept for Front end system, because I have designed for Backend system.

      Thanks

      Author's profile photo Nandish m
      Nandish m

      Hi Tejas,

       

      One doubt, Approve PO will have some business role, how to add that role (i.e authorization to approve) in our custom user.

       

      Thanks

       

      Author's profile photo Vipin Nagpal
      Vipin Nagpal

      Hello Expert,

      Will mention above steps remain same for Fact sheet type application?

      Thanks

      Author's profile photo Tejas Chouhan
      Tejas Chouhan
      Blog Post Author

      Hi Vipin,

      No, Factsheets are search based apps which appear in the search bar. You can control the authorizations from Search models and connectors. Based on which factsheets user requires, you need to assign only those search models to the user (Also please note that there are other search models used which needs to activated other than the app specific search models. Detailed step is mentioned here :

      https://help.sap.com/doc/saphelp_nw751abap/7.51.0/en-US/b4/f6b7313bf2455fa5bb3fa2abd52436/frameset.htm

      Regards,
      Tejas

      Author's profile photo Vipin Nagpal
      Vipin Nagpal

      Thanks a lot for your reply,

      My assumption is that Search models are applicable for backed system in hub deployment option.  Steps which you have mentioned above need to be executed in front end and same for fact sheet?

      Please guide me.

      Author's profile photo Tejas Chouhan
      Tejas Chouhan
      Blog Post Author

      steps mentioned in this blog is for transactional apps to be done in frontend system since your frontend system has ui5 content to display launchpad designer.

      search conenctors have to be controlled from backend systems.

      Regards,

      Tejas

      Author's profile photo HITESHKUMAR LIMBACHIYA
      HITESHKUMAR LIMBACHIYA

      HI TEJAS,

       

      I GOT THIS ERROR WHILE LOAD PROFIT CENTER APP : F1730. WILL YOU PLZ PROVIDE ME SOLUTION

      Author's profile photo Colleen Hebbert
      Colleen Hebbert

      Hi Hiteshkumar

       

      You might get better assistance if "ask a question" instead of putting this as a comment on a blog that isn't quite related to your issue

       

      That aside, I did  quick search and found https://answers.sap.com/questions/415735/fiori-initialization-of-query-erpsfin-m01-q2103-fa.html - describes configuration work required

       

      There is also https://launchpad.support.sap.com/#/notes/2673081 which has similar issue that may be of help

       

      Again, if neither help then suggest you create a question.

       

      Regards

      Colleen

       

      Author's profile photo Arun m
      Arun m

      HI Experts,

      i am facing an issue, i have developed a custom application using web IDE and it is working all fine in development and quality system but in production system it is not coming in fiori launchpad. even-though it is still there in the fiori launchpad designer.

       

      any insights would be helpful.

      regards,

      arun

       

      Author's profile photo Tejas Chouhan
      Tejas Chouhan
      Blog Post Author

      Hi Arun,

      Your issue is not related to this blog. Please raise a discussion.