Skip to Content
Author's profile photo Masayuki Sekihara

SAP Fiori LL20 – Role and Authorization settings for SAP Fiori launchpad

Please feel free to edit this document and add your tips.

SAP Fiori Lessons Learned 20. Role and Authorization settings for SAP Fiori launchpad

Background:

I see many consultants had issues accessing Fiori launchpad because authorizations were not assigned.

Help documents:

Frontend server:

    Administrator: SAP Fiori launchpad Designer

  • Z_SAP_UI2_ADMIN_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
  • R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
  • /IWFND/RT_ADMIN (Authorization Template)
  • Add authorization objects listed in the Authorizations – SAP NetWeaver User Interface Services – SAP Library.

    Runtime User: SAP Fiori launchpad

  • Z_SAP_UI2_USER_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • /IWFND/RT_GW_USER (Authorization Template)
  • S_PB_CHIP(Authorization Object)
  • /UI2/CHIP (Authorization Object)
  • S_SERVICE (Authorization Object)
  • App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
  • App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
  • App specific Group RoleAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

Backend server:

    Administrator:

  • IWBEP/RT_BEP_ADM(Authorization Template)
  • S_RFCACL (Authorization Object)

    Runtime User:

  • /IWBEP/RT_MGW_USR (Authorization template)
  • S_RFCACL (Authorization Object)
  • App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)

Steps: Example setting for runtime user role in the Frontend server.

Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700

Step 2. Add authorization default in the menu tab

/wp-content/uploads/2015/07/role1_743747.png

Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.

Step 3. Add Gateway authorizations from template in the authorization tab.

Edit -> Insert Authorizations -> From Template …

Please find authorization template name in User, Developer, and Administrator Roles – SAP GatewayFoundation (SAP_GWFND) – SAP Library

/wp-content/uploads/2015/07/role2_743749.png

/wp-content/uploads/2015/07/role3_743798.png

Step 4. Manually add additional authorization objects

Please find the list of authorization objects in Authorizations – SAP NetWeaver User Interface Services – SAP Library.

/wp-content/uploads/2015/07/role4_743799.png

Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)

Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)

Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

How to check missing authorizations:

  • Transaction SU53 – Just shows last failed authorization
  • Transaction ST01 – You can take authorization trace

Assigned tags

      10 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Hemendra Sabharwal
      Hemendra Sabharwal

      Thanks Masa,

       

      Beautifully explained and provide the clear picture of the segregated role assignation in FE and BE and promptly mentioning the roles which we usually miss during implementations i.e. S_PB_CHIP, /UI2/CHIP.

       

      Warm Regards

      Hemendra

      Author's profile photo Spiro Papadatos
      Spiro Papadatos

      /wp-content/uploads/2016/01/222_875871.jpg

      I don't have an option to add those services under IWSG.

      Is there a way to have them added to the list?

      Author's profile photo Leonardo Gomez
      Leonardo Gomez

      You have to check in transaction /IWFND/MAINT_SERVICE that those services are active and assigend to the corresponding system alias.

      Author's profile photo Naoto Amari
      Naoto Amari

      Bookmarked , thanks!

      Author's profile photo Somnath Choudhury
      Somnath Choudhury

      Hello Masa ,

       

      Are the above steps relevant for S4 Hana 1709 ? Many of thescrennshots as mentioned above doesn't exists.

       

       

      Author's profile photo Masayuki Sekihara
      Masayuki Sekihara
      Blog Post Author

      The blog was created 3 years ago based on NW740.

      For 1709, take a look at UI Content and Authorization Concept.

      Author's profile photo Raymond Du
      Raymond Du

      Thanks Masa

      Author's profile photo CHENG HUAN Chao
      CHENG HUAN Chao

      Dear Sir

      Could you please teach me the permission setting of fiori 1809
      user's fiori menu

      Author's profile photo Hubert Englmaier
      Hubert Englmaier

      Just wanted to mention that you saved my day.

      You provided easily to find information on a wild topic, prepared very fine and short.

      Author's profile photo Dilip Kumar Krishnadev Pandey
      Dilip Kumar Krishnadev Pandey

      A nice information set, thanks Masayuki Sekihara,

      I'm giving your link reference in answer to one query regarding developer-user-roles in Fiori.

      Thanks & Regards,

      Dilip Pandey