SAP Fiori LL20 – Role and Authorization settings for SAP Fiori launchpad
Please feel free to edit this document and add your tips.
SAP Fiori Lessons Learned 20. Role and Authorization settings for SAP Fiori launchpad
Background:
I see many consultants had issues accessing Fiori launchpad because authorizations were not assigned.
Help documents:
- Assign Administrator Role for SAP Fiori Launchpad to Administrat – Configuration of SAP Fiori Infrastructure – SAP Libra…
- (740) User, Developer, and Administrator Roles – SAP Gateway Foundation (SAP_GWFND) – SAP Library
- Authorizations – SAP NetWeaver User Interface Services – SAP Library
Frontend server:
Administrator: SAP Fiori launchpad Designer
- Z_SAP_UI2_ADMIN_700 (Role)
- R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
- R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
- R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
- R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
- R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
- /IWFND/RT_ADMIN (Authorization Template)
- Add authorization objects listed in the Authorizations – SAP NetWeaver User Interface Services – SAP Library.
Runtime User: SAP Fiori launchpad
- Z_SAP_UI2_USER_700 (Role)
- R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
- R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
- /IWFND/RT_GW_USER (Authorization Template)
- S_PB_CHIP (Authorization Object)
- /UI2/CHIP (Authorization Object)
- S_SERVICE (Authorization Object)
- App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
- App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
- App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)
Backend server:
Administrator:
- /IWBEP/RT_BEP_ADM (Authorization Template)
- S_RFCACL (Authorization Object)
Runtime User:
- /IWBEP/RT_MGW_USR (Authorization Template)
- S_RFCACL (Authorization Object)
- App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)
Steps: Example setting for runtime user role in the Frontend server.
Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700
Step 2. Add authorization default in the menu tab
Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.
Step 3. Add Gateway authorizations from template in the authorization tab.
Edit -> Insert Authorizations -> From Template …
Please find the authorization template name in User, Developer, and Administrator Roles – SAP Gateway Foundation (SAP_GWFND) – SAP Library
Step 4. Manually add additional authorization objects
Please find the list of authorization objects in Authorizations – SAP NetWeaver User Interface Services – SAP Library.
Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)
How to check missing authorizations:
- Transaction SU53 – Shows only the last failed authorization check
- Transaction ST01 – Lets you record an authorization trace
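The frontend runtime-user checklist above can also be checked offline before a role is transported. The following is an added example, not part of the original post or of any SAP tool: the `MENU`/`AUTH` line format and the function names are assumptions made for illustration, and authorizations that come from templates are not covered. It reports missing entries, services entered with the wrong object type for the deployment, and services that this page lists only for the administrator role.

```python
# Added example: names come from the frontend lists on this page; the
# "MENU"/"AUTH" line format is a constructed stand-in for a role listing.
RUNTIME_MENU = {"ZINTEROP_0001", "ZPAGE_BUILDER_PERS_0001"}
ADMIN_ONLY_MENU = {"ZPAGE_BUILDER_CONF_0001", "ZPAGE_BUILDER_CUST_0001",
                   "ZTRANSPORT_0001"}
RUNTIME_OBJECTS = {"S_PB_CHIP", "/UI2/CHIP", "S_SERVICE"}
OBJ_TYPE = {"hub": "IWSG", "embedded": "IWSV"}  # per the note under Step 2


def parse_role(text):
    """Return (menu entries as (type, name) pairs, authorization objects)."""
    menu, objects = set(), set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        if parts[0] == "MENU" and len(parts) == 4 and parts[1] == "R3TR":
            menu.add((parts[2].upper(), parts[3].upper()))
        elif parts[0] == "AUTH" and len(parts) == 2:
            objects.add(parts[1].upper())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return menu, objects


def check_runtime_role(text, deployment="hub", app_services=()):
    """Compare a frontend runtime-user role with the checklist on this page."""
    obj_type = OBJ_TYPE[deployment]
    menu, objects = parse_role(text)
    wanted = RUNTIME_MENU | {s.upper() for s in app_services}
    present = {name for typ, name in menu if typ == obj_type}
    return {
        "missing_menu": sorted(wanted - present),
        "missing_objects": sorted(RUNTIME_OBJECTS - objects),
        # services this page lists only under the administrator role
        "admin_only_in_runtime": sorted(n for _, n in menu if n in ADMIN_ONLY_MENU),
        # right service, but entered with the other deployment's object type
        "wrong_type": sorted(n for t, n in menu if t != obj_type and n in wanted),
    }


SAMPLE_ROLE = """\
# constructed sample, not a real export
MENU R3TR IWSG ZINTEROP_0001
MENU R3TR IWSV ZPAGE_BUILDER_PERS_0001
MENU R3TR IWSG ZPAGE_BUILDER_CONF_0001
AUTH S_SERVICE
AUTH S_PB_CHIP
"""
```

Calling `check_runtime_role(SAMPLE_ROLE, "hub", ["GBAPP_POAPPROVAL_0001"])` returns a dictionary with the four finding lists for the sample role.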
Thanks Masa,
Beautifully explained; it provides a clear picture of the segregated role assignment in FE and BE, promptly mentioning the roles which we usually miss during implementations, i.e. S_PB_CHIP, /UI2/CHIP.
Warm Regards
Hemendra
I don't have an option to add those services under IWSG.
Is there a way to have them added to the list?
You have to check in transaction /IWFND/MAINT_SERVICE that those services are active and assigned to the corresponding system alias.
Bookmarked, thanks!
Hello Masa,
Are the above steps relevant for S4 Hana 1709? Many of the screenshots mentioned above don't exist.
The blog was created 3 years ago based on NW740.
For 1709, take a look at UI Content and Authorization Concept.
Thanks Masa
Dear Sir
Could you please teach me the permission setting of fiori 1809
user's fiori menu
Just wanted to mention that you saved my day.
You provided easily to find information on a wild topic, prepared very fine and short.
A nice information set, thanks Masayuki Sekihara,
I'm giving your link reference in answer to one query regarding developer-user-roles in Fiori.
Thanks & Regards,
Dilip Pandey