SAP Fiori LL20 – Role and Authorization settings for SAP Fiori launchpad

Please feel free to edit this document and add your tips.

SAP Fiori Lessons Learned 20. Role and Authorization settings for SAP Fiori launchpad

Background:

I see many consultants had issues accessing Fiori launchpad because authorizations were not assigned.

Help documents:

• Assign Administrator Role for SAP Fiori Launchpad to Administrat – Configuration of SAP Fiori Infrastructure – SAP Libra…
• (740) User, Developer, and Administrator Roles – SAP Gateway Foundation (SAP_GWFND) – SAP Library
• Authorizations – SAP NetWeaver User Interface Services – SAP Library

Frontend server:

    Administrator: SAP Fiori launchpad Designer

• Z_SAP_UI2_ADMIN_700 (Role)
• R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
• R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
• R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
• R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
• R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
• /IWFND/RT_ADMIN (Authorization Template)
• Add authorization objects listed in the Authorizations – SAP NetWeaver User Interface Services – SAP Library.

    Runtime User: SAP Fiori launchpad

• Z_SAP_UI2_USER_700 (Role)
• R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
• R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
• /IWFND/RT_GW_USER (Authorization Template)
• S_PB_CHIP(Authorization Object)
• /UI2/CHIP (Authorization Object)
• S_SERVICE (Authorization Object)
• App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
• App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
• App specific Group RoleAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

Backend server:

    Administrator:

• IWBEP/RT_BEP_ADM(Authorization Template)
• S_RFCACL (Authorization Object)

    Runtime User:

• /IWBEP/RT_MGW_USR (Authorization template)
• S_RFCACL (Authorization Object)
• App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)

Steps: Example setting for runtime user role in the Frontend server.

Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700

Step 2. Add authorization default in the menu tab

Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.

Step 3. Add Gateway authorizations from template in the authorization tab.

Edit -> Insert Authorizations -> From Template …

Please find authorization template name in User, Developer, and Administrator Roles – SAP GatewayFoundation (SAP_GWFND) – SAP Library

Step 4. Manually add additional authorization objects

Please find the list of authorization objects in Authorizations – SAP NetWeaver User Interface Services – SAP Library.

Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)

Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)

Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

How to check missing authorizations:

• Transaction SU53 – Just shows last failed authorization
• Transaction ST01 – You can take authorization trace