Please feel free to edit this document and add your tips.

SAP Fiori Lessons Learned 20. Role and Authorization settings for SAP Fiori launchpad

Background:

I see many consultants had issues accessing Fiori launchpad because authorizations were not assigned.

Help documents:

Frontend server:

    Administrator: SAP Fiori launchpad Designer

  • Z_SAP_UI2_ADMIN_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
  • R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
  • /IWFND/RT_ADMIN (Authorization Template)
  • Add authorization objects listed in the Authorizations – SAP NetWeaver User Interface Services – SAP Library.

    Runtime User: SAP Fiori launchpad

  • Z_SAP_UI2_USER_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • /IWFND/RT_GW_USER (Authorization Template)
  • S_PB_CHIP (Authorization Object)
  • /UI2/CHIP (Authorization Object)
  • S_SERVICE (Authorization Object)
  • App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
  • App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
  • App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

Backend server:

    Administrator:

  • /IWBEP/RT_BEP_ADM (Authorization Template)
  • S_RFCACL (Authorization Object)

    Runtime User:

  • /IWBEP/RT_MGW_USR (Authorization template)
  • S_RFCACL (Authorization Object)
  • App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)

Steps: Example setting for runtime user role in the Frontend server.

Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700

Step 2. Add authorization default in the menu tab

Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.

Step 3. Add Gateway authorizations from template in the authorization tab.

Edit -> Insert Authorizations -> From Template …

Please find the authorization template name in User, Developer, and Administrator Roles – SAP Gateway Foundation (SAP_GWFND) – SAP Library

Step 4. Manually add additional authorization objects

Please find the list of authorization objects in Authorizations – SAP NetWeaver User Interface Services – SAP Library.

Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)

Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)

Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)
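
The runtime-user checklist above, turned into a completeness and least-privilege check for the copied frontend role. This is an added example, not code from the original post or from SAP: the "kind value" role listing is a constructed format, and treating entries the page lists only for the administrator as findings in a runtime role is an assumption of the example.

```python
# Added example: checklist values are from the page; the role listing format is constructed.
RUNTIME_SERVICES = {"ZINTEROP_0001", "ZPAGE_BUILDER_PERS_0001"}
ADMIN_ONLY_SERVICES = {"ZPAGE_BUILDER_CONF_0001", "ZPAGE_BUILDER_CUST_0001", "ZTRANSPORT_0001"}
RUNTIME_TEMPLATE, ADMIN_TEMPLATE = "/IWFND/RT_GW_USER", "/IWFND/RT_ADMIN"
RUNTIME_OBJECTS = {"S_PB_CHIP", "/UI2/CHIP", "S_SERVICE"}
SERVICE_TYPE = {"hub": "IWSG", "embedded": "IWSV"}  # per the note under Step 2
SAMPLE_ROLE = """\
# constructed listing of a Z_SAP_UI2_USER_700 copy
menu R3TR IWSG ZINTEROP_0001
menu R3TR IWSV ZPAGE_BUILDER_PERS_0001
menu R3TR IWSG ZTRANSPORT_0001
menu R3TR IWSG GBAPP_POAPPROVAL_0001
template /IWFND/RT_GW_USER
object S_SERVICE
object S_PB_CHIP
"""

def parse_role(text):
    """Parse constructed 'kind value' lines into {kind: set(values)}."""
    role = {"menu": set(), "template": set(), "object": set()}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, value = line.split(None, 1)
            role.setdefault(kind.lower(), set()).add(" ".join(value.split()))
    return role

def audit_runtime_role(role, deployment, app_services=()):
    """Return (severity, detail) findings for a frontend runtime-user role."""
    want = SERVICE_TYPE[deployment]
    menu = {tuple(e.split()) for e in role["menu"] if len(e.split()) == 3}
    findings = []
    for name in sorted(RUNTIME_SERVICES | set(app_services)):
        types = {t for (_, t, n) in menu if n == name}
        if want in types:
            continue
        if types:  # present, but under the other deployment's object type
            findings.append(("WRONG_TYPE", f"{name}: has {min(types)}, {deployment} needs {want}"))
        else:
            findings.append(("MISSING", f"R3TR {want} {name}"))
    findings += [("MISSING", f"authorization object {o}") for o in sorted(RUNTIME_OBJECTS - role["object"])]
    if RUNTIME_TEMPLATE not in role["template"]:
        findings.append(("MISSING", f"template {RUNTIME_TEMPLATE}"))
    # Assumption: entries the page lists only for the administrator are findings here.
    findings += [("ADMIN_ONLY", f"service {n}") for (_, _, n) in sorted(menu) if n in ADMIN_ONLY_SERVICES]
    if ADMIN_TEMPLATE in role["template"]:
        findings.append(("ADMIN_ONLY", f"template {ADMIN_TEMPLATE}"))
    return findings

if __name__ == "__main__":
    print(*audit_runtime_role(parse_role(SAMPLE_ROLE), "hub", ["GBAPP_POAPPROVAL_0001"]), sep="\n")
```

The catalog and group roles from Steps 6 and 7 are not covered by this check.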

How to check missing authorizations:

  • Transaction SU53 – Shows only the last failed authorization check
  • Transaction ST01 – Lets you record an authorization trace

3 Comments


  1. Hemendra Sabharwal

    Thanks Masa,

    Beautifully explained; it provides a clear picture of the segregated role assignment in FE and BE, and promptly mentions the roles which we usually miss during implementations, i.e. S_PB_CHIP, /UI2/CHIP.

    Warm Regards

    Hemendra
