In the following example, I will try to explain how you can connect a Fiori app with multiple backend systems using User Roles with System Aliases in SAP Gateway.

Prerequisites: you have created RFC destinations and System Aliases for backend systems.

Assigning SAP System Alias to OData Service – SAP NetWeaver Gateway – SAP Library

As mentioned in the above link, you can assign multiple SAP system aliases to an oData service and also have specific roles assigned to them using transaction /IWFND/MAINT_SERVICE.

In the below screenshot you can see that I have assigned 4 system aliases with different roles assigned to the service of the “Approve Purchase Orders” Fiori app.

Capture.JPG

  • If the system alias do not have a user role assigned, then all users will have access to this system through the Fiori app.
  • If the system alias has a user role assigned, then only the users that have this role will have access to this system through the Fiori app.

Let me try to give an example:

– First you create a blank role for each backend system in SAP Gateway (transaction PFCG).

Z_ROLE_SYSTEM_1

Z_ROLE_SYSTEM_2

etc.

Then, when you add a system alias to a service, you define also the role for this (transaction /IWFND/MAINT_SERVICE).

Alias User Role
ALIAS_SYSTEM_1 Z_ROLE_SYSTEM_1
ALIAS_SYSTEM_2 Z_ROLE_SYSTEM_2
ALIAS_SYSTEM_3

– Now the behavior of the app depends on the roles assigned to a user:


Scenario App Behavior

User having none of the above roles

App will have access to system ALIAS_SYSTEM_3

User having role Z_ROLE_SYSTEM_1

App will have access to systems

ALIAS_SYSTEM_1 and ALIAS_SYSTEM_3

User having roles Z_ROLE_SYSTEM_1 and Z_ROLE_SYSTEM_2

App will have access to systems

ALIAS_SYSTEM_1, ALIAS_SYSTEM_2 and ALIAS_SYSTEM_3

*** ATTENTION ***


SAP Gateway caches the metadata of the service. Because you have one service for the system aliases, you may experience unexpected behavior in case you have extended the oData in one system and not in the others. See the problem here: One quite haunted Gateway cache issue

Problem:

In system A you extended the Fiori app oData entity through the available BADIs and added some fields.

In system B you use the standard functionality without any modifications.

In Gateway you have the standard Fiori app and you also extended it to a Z_APP to include the additional fields of system A.

– User A accesses the Z_APP with the additional fields in Launchpad through system alias pointing to system A.

– User B accesses the standard app in Launchpad through system alias pointing to system B.

Gateway behavior: Metadata cache is cleared manually or by the system eg. because you raised SP level of the app or the SAPUI5 libraries SP level.

Scenario 1:

  • User A logs on first, Gateway caches the metadata of the service from system A (standard structure + the additional fields). App works fine.
  • User B logs on second, Gateway has already cached the metadata and do not get them from system B. App works fine because the standard structure is there.

Scenario 2:

  • User B logs on first, Gateway caches the metadata of the service from system B (only standard structure exists). App works fine.
  • User A logs on second, Gateway has already cached the metadata and do not get them from system A. App NOT working because it can’t find the additional fields in the cached metadata.

Solution:

Caching of metadata based on the system-alias information can be used in the SAP NW Gateway 2.0 SP08 and higher.

http://service.sap.com/sap/support/notes/2000134

Capture2.JPG



Regards,

Vasils

To report this post you need to login first.

10 Comments

You must be Logged on to comment or reply to a post.

  1. Pranav Nagpal

    Very nice blog Vasils. It surely helps in hub scenario. Though i m facing small issue. Even though i have created a blank role in PFCG, i am not able to add the role to my service. Is it some front end component dependent. Please see the screen shot. The green “tick mark” is disabled

    ec1 rols.PNG

    Thanks

    Pranav

    (0) 
    1. Vasilios Lianos Post author

      Thanks Pranav,

        I guess you are trying to assign a role to an existing alias of your service. “User role” field is part of the key of this customizing view table so you can’t change it for an existing entry.

      What you can do is either remove the system alias from the service and add it again… or when you are at the view table -> select the line of the existing one -> press button “Copy as..” -> enter the role at the new line -> Press Enter -> Scroll up and delete the old one -> Save

      Regards,

      Vasilis

      (0) 
      1. Venkat Raja

        Hi Vasilis,

        Thanks for writing good blog. Its help many people like me.

        We are also setting up fiori however I am facing one issue with regards to SSO.

        my landscape is as below:

        ===================

        Gateway system is different (client is 001) and ECC system is different(client is 100).

        We have configured web dispatcher to handle the requests(OData/SData to gateway and other /sap/bc/ requests to backend).

        RFCs are created between both abap systems and trusted relations ship is working between them through trusted rfcs.

        my issue is when we call a URL from browser it is asking credentials two times (one is for gateway system and another for ECC system). my doubt is shall we over come this issue? if yes how do we achive it?

        and also in further we will integrate this fiori into portal system and call from there, is the SSO will work without having any issues( Portal-web dispatcher-gateway system-backend system)? i tried to search but unable to find a information related to my scenario please help me here.

        Thanks,

        Venkat

        (0) 
        1. Vasilios Lianos Post author

          Hi Venkat,

          I am not familiar with the SSO in technical level. It might be a web dispatcher configuration issue.

          I also haven’t implemented fiori in portal so I can not advice you on it.

          Sorry,

          Vasilis

          (0) 
  2. Timothy Muchena

    Hi

    I created blank roles for the 2 system aliases but after assigning them to the aliases i got error No System Alias found for Service ‘ZTASKPROCESSING_0002’ and user ‘XXXX’. If I remove the the blank roles from my alias I get Error has occurred while creating proxy for logical port ’80’

    Its perfectly working with one alias

    Its for My Inbox app and I have to connect to the core system and the HR system

    Thanks

    (0) 
    1. Vasilios Lianos Post author

      Hi,

      “My Inbox” app is a little bit different that the other fiori apps as it wants a different setup in the alias. I haven’t worked it with multiple backends so I am not sure if it works.

      What I would have checked:

      • Have you created the aliases with these settings (the highlighted yellow one)?

      Capture2.PNG

      • Have you assigned the aliases to ZTASKPROCESSING_002 service?

      Capture4.PNG

      I have no other clue,

      Vasilis

      (0) 
  3. Huy Ma

    Hello Vasilios,

    I’ve tried to connect Purchase Requisition Approval application to 2 backends with one Gateway same client.

    I have followed your post and enable 2 system aliases to this app but the app do not displayed any purchase requisition from those 2 backends. But I’ve noticed that the entityset_get method is called on the 2 backends.

    When I declare only one system alias, purchase requisitions are well retrieved..

    Am I missing one customizing point?

    Thanks in advance for your help

    (0) 
    1. Vasilios Lianos Post author

      Hi,

      please check if the user can retrieve PRs for each alias. First check the 1st alias then remove it and check the 2nd alias.

      Check also if the user has the same authorizations in both backends.

      Vasilis

      (0) 
      1. Huy Ma

        Thank you Vasilios for your help.

        It appears that I have to apply OSS note 2250491, and everything turns alright!

        (0) 

Leave a Reply