For many years, SAP Authorizations has been a near mystical dark art. S/4HANA brings the start of a new approach with easier alignment to business roles. This blog explains the new Fiori Launchpad-driven authorization approach in S/4HANA.
Once upon a time and not so very long ago, SAP authorizations were reserved as one of the dark arts of the security administrator. The business brought their challenges to the altar of the security gods – a business role that did this and this but not that – pointed to a couple of delivered SAP security roles stumbled across in the documentation as if to a faded and ancient treasure map and the security administrator started on a perilous quest to deliver the golden security roles.
In this journey, the security administrator and his companions – dogged experienced warrior developers, plucky and determined business analysts – would traverse dark ravines of the SAP system, deploying mystical incantations (aka authorization trace tools such as transaction STAUTHTRACE) to extract long lost authorization objects and collect them into their treasure chest. Once all the authorization objects were collected, they would lay out all the pieces, and fit them together like a jigsaw puzzle or a broken amulet to build formidable security roles. Security roles that would provide both a shining path to productivity and a powerful protection against the risks of inappropriate access.
With S/4HANA we start to peel away the magical veils to bring SAP Fiori authorizations into the light. While the security administrator remains the White Wizard of authorizations knowledge and the ultimate high priest of access, the journey to those golden security roles has been made easier, safer, and more obvious to the novice adventurer and business process expert alike. SAP has even done a little magical wand-waving to build bridges across some of those dark ravines.
The end result is a set of security roles that clearly and directly relate to the business role. This simplifies both the initial creation of roles and later adjustments to roles as new business roles are introduced or existing business roles flex with organizational changes to meet new market and operational opportunities.
In these new and marvellous times, the business challenge remains the same – a business role that does this and this but not that – and the journey still holds the occasional dragon or troll to overcome. Thus both the novice authorizations adventurer and the experienced White Wizard will benefit from a little explanation of these new pathways, if only to save them from the rock-falls of false assumptions.
Our travelling companions on the authorizations journey are still much the same:
- Security Administrator – the ultimate arbiter of authorizations
- Business Analysts – who set the challenge
- Developers – who help track down hidden authorization objects
And to our team we add a special friend:
- Launchpad Content Administrator – whose access to the Launchpad Designer tool shines a light down the occasional dark ravine to illuminate treasure and ward off the occasional monster
Let’s start by setting the scene for our adventure with a few assumptions and prerequisites:
- Our S/4HANA system is installed including any add-on modules in scope
- As recommended we are running Fiori Frontend Server in Hub mode, i.e. the Fiori Frontend Server is separate from the S/4HANA backend server
- The Fiori Launchpad has been activated
- All Fiori Apps and Other App Types have been activated including Fiori Search
- The Fiori Launchpad and all apps in scope have been tested with a user with the appropriate delivered authorizations
- The Fiori Launchpad Designer Tool has been activated (as per SAP Best Practice guide S/4HANA Fiori Foundation Configuration (MAA))
Our journey still has many stages. These stages are followed in loosely the following order:
- Define the access challenge for the Business Role
- Map needed Activities to Apps
- Collect Apps into Tile Catalogs
- Assign Fiori Launchpad access to the Business Role
- Assign Tile Catalogs to Business Role in the Fiori Frontend Server
- Assign Tile Catalogs to Business Role in the S/4HANA Core
- Prove our authorizations
In this Part 1 we will look at the first 3 stages. These stages set up the Fiori Launchpad Tile Catalog that determines what apps and related authorizations will be assigned to your business role. In Part 2 we will look at the remaining 4 stages that derive our authorizations from the Tile Catalog.
Define the access challenge for the Business Role
In any journey it’s vital to know where you are headed.
You can frame the access challenge using a UX Point-of-View statement:
“As a <business role> for <my organizational area> I need access to <activity> so that I can <fulfil goal or responsibility>.”
You might also want to expand this to capture a couple more details that will give some context to overarching security access, testing and change management needs.
- What device types will be used
- How frequently we expect the user will do this activity, i.e. are they a casual or expert user
- Whether the apps will be accessed externally (from outside the company firewall) or only internally
Perhaps you could frame this as:
“As a <business role> for <my organizational area> I need access to <activity> so that I can <fulfil goal or responsibility>.
I do this <activity> on my <device type> when <use case> which happens <frequency>. I consider myself a <casual/frequent/expert user> in doing this <activity>.”
Note: If you have more than one device type you might need to capture the different use cases where that applies. For example, someone might use the app mostly on their mobile phone, and be an expert user in that, but occasionally need to access the app on desktop as well. It’s helpful to know WHY they do that: Are there features they can only access on desktop? Or is it just a matter of the location they are in at the time? This is important to know as it can identify some extra authorization requirements that might otherwise be overlooked.
“As a Procurement Officer I need to Review Purchase Orders so that I can manage our corporate spend. I do this mainly on my Desktop, but I may also need to do this on Tablet when I am at a meeting. I consider myself an expert user in purchase order activities.”
Map needed activities to Apps
Having established our access challenge, we need to take it apart and examine it in more detail. We map each activity to the App that provides that feature. Here the S/4HANA Simplification List and the delivered sample Fiori security roles are our guide.
We identify the App(s) needed to perform these activities. Occasionally there may be alternatives, and our business analysts need to define which option is best for the given business role and device usage (desktop, tablet, phone). You may need to capture other organizational considerations, e.g. for an app that will initially be used on desktop, there may be plans to provide it on tablet later.
Here a simple table may be effective.
| Business Role | Activity | App | Device Types |
|---|---|---|---|
| Employee | Submit Purchase Order | Create Purchase Order | Desktop |
| Procurement Officer | Review Purchase Orders | Manage Purchase Orders | Desktop, Tablet |
| Purchasing Manager | Approve Request | Fiori My Inbox | Phone, Tablet, Desktop |
Understanding Tile Catalogs and the Launchpad Designer
As your next step will be to collect apps into Tile Catalogs, you need to be familiar with the Launchpad Designer tool. The Launchpad Designer enables you to manage your Tile Catalogs.
NOTE: This blog is not intended to be a how-to guide on the Launchpad Designer. If you haven’t used the Launchpad Designer before you might want to explore some delivered tile catalogs to increase your understanding. We’ll work through a few basics.
Tip: You can find a step by step description in the SAP Best Practice guide for User Experience – SAP S/4HANA Fiori Launchpad Operation (MAG), and deeper dive information in the documentation for SAP Fiori Launchpad > Administration Guide > Setting up Launchpad Content > Setting up Content with the Launchpad Designer
You launch the Launchpad Designer tool from transaction /UI2/FLPD_CUST (customizing scope – default) or /UI2/FLPD_CONF (configuration scope), or via the URL:
(where <host> is the hostname of the frontend server and <port> is the ICM port).
Here is an example tile catalog showing the Tiles Preview in the Launchpad Designer tool.
Tip: Remember you will need to create a Change Transport Request for all the configuration you do in the Launchpad Designer Tool. You can find more information on that in the documentation SAP NetWeaver AS ABAP 7.51 > Fiori Launchpad > Administration Guide > Setting up Launchpad Content > Setting up content with the Launchpad Designer > Creating Transport Requests for User Changes.
A tile catalog contains the list of apps. Apps can be listed as either a:
- Tile – i.e. a main entry point that can be included on a Launchpad. These are shown in a preview view and a list view.
- Target Mapping – i.e. a semantic object/action navigation reference called as an action (button, link, icon, etc.) from a tile app in the same Tile Catalog
Example catalog showing the Tiles List view
From the tile preview or tile list you can select a tile to view or edit its tile configuration. This controls the appearance of the tile, and contains the Semantic Object and Action that points to the app to be launched when the user selects the tile in the Fiori Launchpad. It’s the Semantic Object and Action that need to be configured in the Target Mappings view.
The apps to be launched by Semantic Object and Actions are listed in the Target Mappings View. You will need a target mapping for each Semantic Object and Action pair required by each tile, and by any intent-based navigation requirements in the app.
NOTE: Check the documentation for the App in the Fiori Apps Library for Semantic Object/Action pairs required.
When you are setting up authorizations it’s helpful to understand how you can use intent-based navigation to control which app is launched for which business role. This works because intent-based navigation uses semantic objects and actions. In other words – providing each business role has its own Tile Catalog – you can use the same semantic reference to point to different target apps for different business roles. Similarly you can define a different target depending on the device type in use.
You can find out more about this in the SAP help for SAP Fiori Launchpad 7.51 > Setting up Launchpad Content > Setting up Content with the Launchpad Designer > Setting up Navigation > About Navigation
Example catalog showing the Target Mappings view
The tile catalog contains the tile configuration (or reference to configuration) for each app – including the device types on which it should appear. Marking the device types automatically declutters irrelevant apps from the Launchpad when moving from one device type to another.
NOTE: You can OPTIONALLY collate tiles from one or more catalogs into Tile Groups. Tile Groups are used to control what apps a user sees by default on the Home Page of the Fiori Launchpad. The tile group is assigned to a user via the security roles in the Fiori Frontend Server. However it’s important to understand that Tile Groups have no impact on the authorizations of a user.
Tip: When you are working with Tile Catalogs, it’s very useful to use the support tools to check your work and make sure nothing is missing. The most important tools are:
| Tool | Access to Tool | Purpose |
|---|---|---|
| Launchpad Content Checks | Transaction /UI2/FLC | Consistency checks |
| Launchpad Intent Analysis | Transaction /UI2/FLIA | Checks the assignment of a given intent to a user |
| Orphaned Catalogs and Groups | Transaction /UI2/FLC1 | Checks for orphaned catalogs and groups. This may happen if you use both the customizing and configuration scope of the Launchpad Designer. |
You can find further information on these tools in the SAP Help documentation via the following links:
Collect Apps into Tile Catalogs
Now that we know what apps are needed by the business role, we can start to put together our Tile Catalog for that business role. The Tile Catalog defines all the apps that a user assigned to this business role is authorized to use. These apps may appear to the user on the Home Page of the Launchpad, in the App Finder, or they can be found via keyword using the Fiori Search bar.
These steps are the responsibility of your Launchpad Content Administrator. Here’s a quick overview of the Launchpad Content Administrator’s tasks.
NOTE: As we mentioned previously Tile Groups do not actually impact authorizations. Tile Groups simply determine which apps are shown on the Home Page by default. We will focus purely on the Tile Catalogs in this blog.
In this example for simplicity we will create one Tile Catalog per Business role.
NOTE: Again we emphasize this blog is not intended to be a how-to guide on the Launchpad Designer. We are showing a simple approach to get you started. Refer to the documentation for more options, i.e. SAP Fiori Launchpad > Administration Guide > Setting up Launchpad Content > Setting up Content with the Launchpad Designer
NOTE: It is possible to share tile catalogs that contain shared apps. Just remember you want to make sure they are truly shared. A user will get the sum of all of the catalogs assigned to them.
Start by creating a catalog:
Add the tiles you want into your catalog. If the tiles already exist in a delivered catalog, you can add them to your own catalog using the Create Reference option. Just select the tile you want to reference and select the Create Reference option.
And then select your own catalog as the target.
NOTE: Once you have added the tile to your own catalog, you can adjust tile names, icons and other information using the Configure option.
Similarly add the Target Mappings you need to your own catalog. Again you can use the Create Reference option to do this. Just select the mapping, select the Create Reference option and then select your own catalog as the target.
You can create references from more than one tile catalog, and you can also add your own entries. Check your own catalog to make sure you have all the tiles and target mappings you expect. The tile catalog displays a useful count of the number of tiles and target mappings in your catalog to assist.
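The check described above can be rehearsed on paper before anything is assigned. The following is an added example, not SAP code and not output from the Launchpad Designer or the /UI2/FLC tools: a small Python model that flags tiles whose Semantic Object/Action pair has no target mapping for a marked device type, and lists what a user would receive from the sum of their catalogs beyond the activity-to-app mapping. Catalog names, intents and target app names are constructed, and treating every target mapping in an assigned catalog as granted access is a simplifying assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Catalog:
    name: str
    tiles: dict = field(default_factory=dict)     # intent -> device types the tile appears on
    mappings: dict = field(default_factory=dict)  # intent -> {device type: target app}

def missing_mappings(cat):
    """Tiles whose intent lacks a target mapping in the same catalog for a device type."""
    gaps = []
    for intent, devices in cat.tiles.items():
        covered = set(cat.mappings.get(intent, {}))
        gaps += [(cat.name, intent, dev) for dev in sorted(set(devices) - covered)]
    return gaps

def effective_intents(catalogs):
    """Union of mapped intents over all assigned catalogs, with the granting catalogs."""
    granted = {}
    for cat in catalogs:
        for intent in cat.mappings:
            granted.setdefault(intent, []).append(cat.name)
    return granted

def excess_access(catalogs, required):
    """Intents the assigned catalogs grant beyond the role's activity-to-app mapping."""
    return {i: src for i, src in effective_intents(catalogs).items() if i not in required}

# Constructed sample data (illustrative names, not delivered SAP content).
OFFICER = Catalog(
    "Z_CAT_PROCUREMENT_OFFICER",
    tiles={("PurchaseOrder", "manage"): ["desktop", "tablet"]},
    mappings={("PurchaseOrder", "manage"): {"desktop": "ManagePurchaseOrders"}},
)
SHARED = Catalog(
    "Z_CAT_SHARED",
    tiles={("WorkflowTask", "displayInbox"): ["desktop", "tablet", "phone"]},
    mappings={
        ("WorkflowTask", "displayInbox"): dict.fromkeys(("desktop", "tablet", "phone"), "MyInbox"),
        ("PurchaseOrder", "create"): {"desktop": "CreatePurchaseOrder"},
    },
)
REQUIRED = {("PurchaseOrder", "manage")}  # from the Procurement Officer row of the mapping

if __name__ == "__main__":
    for gap in missing_mappings(OFFICER):
        print("missing target mapping:", gap)
    for intent, sources in excess_access([OFFICER, SHARED], REQUIRED).items():
        print("beyond role definition:", intent, "via", sources)
```

Here the Procurement Officer catalog is missing a tablet target mapping, and the shared catalog brings in two intents the role definition never asked for, which is the review to run before deciding a catalog is truly shared.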
Once you have populated your Tile Catalog with tiles and target mappings you are ready to assign the Tile Catalog to a security role.
We’ll see how that works in Part 2.