In part 1 Launchpad-driven Authorizations - Configuring the Launchpad, we configured the Tile Catalog for the Fiori Launchpad that holds all the apps to be assigned to our business role. In part 2, we use the Tile Catalog to derive the authorizations.
Deriving the authorizations for our business role we break into the final 4 stages:
Lastly, we’ll give insights into how Tile Groups relate to security roles and touch on the broader topic of Launchpad Design.
NOTE: This blog assumes you already have some knowledge of creating security roles in an ABAP server using transaction PFCG.
You derive authorizations from the Tile Catalogs to create your security roles that hold all the necessary authorizations. We will need to assign authorizations in the:
Start by checking that:
Tip: It’s a useful approach to create a composite role per business role in both Fiori Frontend Server and S/4HANA backend server. This will make it easy to find all of the access assigned to a business role.
Before your users can access tiles they need to be authorized to use the Fiori Launchpad itself. You can find the details of this in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorizat...
NOTE: Ah there’s a little monster here… miss this step and your user might see unfriendly messages such as “Failed to load groups”.
Tip: You might want to create a common single role for the access to start the Fiori Launchpad. This single role should be assigned to all Fiori users in the Fiori Frontend Server. For example you could assign the common role to all Fiori Frontend Security composite security roles that represent business roles.
In transaction PFCG we can now add our Tile Catalogs to a role. This will give users with this business role the authorization to start any of the Apps listed as Tiles or Target Mappings in our Tile Catalog.
NOTE: This is only the authorization to *start* the app. Before the app can start pulling data from the S/4AHANA Core server users will need authorizations in the S/4HANA Core server as well. Why doesn’t it grant everything? It’s worth remembering that Apps can come from Cloud Platforms and 3rd party content as well. So we need layers of authorization to cater for the different types of Apps that are supported by the Fiori Launchpad.
NOTE: We don’t need to think yet about Classic Apps – such as Web Dynpro ABAP and SAPGUI for HTML. These will be assigned in the S/4HANA backend server.
Start by creating your Security Role in transaction PFCG as normal.
Since the Tile Catalogs also live in the Fiori Frontend Server we add Tile Catalogs using the Local assignment option. In the Menu tab, select the option to add a “SAP Fiori Tile Catalog”, check that Catalog Provider “Fiori Launchpad Catalog Page” is selected, select “Local Front-end Server”, enter or search and select your Tile Catalog ID, and check the “Include Applications” flag is checked.
NOTE: If the button currently says something different – such as Transaction – use the dropdown menu on the button to swap to the SAP Fiori Tile Catalog option.
Tip: You can find more information in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorizat...
It’s the Include Applications flag that adds the magic! It reads the tile catalog and derives any IWSG start permissions for the OData Services related to the Fiori Apps.
Tip: Ok so at this point we may have hit our first troll. While this process will derive the majority of OData Service start authorizations it may not pick up all Dynamic calls defined in the configuration of each app in the Tile Catalog.
In this example our Create Billing Documents tile has a Dynamic Data pointing to OData Service path "/sap/opu/odata/SAP/SD_CUSTOMER_INVOICES_CREATE/C_BillingDueListItem_F0798/$count"
You can see the Dynamic Data in the Tile configuration:
We are ok here because the Dynamic Data and the App share the same OData service – which is quite common. However there is always the chance that a different OData Service is used.
If this happens you can correct the security role by simply adding any additional IWSG permissions using the add Authorization Default option in PFCG. In the Menu tab, select the add Authorization Default option, choose Authorization Default TADIR Service, Program ID R3TR, Object Type IWSG, and use the dropdown in the TADIR Service table to select and find your service.
Tip: Don’t just enter your service name – you need the technical GUID assigned to the OData Service which the dropdown will find for you.
Save your role and assign it to your users as usual.
NOTE: If you are using a composite role, don’t forget to assign your single role to your composite role that represents the collection of all authorizations the business role will need.
OPTIONALLY: You can also assign Tile Groups to your Fiori Frontend Server role. This will assign the tile group to the Home Page of the business role.
So now you are ready to derive the backend authorizations for the S/4HANA Core server into your security role in the S/4HANA backend server. There’s an excellent step-by-step guide written by Gilbert Wong – so I’ll just touch on a few differences.
In transaction PFCG in the S/4HANA backend server we also use our Tile Catalogs to derive our security role. This time we use the Remote assignment method as the Tile Catalogs are hosted in the Fiori Frontend Server.
Once again start in the Menu tab of transaction PFCG, use the add SAP Fiori Tile Catalog option to start, and select Catalog Provider “Fiori Launchpad Catalog Page”. This time select “Remote Front-end Server”, and enter the RFC Destination that points to your Fiori Frontend Server that hosts the catalogs. Just as before enter your Catalog ID.
Instead of simply assigning Start Authorizations to the OData Services, there is some new magic happening here!
When we add the Tile Catalog using Remote assignment reads the tile catalog and derives:
Remote assignment also derives where needed:
Tip: You can find the DCL Authorizations in transaction SACM. It's important to note that not every CDS view defines DCL Authorizations.
Tip: Ok at this point you may hit another troll. Again the dynamic data OData Service may not be included. If this happens you can correct the security role by simply adding any additional IWSV permissions using the Authorization Default option in PFCG. The approach is similar to adding missing IWSG authorizations in the Fiori Frontend Server – just specify Object Type IWSV this time.
Having added our Tile Catalog we now need to check and complete the setting for the authorization objects in the Authorizations tab as usual.
In the Authorization Data you can see and complete the authorizations derived.
You can restrict data access to the appropriate organizational entities just as you are used to doing if you have worked with security roles in SAP Business Suite or Suite on HANA. And of course generate the security profile as normal.
All you need to do to test your role is logon to the Fiori Launchpad with your test user id for the business role.
Check you can find all the apps in the Fiori Search or App Finder.
VERY IMPORTANT: Do not simply look at the tiles on the Home Page. The Home Page only shows selected tiles based on what has been assigned to the business role as Tile Groups. You need to test more broadly to make sure you have checked all the apps of the business role. And no – don’t just put every tile on the Home Page – that’s likely to create a bad user experience… as we’ll explain in the next section “From Access to Productivity”.
Check you can open each app and navigate to the other apps as expected.
Tip: Ok so there’s always the possibility of a lurking troll. If you have assigned all your authorizations correctly, then the app should open as expected. If you receive a message “Could not open app” you may still be missing something. So check transaction SU53 or STAUTHTRACE and add that to your security role.
What happens if you later change the Tile Catalog? For example to add more tiles or target mappings. Just enter the PFCG roles again in edit mode and the authorizations are automatically added. You simply need to complete any new authorization objects in the Authorizations tab
Remember that access is only one of our goals… an essential stepping stone on the way to improved User Productivity and delightful User Experience.
For this you will also need to think about another topic: Launchpad Design.
Lastly, like any good quest book we include a treasure map to show the whole kingdom with thanks to Van Vi
Deriving the authorizations for our business role we break into the final 4 stages:
- Assign Fiori Launchpad access to the Business Role
- Assign Tile Catalogs to Business Role in the Fiori Frontend Server
- Assign Tile Catalogs to Business Role in the S/4HANA Core
- Prove our authorizations
Lastly, we’ll give insights into how Tile Groups relate to security roles and touch on the broader topic of Launchpad Design.
NOTE: This blog assumes you already have some knowledge of creating security roles in an ABAP server using transaction PFCG.
Assign Fiori Launchpad Access to the Business Role
You derive authorizations from the Tile Catalogs to create your security roles that hold all the necessary authorizations. We will need to assign authorizations in the:
- Fiori Frontend Server – i.e. the authority to access the Fiori Launchpad and Fiori Apps
- S/4HANA backend server – i.e. access to Classic Apps and backend data used by Fiori Apps
Start by checking that:
- User ids are created in both servers
- You have created a composite role for the business role
Tip: It’s a useful approach to create a composite role per business role in both Fiori Frontend Server and S/4HANA backend server. This will make it easy to find all of the access assigned to a business role.
Before your users can access tiles they need to be authorized to use the Fiori Launchpad itself. You can find the details of this in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorizat...
NOTE: Ah there’s a little monster here… miss this step and your user might see unfriendly messages such as “Failed to load groups”.
Tip: You might want to create a common single role for the access to start the Fiori Launchpad. This single role should be assigned to all Fiori users in the Fiori Frontend Server. For example you could assign the common role to all Fiori Frontend Security composite security roles that represent business roles.
Assign Tile Catalogs to the Business Role in the Fiori Frontend Server
In transaction PFCG we can now add our Tile Catalogs to a role. This will give users with this business role the authorization to start any of the Apps listed as Tiles or Target Mappings in our Tile Catalog.
NOTE: This is only the authorization to *start* the app. Before the app can start pulling data from the S/4AHANA Core server users will need authorizations in the S/4HANA Core server as well. Why doesn’t it grant everything? It’s worth remembering that Apps can come from Cloud Platforms and 3rd party content as well. So we need layers of authorization to cater for the different types of Apps that are supported by the Fiori Launchpad.
NOTE: We don’t need to think yet about Classic Apps – such as Web Dynpro ABAP and SAPGUI for HTML. These will be assigned in the S/4HANA backend server.
Start by creating your Security Role in transaction PFCG as normal.
Since the Tile Catalogs also live in the Fiori Frontend Server we add Tile Catalogs using the Local assignment option. In the Menu tab, select the option to add a “SAP Fiori Tile Catalog”, check that Catalog Provider “Fiori Launchpad Catalog Page” is selected, select “Local Front-end Server”, enter or search and select your Tile Catalog ID, and check the “Include Applications” flag is checked.
NOTE: If the button currently says something different – such as Transaction – use the dropdown menu on the button to swap to the SAP Fiori Tile Catalog option.
Tip: You can find more information in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorizat...
It’s the Include Applications flag that adds the magic! It reads the tile catalog and derives any IWSG start permissions for the OData Services related to the Fiori Apps.
Tip: Ok so at this point we may have hit our first troll. While this process will derive the majority of OData Service start authorizations it may not pick up all Dynamic calls defined in the configuration of each app in the Tile Catalog.
In this example our Create Billing Documents tile has a Dynamic Data pointing to OData Service path "/sap/opu/odata/SAP/SD_CUSTOMER_INVOICES_CREATE/C_BillingDueListItem_F0798/$count"
You can see the Dynamic Data in the Tile configuration:
We are ok here because the Dynamic Data and the App share the same OData service – which is quite common. However there is always the chance that a different OData Service is used.
If this happens you can correct the security role by simply adding any additional IWSG permissions using the add Authorization Default option in PFCG. In the Menu tab, select the add Authorization Default option, choose Authorization Default TADIR Service, Program ID R3TR, Object Type IWSG, and use the dropdown in the TADIR Service table to select and find your service.
Tip: Don’t just enter your service name – you need the technical GUID assigned to the OData Service which the dropdown will find for you.
Save your role and assign it to your users as usual.
NOTE: If you are using a composite role, don’t forget to assign your single role to your composite role that represents the collection of all authorizations the business role will need.
OPTIONALLY: You can also assign Tile Groups to your Fiori Frontend Server role. This will assign the tile group to the Home Page of the business role.
Assign Tile Catalogs to the Business Role in the S/4HANA Backend Server
So now you are ready to derive the backend authorizations for the S/4HANA Core server into your security role in the S/4HANA backend server. There’s an excellent step-by-step guide written by Gilbert Wong – so I’ll just touch on a few differences.
In transaction PFCG in the S/4HANA backend server we also use our Tile Catalogs to derive our security role. This time we use the Remote assignment method as the Tile Catalogs are hosted in the Fiori Frontend Server.
Once again start in the Menu tab of transaction PFCG, use the add SAP Fiori Tile Catalog option to start, and select Catalog Provider “Fiori Launchpad Catalog Page”. This time select “Remote Front-end Server”, and enter the RFC Destination that points to your Fiori Frontend Server that hosts the catalogs. Just as before enter your Catalog ID.
Instead of simply assigning Start Authorizations to the OData Services, there is some new magic happening here!
When we add the Tile Catalog using Remote assignment reads the tile catalog and derives:
- IWSV start permissions for the OData Service Implementation of Fiori Apps
- Transaction Code (S_TCODE) authorizations for SAPGUI for HTML Apps
- WDYA start permissions for the Web Dynpro ABAP apps
Remote assignment also derives where needed:
- Authorization objects referenced in the DCL Authorizations of the underlying CDS view(s) of the OData Service Implementation.
Tip: You can find the DCL Authorizations in transaction SACM. It's important to note that not every CDS view defines DCL Authorizations.
Tip: Ok at this point you may hit another troll. Again the dynamic data OData Service may not be included. If this happens you can correct the security role by simply adding any additional IWSV permissions using the Authorization Default option in PFCG. The approach is similar to adding missing IWSG authorizations in the Fiori Frontend Server – just specify Object Type IWSV this time.
Having added our Tile Catalog we now need to check and complete the setting for the authorization objects in the Authorizations tab as usual.
In the Authorization Data you can see and complete the authorizations derived.
You can restrict data access to the appropriate organizational entities just as you are used to doing if you have worked with security roles in SAP Business Suite or Suite on HANA. And of course generate the security profile as normal.
Prove our authorizations
All you need to do to test your role is logon to the Fiori Launchpad with your test user id for the business role.
Check you can find all the apps in the Fiori Search or App Finder.
VERY IMPORTANT: Do not simply look at the tiles on the Home Page. The Home Page only shows selected tiles based on what has been assigned to the business role as Tile Groups. You need to test more broadly to make sure you have checked all the apps of the business role. And no – don’t just put every tile on the Home Page – that’s likely to create a bad user experience… as we’ll explain in the next section “From Access to Productivity”.
Check you can open each app and navigate to the other apps as expected.
Tip: Ok so there’s always the possibility of a lurking troll. If you have assigned all your authorizations correctly, then the app should open as expected. If you receive a message “Could not open app” you may still be missing something. So check transaction SU53 or STAUTHTRACE and add that to your security role.
What happens if you later change the Tile Catalog? For example to add more tiles or target mappings. Just enter the PFCG roles again in edit mode and the authorizations are automatically added. You simply need to complete any new authorization objects in the Authorizations tab
From Access to Productivity
Remember that access is only one of our goals… an essential stepping stone on the way to improved User Productivity and delightful User Experience.
For this you will also need to think about another topic: Launchpad Design.
Authorization Adventure Map
Lastly, like any good quest book we include a treasure map to show the whole kingdom with thanks to Van Vi
- SAP Managed Tags:
10 Comments
