Jocelyn Dart

Leading S/4HANA UX – Launchpad-driven Authorizations – Part 2 – Configuring the Authorizations

In part 1 Launchpad-driven Authorizations – Configuring the Launchpad, we configured the Tile Catalog for the Fiori Launchpad that holds all the apps to be assigned to our business role.  In part 2, we use the Tile Catalog to derive the authorizations.

We break deriving the authorizations for our business role into the final 4 stages:

  1. Assign Fiori Launchpad access to the Business Role
  2. Assign Tile Catalogs to Business Role in the Fiori Frontend Server
  3. Assign Tile Catalogs to Business Role in the S/4HANA Core
  4. Prove our authorizations

Lastly, we’ll give insights into how Tile Groups relate to security roles and touch on the broader topic of Launchpad Design.

NOTE: This blog assumes you already have some knowledge of creating security roles in an ABAP server using transaction PFCG.

Assign Fiori Launchpad Access to the Business Role

You derive authorizations from the Tile Catalogs to create your security roles that hold all the necessary authorizations.  We will need to assign authorizations in the:

  • Fiori Frontend Server – i.e. the authority to access the Fiori Launchpad and Fiori Apps
  • S/4HANA backend server – i.e. access to Classic Apps and backend data used by Fiori Apps

Start by checking that:

  • User ids are created in both servers
  • You have created a composite role for the business role

Tip: It’s a useful approach to create a composite role per business role in both Fiori Frontend Server and S/4HANA backend server.  This will make it easy to find all of the access assigned to a business role.

Before your users can access tiles they need to be authorized to use the Fiori Launchpad itself. You can find the details of this in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorization Roles > Configuring Roles with Launchpad Start Authorizations

NOTE: Ah there’s a little monster here… miss this step and your user might see unfriendly messages such as “Failed to load groups”.

Tip: You might want to create a common single role for the access to start the Fiori Launchpad.  This single role should be assigned to all Fiori users in the Fiori Frontend Server.  For example you could assign the common role to all Fiori Frontend Security composite security roles that represent business roles.

Assign Tile Catalogs to the Business Role in the Fiori Frontend Server

In transaction PFCG we can now add our Tile Catalogs to a role.  This will give users with this business role the authorization to start any of the Apps listed as Tiles or Target Mappings in our Tile Catalog.

NOTE: This is only the authorization to *start* the app.  Before the app can start pulling data from the S/4HANA Core server, users will need authorizations in the S/4HANA Core server as well. Why doesn’t it grant everything? It’s worth remembering that Apps can come from Cloud Platforms and 3rd party content as well.  So we need layers of authorization to cater for the different types of Apps that are supported by the Fiori Launchpad.

NOTE: We don’t need to think yet about Classic Apps – such as Web Dynpro ABAP and SAPGUI for HTML. These will be assigned in the S/4HANA backend server.

Start by creating your Security Role in transaction PFCG as normal.

Create a security role in transaction PFCG

Since the Tile Catalogs also live in the Fiori Frontend Server we add Tile Catalogs using the Local assignment option. In the Menu tab, select the option to add a “SAP Fiori Tile Catalog”, check that Catalog Provider “Fiori Launchpad Catalog Page” is selected, select “Local Front-end Server”, enter or search and select your Tile Catalog ID, and check the “Include Applications” flag is checked.

PFCG menu tab highlighting the steps for local assignment of a Tile Catalog

NOTE: If the button currently says something different – such as Transaction – use the dropdown menu on the button to swap to the SAP Fiori Tile Catalog option.

Tip: You can find more information in the documentation SAP Fiori Launchpad > Administration Guide > Initial Setup of the Launchpad > Configuring Authorization Roles > Configure Roles for Tile Catalogs > Assign Tile Catalogs to Role

It’s the Include Applications flag that adds the magic!  It reads the tile catalog and derives any IWSG start permissions for the OData Services related to the Fiori Apps.

PFCG Menu tab showing the derived IWSG OData Service start permissions

Tip: Ok so at this point we may have hit our first troll. While this process will derive the majority of OData Service start authorizations it may not pick up all Dynamic calls defined in the configuration of each app in the Tile Catalog.

In this example our Create Billing Documents tile has a Dynamic Data pointing to OData Service path “/sap/opu/odata/SAP/SD_CUSTOMER_INVOICES_CREATE/C_BillingDueListItem_F0798/$count”

You can see the Dynamic Data in the Tile configuration:

Example Tile configuration showing Dynamic Data configuration

We are ok here because the Dynamic Data and the App share the same OData service – which is quite common.  However there is always the chance that a different OData Service is used.

If this happens you can correct the security role by simply adding any additional IWSG permissions using the add Authorization Default option in PFCG. In the Menu tab, select the add Authorization Default option, choose Authorization Default TADIR Service, Program ID R3TR, Object Type IWSG, and use the dropdown in the TADIR Service table to select and find your service.

Tip: Don’t just enter your service name – you need the technical GUID assigned to the OData Service which the dropdown will find for you.

PFCG Menu tab add Authorization Defaults for IWSG permissions

Save your role and assign it to your users as usual.

NOTE: If you are using a composite role, don’t forget to assign your single role to your composite role that represents the collection of all authorizations the business role will need.

OPTIONALLY: You can also assign Tile Groups to your Fiori Frontend Server role.  This will assign the tile group to the Home Page of the business role.

Assign Tile Catalogs to the Business Role in the S/4HANA Backend Server

So now you are ready to derive the backend authorizations for the S/4HANA Core server into your security role in the S/4HANA backend server.  There’s an excellent step-by-step guide written by Gilbert Wong – so I’ll just touch on a few differences.

In transaction PFCG in the S/4HANA backend server we also use our Tile Catalogs to derive our security role. This time we use the Remote assignment method as the Tile Catalogs are hosted in the Fiori Frontend Server.

Once again start in the Menu tab of transaction PFCG, use the add SAP Fiori Tile Catalog option to start, and select Catalog Provider “Fiori Launchpad Catalog Page”.  This time select “Remote Front-end Server”, and enter the RFC Destination that points to your Fiori Frontend Server that hosts the catalogs. Just as before enter your Catalog ID.

PFCG Menu tab showing Remote assignment of a Tile Catalog

Instead of simply assigning Start Authorizations to the OData Services, there is some new magic happening here!

PFCG Menu tab showing assignment of IWSV, TCODE and WDYA permissions

When we add the Tile Catalog using Remote assignment, it reads the tile catalog and derives:

  • IWSV start permissions for the OData Service Implementation of Fiori Apps
  • Transaction Code (S_TCODE) authorizations for SAPGUI for HTML Apps
  • WDYA start permissions for the Web Dynpro ABAP apps

Remote assignment also derives where needed:

  • Authorization objects referenced in the DCL Authorizations of the underlying CDS view(s) of the OData Service Implementation.

Tip: You can find the DCL Authorizations in transaction SACM. It’s important to note that not every CDS view defines DCL Authorizations.

Tip: Ok at this point you may hit another troll.  Again the dynamic data OData Service may not be included. If this happens you can correct the security role by simply adding any additional IWSV permissions using the Authorization Default option in PFCG. The approach is similar to adding missing IWSG authorizations in the Fiori Frontend Server – just specify Object Type IWSV this time.
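
The dynamic-data gap described in the two tips above (IWSG in the Fiori Frontend Server, IWSV in the backend) can be checked for before users run into it. The following is an added example, not SAP tooling and not code from the original post: it parses each tile's Dynamic Data URL and reports services that the role does not yet cover. The tile list, the `Z_EXAMPLE_TASK_COUNT` service and the covered set are constructed sample inputs, and it assumes you can export the covered services by their external names.

```python
import re
from urllib.parse import urlsplit

# SAP Gateway path: /sap/opu/odata/<namespace>/<service>[;v=NNNN][;mo]/<resource>
_GATEWAY = re.compile(r"^/sap/opu/odata/([^/]+)/([^/]+)", re.IGNORECASE)

def odata_service(url):
    """Return (namespace, service, version) for a Gateway OData URL, else None."""
    match = _GATEWAY.match(urlsplit(url).path)  # urlsplit drops ?query and #fragment
    if not match:
        return None
    name, *params = match.group(2).split(";")
    version = 1  # Gateway serves version 1 when the URL carries no ;v= parameter
    for param in params:
        key, _, value = param.partition("=")
        if key.lower() == "v" and value.isdigit():
            version = int(value)
    return match.group(1).upper(), name.upper(), version

def uncovered_dynamic_services(tiles, covered):
    """List (tile title, finding) for Dynamic Data services the role does not cover."""
    findings = []
    for tile in tiles:
        url = tile.get("dynamic_data")
        if not url:
            continue  # static tile: nothing is called when it renders
        service = odata_service(url)
        if service is None:
            findings.append((tile["title"], "unrecognised path: " + url))
        elif service not in covered:
            findings.append((tile["title"], "missing %s/%s v%d" % service))
    return findings

# Constructed sample input: the first URL is the one quoted in this post, the rest are made up.
TILES = [
    {"title": "Create Billing Documents", "dynamic_data":
     "/sap/opu/odata/SAP/SD_CUSTOMER_INVOICES_CREATE/C_BillingDueListItem_F0798/$count"},
    {"title": "Example Task Count", "dynamic_data":
     "/sap/opu/odata/sap/Z_EXAMPLE_TASK_COUNT;v=0002/Tasks/$count?$filter=Open%20eq%20true"},
    {"title": "Example Static Tile", "dynamic_data": ""},
]
# Assumed export of the services already derived from the catalog's target mappings.
COVERED = {("SAP", "SD_CUSTOMER_INVOICES_CREATE", 1)}

if __name__ == "__main__":
    for title, finding in uncovered_dynamic_services(TILES, COVERED):
        print(title + ": " + finding)
```

Any service it reports is a candidate for the manual Authorization Default step: Object Type IWSG in the Fiori Frontend Server role, IWSV in the backend role.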

Having added our Tile Catalog we now need to check and complete the setting for the authorization objects in the Authorizations tab as usual.

PFCG Authorization tab highlighting Change Authorization Data button

 

In the Authorization Data you can see and complete the authorizations derived.

PFCG Change Authorization Data dialog showing completed authorization object assignments S_SERVICE, S_START and S_TCODE

You can restrict data access to the appropriate organizational entities just as you are used to doing if you have worked with security roles in SAP Business Suite or Suite on HANA. And of course generate the security profile as normal.

Prove our authorizations

All you need to do to test your role is log on to the Fiori Launchpad with your test user id for the business role.

Check you can find all the apps in the Fiori Search or App Finder.

VERY IMPORTANT: Do not simply look at the tiles on the Home Page. The Home Page only shows selected tiles based on what has been assigned to the business role as Tile Groups. You need to test more broadly to make sure you have checked all the apps of the business role.  And no – don’t just put every tile on the Home Page – that’s likely to create a bad user experience… as we’ll explain in the next section “From Access to Productivity”.

Check you can open each app and navigate to the other apps as expected.

Tip: Ok so there’s always the possibility of a lurking troll.  If you have assigned all your authorizations correctly, then the app should open as expected.  If you receive a message “Could not open app” you may still be missing something.  So check transaction SU53 or STAUTHTRACE and add the missing authorization to your security role.

What happens if you later change the Tile Catalog? For example to add more tiles or target mappings.   Just enter the PFCG roles again in edit mode and the authorizations are automatically added.  You simply need to complete any new authorization objects in the Authorizations tab.

From Access to Productivity

Remember that access is only one of our goals… an essential stepping stone on the way to improved User Productivity and delightful User Experience.

For this you will also need to think about another topic: Launchpad Design.

Authorization Adventure Map

Lastly, like any good quest book we include a treasure map to show the whole kingdom with thanks to Van Vi

Complete diagram of Launchpad Authorizations derived in both Fiori Frontend Server and S/4HANA backend server

      10 Comments
      Former Member

      Hi  Jocelyn,

      thanks for your blog! Are you planning a further chapter on authorizations?

      E.g. how to use a ‘manage’-app in read-only mode, like Manage Purchase Orders or Manage Sales Orders.

       

      Thanks

      Birgit

      Jun Wu

      What happens if you later change the Tile Catalog? For example to add more tiles or target mappings. Just enter the PFCG roles again in edit mode and the authorizations are automatically added. You simply need to complete any new authorization objects in the Authorizations tab

      I have to add the catalog manually to see the authorizations. did I miss anything?

      Jocelyn Dart
      Blog Post Author

      Hi Jun Wu,

      The good news is that works fine - once you have manually added the Tile Catalog to the security role in PFCG the very first time the tile catalog is listed in the Menu tab.

      If you change the tiles and target mappings associated with that tile catalog all you need to do is open your PFCG security role again in EDIT mode in transaction PFCG, and open the Authorizations tab.

      You'll find the changes to the tile catalog are picked up automatically - including any additional authorizations.  You can then review or complete any new authorizations in the Authorizations tab of transaction PFCG as per usual.

      Actually works pretty well.

      Hope that helps.

      Rgds,

      Jocelyn

      Akash Garg

       

      Hello Jocelyn,

      Can you please help us understand, the "MAGIC" logic, we are in the project implementation phase and very hesitant to allow manual addition of Services in the Roles, if any Catalog is missing any service, which is the exact source where we can update them. so that the "MAGIC pulls them".

      we tried debugging the FM = /UI2/CATALOG_PFCG_APP_GRP_DTL

      but that's referencing too many things.

      Regards,

      Akash

      Jocelyn Dart
      Blog Post Author

      Hi Akash, Ah well.. it's not magic if you know how it works 😉

      The main reason you need to permit manual addition of services in roles is for any dynamic OData counts or values shown on the tile itself, e.g. the count of tasks on the My Inbox app.

      Unfortunately the current "magic" only looks at the target mappings - not at the dynamic OData services.  This is not something you should consider changing as a customer.

      However you could raise a SAP Incident starting with "Enhancement Request" and ask for the tooling to be improved. It might take a while to deliver this though.

      Rgds

      Jocelyn

      Kiran J

      Some of the oData Services are not added to the role -> Authorizations even though the Catalogs are removed and added to the role

      also the "Launchpad Content Manager" shows that SAPUI5 app in warning stage (Activation Stage) and “check services” is not showing the oData Services that used in the SAPUI5 application?

      is there any connection between these two issues?

      how can we resolve oData Services to get added to the roles without adding them manually?

       

      Jocelyn Dart
      Blog Post Author

      Hi Kiran,

      The best way to resolve these issues is to use the task list SAP_FIORI_FCM_CONTENT_AUTHORIZATION. This updates the role menu and authorizations in a consistent manner for all automated information.

      See microlearning Activating SAP Fiori Content in Custom Business Roles - SAP S/4HANA

      Program PRGN_COMPARE_ROLE_MENU is another useful tool in these situations.

      If you find OData Services or other authorizations that are missing, it may be they have not been correctly linked to the app information.  For these we would suggest reporting them via SAP Incident.

      Generally speaking we include these in SAP Notes for the current release/FPS and look to correct the connections in future release/FPS combinations.

      Kind rgds

      Jocelyn

      Kiran J

      Thank you Jocelyn for your quick reply. May I know if we need to follow same process for the custom SAPUI5 application, custom business catalogs and roles?

      Regards

      Jocelyn Dart
      Blog Post Author

      Yes! The authorizations are derived from the content.

      Kiran J

      Thanks Dart, is there a help documentation for the Fiori Content admin to update the oData Services authorisations for custom Tiles, custom business catalogs /technical catalogs.

      I never saw any way to add oData Services to the Business Catalogs that can update the PFCG role -> authorizations.

       

      Thank you so much for your help.