SAP Fiori for SAP S/4HANA – Troubleshooting Authorization concept in SADL based OData Services
UPDATE – Relevant for S/4HANA 1909, 1809, 1709, 1610, 1511
Starting in S/4HANA 1511 many Fiori Applications make use of SADL based OData services, in order to consume and expose CDS views meaning the development paradigm has become more complex and so is the troubleshooting.
Let’s start by understanding what SADL means in the context of OData services:
Service Adaptation Definition Language (SADL) enables fast read access to data for scenarios on mobile and desktop applications based on SAP HANA using query push-down and it has the following characteristics:
- Can consume different business entities.
- SADL models are entities that are used in business applications – for example, business objects, database tables, search views.
- A SADL model is a data model like:
- DDIC tables or views
- As part of the query push-down process, the user’s input and the application parameters are collected through consumer APIs and used to configure the request for the database
- The authorization enforcement in this process is interposed between query specification by application or end user and data retrieval from the database
In this blog we will focus on explaining how to identify and troubleshoot authorization issues when running a Fiori App that consumes a SADL based OData service by going through 8 steps.
1. Identify the OData request executed by the app using your browser’s developer tools. In this example:
OData Service: MM_PUR_PO_MAINTAIN
2. Based on the collection, try to identify if the ABAP code implements SADL.
To navigate to the implementation class open transaction /IWFND/MAINT_SERVICE, select the required service and click in the “Service Implementation” button.
Once the service details are displayed, double click on the “Data Provider Class” name.
3. Once you confirm that the OData service consumes a CDS view navigate to transaction SEGW and identify the associated CDS.
4. Using ADT, find the required CDS view and open the “Access Control” object.
5. The “Access Control” object will display the required authorization objects.
6. In transaction PFCG generate a new role with the required authorization objects and assign it to your users.
7. In transaction SACM use the Runtime Simulator. Enter the name of the CDS view you wish to test and the user whose authorizations need to be checked.
8. When you run the simulator you will notice the required authorization objects and the values used for the query execution, notice that a results list will be displayed and you will be able to identify any clashing authorization definitions.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Do you have any questions? Let us know in the comments section.
SAP S/4HANA RIG