SAP Fiori for SAP S/4HANA – Limit Search Object Access in Fiori Launchpad
UPDATE – Relevant for S/4HANA 1909, 1809, 1709, 1610, 1511
If you are working with Fiori and using Embedded Search features in the Launchpad you surely have been wondering how to limit access to the search connectors and reduce the number of searchable objects in the Launchpad for each user role.
This blog aims to explain the required steps to achieve this setting along with some configuration tips (click on the images to enlarge them).
If the following image meets your expectations, this is the blog for you:
To obtain these results, please follow the next steps:
1. First of all, you need to identify the user role you wish to restrict, we recommend using Fiori Apps Library for this since there you can find all the required Search Connectors and OData services per Role. We will use the standard role SAP_BR_AR_ACCOUNTANT.
2. Using Fiori Apps library, identify the required OData services and Search Connectors per role. In case of the OData services you need to find all OData services starting with syntax “C_” as this means the OData service is CDS view based and may be used by the search connectors, services that start with syntax “CB_” are also worth taking into consideration as these services are usually based on an Enterprise Search Model. Keep in mind that some user roles may not use any CDS view or ESH based OData services.
You can double check and identify which Search Connectors are used by the services with prefix “CB_” by following the steps in the image:
3. Once you have a list of the OData services and Search Connectors we will start by defining a custom role. Copy standard role SAP_ESH_SEARCH to a custom role following your naming standards, make sure you rename the additional roles as role SAP_ESH_SEARCH is a composite role.
Note – We will pay special attention to the custom version of roles SAP_ESH_SEARCH_USER and SAP_ESH_SEARCH_CDS as these are the roles which limit the display of Search Objects in Fiori Launchpad.
4. We will now need to identify the connector details using transaction ESH_COCKPIT. Here we will need to obtain the “Connector ID” and “Template Name” for each of the Search Connectors required in our role as was noted in Fiori Apps Library. This would be useful when we modify the custom version of role.
5. In our case, our role does not use any OData service with the syntax “C_”, meaning we will not require specific authorizations for CDS views. However, there will be some scenarios where you will need to limit the authorizations for CDS view search based objects. In the following images, you will find two options to identify the CDS views used by an OData service as this will be useful when you modify the custom version of role SAP_ESH_SEARCH_CDS.
6. Now that we have all the required information, we can start modifying the authorization objects in the custom version of roles SAP_ESH_SEARCH_USER and SAP_ESH_SEARCH_CDS. You will need to define all the Enterprise Search objects in role SAP_ESH_SEARCH_USER and the CDS definitions in role SAP_ESH_SEARCH_CDS.
7. After defining the authorization objects, you can now assign the custom role to a test user and open the Launchpad. Once you open the Launchpad Search you will notice that the list of available search objects has been reduced. Nevertheless, if you perform a search query you will not receive any results.
8. In order to make all Search objects work properly we still need to add some additional authorization objects. To do this, we will use transaction ESH_MODELER and obtain the authorization objects required per Search Object, as described in the following image.
9. Once you have added all the required authorization objects the end user will be able to perform search queries for a limited number of objects in Fiori Launchpad.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Do you have any questions? Let us know in the comments section.
SAP S/4HANA RIG
Please help us to solve below Odata(Meta data Refresh Issue)(When try to implement Profit Center Apps fact sheet Apps in 1610
& Error Data object 'BillingDocument' not found.(SAP GATEWAY Error)
Dear Jorge, thanks for that blog. The CDS based usage in the search is new to me. Regarding to that i have a lot more questions, for example if i want to include my own cds-view / solution in the fiori search:
1: What requirements needs to be fullfilled by my own cds-view so the search will include it. i expected that the searchUI annotations must be used. But after checking for example the CFIAPCSHDISCFCST CDS view in our system i cannot find any specific details on that.
2. What fields of the cds view will be used for the search. i believe also there are some annotions used.
3. Where`s the definition of the target application, if i`m able to get the right objects out of my table. i assume there`s a mapping between the search result object and the corresponding ui (Transaction, WDA, Fiori UI) and also the action that we can execute on the search result ( for example: create, change, view etc).
Right now i can`t find any documentation on that steps. i`ve found only the documentation for the HANA native search (“ina”) which i expect that it is not the right one.
If you can bring some lights on that topics, i really appreciate that.
P.S: After writing that comment i`ve found the following notes:
2407921 - ES: Annotations for CDS-based search connectors
2399860 - ES: Behavior of CDS-based search connectors
Are that the right ones or do you have any other source / documentation?
Regarding step 8, can you please clarify that the additional authorization objects would be added to the Enterprise search model role (vs. the business role)?