SAP Fiori for SAP S/4HANA – Limit Search Object Access in Fiori Launchpad
UPDATE – Relevant for S/4HANA 1909, 1809, 1709, 1610, 1511
If you are working with Fiori and using Embedded Search features in the Launchpad you surely have been wondering how to limit access to the search connectors and reduce the number of searchable objects in the Launchpad for each user role.
This blog aims to explain the required steps to achieve this setting along with some configuration tips (click on the images to enlarge them).
If the following image meets your expectations, this is the blog for you:
To obtain these results, please follow the next steps:
1. First of all, you need to identify the user role you wish to restrict, we recommend using Fiori Apps Library for this since there you can find all the required Search Connectors and OData services per Role. We will use the standard role SAP_BR_AR_ACCOUNTANT.
2. Using Fiori Apps library, identify the required OData services and Search Connectors per role. In case of the OData services you need to find all OData services starting with syntax “C_” as this means the OData service is CDS view based and may be used by the search connectors, services that start with syntax “CB_” are also worth taking into consideration as these services are usually based on an Enterprise Search Model. Keep in mind that some user roles may not use any CDS view or ESH based OData services.
3. Once you have a list of the OData services and Search Connectors we will start by defining a custom role. Copy standard role SAP_ESH_SEARCH to a custom role following your naming standards, make sure you rename the additional roles as role SAP_ESH_SEARCH is a composite role.
Note – We will pay special attention to the custom version of roles SAP_ESH_SEARCH_USER and SAP_ESH_SEARCH_CDS as these are the roles which limit the display of Search Objects in Fiori Launchpad.
4. We will now need to identify the connector details using transaction ESH_COCKPIT. Here we will need to obtain the “Connector ID” and “Template Name” for each of the Search Connectors required in our role as was noted in Fiori Apps Library. This would be useful when we modify the custom version of role.
5. In our case, our role does not use any OData service with the syntax “C_”, meaning we will not require specific authorizations for CDS views. However, there will be some scenarios where you will need to limit the authorizations for CDS view search based objects. In the following images, you will find two options to identify the CDS views used by an OData service as this will be useful when you modify the custom version of role SAP_ESH_SEARCH_CDS.
6. Now that we have all the required information, we can start modifying the authorization objects in the custom version of roles SAP_ESH_SEARCH_USER and SAP_ESH_SEARCH_CDS. You will need to define all the Enterprise Search objects in role SAP_ESH_SEARCH_USER and the CDS definitions in role SAP_ESH_SEARCH_CDS.
7. After defining the authorization objects, you can now assign the custom role to a test user and open the Launchpad. Once you open the Launchpad Search you will notice that the list of available search objects has been reduced. Nevertheless, if you perform a search query you will not receive any results.
8. In order to make all Search objects work properly we still need to add some additional authorization objects. To do this, we will use transaction ESH_MODELER and obtain the authorization objects required per Search Object, as described in the following image.
9. Once you have added all the required authorization objects the end user will be able to perform search queries for a limited number of objects in Fiori Launchpad.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Do you have any questions? Let us know in the comments section.
SAP S/4HANA RIG