
As a UX specialist in the S/4HANA Regional Implementation Group team I’m privileged to work with many of our S/4HANA customers.  Many of these S/4HANA customers are looking to drive the business benefits of S/4HANA by implementing Fiori at scale.  Such customers typically want to launch a large number of SAP Fiori apps, Web Dynpro ABAP apps, and/or SAP GUI transactions from the SAP Fiori launchpad.

 

For customer projects wanting to launch such a large SAP Fiori scope, typically many PFCG security roles linking to Fiori Catalogs and Groups have to be created to control:

  • Which apps appear by default as tiles or links on the user’s Home Page
  • All of the apps the user may launch from the Fiori App Finder or Fiori Search
  • Apps launched as a navigation target of another app.

 

There are many places where app-to-app navigation applies, such as:

  • From the card of an Overview Page
  • From an action button or link of a Manage <business object> app or a Smart Business KPI tile
  • From a List of Links dialog in a Monitor <business object> app

Up to now, creating sufficient security roles has been a manual and cumbersome task to be repeated in the different environments and clients.  Now we have a new and automated way to create these PFCG security roles and this will lower the implementation effort needed for implementing SAP Fiori for S/4HANA.

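These enhancements are delivered via 2 SAP notes:

  • SAP Note 2648554 – Creation of front-end roles for SAP Fiori launchpad
  • SAP Note 2533007 – Transfer of role menu from front-end server on the S/4HANA backend server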

In this blog we describe how to create the PFCG security roles from a text file.   This makes it easier to create several new PFCG security roles by combining existing business catalogs, technical catalogs, and groups in one step. This sort of mass maintenance can also be easily redone in different environments and clients.

In case you have a separate front and backend server you can use the second note to import the role menu from the frontend server into the backend server.

To start, you first need to implement SAP Note 2648554 – Creation of front-end roles for SAP Fiori launchpad. If you have a 2-system Fiori landscape, you will do this on the frontend (or gateway) server.

You can implement this note using transaction SNOTE as per standard practice.    This note requires you to make some manual changes – mostly to add translation texts to the creation program. You will need to upload the program in the attachment relevant to your release, e.g. ZNOTE_2648554_FOR_752.

Run the program in Test Mode first to check everything is ready.  If everything is ok, run the program again in Update and Activate mode and check all traffic lights are green.

Don’t forget to go back to transaction SNOTE and confirm all manual steps have been completed.

The mass maintenance program itself is called: PRGN_CREATE_FIORI_FRONTENDROLE.  This program can be run as an executable program, e.g. via transaction SA38, SE38, etc.

The initial screen appears like this:

 

From this screen there is some documentation available via Program Documentation (or shortcut SHIFT+F1):

 

On the initial screen of the program, you choose the maintenance mode, that is, whether you want to:

  • Create a new role
  • Append to an existing role
  • Replace an existing role

Then you need to indicate how you are providing the apps that are to be part of the role. The choices are:

  • Without template – this will take you to a maintenance screen where you can list the apps manually
  • Import from file – provide the filename which contains a list of Fiori Catalogs and Groups
  • Generation from Fiori Catalogs – generate a PFCG security role based on one or more Fiori Catalogs

There is also an option to delete and recreate the profile and authorizations of the PFCG security role.

All three assignment options will navigate to the Maintenance Screen where you can refine the roles to be created or updated.   Here you can manually add and delete entries or import and export the configuration to a file.

Using a text file as input is probably the most flexible way of using the report.  The structure of the text file should be as follows:

  • A data record is made up of the following fields:
    • Name of role
    • Short description of role
    • Type of menu entry (CAT_PROVIDER for catalog or GROUP_PROVIDER for group)
    • Name of the Fiori tile catalog or Fiori tile group
  • The data fields are divided by tab signs.
  • The data records are divided from one another by a line break.
  • When uploading the file, select the appropriate code page, so that special characters are displayed.
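
A pre-upload check for the file layout described above, as an added example that is not part of the original post or of the SAP notes. It parses the tab-separated records, rejects malformed ones and returns which catalogs and groups each role would receive, so the role scope can be reviewed before the report runs. The role, catalog and group names are constructed placeholders; the 30-character limit and the `SAP_` prefix check are assumptions about PFCG naming, not rules stated in the post.

```python
import csv
import io

ENTRY_TYPES = {"CAT_PROVIDER", "GROUP_PROVIDER"}  # menu entry types named in the post
MAX_ROLE_NAME = 30  # assumption: PFCG role names hold at most 30 characters
RESERVED_PREFIX = "SAP_"  # assumption: prefix of SAP-delivered roles, kept out of custom files


def validate_role_file(text):
    """Return (roles, errors); records with errors are left out of roles."""
    roles, errors = {}, []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, fields in enumerate(reader, start=1):
        if not any(f.strip() for f in fields):
            continue  # blank line between records
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        role, desc, etype, target = (f.strip() for f in fields)
        problems = []
        if not role or len(role) > MAX_ROLE_NAME:
            problems.append(f"role name must be 1-{MAX_ROLE_NAME} characters")
        if role.upper().startswith(RESERVED_PREFIX):
            problems.append("role name uses the SAP_ prefix")
        if etype not in ENTRY_TYPES:
            problems.append(f"unknown entry type {etype!r}")
        if not target:
            problems.append("empty catalog or group name")
        known = roles.get(role)
        if known and known["description"] != desc:
            problems.append("description differs from an earlier record of this role")
        if known and (etype, target) in known["entries"]:
            problems.append("duplicate entry")
        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
            continue
        roles.setdefault(role, {"description": desc, "entries": []})["entries"].append((etype, target))
    return roles, errors


# Constructed sample: role, catalog and group names are placeholders, not SAP content.
SAMPLE = (
    "ZEXAMPLE_BUDGET_DISPLAY\tBudget display (example)\tCAT_PROVIDER\tZEXAMPLE_BC_BUDGET\n"
    "ZEXAMPLE_BUDGET_DISPLAY\tBudget display (example)\tGROUP_PROVIDER\tZEXAMPLE_BCG_BUDGET\n"
    "ZEXAMPLE_BUDGET_MAINTAIN\tBudget maintain (example)\tCAT_PROVIDER\tZEXAMPLE_BC_BUDGET\n"
    "ZEXAMPLE_BUDGET_MAINTAIN\tBudget maintain (example)\tCATALOG\tZEXAMPLE_BC_BUDGET\n"
    "ZEXAMPLE_BROKEN\tMissing field\tGROUP_PROVIDER\n"
)
```

Calling `validate_role_file(SAMPLE)` returns the two valid roles with their entries plus one error each for lines 4 and 5.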

 

As an example we create 2 new PFCG security roles linking to the standard Budget Responsible Fiori Catalog and Group:

 

After selecting this file the report navigates to the maintenance screen, which provides an overview of the roles to be created. The roles can still be changed here:

First, in the screen above, select the roles you want to create or update (left column – in the screenshot above none are selected).  When executing from this maintenance screen, the report will create the selected roles – or show any errors that occurred:

These security roles can now be inspected using transaction PFCG:

Another way to use the report is to use the assignment option “Without template”, which shows an empty maintenance screen.  From here you can also import a file or manually add new rows.

The 3rd assignment option is “Generation from Fiori Catalogs”. Here you can specify the Fiori Catalogs on the initial screen, and delete and add a prefix for the role names:

This gives you the following result in the maintenance screen:

From the maintenance screen details, you can see what is needed:

In case you have a separate backend and frontend server you can use report PRGN_CREATE_FIORI_BACKENDROLES to import the roles defined in the previous steps on the frontend server into the backend server.

For this you need to implement SAP Note 2533007 – Transfer of role menu from front-end server on the S/4HANA backend server.  As described in the note solution description you can use the report or PFCG transaction on the backend, and transfer the menu of one or multiple frontend roles.

After generating the PFCG security roles you will still need to:

  • Generate the authorization profile
  • Assign users to the role

 

We hope that this tool will be useful and save time in the implementation of SAP Fiori in your S/4HANA Projects.  Please let us know your feedback.

 

Becoming a SAP Fiori for SAP S/4HANA guru

You’ll find much more on our SAP Fiori for SAP S/4HANA wiki

 

Brought to you by the S/4HANA RIG


13 Comments


  1. Nabheet Madan

    Super blog Hannes Defloo, one month back we were working on a proposal where we need to create mass role for catalogs/groups and this tool we were planning to make. Good to know that SAP has already provided this.

    Thanks

    Nabheet

    (1) 
  2. dinesh k

    Hi  Hannes Defloo,

    Usually we copy the standard front end roles that’s given in app configuration steps in fiori library. So, Why would I create custom roles in mass and add multiple fiori catalogs to it when I know it will make my launchpad slow to load all the tiles?

    Maybe I am thinking in another direction. Can you please help share a use case for this here?

    Thanks.

     

     

    (0) 
    1. Hannes Defloo Post author

      Hi Dinesh,

      Copying standard roles is fine. Some customers, however, will want to adapt the apps in a catalog (e.g. when some apps are not used); this will require you to create custom catalogs and custom groups, and also requires you to create new roles instead of copying from standard ones.

      In addition you might require to create multiple roles referencing the same catalogs, but different authorization profiles.

      The tools described will be much faster than creating everything manually in PFCG in the different environments.

      Hope this helps !

      Regards, Hannes

      (0) 
  3. Dushyant Bhardwaj

    Hello Hannes,

    Thanks for sharing this blog.

    We are trying to implement this technique in our landscape. We are using Central Hub Gateway deployment approach where both our SAP Frontend Gateway and SAP Backend System are hosted on different servers.

    In both SAP Gateway and SAP Backend Systems, the SAP BASIS Component is at 752 SP level 01.

    We are using S4HANA 1709 SPS 01.

    We have successfully implemented SNOTE 2648554 in our Frontend Gateway system which involves uploading the report ZNOTE_2648554_FOR_752.txt and ZNOTE_2648554_FOR_752_EN.txt manually.

    We are also able to execute the report PRGN_CREATE_FIORI_FRONTENDROLE in our Frontend Gateway system.

    But we are facing some issues. When trying to create the PFCG roles ( using the report PRGN_CREATE_FIORI_FRONTENDROLE), while we are providing the details of our custom catalogs and custom groups (in CAT_PROVIDER and GROUP_PROVIDER), the roles are not getting created.

    What we wanted to know is ->

    1. Is this method suitable for creating roles using custom catalogs and custom groups?
    2. Since we are at SAP BASIS 752 SP level 01, is this fine to be at this same level for using this approach?
    3. If we are not good with point 2 (SAP BASIS level), do we need to upgrade it?
    4. If yes (for point 3) we need to upgrade our SAP BASIS component, up to which level we should upgrade it?
    5. Do we need to upgrade it in both Frontend Gateway and Backend?

    Just for FYI – We haven’t performed the implementation of the SNOTE 2533007 and execution of the report PRGN_CREATE_FIORI_BACKENDROLES in our Backend system.

    Kindly let us know if you need any other inputs.

    Thanks and Regards,

    Dushyant

    (0) 
    1. Hannes Defloo Post author

      Hi Dushyant,

      Your system components look ok.

      Make sure the roles are actually selected before you execute (I see now in my screenshot they are not).  Are there any error messages in the following messages screen?

      Thanks, Hannes

       

       

      (0) 
      1. Dushyant Bhardwaj

        Hello Hannes,

        Below are the steps I have executed in Frontend Gateway system.

        1. Execution of report PRGN_CREATE_FIORI_FRONTENDROLE with Processing Mode – ‘Create Roles with Menu’ and Assigning of Fiori Tile Catalogs – ‘Without Template’
        2. While providing the CAT_PROVIDER, it is not throwing any error. But while providing the GROUP_PROVIDER, a pop-up comes saying that the Custom Group which I have selected is invalid.

        But this custom group exists in my SAP Fiori Launchpad Designer and I have selected it from the double square of GROUP_PROVIDER.

        Since I am getting the error at providing Custom Group Name, I am not able to proceed further and not yet clicked on Execute button.

        Kindly let me know if you need any other details.

        Thanks and Regards,

        Dushyant

        (0) 
        1. Jocelyn Dart

          Hi Dushyant, That looks like a bug – hopefully something simple such as upper/lower case confusion. Please raise a SAP Incident as per the usual process.

          Rgds

          Jocelyn

          (0) 
