Fiori for S/4HANA – Mass maintenance of Business Roles for SAP Fiori launchpad
As a UX specialist in the S/4HANA Regional Implementation Group team I’m privileged to work with many of our S/4HANA customers. Many of these S/4HANA customers are looking to drive the business benefits of S/4HANA by implementing Fiori at scale. Such customers typically want to launch a large number of SAP Fiori apps, Web Dynpro ABAP apps, and/or SAP GUI transactions from the SAP Fiori launchpad.
For customer projects wanting to launch such a large SAP Fiori scope, typically many PFCG security roles linking to Fiori Catalogs and Groups have to be created to control:
- Which apps appear by default as tiles or links on the user’s Home Page
- All of the apps the user may launch from the Fiori App Finder or Fiori Search
- Apps launched as a navigation target of another app.
There are many places where app-to-app navigation applies, such as:
- From the card of an Overview Page
- From an action button or link of a Manage <business object> app or a Smart Business KPI tile
- From a List of Links dialog in a Monitor <business object> app
Up to now, creating sufficient security roles has been a manual and cumbersome task to be repeated in the different environments and clients. Now we have a new and automated way to create these PFCG security roles and this will lower the implementation effort needed for implementing SAP Fiori for S/4HANA.
These enhancements are delivered via 2 SAP notes :
- SAP Note 2648554 – Creation of front-end roles for SAP Fiori launchpad
- SAP Note 2533007 – Transfer of role menu from front-end server
UPDATE 01/10/2018 : two new notes were released to fix issues with the report:
- SAP Note 2696715 – PRGN_CREATE_FIORI_FRONTENDROLE: Invalid name for SAP Fiori tile groups
- SAP Note 2698457 – PRGN_CREATE_FIORI_FRONTENDROLE: Applications do not exist
In this blog we describe how to create the PFCG security roles from a text file. This makes it easier to create several new PFCG security roles by combining existing business catalogs, technical catalogs, and groups in one step. This sort of mass maintenance can also be easily redone in different environments and clients.
In case you have a separate front and backend server you can use the second note to import the role menu from the frontend server into the backend server.
To start, you first need to implement SAP Note 2648554 – Creation of front-end roles for SAP Fiori launchpad. If you have a 2-system Fiori landscape, you will do this on the frontend (or gateway) server.
You can implement this note using transaction SNOTE as per standard practice. This note requires you to make some manual changes – mostly to add translation texts to the creation program. You will need to upload the program in the attachment relevant to your release, e.g. ZNOTE_2648554_FOR_752.
Run the program in Test Mode first to check everything is ready. If everything is ok, run the program again in Update and Activate mode and check all traffic lights are green.
Don’t forget to go back to transaction SNOTE and confirm all manual steps have been completed.
The mass maintenance program itself is called: PRGN_CREATE_FIORI_FRONTENDROLE. This program can be run as an executable program, e.g. via transaction SA38, SE38, etc.
The initial screen appears like this:
From this screen there is some documentation available via Program Documentation (or shortcut SHIFT+F1):
In the program on the initial screen you select your maintenance mode to select whether you want to:
- Create a new role
- Append to an existing role
- Replace an existing role
Then you need to indicate how you are providing the apps that are to be part of the role. The choices are:
- Without template – this will take you to a maintenance screen where you can list the apps manually
- Import from file – provide the filename which contains a list of Fiori Catalogs and Groups
- Generation from Fiori Catalogs – in order to generate a PFCG security role based on the one or multiple Fiori Catalogs
There is also an option to delete and recreate the profile and authorizations of the PFCG security role.
All three assignment options will navigate to the Maintenance Screen where you can refine the roles to be created or updated. Here you can manually add and delete entries or import and export the configuration to a file.
Using a text file as input is probably the most flexible way of using the report. The structure of the text file should be as follows:
- A data record is made up of the following fields:
- Name of role
- Short description of role
- Type of menu entry (CAT_PROVIDER for catalog or GROUP_PROVIDER for group)
- Name of the Fiori tile catalog or Fiori tile group
- The data fields are divided by tab signs.
- The data records are divided from one another by a line break.
- When uploading the file, select the appropriate code page, so that special characters are displayed.
As an example we create 2 new PFCG security roles linking to the standard Budget Responsible Fiori Catalog and Group :
After selecting this file the report navigates to the maintenance screen, providing an overview of the roles to be created, which can here still be changed :
First select the roles in the screen above you want to create ore update (left column – in the screenshot above none are selected). When executing from this maintenance screen, the report will create the selected roles – or show any errors that occurred:
These security roles can now be inspected using transaction PFCG :
Another way to use the report is use assignment option “Without template”, showing an empty maintenance screen. From here also a file can be imported or you can manually add new rows.
The 3rd assignment option is “Generation from Fiori Catalogs”, here you can, in the intial screen specify the Fiori Catalogs and delete and add prefix for the Role names :
This gives you the following result in the maintenance screen:
From the maintenance screen details, you can see what is needed:In case you have a separate backend and frontend server you can use report PRGN_CREATE_FIORI_BACKENDROLES to import the roles defined in the previous steps on the frontend server into the backend server.
For this you need to implement SAP Note 2533007 – Transfer of role menu from front-end server on the S/4HANA backend server. As described in the note solution description you can use the report or PFCG transaction on the backend, and transfer the menu of one or multiple frontend roles.
After generating the PFCG security roles you will still need to:
- Generate the authorizations profile
- Assign users to the role
We hope that this tool will be useful and save time in the implementation of SAP Fiori in your S/4HANA Projects. Please let us know your feedback.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Brought to you by the S/4HANA RIG