Skip to Content
Product Information
Author's profile photo Hannes Defloo

Fiori for S/4HANA – Mass maintenance of Business Roles for SAP Fiori launchpad

UPDATE 10/2/2023 : Also relevant for S/4HANA 2022

UPDATE : 24/01/2022 Added SAP Note 3140176 for support of Spaces and Pages

UPDATE: 01/10/2018 : two new notes were released to fix issues

As a UX specialist in the S/4HANA Regional Implementation Group team I’m privileged to work with many of our S/4HANA customers.  Many of these S/4HANA customers are looking to drive the business benefits of S/4HANA by implementing Fiori at scale.  Such customers typically want to launch a large number of SAP Fiori apps, Web Dynpro ABAP apps, and/or SAP GUI transactions from the SAP Fiori launchpad.


For customer projects wanting to launch such a large SAP Fiori scope, typically many PFCG security roles linking to Fiori Catalogs and Groups have to be created to control:

  • Which apps appear by default as tiles or links on the user’s Home Page
  • All of the apps the user may launch from the Fiori App Finder or Fiori Search
  • Apps launched as a navigation target of another app.


There are many places where app-to-app navigation applies, such as:

  • From the card of an Overview Page
  • From an action button or link of a Manage <business object> app or a Smart Business KPI tile
  • From a List of Links dialog in a Monitor <business object> app

Up to now, creating sufficient security roles has been a manual and cumbersome task to be repeated in the different environments and clients.  Now we have a new and automated way to create these PFCG security roles and this will lower the implementation effort needed for implementing SAP Fiori for S/4HANA.

These enhancements are delivered via 2 SAP notes :

UPDATE 01/10/2018 : two new notes were released to fix issues with the report:

UPDATE : 24/01/2022 Added SAP Note 3140176 for support of Spaces and Pages

In this blog we describe how to create the PFCG security roles from a text file.   This makes it easier to create several new PFCG security roles by combining existing business catalogs, technical catalogs, and groups in one step. This sort of mass maintenance can also be easily redone in different environments and clients.

In case you have a separate front and backend server you can use the second note to import the role menu from the frontend server into the backend server.

To start, you first need to implement SAP Note 2648554 – Creation of front-end roles for SAP Fiori launchpad. If you have a 2-system Fiori landscape, you will do this on the frontend (or gateway) server.

You can implement this note using transaction SNOTE as per standard practice.    This note requires you to make some manual changes – mostly to add translation texts to the creation program. You will need to upload the program in the attachment relevant to your release, e.g. ZNOTE_2648554_FOR_752.

Run the program in Test Mode first to check everything is ready.  If everything is ok, run the program again in Update and Activate mode and check all traffic lights are green.

Don’t forget to go back to transaction SNOTE and confirm all manual steps have been completed.

The mass maintenance program itself is called: PRGN_CREATE_FIORI_FRONTENDROLE.  This program can be run as an executable program, e.g. via transaction SA38, SE38, etc.

The initial screen appears like this:


From this screen there is some documentation available via Program Documentation (or shortcut SHIFT+F1):


In the program on the initial screen you select your maintenance mode to select whether you want to:

  • Create a new role
  • Append to an existing role
  • Replace an existing role

Then you need to indicate how you are providing the apps that are to be part of the role. The choices are:

  • Without template – this will take you to a maintenance screen where you can list the apps manually
  • Import from file – provide the filename which contains a list of Fiori Catalogs and Groups
  • Generation from Fiori Catalogs – in order to generate a PFCG security role based on the one or multiple Fiori Catalogs

There is also an option to delete and recreate the profile and authorizations of the PFCG security role.

All three assignment options will navigate to the Maintenance Screen where you can refine the roles to be created or updated.   Here you can manually add and delete entries or import and export the configuration to a file.

Using a text file as input is probably the most flexible way of using the report.  The structure of the text file should be as follows:

  • A data record is made up of the following fields:
    • Name of role
    • Short description of role
    • Type of menu entry (CAT_PROVIDER for catalog or GROUP_PROVIDER for group)
    • Name of the Fiori tile catalog or Fiori tile group
  • The data fields are divided by tab signs.
  • The data records are divided from one another by a line break.
  • When uploading the file, select the appropriate code page, so that special characters are displayed.


As an example we create 2 new PFCG security roles linking to the standard Budget Responsible Fiori Catalog and Group :


After selecting this file the report navigates to the maintenance screen, providing an overview of the roles to be created, which can here still be changed :

First select the roles in the screen above you want to create ore update (left column – in the screenshot above none are selected).  When executing from this maintenance screen, the report will create the selected roles – or show any errors that occurred:

These security roles can now be inspected using transaction PFCG :

Another way to use the report is use assignment option “Without template”, showing an empty maintenance screen.  From here also a file can be imported or you can manually add new rows.

The 3rd assignment option is “Generation from Fiori Catalogs”, here you can, in the intial screen  specify the Fiori Catalogs and delete and add prefix for the Role names :

This gives you the following result in the maintenance screen:

From the maintenance screen details, you can see what is needed:In case you have a separate backend and frontend server you can use report PRGN_CREATE_FIORI_BACKENDROLES to import the roles defined in the previous steps on the frontend server into the backend server.

For this you need to implement SAP Note 2533007 – Transfer of role menu from front-end server on the S/4HANA backend server.  As described in the note solution description you can use the report or PFCG transaction on the backend, and transfer the menu of one or multiple frontend roles.

After generating the PFCG security roles you will still need to:

  • Generate the authorizations profile
  • Assign users to the role


We hope that this tool will be useful and save time in the implementation of SAP Fiori in your S/4HANA Projects.  Please let us know your feedback.


Becoming a SAP Fiori for SAP S/4HANA guru

You’ll find much more on our SAP Fiori for SAP S/4HANA wiki


Brought to you by the S/4HANA RIG

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Syambabu Allu
      Syambabu Allu

      Hi Hannes,

      Thanks for sharing information.

      We are looking into the same.

      Thank you,


      Author's profile photo Nabheet Madan
      Nabheet Madan

      Super blog Hannes Defloo, one month back we were working on a proposal where we need to create mass role for catalogs/groups and this tool we were planning to make. Good to know that SAP has already provided this.



      Author's profile photo Hannes Defloo
      Hannes Defloo
      Blog Post Author

      Thanks Nabheet ! Good luck with the project and let us know if you have any feedback on the tool !

      Author's profile photo dinesh k
      dinesh k

      Hi  Hannes Defloo,

      Usually we copy the standard front end roles that's given in app configuration steps in fiori library. So, Why would I create custom roles in mass and add multiple fiori catalogs to it when I know it will make my launchpad slow to load all the tiles?

      May be I am thinking in another direction. Can you please help share a use case for this here?




      Author's profile photo Hannes Defloo
      Hannes Defloo
      Blog Post Author

      Hi Dinesh,

      Copying standard roles is fine. Some customer however will want to adapt the apps in a calalog (eg. when some apps are not used), this will require you to create custom catalogs and custom groups, and also requires you to create new roles instead of copying from standard ones.

      In addition you might require to create multiple roles referencing the same catalogs, but different authorization profiles.

      The tools described will be much faster than creating everything manually in PFCG in the different environments.

      Hope this helps !

      Regards, Hannes

      Author's profile photo dinesh k
      dinesh k

      Thanks for your input Hannes ! Do we also have any way to create custom catalogs/tiles in mass as well ?

      Author's profile photo Jocelyn Dart
      Jocelyn Dart

      Hi Dinesh

      Expect to hear more soon.

      Right now, if you want to create a custom catalog that is primarily GUI transactions and Web Dynpro ABAP apps you can do that using the Mass Maintenance App Descriptor tool. There's a step by step description in the Fiori Launchpad Guide section Integrating Web Dynpro and SAP GUI applications using Mass Maintenance.



      Author's profile photo Suvonkar Bashak
      Suvonkar Bashak

      Hi Hannes Defloo,

      Nice blog, this would help in creating Fiori roles instead of manually embedding Catalog, Groups.

      Need to explore if odata services can also incorporated.






      Author's profile photo Jocelyn Dart
      Jocelyn Dart

      Hi Suvonkar

      We are planning some other tools to be released soon so watch out for those.



      Author's profile photo Dushyant Bhardwaj
      Dushyant Bhardwaj

      Hello Hannes,

      Thanks for sharing this blog.

      We are trying to implement this technique in our landscape. We are using Central Hub Gateway deployment approach where both our SAP Frontend Gateway and SAP Backend System are hosted on different servers.

      In both SAP Gateway and SAP Backend Systems, the SAP BASIS Component is at 752 SP level 01.

      We are using S4HANA 1709 SPS 01.

      We have successfully implemented SNOTE 2648554 in our Frontend Gateway system which involves uploading the report ZNOTE_2648554_FOR_752.txt and ZNOTE_2648554_FOR_752_EN.txt manually.

      We are also able to execute the report PRGN_CREATE_FIORI_FRONTENDROLE in our Frontend Gateway system.

      But we are facing some issues. When trying to create the PFCG roles ( using the report PRGN_CREATE_FIORI_FRONTENDROLE), while we are providing the details of our custom catalogs and custom groups (in CAT_PROVIDER and GROUP_PROVIDER), the roles are not getting created.

      What we wanted to know is ->

      1. Is this method suitable for creating roles using custom catalogs and custom groups
      2. Since we are at SAP BASIS 752 SP level 01, is this fine to be at this same level for using this approach?
      3. If we are not good with point 2 (SAP BASIS level), do we need to upgrade it?
      4. If yes (for point 3) we need to upgrade our SAP BASIS component, up to which level we should upgrade it?
      5. Do we need to upgrade it in both Frontend Gateway and Backend?

      Just for FYI - We haven't performed the implementation of the SNOTE 2533007 and execution of the report PRGN_CREATE_FIORI_BACKENDROLES in our Backend system.

      Kindy let us know if you need any other inputs.

      Thanks and Regards,


      Author's profile photo Hannes Defloo
      Hannes Defloo
      Blog Post Author

      Hi Dushyant,

      Your system components look ok.

      Make sure the roles are actually selected before you execute (I see now in my screenshot they are not).  Are there any error messages in the following messages screen?

      Thanks, Hannes



      Author's profile photo Dushyant Bhardwaj
      Dushyant Bhardwaj

      Hello Hannes,

      Below are the steps I have executed in Frontend Gateway system.

      1. Execution of report PRGN_CREATE_FIORI_FRONTENDROLE with Processing Mode – ‘Create Roles with Menu’ and Assigning of Fiori Tile Catalogs – ‘Without Template’
      2. While providing the CAT_PROVIDER, it is not throwing any error. But while providing the GROUP_PROVIDER, a pop-up comes saying that the Custom Group which I have selected is invalid.

      But this custom group exist in my SAP Fiori Launchpad Designer and I have selected it from the double square of GROUP_PROVIDER.

      Since I am getting the error at providing Custom Group Name, I am not able to proceed further and not yet clicked on Execute button.

      Kindly let me know if you need any other details.

      Thanks and Regards,


      Author's profile photo Jocelyn Dart
      Jocelyn Dart

      Hi Dushyant, That looks like a bug - hopefully something simple such as upper/lower case confusion. Please raise a SAP Incident as per the usual process.



      Author's profile photo Dushyant Bhardwaj
      Dushyant Bhardwaj

      Hello Jocelyn,


      This is resolved now. SAP has created two new SAP Notes which we need to implement in our SAP Gateway system - 2696715 and  2698457


      Thanks and Regards,


      Author's profile photo Hannes Defloo
      Hannes Defloo
      Blog Post Author

      Thanks Dusyant, I've added these to the blog too.

      Please also confirm the incident if the issues are solved now.

      Regards, Hannes

      Author's profile photo Pankaj Jha
      Pankaj Jha

      Looks like there is no option to mass create backend role referencing the front end role using the program - PRGN_CREATE_FIORI_BACKENDROLES similar to the front end program - PRGN_CREATE_FIORI_FRONTENDROLE ?

      Author's profile photo Vipin Nagpal
      Vipin Nagpal

       Hi Expert, We are working in Hub deployment mode with green field implementation of 1809. I have generated back end role from SAP standard program PRGN_CREATE_FIORI_BACKENDROLES Now, I have done changes in Fiori Groups and catalog. How can I regenerate back end roles after making changes?



      Author's profile photo Johan Gobeyn
      Johan Gobeyn

      Hello, this program is working with groups. Is there a new version that works with spaces as of S/4Hana version 2020?


      Thanks for your answer.


      Author's profile photo Nils Lutz
      Nils Lutz

      Hi Jocelyn Dart,

      do you know if there is any updated version of this tool which support spaces and pages?

      Thanks in advance 🙂

      Author's profile photo Johan Gobeyn
      Johan Gobeyn


      I opened an incident and I'm inn contact with the support service of SAP.

      There is no updated version. I'm describing the issue and hope they will correct the program...


      Kind regards,


      Johan Gobeyn

      Author's profile photo Jocelyn Dart
      Jocelyn Dart

      Thanks Johan. That's the correct process. I know it was under discussion.

      Author's profile photo Johan Gobeyn
      Johan Gobeyn

      The program has been modified for Spaces 🙂


      You just need to implement note 3140176

      Best regards,


      Author's profile photo Hannes Defloo
      Hannes Defloo
      Blog Post Author

      Thanks for creating the incident and providing the note, I added it to the blog as well !