Skip to Content
Technical Articles

SAP Fiori Gateway Client – OData Service Error for Trusted System

Objective

 

I have been working on multiple S/4HANA implementations and of course FIORI implementation has been an integral part of these projects. I want to share a recent problem we faced when FIORI developer was trying to test a few ODATA services via SAP Gateway Client. It’s also a good idea to gradually extend the discussion into further blog parts to cover many problems / error I have been observing as a Basis consultant in FIORI projects.

 

Problem Scenario

 

SAP Developer was not able to test an ODATA service in SAP gateway Client. She received the following error:

RFC Error: No authorization to log via a trusted system (L-RC=1002 T-RC=2).

Environment we were working on consisted of SAPUIFT 100, UISHOP1 200 and SAP_UI 751 (NW 7.5) in SAP FIORI system (Gateway) and the Backend system was S/4HANA 1610.

 

Analysis

 

From my experience, normally this kind of error is observed when the user is not able to login from source system to a target system because of improper/missing RFC authorization or Trust relationship between FIORI and backend is in problem – for e.g. RFC connection problem.

When the customer has Central Hub installation for SAP FIORI then an HTTP RFC serves the purpose of trusted communication from SAP FIORI system to S/4HANA system. For e.g.

As we can see in the ‘logon and security’ tab, the logon procedure is configured as ‘Trust Relationship’ and ‘current user’ to be used for login purpose when SAP FIORI system tries to reach the backend i.e. S/4HANA system. That means, when the developer tries to test an ODATA service using SAP gateway client then this RFC is used, and the developer user ID’s authorization will be checked if it has proper RFC authorizations.

Another condition which should be satisfied is that SAP FIORI frontend system should already be configured as a ‘trusted system’ in the target backend system S/4HANA. How do we validate it? – Using the transaction SMT1.

So, the system validates the following items in order to make the trusted relationship to work:

  1. A trusted RFC between the gateway and S/4HANA system should be in place. Validation results were good, as we tested above mentioned RFC with our basis user ID.
  2. User who is testing the gateway services – should have the same Username in FIORI and backend system. Validation results were good, and the username for the FIORI developer was same in both the systems.
  3. User should have RFC authorization roles for e.g. authorization object SAP_S_RFCACL. Here the result was negative. User in the backend S/4HANA system was missing this authorization.
  4. FIORI gateway system should be registered as a trusted system in the backend. Validated using the transaction SMT1. FIORI system SID was listed under the ‘Systems whose calls are trusted’

 

Solution and Testing

 

Create a Z role for SAP_S_RFCACL authorization object, for e.g. Z_SAP_S_RFCACL. Assign the role to the user in target backend S/4HANA system. S_RFCACL object serves the purpose – Authorization Check for RFC User (e.g. Trusted System), which is required for having access to the trusted systems. The object (role) should be assigned to the user and both the systems – FIORI and the backend S4.

Execute the transaction /n/IWFND/MAINT_SERVICE in FIORI/gateway client and search for the concerned ODATA service. Select the ODATA service and click on ‘SAP Gateway Client’.

SAP Gateway Client opens with the default screen as below. Enter the default Request URI (/sap/opu/odata/sap/Z..). Don’t forget to append the request path with “?$format=xml”.

Click ‘Execute’ to test the gateway service.

Testing Result

 

The execution should display the result as ‘HTTP Response’ as seen below. Status code 200 suggests that the service call was successful.

 

Conclusion

 

FIORI developer was able to test the ODATA services using SAP Gateway Client after the trusted relationship conditions for SAP Fiori and SAP S4 systems were validated and rectified.

Hope the blog helps fellow colleagues in SAP domain resolve similar problems in Fiori technology. I plan to share more problems and observation in further blogs. If any suggestions or if you want to discuss further on Fiori Basis topics then you may comment below.

2 Comments
You must be Logged on to comment or reply to a post.
  • Nice blog Bhudev Sharma – I too have experienced this many times over the years and now have a spreadsheet of security roles I provide to clients so that we don’t have these issues stopping progress.

    The HTTP type of connections are also crucial – especially in older setups where you want to call Webdynpros or SAP GUI transactions from the front end Gateway server (FLP). Good that you included this information as well.

    Thanks for sharing this to the wider community, very valuable!

    cheers

    Phil