Skip to Content
Technical Articles
Author's profile photo Özkan YILMAZ

Maintain Back-End Authorization Objects for Fiori App


This blog is meant to help you to find all authorization objects which are using by custom Fiori app and then creating roles in back-end, front-end systems.

In this blog you will learn, how we can maintain authorization objects for custom Fiori/SAPUI5 apps step by step.

When after creating a Fiori project, some authorization objects related to processes are needed. Users who want to use Fiori app need back-end and front-end roles to run the app properly.

Front-end system roles

As a beginning Launchpad Catalog, Group and Gateway service should be added to role in Front-end system.
You can take reference below documentation for front-end;

Back-end system roles

For authorization objects of back-end role, traces can save with t-codes in below and add to roles easily,
STUSOBTRACE – Authorization Trace,
STAUTHTRACE – System Trace,

Step 1: Trace

I will use STAUTHTRACE tcode for trace in this blog.

At first, we need to activate trace for testing user in tcode,

After process all cases in Fiori app, we can see the report of all used authorization objects with “Evaluate” button.

Step 2: Maintain Authorization Values in SU24

We should add these objects to our Gateway service in SU24 tcode,

Type of Application should be TADIR for Fiori app,
Object name begins with your gateway project name.

When we open it with “Edit” mode, we can insert Object from Trace like in below, also there is opportunity to add object directly.

You can select filter of trace here for all applications or only current application.

After adding objects, proposal should be selected yes for object which we will need in role.

We can see values for fields of objects in STAUTHTRACE.

In here some values begin with $ , that means this object on organizational level and we can maintain that in PFCG.

Step 3: Adding Authorization object to role

We’ve completed su24 maintain, next step is creating a role in PFCG tcode.

I will create a test role for our example (blue SAP screens),

Add Authorization Default in Menu tab;

Auth. Default will be        TADIR
Obj. Type is                         IWSV.

We should select our gateway service which its objects already filled.

After press copy, service will be seen in Menu tab.

Now we should go “Change authorization data” in Authorizations tab,

All authorization objects will be automatically inherited from gateway service in su24 tcode.

The values for organizational level fields need to know and filling them in that step.

After generate and save, finally users can be added in our role.

When users have back-end and front-end roles, they will be able to use the Fiori app.


In this blog you learned, how you can maintain authorization objects for custom Fiori/SAPUI5 apps step by step. So we are able to maintain all roles for a custom Fiori app and add users to roles.

Please feel free for your suggestions and questions.



Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Vandana Arora
      Vandana Arora

      Explained well.. thanks.. ????

      Author's profile photo Emre Çetinkaya
      Emre Çetinkaya

      Hello Özkan,

      Thank you for sharing.

      Author's profile photo Suleyman Dogu
      Suleyman Dogu

      Really really helpful blog! Thanks a lot!

      Author's profile photo Nipun Mahajan
      Nipun Mahajan

      Hi Ozkan,

      What's the source of the backend authorizations for S4 Hana. I am curious to know if the source of authority checks is only through DCL configured for the associated CDS view or ABAP code written specifically for those apps.

      Trying to understand the authorization from an auditor perspective to validate that correct authorizations have been added to the PFCG roles.

      Look forward to your reply!


      Author's profile photo Özkan YILMAZ
      Özkan YILMAZ
      Blog Post Author

      Dear Nipun,

      All processes might have authorizations in back-end system therefore you could save a trace for service and add needed objects to role.

      Also you could find Fiori authorization concept in below link,


      Author's profile photo Allan Albuquerque
      Allan Albuquerque

      Thanks Özkan for sharing all these tools.

      Lots of users and system admins are daily challenged to map profile troubles on S4/HANA apps and I particularly see that all tools for tracing are welcome.