Maintain Back-End Authorization Objects for Fiori App
This blog is meant to help you find all authorization objects used by a custom Fiori app and then create the roles in the back-end and front-end systems.
In this blog you will learn how to maintain authorization objects for custom Fiori/SAPUI5 apps step by step.
After a Fiori project is created, some authorization objects related to its processes are needed. Users who want to use the Fiori app need back-end and front-end roles to run the app properly.
Front-end system roles
To begin with, the Launchpad Catalog, Group and Gateway service should be added to a role in the front-end system.
You can refer to the documentation below for the front-end:
Back-end system roles
For the authorization objects of the back-end role, traces can be recorded with the t-codes below and the results added to roles easily:
STUSOBTRACE – Authorization Trace,
STAUTHTRACE – System Trace,
STUSERTRACE – User Trace.
Step 1: Trace
I will use the STAUTHTRACE tcode for the trace in this blog.
First, we need to activate the trace for the test user in the tcode.
After going through all cases in the Fiori app, we can see the report of all used authorization objects with the “Evaluate” button.
Step 2: Maintain Authorization Values in SU24
We should add these objects to our Gateway service in the SU24 tcode.
Type of Application should be TADIR for a Fiori app.
The object name begins with your gateway project name.
When we open it in “Edit” mode, we can insert objects from the trace as shown below; there is also the option to add an object directly.
Here you can set the trace filter to all applications or only the current application.
After adding the objects, the proposal should be set to yes for each object that we will need in the role.
We can see the values for the fields of the objects in STAUTHTRACE.
Some values here begin with $; this means the object is at organizational level, and we can maintain that in PFCG.
Step 3: Adding Authorization object to role
We’ve completed the SU24 maintenance; the next step is creating a role in the PFCG tcode.
I will create a test role for our example (blue SAP screens).
Add Authorization Default in the Menu tab:
Auth. Default will be TADIR.
Obj. Type is IWSV.
We should select our gateway service, whose objects are already filled.
After pressing Copy, the service will be shown in the Menu tab.
Now we should go to “Change authorization data” in the Authorizations tab.
All authorization objects will be inherited automatically from the gateway service maintained in the SU24 tcode.
The values for the organizational level fields need to be known and filled in at this step.
After generating and saving, users can finally be added to our role.
When users have back-end and front-end roles, they will be able to use the Fiori app.
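The consolidation done by hand in Steps 1 to 3 can also be scripted for review. The following is an added example, not part of the original blog or of SAP's tooling: it groups trace rows into per-object field values, swaps organizational-level values for their $ placeholders, and flags objects whose check failed. The export layout, the sample rows and the org-level field list are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the semicolon-separated layout (object;field;value;rc)
# is an assumed export format, not the exact STAUTHTRACE output.
SAMPLE_TRACE = """object;field;value;rc
M_BEST_BSA;ACTVT;03;0
M_BEST_BSA;BSART;NB;0
M_BEST_EKO;ACTVT;03;0
M_BEST_EKO;EKORG;1000;0
M_BEST_WRK;ACTVT;03;0
M_BEST_WRK;WERKS;1100;0
M_BEST_BSA;ACTVT;02;0
M_BEST_EKO;ACTVT;02;4
M_BEST_EKO;EKORG;1000;4
"""

# Assumed org-level fields; take the real list from your own system.
ORG_LEVEL_FIELDS = frozenset({"BUKRS", "EKORG", "WERKS"})


def build_proposal(trace_text, org_fields=ORG_LEVEL_FIELDS):
    """Return (values per object/field, org-level fields to fill in PFCG,
    objects with a failed check that need manual review)."""
    values = defaultdict(lambda: defaultdict(set))
    org_needed, failed = set(), set()
    for row in csv.DictReader(io.StringIO(trace_text), delimiter=";"):
        obj = (row.get("object") or "").strip()
        field = (row.get("field") or "").strip()
        value = (row.get("value") or "").strip()
        if not obj or not field:
            continue  # skip malformed or empty lines
        if (row.get("rc") or "0").strip() != "0":
            failed.add(obj)  # non-zero return code: review before granting
        if field in org_fields:
            # Keep the $ placeholder; the real value is maintained once in PFCG.
            values[obj][field].add("$" + field)
            org_needed.add(field)
        elif value:
            values[obj][field].add(value)
    proposal = {o: {f: sorted(v) for f, v in fs.items()}
                for o, fs in sorted(values.items())}
    return proposal, sorted(org_needed), sorted(failed)


if __name__ == "__main__":
    proposal, org_needed, failed = build_proposal(SAMPLE_TRACE)
    for obj, fields in proposal.items():
        print(obj, fields, "(review: failed check)" if obj in failed else "")
    print("Org levels to fill in PFCG:", ", ".join(org_needed))
```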
In this blog you learned how to maintain authorization objects for custom Fiori/SAPUI5 apps step by step. We are now able to maintain all roles for a custom Fiori app and add users to the roles.
Please feel free to share your suggestions and questions.
Explained well.. thanks..
Thank you for sharing.
Really really helpful blog! Thanks a lot!
What's the source of the backend authorizations for S4 Hana? I am curious to know if the source of authority checks is only through DCL configured for the associated CDS view or ABAP code written specifically for those apps.
Trying to understand the authorization from an auditor perspective to validate that correct authorizations have been added to the PFCG roles.
Look forward to your reply!
All processes might have authorizations in the back-end system; therefore you could save a trace for the service and add the needed objects to the role.
Also, you could find the Fiori authorization concept in the link below:
Thanks Özkan for sharing all these tools.
Lots of users and system admins are daily challenged to map profile troubles on S4/HANA apps and I particularly see that all tools for tracing are welcome.