Skip to Content
Technical Articles

SAP Fiori for SAP S/4HANA – Combining business catalogs into custom business roles

This is a how-to blog post and part of our blog series on Understanding Business Roles.

In this blog post we compare and contrast using familiar SAP GUI transaction tools such as PFCG, versus mass maintenance tools such as Mass Maintenance of Business Roles for SAP Fiori launchpad. You will see how the SAP Fiori launchpad content manager works for custom business roles just as it does for SAP Business Roles. 

There are a few tools available for creating custom business roles.

For example, you can create your business role manually using PFCG or via mass maintenance programs as explained in Mass Maintenance of Business Roles for SAP Fiori launchpad.

In practice, the mass maintenance programs are easier and scale better.

You can use a simple scenario to compare and contrast the effort by combining catalogs from 2 different business roles.

For example:

You have a business role called a Maintenance Monitor. This person reviews your equipment and facilities and makes maintenance requests on behalf of others. They do not make the repairs themselves, however they need to be able to see what maintenance requests have already been submitted or are in progress to avoid creating duplicate requests where maintenance is already planned.

There is no exact fit to SAP Business Roles, however you see that the SAP Business Roles Employee – Maintenance Info and Maintenance Technician contain some business catalogs with all of the SAP Fiori apps and classic user interfaces (SAP GUI, ABAP Web Dynpro for HTML, Web Client UI) that you need.

You decide to create a new custom business role that combines the relevant business catalogs from the SAP Business Roles.

Tip: The screenshots below were taken in a SAP S/4HANA 1909 FPS02 system, with SAP Fiori frontend server is in embedded mode.

Important: Note the effort below for is duplicated for both approaches when using SAP Fiori frontend server in standalone(hub) mode, as roles and authorizations have frontend and backend components.

Summary flow for creating a custom business role

The overall flow for creating a custom business role is:

  1. Identify the launchpad content you want to bring into your business role
  2. Verify that the content is active & ready to use, and to see if any adjustments are needed
  3. Adjust content (where needed)
  4. Create a new security authorizations role to represent your custom business role.
  5. Assign business catalogs to your role.
  6. Generate the authorizations needed to access the launchpad content

Tip: You can optionally refine the authorizations later as needed.

In the simple example in this blog post:

  • The launchpad content are whole business catalogs
  • A decision was taken that the content is ok to use as-is, so you will not find the adjust content step. That will be covered in a future blog in the series.

Identify business catalogs

You start by looking at the closest fit SAP Business Roles, and their related business catalogs that contain the SAP Fiori apps and classic UIs as explained in How SAP Business Roles simplify refining SAP User Experience.

Into your new Maintenance Monitor role, you want to combine:

  • The business catalog SAP_EAM_BC_MREQ from the SAP Business Role Employee – Maintenance Info (SAP_BR_EMPLOYEE_MAINTENANCE), which grants the SAP Fiori app F1511 Request Maintenance
  • The business catalog SAP_EAM_BC_TL_MW from the SAP Business Role Maintenance Technician (SAP_BR_MAINTENANCE_TECHNICIAN), which grants the SAP Fiori app F2661 Find Maintenance Task List and Operations along with related apps to see further details of the maintenance tasks and operations on equipment and facilities

You can see the discovery in the SAP Fiori apps library to find the apps in the business catalog SAP_EAM_BC_TL_MW as of SAP S/4HANA 1909 FPS02.

Apps%20in%20the%20catalog%20SAP_EAM_BC_TL_MW%20as%20of%20SAP%20S/4HANA%201909%20FPS02

Apps in the catalog SAP_EAM_BC_TL_MW as of SAP S/4HANA 1909 FPS02

Before you create your new business role, you will also need to check your prerequisites.

Prerequisites

You will need:

  • Access to read SAP Fiori catalogs, e.g. security role SAP_UI2_FIORI_CATALOGS_READ
  • Access to run the SAP GUI transaction codes PFCG, SU01 (to assign a user), and SA38 (to run the program)
  • A Fiori User role that grants business users access to the SAP Fiori launchpad, such as the Z_FIORI_FOUNDATION_USER role created by the Fiori Foundation task list SAP_FIORI_FOUNDATION_S4
  • Your SAP Fiori launchpad URL to test your custom business role

Verify launchpad content is active

Before you start combining the catalogs into a custom business role, you should verify if the content is active and therefore ready to use. Only active content will launch correctly from the SAP Fiori launchpad. Only active content will generate authorizations correctly.

You can activate the content before or after you create your custom business role. The important thing is to know whether the content is active, as this impacts on deriving authorizations.

The SAP Fiori launchpad content manager provides an easy way to verify your content, from both the Roles tab and the Catalogs tab. Simply select the role or catalog you want to verify, and use the Check Services button to confirm what has been activated.

You use the GUI transaction /UI2/FLPCM_CUST (client-independent) or /UI2/FLPCM_CONF (cross-client) to start the Fiori launchpad content manager. In the Roles tab you search for the roles you want to combine. Select the role to see the catalogs in the role. Then select Check Services button to see if the related catalogs are active and ready to use.

Check%20Services%20for%20a%20role%20in%20SAP%20Fiori%20launchpad%20content%20manager

Check Services for a role in SAP Fiori launchpad content manager

Check Services will see a horizontal traffic light (red/yellow/green) indicator for Service Activation Status to indicate if content is:

  1. Red – not active
  2. Yellow – partially active with some issue still to be resolved
  3. Green – active

All%20services%20active%20%28green%20light%29%20for%20a%20business%20role

All services active (green light) for a business role

If something is not active you will also be given some hints on what is missing – you can see an example below.

Important: Check Services is also available for custom business catalogs and custom business roles.

If for some reason the content is not active you will need to activate the content before finalizing your authorizations and before testing your new role.

You can activate the content before building the business role, e.g. by activating the source SAP Business Roles using rapid activation.  However in a development environment there may be valid reasons for not activating the SAP Business Role.  In this case, you can activate the content after the building the business role by activating using your new business role itself using the task list SAP_FIORI_FCM_CONTENT_ACTIVATION as explained in Further enhancements of SAP Fiori launchpad content manager tool now available.

Manual creation of a new custom role

You can manually create the custom business role using transaction PFCG.

From the SAP Fiori launchpad content manager Roles tab, or from the Roles containing Catalog table in the Catalogs tab, use the Open in PFCG option.

The flow for manual creation of a custom role is:

  1. In transaction PFCG, create your new role in the custom namespace.
  2. In the Menu tab, manually assign Fiori Tile Catalogs to the role one by one.
  3. Go to the Authorizations tab and generate the authorization profile.

Important: In the examples below, this process is shown using a SAP Fiori frontend server in embedded mode.  If your SAP Fiori frontend server is in standalone (hub) mode, authorizations are split between the frontend and the backend, so you will need to repeat this in the backend using the “Remote front-end server” option when entering the catalog ids.

Taking the example, you decide to start by copying the SAP Business Role SAP_BR_EMPLOYEE_MAINTENANCE to your custom role.

Tip: Alternatively you could create a new empty role and then add the just the catalog to the role. The main difference with starting by copying a SAP Business Role is that you at least get its business catalogs defaulted in as a starting point. You can also pick up any business groups as your default launchpad layout.

Enter%20original%20role%20name%20and%20press%20Copy%20button%20in%20GUI%20Transaction%20PFCG

Enter original role name and press Copy button in GUI Transaction PFCG

 

Your custom role needs to be in the customer namespace.  You decide to call it ZI_BR_MAINTENANCE_MONITOR. You use Copy All to copy across all the related subcomponents of the role.

Name%20the%20copied%20role%20and%20Copy%20All%20subcomponents%20of%20the%20role

Name the copied role and Copy All subcomponents of the role

You edit the role to change the description and press Save.  You have to press Save before you make further changes, you will be prompted to save if you forget.

Enter%20the%20role%20description%20and%20Save%20your%20new%2C%20empty%20business%20role

Enter the role description and Save your new, empty business role

You go to the Menu tab to add the additional catalog from the Maintenance Technician role.  You select the Add Transaction button menu and change it to Add SAP Fiori Tile Catalog.

Selecting%20the%20Add%20Fiori%20Tile%20Catalog%20option%20in%20the%20Menu%20tab

Selecting the Add Fiori Tile Catalog option in the Menu tab

You select your catalog provider Fiori Launchpad Catalogs.  You select your local SAP Fiori front-end catalog id.

Important: You need to use the dropdown button on catalog id to get the full internal technical name of the catalog. Alternatively you can use a wildcard * to enter a partial name such as SAP_EAM* and then select the catalog from the dropdown value list.

You make sure the Include Applications checkbox is marked. This is necessary to ensure all the related application authorizations are derived.  You press Continue.

Selecting%20the%20catalog%20provider%2C%20catalog%2C%20and%20Include%20Applications%20checkbox

Selecting the catalog provider, catalog, and Include Applications checkbox

Now both business catalogs are assigned and you can expand them to see the related catalogs.

Expanding%20business%20catalogs%20in%20the%20Menu%20tab%20of%20PFCG%20to%20see%20the%20assigned%20content

Expanding business catalogs in the Menu tab of PFCG to see the assigned content

Lastly you need to generate the authorizations related to these apps. So you move to the Authorizations tab and use the Change Authorization Data button to generate the authorization profile manually.

PFCG%20Authorizations%20tab%20and%20Change%20Authorizations%20button

PFCG Authorizations tab and Change Authorizations button

Tip: Generating the authorizations works much the same as in SAP Business Suite.

Once the Authorization profile is saved you can now assign the role to users.

This process works however the assigning of catalogs to the role and adjusting the authorizations quickly becomes tedious with only a few catalogs. It doesn’t scale well.

Mass Maintenance creation of a new custom role

The easier option is to use the mass maintenance programs to generate a new role using a selection list of catalogs.  You can even use the mass maintenance programs to create multiple custom roles at the same time.

Start the execution program PRGN_CREATE_FIORI_FRONTENDROLE using GUI transaction SA38.

Executing%20program%20PRGN_CREATE_FIORI_FRONTENDROLE%20using%20GUI%20transaction%20SA38

Executing program PRGN_CREATE_FIORI_FRONTENDROLE using GUI transaction SA38

Important: If your SAP Fiori frontend server is in standalone (hub) mode, the authorizations are split between the frontend and backend servers so you will also need to repeat all of this in the backend using program PRGN_CREATE_FIORI_BACKENDROLE to complete the role.

You have a few different options for running the program, e.g. you can upload a list of desired role to catalog assignments from a tab-delimited file; you can use the program to create, change(append), or change(replace) custom business roles. You can find all the options in the program documentation using the “i” (information) button.

For your simple Maintenance Monitor example, you select the Create option and the Without Template option.  You also select the option Delete and Recreate Profile and Authorizations, as this will do all the hard work of profile generation for you.  You press Execute.

Selecting%20the%20options%20to%20Create%20a%20new%20role%20without%20template%20and%20with%20automatic%20authorization%20profile%20generation

Selecting the options to Create a new role without template and with automatic authorization profile generation

You use the Append Row button to add 2 rows and enter your role name and the 2 catalogs you want to assign to it. Remember the role name has to be in the customer namespace – you decide to use ZM_BR_MAINTENANCE_MONITOR. Then press Enter to validate the catalogs.

Tip: If you want to add some business groups to default your launchpad layout for the role, you can do that by adding additional lines with type of entry GROUP_PROVIDER and the business group id as the name of the menu entry.

Entering%20the%20list%20of%20business%20catalogs%20to%20be%20assigned%20to%20business%20catalogs

Entering the list of business catalogs to be assigned to business catalogs

Now all you need to do is press Execute to create the role.You should see a dialog showing a green square indicator to confirm your role was created successfully.

Success%20dialog%20showing%20business%20role%20has%20been%20created%20successfully

Success dialog showing business role has been created successfully

Review the role in transaction PFCG and you will find the role has been created with just a few clicks, ready to assign to a test user id. Even the Authorizations have been created for you.

Generated%20role%20in%20transaction%20PFCG%2C%20business%20catalogs%20expanded%20to%20show%20content%20is%20assigned

Generated role in transaction PFCG, business catalogs expanded to show content is assigned

When you review the authorizations, you will see by default complete authorizations are given to apps and their associated data.  This includes access to all of the SAP Fiori apps, ABAP Web Dynpro applications, SAP GUI transaction codes, and Web Client Uis contained in the business catalogs. You can refine the data access afterwards where needed e.g. to limit access to specific companies, plants, functional locations, cost centers, equipment types, etc.

Generated%20role%20in%20transaction%20PFCG%2C%20showing%20generated%20authorizations

Generated role in transaction PFCG, showing generated authorizations

So you have now learned that the mass maintenance tools are much easier to work with than individual maintenance in transaction PFCG.

Find more information on the mass maintenance generation programs in blog post Mass maintenance of Business Roles for SAP Fiori launchpad

Testing and further refining your custom business role

At this point you now have a custom business role represented by your new custom security role.

You can assign the custom business role to business users, e.g. using GUI transaction PFCG or SU01.

Important: Don’t forget the user will also need generic access to the SAP Fiori launchpad – you can use the Fiori User role created by the Fiori Foundation task list

For example you can create a user id MAINTMONITOR with the assigned roles:

  • Z_FIORI_FOUNDATION_USER to give access to the SAP Fiori launchpad
  • ZM_BR_MAINTENANCE_MONITOR to give the custom business role

Finally you can go to your SAP Fiori launchpad to test your new business role using your test user.

Important: Remember at this stage you have not added any tiles to the home page.  So the home page will be empty. This is fine – remember this is just layout which you adjust later through groups, spaces and pages, or personalization.

SAP%20Fiori%20launchpad%20with%20the%20new%20business%20role%2C%20home%20page%20is%20empty%20as%20groups%20have%20not%20been%20assigned

SAP Fiori launchpad with the new business role, home page is empty as groups have not been assigned

You can see the assigned catalogs and related apps by going to the App Finder. From the App Finder you can launch the apps by selecting the tiles, or use the pin icon to add them to your home page.

For example you can launch the SAP Fiori app F1511 Request Maintenance to try it out.

Request%20Maintenance%20app%20launched%20from%20the%20App%20Finder

F1511 Request Maintenance app launched from the App Finder

What else can you do?

You can access apps via app to app navigation, e.g. where hyperlinks lead you from one app to another.  You can see this in the SAP Fiori app F2661 Find Maintenance Task List and Operations

Maintenance%20Task%20List%20showing%20links%20to%20other%20apps

F2661 Find Maintenance Task List and Operations app showing links to other apps

You can access the apps via the Fiori Search.

Access%20maintenance%20apps%20via%20Fiori%20Search

Accessing maintenance apps via Fiori Search

You can access the apps via the Home/App Title button.

Accessing%20maintenance%20apps%20via%20the%20Home/App%20Title%20button

Accessing maintenance apps via the Home/App Title button

Once you are satisfied that everything is working as expected, you can further refine your role, e.g. adjusting the generated authorizations to limit access to data.

Reviewing your custom business role and other next steps

You can review your new role in the SAP Fiori launchpad content manager, in the same way that you reviewed the original SAP Business Roles.

Custom%20business%20role%20and%20related%20catalogs%20shown%20in%20the%20SAP%20Fiori%20launchpad%20content%20manager

Custom business role and related catalogs shown in the SAP Fiori launchpad content manager

If your apps were not ready, you can activate them now using the task list SAP_FIORI_FCM_CONTENT_ACTIVATION. Don’t forget to adjust your authorizations afterwards.

Becoming a SAP Fiori for SAP S/4HANA guru

You’ll find much more on our SAP Fiori for SAP S/4HANA wiki

Brought to you by the S/4HANA RIG

4 Comments
You must be Logged on to comment or reply to a post.
  • Thanks Jocelyn for this useful blog. Very informative !

    Launchpad Content manager tools like /UI2/FLPCM_CUST & /UI2/FLPCM_CONF have really helped for Apps rapid activation.

    Looking forward if Business catalog groups can also be created from these tools.

     

    Really appreciate Fiori development & RIG team who are working hard to bring simplified tool for rapid Fiori Adoption & Implementation.

     

    Thanks.

     

    Regards

    Samir

    • Adding the group creation would be awesome! Also if one was able to delete BC’s in mass, deleting one by one is slow, perhaps the biggest feature I would like to see improved is the updating of the content after a transport is initiated! When you have 4 security consultants working on role build all at once, there needs to be a timed releases and SCC1’s!

      The changes that have come over the past year have been fantastic, it’s clear to see the dev’s listening to their customers and pumping out some awesome features!

    • Thanks Samir. I can confirm that business groups are NOT part of this tool, for the simple reason that they are being superseded by Spaces and Pages which will be managed via a new SAP Fiori app.

      For the latest info on this please refer to Thomas Reiss latest blog on Multi-page spaces.