SAP Security for S/4HANA – How Adding Business Catalogs to the Role Menu automates authorization maintenance
If you are not familiar with managing roles and authorizations in SAP S/4HANA, you might like to look at the excellent blog series by https://people.sap.com/jocelyn.dart before reading this one. A good one to start with is SAP Fiori for SAP S/4HANA – Adding Custom Content to Business Roles.
Transaction PFCG authorization role menu has the “smarts” to facilitate and simplify authorization maintenance for Fiori Catalog access. With some exceptions (see below), role administrators only need to add the Fiori Catalog to the menu before they maintain the authorization data.
The system will automatically determine the required authorizations for OData Services (IWSG for the Front-End System, IWSV for the Backend System, or both for Embedded), SAP GUI Transaction Codes, ABAP Web Dynpro applications, and SAP Web Client UI executables. The arrow next to the catalog can be expanded out to show the imported menu items. These items are read only and cannot be removed directly from the role menu nor can they be maintained.
This blog provides some technical information and tips to leverage this automation. The aim is to simplify your security authorization role build: you add the business catalogs and then maintain the authorization data (and hey, if your SU24 is complete – this is where default authorization proposals are mapped to executables – you have minimal work to do in this space as well).
(you didn’t have to do that….)
How do I make the values default into the menu from the catalog?
The following pre-requisites must be met for the authorization values to be imported from your SAP Fiori business catalogs into your security authorization roles.
- SAP Fiori foundation is already active
- SAP Fiori apps have been activated
- System Aliases have been maintained (e.g. Transaction SM30 maintenance view V_ALIASMAP)
- Include Applications checkbox is selected when the SAP Fiori business catalog is added to the authorization role (see screen shot below)
- You have the correct authorizations for transaction PFCG to add Catalogs to roles and read the catalog information (in addition to the usual create and change authorizations on the S_USER* objects)
| Authorization object | Notes |
|---|---|
| (Authorizations: Transactions in Roles) | You will most likely need full access (asterisk), as a check is performed to add every executable within the business catalog to the authorization role menu. If the object is restricted, then the added value $SERVICES$ is required for all OData services. |
| S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) | You will need this if you have a Hub model (your Gateway system is separate from your backend). Do not enable full access. |
| S_RFC (Authorization Check for RFC Access) | You will require the RFC authorizations listed below to search for business catalogs and refresh the menu. |

RFC function modules required under S_RFC:

- /UI2/CATALOG_PFCG – PFCG node type ‘Catalog’
- /UI2/CATALOG_PFCG_APP_GRP_DTL – Provide details of sub-applications of the CHIP catalog
- /UI2/CATALOG_PFCG_CHANGE – Change Chip Catalog
- /UI2/CATALOG_PFCG_CREATE – Create Chip Catalog
- /UI2/CATALOG_PFCG_DISPLAY – Display Chip Catalog
- /UI2/CATALOG_PFCG_EXECUTE – Call Fiori Launchpad Designer from PFCG
- /UI2/CAT_PROV_ID_SH – Search Help Exit for CHIP Name
Tip: if you do not have the /UI2/CATALOG_PFCG_CREATE RFC you will receive a ‘Catalog does not exist’ message when trying to add the catalog to the menu.
I copied the SAP Standard Business Role so why didn’t it work?
The SAP Standard Business Role template was built and added to your system before the pre-requisite configuration and app activation was completed.
Also, the copy function in transaction PFCG does exactly that (and only that)! The SAP Standard Role didn’t have the values, which means your custom authorization role won’t have them either. You need to fix the menu to import the values.
Alternatively, you might have prepared a load file to mass create your authorization Roles. You can use transaction code SUIM “Search for Applications in Role Menu” to identify the Fiori Catalogs in the SAP Business Role menu and then use mass creation program PRGN_CREATE_FIORI_FRONTENDROLE. When taking this approach, the catalog menus will be read, and all menu items automatically imported (so long as pre-requisites have been met).
Refer to the blog Mass maintenance of Business Roles for SAP Fiori launchpad for more information.
What should I do if the target mappings have changed?
Catalogs must be adjusted in the authorization role menu whenever the target mappings are changed. You do not need to delete and re-add the catalog to the menu when updates have been made (good news)!
Navigate to Transaction Code PFCG in edit mode > Select Role > Menu Tab > Select updated Catalog > Right Click > Choose Details.
So long as you have met the prerequisites (especially Include Applications selected and the right authorizations), the catalog will be re-read and PFCG will calculate the required changes. The “Application in Catalog” dialog shows you:
- Line is highlighted in Red with a Minus (-) Sign – items that will be removed from the menu (target mapping was removed or changed, or application deactivated) which will result in less access
- Line is highlighted in Green with Plus (+) Sign – items that are new (target mapping added to catalog or underlying application activation issue fixed) which will result in more access
- Line is highlighted in Blue with Equal (=) Sign – the value was in the catalog in PFCG before the comparison and there is no change.
You will need to press the green tick to accept the changes. The PFCG menu catalog will now show the updated menu items.
Before maintaining the authorizations, you will need to save the changes to the menu. The Authorizations tab will turn red when you press save if there were any additions or removals.
If the Authorizations tab shows a red traffic light, you will now need to adjust the role authorizations (another “smart” in transaction PFCG is that it compares the timestamp of the last authorization role menu update with the last time authorization data was maintained or generated).
Are you concerned there are a lot of updates to make and it’ll take ages doing it manually?
Good news, we have a mass tool that can help you out.
SE38 program PRGN_COMPARE_ROLE_MENU can be used to mass compare the authorization role menus.
You can enter multiple authorization roles as well as choosing which catalogs are to be refreshed. When you execute the report, you will see the changes that the menu refresh has identified. You will then need to choose Adapt Menu to update the menu items and choose Yes to the confirmation prompt.
Once updates have been made, you can then mass generate the menu, or maintain the authorization role individually.
But then how do I know which role authorizations need to be maintained?
If several administrators are involved in maintaining Fiori Catalogs and authorization roles, it can be hard to know whether your roles are fully maintained. When menu items are changed, the Authorizations tab will show a red traffic light until the authorizations have been maintained.
SAP GUI transaction SUPC (Mass Role Generation) is useful to check which authorization roles require authorization adjustments after a menu change. This transaction can be executed in display mode and provides a report of the authorization status for the roles entered in the selection criteria.
How do I know what items were added or removed (what if someone else is making changes)?
More good news – transaction PFCG change documents will capture what has been added or removed via the catalog.
SUIM > Change Documents > Roles > Or PFCG > Display Role > Utilities > Display Changes
Enter the selection criteria, choose Change Documents > Other Objects in Menu, and execute for the selected roles.
You will see all changes to the menu with the action Added or Removed. Business Catalogs, Fiori Groups, and the menu items relating to the target mappings will appear. The change documents will all start with “OTSERVICE”, even if it was a transaction code that was removed from the catalog.
Tip: table USOBHASH can be used to map the GUID S_SERVICE value back to the OData Service Name.
What if our SAP Fiori frontend server is Standalone (hub)?
That’s okay – the PFCG “smarts” apply to both Standalone(Hub) and Embedded. PFCG “smarts” even know what should go in the Front-End authorization Role versus the Back-End authorization Role.
The key difference: you will need to have RFC connections established and include the RFC destination in the backend authorization role so that the catalog information can be remote-read. And you will need to build 2 authorization roles – one in each system, both containing the business catalogs.
Hey what were those exceptions you mentioned at the start of this blog?
The following exceptions will require the role administrator to assign additional executables to the role menu:
- Default OData Services – the base authorization role for the user will require default services to access Fiori Launchpad that are not linked to a target mapping
- OBN Menu Items or other menu parameters – Items that have been imported via the Catalog are read only. Attributes cannot be maintained in the menu. Older style programs may use Object Based Navigations or need other authorization role menu item settings (e.g. webdynpros may contain parameters). These items will need to be manually added to the role menu (and can be marked as invisible to hide from SAP User Menu, etc)
- SAP Fiori 1.0 Apps, e.g. SAP Access Control Request Access App – the Fiori Application was built prior to the planned integration. Additional OData services are part of the application but not automatically added to the authorization role.
In these situations, the role administrator must add the menu items in addition to the Business Catalog. Ongoing maintenance will require the administrator to review the menu and determine whether the items should remain.
For example, if the underlying application is removed from the catalog, the manually added item should also be removed.
As another tip, it can help to create a folder in the PFCG menu with the App Name, add those additional items to it (you then know why they are manually in the authorization role) and set them to invisible (to avoid them appearing in user menus if the SAP User Menu service is enabled in Fiori Launchpad or users have SAP GUI backend access).
Becoming a SAP Fiori for SAP S/4HANA guru
Please let us know by commenting below if you’ve found this blog helpful or noticed other “smarts” to help build authorization roles for Fiori access.
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Sponsored by the S/4HANA RIG