SAP Fiori for SAP S/4HANA – Granting Project Users SAP Fiori Launchpad Access – Extras
This blog is a continuation of SAP Fiori for SAP S/4HANA – Granting Project Users SAP Fiori Launchpad Access. The previous blog was getting quite large. As I wrote, the lessons of projects’ past came back to me. I thought I’d share the rest in this blog.
Integration with SAP Solution Manager
SAP Solution Manager can have several impacts on your Fiori Application activations and project user access. This includes:
- Use of CHaRM (Change and Release Management) for transports
- Solution Documentation
CHaRM impacts with SAP Fiori
Before activating Fiori, content and building security roles you will need transports made available. If CHaRM has been implemented, you will need to coordinate transport creation via SAP Solution Manager.
Your project may need to consider a platform enablement set of changes, including SAP Fiori app activation to complete baseline activation of your SAP S/4HANA User Experience that is in scope for your first go live. This will reduce multiple transports or teams with shared applications managing the app activation. It will also reduce potential CSOL (Cross System Object Locks) where several projects require access to the same object.
Solution Documentation allows the users to launch SAP Fiori apps from process diagrams to navigate from solution document the SAP Fiori launchpad (FLP). The user will need to authenticate to FLP and require the associated target mapping (which they are granted via a catalog from their authorization role).
Also, within Solution Documentation, an Executable Library stores the definition of the SAP Fiori apps based on target mapping value. These definitions are assigned to the process steps to enable the above user interaction (launch FLP from Solution Manager).
Depending on the approach you take, your project team will require access to test users with the target mapping or their own account. If not, they will not be able to launch the application via SAP Solution Manager.
Note: if you have not used this integration before, you can review the SAP Solution Manager Demo system. If you have a S/4HANA CAL system (with system ID S4H and the host file containing the right mappings for the domain names to your IP addresses) then the integration will work – you will be able to launch the SAP Fiori executable from this SAP Solution Manager demo system and authenticate to your system.
Managing the Role Build
If you choose to build authorisation roles in SAP GUI transaction PFCG with many catalogs you may find it better to split out the authorisation maintenance. In conjunctions with an implicit security model you could try:
- One or more roles with Catalogs Only – when adding the catalog to the role, do not include applications or maintain authorisation data
- One or more roles with Authorisations Only – manually add the required authorisation objects and use ranges and asterisk values to maintain (you will not see standard, maintained, or changes in the authorization status in PFCG).
- This is a deliberate choice to reserve SU24 integration and default proposals for production role build (less transports) and avoid many authorisation proposals in the role
- Less administrative effort to continually adjust the roles when SU24 data is changed
- Reduce change of overflow of authorisations (unique authorisations proposals from SU24 may result in exhausting the internal authorisation allocations per object – i.e. you might find more than 100 combinations for on object)
- Continue to restrict authorisation object S_TCODE, S_START, S_RFC, S_SERVICE for protect all entry points to the applications.
- For S_SERVICE, in project systems you may find it acceptable to allow an asterisk for all HT services (Hash value for TADIR Objects). You cannot maintain this authorisation until the OData service has been activated. As part of activation, a hash value is written to table USOBHASH which controls the link between the authorisation granted and the IWSG/IWSV OData objects.
- Provide a Base Authorisation Role based on SAP Standard role SAP_UI2_USER – Composite role for end-user tasks within UI technologies to provide the minimum authorizations for accessing the FLP. You may also choose to include a “Base” all user Fiori business catalogs with some common applications, such as My Inbox.
Tip: If you are using SAP Fiori rapid activation, the Foundation task list (SAP_FIORI_FOUNDATION_S4) will generate in the customer namespace a base SAP Fiori user authorization role for accessing the FLP, e.g. Z_FIORI_USER.
As a general guide to project role build, you may want to consider the following project user groups under the guiding principles (i.e. security is not meant to be in place of communication when sharing configuration) to provide authorization roles in addition to Fiori access:
- Platform Administrators/Basis
- Roles and Authorisation Team
- Development Team
- Business Analysts and Business Subject Matter Experts
- Functional Consultants
- Display role for Auditors and other groups
- Analytic Teams
These are starting categories for roles. Some may need to be split out for specific requirements. Some users may wear multiple hats and need several roles assigned to the. I’ve noticed over the years more functional consultants perform basic enhancements (i.e. development) and workflow administration split amongst functional consultants and developers.
SAP Fiori Home Page Design
In these options, do not grant the project users any SAP Fiori Business Groups, I.e. leave the home page empty. Encourage the project users to prepare their home page (using personalization) or access the test user to demonstrate the SAP business role template.
Give the users a blank canvas: their home page is empty, and they can personalize it for their requirements.
An alternative option is to consider a Home Page group for getting started and provide links/documentation to help guide the team (even possibly URL tile to project documentation).
Tip: Of course this is a project conversation that is larger than security but can be helpful with key communications. The Project Management Office (PMO) may appreciate this as another avenue to communicate key project information to everyone.
User Menu and SAP Menu
SAP Fiori launchpad can be configured to allow users to search their menus from SAP GUI. Users can add these items as tiles to their Home Page.
For access to User Menu, the Security Administrator will need to build an authorisation role with a Menu in transaction PFCG and assign it to the project user.
Users will require a SAP Fiori business catalog with a target mapping value to the back-end system. If they have this access and the OData Services have been activated, the user will see additional tabs for User Menu and SAP Menu to search in the App Finder.
Users will navigate to the User Menu and see the available options for the authorisation roles with menus maintained that have been assigned to them.
Alternatively, they can use the SAP Menu
In both cases, target mapping Shell-StartGUI is called and passes the transaction code as a parameter. Note: the configuration guide also provides Web Dynpro ABAP and (from SAP S/4HANA 1909) Web Client UI configuration scenarios as well.
Providing menu access to project users helps keep the team in FLP and away from direct login to the backend via SAP Logon. If they are demonstrating SAP Fiori to business users, they can still access SAP GUI transaction codes (so long as they have a menu as SAP GUI user favourites will not work here).
This can also be an option to reduce assignment of SAP standard business catalogs where they only provide classic User Interfaces (e.g. SAP GUI Transactions, Web Dynpro ABAP applications, and Web Client UIs). However, preferencing the menu over catalogs may cause navigation issues if a user requires a specific target mapping for app to app navigation. For example, Fiori Application F1873 Manage Sales Order includes target mapping SalesOrder-create which launches transaction code VA01 (Create Sales Order). Users will require the target mapping SalesOrder-create to access navigation to transaction VA01 from within Application F1873.
Conversely, you could always consider leveraging the backend technical catalog and build a custom catalog for access to classic UIs .
For more information, refer to WIKI: How to Enable SAP Easy Access Menu for Fiori Launchpad Step-by-Step.
Impacts of Inactive Apps in a Business Catalog
One impact of mass assigning business catalogs to users is the impact of inactive applications or incomplete configuration to support them. Users may experience unexpected errors in FLP when they try to launch the application.
By avoiding defaulting apps to the homepage, you reduce the number of errors. In Sandpit, where project teams may be able adapt to the errors and assigning many catalogs may be acceptable, provided the project team members are sufficiently experienced to understand that this is NOT the desired end user experience.
You may find troubleshooting and investigation impeded by additional error noise as the Gateway Error Logs and other areas are capturing these problems. For these reasons, as the project determines the application scope, start to shift away from SAP business catalogs and use custom business catalogs without the inactive applications.
Don’t Forget the Configuration in SAP Fiori apps themselves
As you sift through the Project Access for SAP Fiori requirements for business user applications, don’t forget there are some SAP Business Roles that must be provided to your Project Team. The following SAP Business Role templates are useful to copy and provide access to SAP Fiori apps that configure other SAP Fiori apps. The table also includes examples of SAP Fiori apps that configure other SAP Fiori apps that these roles provide.
|Business Role Template||Example Apps|
• F1481 Apps to add custom fields to apps
• F2058 Application Job Templates
• F2587 Extensibility Inventory
• F2814 Manage KPIs and Reports
• F1572 Custom Analytical Queries
Business Process Specialist
• F2190 Manage Workflows
• F2412 Manage Teams and Responsibilities
Configuration Expert – Business Process Configuration
• F3264 Monitor Situations for Situation Handling
• Manage Workflows for flexible workflow
Becoming a SAP Fiori for SAP S/4HANA guru
In the comments please let us know your thoughts on Project Access for SAP S/4HANA.
What strategies or practices you have found that work at your site?
What has been the response of your users?
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Sponsored by the S/4HANA RIG