Technical Articles
How to Identify Authorization Errors in the SAP Fiori Launchpad
The first app I’ve setup in the SAP Fiori Launchpad was My Leave Requests in version 1 of the transactional app. As being relatively new to Fiori and to HR topics, it was quite a struggle for me to figure out which authorizations are required to run the app. Of course, HR authorization checks have their own challenges, but adding these challenges to a distributed landscape, simply leads to a very long implementation phase.
Fortunately, now there is the possibility to speed up authorization troubleshooting, without having to switch to SAP GUI. In the following article, I will cover the possibilities of looking up authorization issues by using the App Support plugin in the SAP Fiori Launchpad. For easier reading I’ve split up the topic into two different point of views. I think this makes sense, as the requirements for somebody with a more technical background (key user or admin) might be different from a business user.
Prerequisites
In a distributed landscape, please ensure your back-end system has the sufficient SAP Basis level, as per SAP Note 2871194
https://launchpad.support.sap.com/#/notes/2871194
To generally activate App Support in your SAP Fiori Launchpad, follow the steps mentioned here:
https://help.sap.com/viewer/a7b390faab1140c087b8926571e942b7/202009.001/en-US/04bc7b47932f4e689f7911901087a8f2.html
Example setup: End User
Usually, business users are not really interested in the error details themselves, but more in a correctly working app. I’ll start with the steps from the user’s point of view and then follow up with the setup.
In this example, I’m using the Create Purchase Requisition app, which is a UI5 application. After the user clicks on the tile the stops with an authorization error message. The user is now able to retrieve his authorization errors from App Support:
Start App Support from the user actions menu
App Support view for a user with minimal authorizations
The user can now download an Excel file and forward it to the IT support staff or a key user. The file contains multiple sheets, most importantly the authorization errors for the front-end and back-end system:
Example for a downloaded excel file
How to setup App Support for this scenario
On the front-end server you will have to add authorization object S_FLP_AS to your general user roles. In transaction PFCG you can then specify which information should be generally available. In this case, you would only add ADELOCALAUTHORIZATIONLOG and ADEREMOTEAUTHORIZATIONLOG for field SUI_ADEDS. As you only want them to be able to access their own logs, set SUI_ADEUS to CURRENT. The settings for ACTVT depend mostly on your company’s preferences. You can decide, if users should be able to see their authorization errors or only be able to download them. In this example I’ve set them to ‘DL’ Download only.
PFCG settings for end user
After assigning this role to your user group, it should be possible for them to retrieve their authorization logs as described above.
Example setup: Key User
Key users usually can handle the more technical information displayed in authorization logs, so they would want to see the authorization errors right away for their own and for other users. We continue to use the app Create Purchase Requisition. Let’s assume another user contacted our key user for assistance, the only information provided is the screenshot above with the error message.
Our key user now logs in to the same app and checks, if authorization errors exist for the other user with App Support.
App Support in user actions menu for key users
After the dialog opens, the key user can navigate to the authorization errors of the participating systems.
Example Authorization Errors for Create Purchase Requisition app
After switching the name in the User field, our key user is able to look up the missing authorizations for the other users.
How to setup App Support for this scenario
On the front-end server you will have to add authorization object S_FLP_AS to your key user roles. In transaction PFCG you can then specify which information should be generally available.
PFCG settings for key users
For field SUI_ADEDS you define which logs should be displayed. In this case only the authorization logs ADELOCALAUTHORIZATIONLOG and ADEREMOTEAUTHORIZATIONLOG are relevant. Since you want key users to review authorization issues for other users as well, grant full authorizations for SUI_ADEUS. For field ACTVT you can decide, if the users should be able to see their authorization errors or only be able to download them.
In addition to the setting for S_FLP_AS the key user will also require authorization to read error logs for a different user on the backend and frontend. These authorization rights should already be in place, if the key users are able to lookup the errors in transaction SU53. These would be tied to authorization object S_USER_GRP.
Summary
While authorization errors are only a small set of App Support’s features, they are probably the most important ones in a day-to-day business. By setting up the system in this way, users are enabled to retrieve their own authorization errors and speed up problem solving. For further information on the full set of features of App Support, check out the following article.
For Questions and Answers on SAP Fiori – please see the SAP Community Q&A area and feel free to post your own questions. I hope you find this blog post helpful – feel free to leave comments and feedback, you can follow the SAP Fiori Launchpad tag to receive updates on blog posts here.
Great knowledge article.
Well that is a pity since many(most?) SAP customers are still using SAPUI5 1.71.xx which is long term support.
I hope SAP will consider down porting this to lower supported releases of SAPUI5 for their customers.
Regards,
Hi Nelis,
App Support has actually already been downported to SAP_UI 7.54 SP06 in S/4HANA 1909 SP04 or Frontend Server 6.0 SP04. This would translate to SAPUI5 1.71, if I'm not mistaking. For further information, please also check the following blog:
https://blogs.sap.com/2021/02/08/app-support-for-the-sap-fiori-launchpad/
Regards,
Tobias
Thanks for the info Tobias, much appreciated. I see we are still on FES 6.0 SP02 / SAP_UI 7.54 SP03 but I am planning an upgrade in the next couple months so will definitely look out for this very useful feature.
Regards,
Thanks this is very usefull information.
I wonder if we can use this feature for webgui applications or program.
Webgui is an abap program that we display it inside th web browser.
Thanks
Tj
Hi Tj,
Yes, I can definitely confirm, that App Support also works for WebGUI applications, as well as WebDynpro, Fiori/UI5 apps and WCF. In this example transaction VL02n is actually a WebGUI application running in the SAP Fiori Launchpad.
Best regards,
Tobias
Hello together,
thanks for detailed post.
Is there a possibility to do the authorization checks with the "App Support" with SAPUI5 version 1.64 ?
Or with an other Transaction or App ?
Best Regards
Ralf
Hi Ralf,
Sorry, for the late reply. I missed your comment unfortunately. The availability of App Support mainly depends on the S/4 or Frontend Server system you are working on. From UI side there are not many dependencies, but the ABAP part requires one of the following:
Which basically translate to a dependency of the UI5 version of 1.71 as described here:
https://sapui5.hana.ondemand.com/versionoverview.html
Best regards,
Tobias
Hello,
I am not a developer but the title states: "How to Identify Authorization Errors in the SAP Fiori Launchpad". However, the body talks about only custom created apps. Will this apply for SAP-delivered applications as well? Thank you for your kind reply,
Hi Raja,
The article uses a standard Fiori app (F1643) as example, so in general App Support works for customer apps, as well as apps delivered by SAP. There is also no restriction regarding the App type - App Support works for UI5, WebGUI transactions and WebDynpro applications.
Ideally try it out in a sandbox or test system, the setup procedure can be found here:
https://help.sap.com/viewer/a7b390faab1140c087b8926571e942b7/202009.001/en-US/04bc7b47932f4e689f7911901087a8f2.html
Best regards,
Tobias
Hello,
Is the App Support also available on S4/Hana Public Cloud? Are the steps that are described in this blog sufficient to make it work there?
Please let me know,
David de Graaf.
Hello David,
Currently App Support is not available for customers in the S/4 Hana Cloud. Usually customers should not require this level of detail for troubleshooting, but maybe I'm not understanding your use case. If you think it makes sense for you, please reach out to me via PM.
regards,
Tobias