Skip to Content
Technical Articles
Author's profile photo Tobias Moessle

How to Identify Authorization Errors in the SAP Fiori Launchpad

The first app I’ve setup in the SAP Fiori Launchpad was My Leave Requests in version 1 of the transactional app. As being relatively new to Fiori and to HR topics, it was quite a struggle for me to figure out which authorizations are required to run the app. Of course, HR authorization checks have their own challenges, but adding these challenges to a distributed landscape, simply leads to a very long implementation phase.

Fortunately, now there is the possibility to speed up authorization troubleshooting, without having to switch to SAP GUI. In the following article, I will cover the possibilities of looking up authorization issues by using the App Support plugin in the SAP Fiori Launchpad. For easier reading I’ve split up the topic into two different point of views. I think this makes sense, as the requirements for somebody with a more technical background (key user or admin) might be different from a business user.

Prerequisites

In a distributed landscape, please ensure your back-end system has the sufficient SAP Basis level, as per SAP Note 2871194

https://launchpad.support.sap.com/#/notes/2871194

To generally activate App Support in your SAP Fiori Launchpad, follow the steps mentioned here:
https://help.sap.com/viewer/a7b390faab1140c087b8926571e942b7/202009.001/en-US/04bc7b47932f4e689f7911901087a8f2.html

Example setup: End User

Usually, business users are not really interested in the error details themselves, but more in a correctly working app. I’ll start with the steps from the user’s point of view and then follow up with the setup.

In this example, I’m using the Create Purchase Requisition app, which is a UI5 application. After the user clicks on the tile the stops with an authorization error message. The user is now able to retrieve his authorization errors from App Support:

Start%20App%20Support%20from%20the%20user%20actions%20menu

Start App Support from the user actions menu

 

App%20Support%20view%20for%20a%20user%20with%20minimal%20authorizations

App Support view for a user with minimal authorizations

The user can now download an Excel file and forward it to the IT support staff or a key user. The file contains multiple sheets, most importantly the authorization errors for the front-end and back-end system:

Example%20for%20a%20downloaded%20excel%20file

Example for a downloaded excel file

 

How to setup App Support for this scenario

On the front-end server you will have to add authorization object S_FLP_AS to your general user roles. In transaction PFCG you can then specify which information should be generally available. In this case, you would only add ADELOCALAUTHORIZATIONLOG and ADEREMOTEAUTHORIZATIONLOG for field SUI_ADEDS. As you only want them to be able to access their own logs, set SUI_ADEUS to CURRENT. The settings for ACTVT depend mostly on your company’s preferences. You can decide, if users should be able to see their authorization errors or only be able to download them. In this example I’ve set them to ‘DL’ Download only.

PFCG%20settings%20for%20end%20user

PFCG settings for end user

After assigning this role to your user group, it should be possible for them to retrieve their authorization logs as described above.

Example setup: Key User

Key users usually can handle the more technical information displayed in authorization logs, so they would want to see the authorization errors right away for their own and for other users. We continue to use the app Create Purchase Requisition. Let’s assume another user contacted our key user for assistance, the only information provided is the screenshot above with the error message.

Our key user now logs in to the same app and checks, if authorization errors exist for the other user with App Support.

App%20Support%20in%20user%20menu

App Support in user actions menu for key users

After the dialog opens, the key user can navigate to the authorization errors of the participating systems.

Example%20Authorization%20Errors%20for%20Create%20Purchase%20Requisition%20app

Example Authorization Errors for Create Purchase Requisition app

After switching the name in the User field, our key user is able to look up the missing authorizations for the other users.

How to setup App Support for this scenario

On the front-end server you will have to add authorization object S_FLP_AS to your key user roles. In transaction PFCG you can then specify which information should be generally available.

PFCG%20settings%20for%20key%20users

PFCG settings for key users

For field SUI_ADEDS you define which logs should be displayed. In this case only the authorization logs ADELOCALAUTHORIZATIONLOG and ADEREMOTEAUTHORIZATIONLOG are relevant. Since you want key users to review authorization issues for other users as well, grant full authorizations for SUI_ADEUS. For field ACTVT you can decide, if the users should be able to see their authorization errors or only be able to download them.

In addition to the setting for S_FLP_AS the key user will also require authorization to read error logs for a different user on the backend and frontend. These authorization rights should already be in place, if the key users are able to lookup the errors in transaction SU53. These would be tied to authorization object S_USER_GRP.

 

Summary

While authorization errors are only a small set of App Support’s features, they are probably the most important ones in a day-to-day business. By setting up the system in this way, users are enabled to retrieve their own authorization errors and speed up problem solving. For further information on the full set of features of App Support, check out the following article.

For Questions and Answers on SAP Fiori – please see the SAP Community Q&A area and feel free to post your own questions. I hope you find this blog post helpful – feel free to leave comments and feedback, you can follow the SAP Fiori Launchpad tag to receive updates on blog posts here.

Assigned Tags

      4 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Warren Nash
      Warren Nash

      Great knowledge article.

      Author's profile photo Nelis Lamprecht
      Nelis Lamprecht

      SAPUI5 version must be 1.84 or above.

      Well that is a pity since many(most?) SAP customers are still using SAPUI5 1.71.xx which is long term support.

      I hope SAP will consider down porting this to lower supported releases of SAPUI5 for their customers.

      Regards,

      Author's profile photo Tobias Moessle
      Tobias Moessle
      Blog Post Author

      Hi Nelis,

      App Support has actually already been downported to SAP_UI 7.54 SP06 in S/4HANA 1909 SP04 or Frontend Server 6.0 SP04. This would translate to SAPUI5 1.71, if I'm not mistaking. For further information, please also check the following blog:

      https://blogs.sap.com/2021/02/08/app-support-for-the-sap-fiori-launchpad/

      Regards,
      Tobias

       

      Author's profile photo Nelis Lamprecht
      Nelis Lamprecht

      Thanks for the info Tobias, much appreciated. I see we are still on FES 6.0 SP02 / SAP_UI 7.54 SP03 but I am planning an upgrade in the next couple months so will definitely look out for this very useful feature.

      Regards,