Japneet Singh

How to incorporate SAP Fiori APP[FAPP] and Service[SVC] in the ruleset.

  1. The first step is to identify which Service[SVC]s are associated with the SAP Fiori APP[FAPP]. You can check this in the SAP Fiori apps library:
    url: https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#/home
  2. Search for the SAP Fiori APP[FAPP]. As an example, I am taking the standard SAP Fiori APP[FAPP] “Manage outgoing checks”.
  3. Click on Implementation Information and check the associated OData Service[SVC]s. Refer to the screenshot below for more details.

 

  4. There could be more than one Odata Service[SVC] associated with the SAP Fiori APP[FAPP]. In such a scenario, choose the one that is most relevant, which in this case is “FAP_OUTGOING_CHECKS_SRV”.
  5. Once the SAP Fiori APP[FAPP] and Odata Service[SVC] are identified, we need to add the SAP Fiori APP[FAPP] and/or Odata Service[SVC] in the Actions tab of the Function and click Enter.
    Note: To create rules for Service[SVC], you need to run the Authorization Sync for the S4HANA system. To create rules for Fiori APP[FAPP], you need to run the Authorization Sync for the Fiori / Gateway system.
  6. The SAP Fiori APP[FAPP] will not have any permissions. The permissions are associated with the Service[SVC]. If you only add the SAP Fiori APP[FAPP] in the Actions tab, the Permission tab will be empty. Odata Service[SVC]s are available in Action Search like normal Transaction Codes. You can simply go to the Function and search for the Service[SVC]. The moment you add the Odata Service[SVC] in the Action tab of Function, all the associated SU24 Permissions will come automatically in Permission Tab.

    Note: Specific naming conventions are to be followed to create Rules for SAP Fiori APP[FAPP]  and Service[SVC]. Refer to note 2655122 – Prefix / Abbreviation requires Action for creating & running risk analysis.

  7. Now, depending on the type of Risk you want to create, you can follow one of the approaches mentioned below.
  • Risk: SAP Fiori APP[FAPP] vs SAP Fiori APP[FAPP] (Action Level Risk).
    Add SAP Fiori APP[FAPP] 1 in Function 1 and SAP Fiori APP[FAPP] 2 in Function 2. Maintain Function 1 and 2 in Risk 1 and generate the rules. While running the risk analysis, the system will only check if the user/role has access to the conflicting SAP Fiori APP[FAPP]s. Running risk analysis against the risk will only yield action Risks.
  • Risk: Odata Service[SVC] vs Service[SVC] (Action and Permission Level Risk).
    Add Service[SVC] 1 in Function 1 and Odata Service[SVC] 2 in Function 2. Maintain Function 1 and 2 in Risk 1 and generate the rules. While running the risk analysis, the system will only check if the user/role has access to the conflicting Service[SVC]s.
    Running risk analysis against the risk will yield action as well as permission Risks.
  • Risk: SAP Fiori APP[FAPP] and Odata Service[SVC] combination vs SAP Fiori APP[FAPP] and Odata Service[SVC] (Action and Permission Level Risk).
    Use this approach when you want to check the violations at a granular level, that is, identify the risk for the SAP Fiori APP[FAPP] and the corresponding Odata Service[SVC]. Kindly follow the steps mentioned below.
      1. In the Actions tab, maintain the SAP Fiori APP[FAPP]. The permissions will be blank, as the SAP Fiori APP[FAPP] does not have any permission. The permission is associated with the Service[SVC].
      2. In the permission tab, you need to manually copy and paste the permission of the Service[SVC]. For example, for the SAP Fiori APP[FAPP] “Manage outgoing Check (Outgoingcheck-Managelineitems)”, we need to maintain the permission from Odata Service[SVC] “FAP_OUTGOING_CHECKS_SRV” against the SAP Fiori APP[FAPP]. Once we have pasted the authorization, we need to link the Odata Service[SVC] with the SAP Fiori APP[FAPP], and that is done by maintaining the Hash value of the Odata Service[SVC] against the SAP Fiori APP[FAPP]. The line item highlighted in the screenshot below is the linkage of the Odata Service[SVC] with the SAP Fiori APP[FAPP].
      3. The same process needs to be followed in the other conflicting function.
      4. Once done, generate the rules.
    Running Risk analysis against this Risk will yield action as well as permission Risks.

I have taken the example of a standard SAP Fiori APP[FAPP]. In case you want to add the standard SAP Fiori APP[FAPP] to another standard Function, or want to add a custom SAP Fiori APP[FAPP], kindly follow the steps mentioned below.

  1. The first step is to fetch the Hash Value of the Odata Service[SVC]. This can be fetched from the table USOBHASH in the S4 system.
  2. Once you have the Hash Value, you can fetch the authorization data from the table USOBT.
  3. You can download the authorizations and use the same as per the process mentioned above.
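
The three lookup steps above, sketched as an added example (not code from the original post or from SAP): it joins constructed exports of USOBHASH and USOBT to build the permission rows to maintain against a Fiori app action. The column headers, hash values, the `Z_DEMO_*` objects, the `[FAPP] DEMO-APP-ID` action name and the representation of the linkage row as S_SERVICE / SRV_NAME are assumptions for illustration.

```python
import csv
import io

# Constructed sample exports (for instance table downloads saved as CSV).
# Only the columns the script uses are shown; headers, hashes and the
# Z_DEMO_* objects are assumptions, not data from a real system.
USOBHASH_CSV = """NAME,OBJ_NAME
HASH0000000000000000000000AAAA,FAP_OUTGOING_CHECKS_SRV
HASH0000000000000000000000BBBB,ZDEMO_OTHER_SRV
"""
USOBT_CSV = """NAME,OBJECT,FIELD,LOW,HIGH
HASH0000000000000000000000AAAA,Z_DEMO_CHK,ACTVT,01,
HASH0000000000000000000000AAAA,Z_DEMO_CHK,ACTVT,02,
HASH0000000000000000000000AAAA,Z_DEMO_CHK,BUKRS,$BUKRS,
HASH0000000000000000000000BBBB,Z_DEMO_OTH,ACTVT,03,
"""


def read_rows(text):
    """Parse a CSV export into a list of dicts with whitespace stripped."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def service_hash(service, hash_rows):
    """Step 1: resolve the service name to exactly one hash value."""
    hits = {r["NAME"] for r in hash_rows if r["OBJ_NAME"] == service}
    if len(hits) != 1:
        raise LookupError(f"{service}: expected 1 hash, found {len(hits)}")
    return hits.pop()


def permissions_for_app(app_action, service, hash_rows, usobt_rows):
    """Steps 2-3: collect the service's authorization rows for the app action."""
    h = service_hash(service, hash_rows)
    perms = [(app_action, r["OBJECT"], r["FIELD"], r["LOW"], r["HIGH"])
             for r in usobt_rows if r["NAME"] == h]
    if not perms:
        raise LookupError(f"{service}: no USOBT rows for hash {h}")
    # Linkage row tying the service hash to the app (assumed representation).
    link = (app_action, "S_SERVICE", "SRV_NAME", h, "")
    if link not in perms:
        perms.append(link)
    return perms


if __name__ == "__main__":
    for row in permissions_for_app("[FAPP] DEMO-APP-ID", "FAP_OUTGOING_CHECKS_SRV",
                                   read_rows(USOBHASH_CSV), read_rows(USOBT_CSV)):
        print("\t".join(row))
```

A service that resolves to zero or several hashes, or a hash with no authorization rows, raises an error instead of silently producing a function with an empty permission tab.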

 

Important KBA:

  • 2681886 – Instructions to create custom Risk for Fiori APP[FAPP]s or ODATA Service[SVC]s in addition to SAP Standard Ruleset
  • 2655122 – Prefix / Abbreviation requires with Action for creating & running risk analysis

Important Blog:

https://blogs.sap.com/2020/01/17/running-risk-analysis-for-the-sap-s-4hana-and-sap-fiori-system./

      7 Comments
      Gopinath Reddy Amuri

      Very Good Information and well explained, thanks Japneet Singh !

      Japneet Singh
      Blog Post Author

      Thanks Gopinath.

      Praveen Venkat

      Excellent Blog Japneet !! It was very helpful. Thanks Much.

      Japneet Singh
      Blog Post Author

      You're welcome, Praveen.

      Akash Parekh

      Excellent Blog Japneet!

      1 question: how do we add a Fiori app that does have odata service (apps like Webdynpro or SAP GUI) to GRC function so that its permissions are auto-filled from SU24?

      Yashasvi Sanvaliya

      Great blog Japneet ! Very informative and helpful.

      plaban sahoo

      Hi Japneet,

      Thank you for the blog post. Could you please clarify the below? I do not have access at the moment. Hence cannot look at the SU24 data of Odata service.

      If S_SERVICE is already available as tagged to the OdataService, it should automatically appear as Permission, like other auth. objects.

      However, if it is not already available (I do not think so) or is marked Check-No, then it makes sense to add it.

      Also, you have mentioned that "...The moment you add the Odata Service[SVC]  in the Action tab of Function, all the associated SU24 Permissions will come automatically in Permission Tab.". But in point 2 you have mentioned "...In the permission tab, you need to manually copy and paste the permission of the Service[SVC]..."

      Would you like to clarify this?

      Regards

      Plaban