SAP Fiori for SAP S/4HANA –Finding authorization objects for SAP Fiori apps with SU24
TL;DR: Ever needed to work out exactly which auth objects relate to a SAP Fiori app? There’s a quick way to reliably do this using transaction SU24 and the OData Service(s) listed for your SAP Fiori app in the SAP Fiori apps reference library.
Example of finding authorization objects for a SAP Fiori app in transaction SU24:
In this blog post you will learn:
- How authorizations work in SAP Fiori
- Example use case – SAP Fiori app F3264 Monitor Situations
- How the generated authorizations work (in brief)
- Where to find the OData Service for your SAP Fiori app
- How to find the authorizations for the OData Service
- Special cases: Transactional Apps
- Special cases: Smart Business Apps
Want some official references? You can read related official documentation in the SAP Help Portal:
- SAP Fiori Launchpad Content and Authorization Concept
- Creating Authorization Roles for Catalogs
- Default Authorization Values and PFCG Roles
- Access Controls
There’s a good explanation of the power of transaction SU24 in blog post:
Screenshots in this blog post are taken from a SAP S/4HANA 2022 FPS01 or SAP S/4HANA 2022 FPS02 Fully Activated Appliance CAL trial. However the technique is known to work reliable in earlier SAP S/4HANA releases.
How authorizations work in SAP Fiori
SAP Fiori apps use a programming model that typically includes 3 levels as shown in the diagram and explanation below.
IMPORTANT: This is a very simplified view of a SAP Fiori app that is aimed at security authorization administrators. Keep in mind that developers need to know much more!
At the top is the SAP Fiori app itself.
- As a business user, you need authorization to launch the SAP Fiori app.
- If you are not authorized, you will (usually) not be able to see the app at all.
- Authorization is granted by assignment of the app (via tile/target mapping) to a business catalog. The business catalog is assigned to one or more business roles.
Hint: This is why asking for SAP_ALL profile in a sandbox system is a waste of time… you only get the app if it’s assigned to your role by a catalog. SAP_ALL won’t do that.
The SAP Fiori app calls data from the system using one or more OData Services. Usually there is one main OData Service, and then there may be additional services for reusable features such as Attachments.
- As a business user, you need the correct authorization to call the OData Service(s).
- If you are not authorized, when you try to launch the app you will (usually) see an error message.
- For some apps, depending on which OData Service(s) are missing from your authorizations, the app may open without errors, but no data can be seen.
- For some apps, especially those that include dynamic information (e.g. charts or counts) on the tile that launches the app may show a “Cannot load tile” error
- Authorization is granted via permissions to launch and execute the service, i.e.
- For ODataV2 services – auth objects IWSV and IWSG
- For ODataV4 services – auth object G4BA
The OData Service(s) extract data from the database using CDS Views (CDS View Entities or CDS DDIC-based views). CDS Views are mapped to authorizations using objects called DCL Grants.
- As a business user, you need the correct authorization to extract data from the database.
- If you are not authorized, the app may open without errors, but no data can be seen.
- If your authorizations are incomplete, the app may open without errors, you may see some data, but not all the data you expect to see.
- If your authorizations are incomplete, the app may open without errors, you may see some data, but some actions (buttons/links) may return errors when pressed.
- Authorizations are granted via auth objects defined in the Access Controls (aka DCL Grant statements) that apply auth objects to CDS Views.
Now finding the CDS Views related to a SAP Fiori app and its OData Service(s) is possible but often a rather tedious business. This is mostly because there are several historical programming models in play, so you first need to work out which programming model is being used for your SAP Fiori app, and then you have some hope of working out the CDS View(s).
Hint: If you really want the gory details, you can refer to some examples of how this is done for the main programming models you are likely to find in SAP S/4HANA:
- RAP model – Get to Know RAP: Define CDS-based data model – Part 2
- Mostly used for the latest apps created for SAP S/4HANA releases 2020 to current releases
- BOPF model – Fiori for SAP S/4HANA – Identifying the OData Services, CDS Views, and Authorizations of a SAP Fiori App
- Mostly used for apps created for releases 1709 to 2020
- SEGW model – How to find the CDS view used by an OData service in SAP Gateway?
- Mostly used for the oldest apps originally created for releases 1511 to 1709
However, there is a much easier way to work out which auth objects apply…. transaction SU24 is your friend!
You can see this in the example use cases listed below.
Example Use Case – SAP Fiori app F3264 Monitor Situations
When you are introducing intelligent experiences, you typically need a few additional configuration apps.
For customers introducing Situation Handling use cases, one of the apps they need is app F3264 Monitor Situations.
Monitor Situations is used to check how well your users are taking advantage of your Situations, including looking for patterns in which situations are being raised for which template, and whether the situations are being updated as resolved.
One of our customers had an authorization issue with this app, and this was the trigger for creating this blog post.
They were raising SAP Incidents because they could launch the app without error, but when they went into the app they couldn’t see any data. There were no obvious errors being shown.
Hint: A good place to check for errors is directly from your Fiori launchpad using the App Support feature which you should have turned on for SAP S/4HANA release 2020 FPS01 or higher. This collects up a bunch of error log tools including the authorization errors (Business Suite users will recognize this as the content from transaction SU53). Refer to F4914 App Support or blog post App Support for the SAP Fiori Launchpad. You can find instructions for turning on App Support in the Fiori launchpad administration guide in the SAP Help Portal section Setting Up App Support.
After some discussions, they realized that their security team had given them authorizations to launch the app, but NOT the authorizations needed to view the data.
This occurred partly because they were maintaining the authorizations manually rather than using the generated authorizations, as unfortunately they were still using standalone mode for their Fiori front-end server (FES).
Hint: There is less likelihood of this sort of error occurring if you are using generated authorizations with embedded Fiori front-end server mode. However, as your security administrator can (and should) still further adjust the generated authorizations, these sorts of errors can be experienced even in embedded FES mode.
How the generated authorizations work (in brief)
When your SAP Fiori frontend server is in embedded mode – the recommended mode – the easy option is to rely on the generated authorization proposal to assign authorizations to your users’ roles.
When you add a business catalog to a custom business role, and then activate the role, there is a default authorization proposal that is added to your custom business role.
Typically, this generation is triggered in your development environment by generating a task list run of the rapid activation task list for custom business roles, which is SAP_FIORI_FCM_CONTENT_ACTIVATION. You generate and execute a run of the task list using transaction STC01.
Hint: You can see an example of how to use the task list in the Microlearning video Activating SAP Fiori Content in Custom Business Roles – SAP S/4HANA
IMPORTANT: This is a different task list from the task list used to activate delivered SAP Business Roles for exploration purposes – which is SAP_FIORI_CONTENT_ACTIVATION. If you want to understand the differences refer to SAP Fiori for SAP S/4HANA – Creating your custom business roles – the end-to-end process and video playlist
The task list updates the role and the role menu with the authorizations needed for the SAP Fiori apps and the classic UIs (GUI transactions, Web Dynpro ABAP apps, Web Client UIs) assigned to that role. It assigns both the permissions to launch the apps/UIs and the related auth objects needed to expose the data for the apps/UIs. It does this using SAP delivered authorization defaults – known as Authorization Proposals. You can find these Authorization Proposals in transaction SU24.
As a security administrator you still need to review and, where needed, complete the assigned authorizations. For example, you can swap the Authorization Proposal to your own custom Authorization Variant. You can create your own custom Authorization Variants in transaction SU24.
Arguably, the easiest way to review and complete the assigned authorizations is using program PRGN_COMPARE_ROLE_MENU. This gives you a handy traffic light summary of what needs adjusting and features to help you work through the changes, including Adapt Menu, Change Role, and Mass Generation.
Where to find the OData Service for your SAP Fiori app
The easiest way to find the OData Service for your SAP Fiori app is to look in the app details in the SAP Fiori apps library.
Bring up the app. Select the Implementation Information tab and navigate to the Configuration information. Look for the subsection OData Service to find your OData Service name.
For the app F3264 Monitor Situations the OData Service is called C_SITNINSTCEACTYMONITORING_CDS.
Make a note of whether the service is listed as an ODataV2 service which looks like this…
…or is listed as an ODataV4 service which looks like this one for app F5038 Manage Supplier Confirmations.
How to find the authorizations for the OData Service
Now that you have the OData Service you can confirm which authorization objects are needed from the SAP-delivered authorization proposal in transaction SU24.
For most services you can use the Type of Application for OData V2 services which is titled SAP Gateway Business Suite Enablement – Service, i.e. object type IWSV.
IMPORTANT: Make sure you use the dropdown help to find the full service name. You can simply put the first part of the OData Service name followed by wildcard character * and use the dropdown help to get the complete name.
Then press Execute to find the authorization objects needed by the OData Service.
So this is how we confirmed that as well as the S_SERVICE auth object to launch the app, the user also needed to be assigned the authorization objects C_SITNACT and C_SITNDEF to see the data.
IMPORTANT: Not seeing anything in transaction SU24 ? Make sure your team have completed the security basics, i.e. once on first install and once again after each SAP S/4HANA release upgrade run transaction SU25 to update your authorizations. If they missed it, you might also need to run program SU24_AUTO_REPAIR.
Now of course you can do much more with transaction SU24 than just look up authorizations. If you want to create your own authorization variants to simplify updating your roles, refer to:
IMPORTANT: If your app uses an ODataV4 service then use Type of Application SAP Gateway OData V4 Backend Service Group & Assignments, i.e. object type G4BA.
For the Object Name, make sure you assign the full service name using the dropdown help.
Then execute as before to find the related authorization objects.
If you see a section called “Authorization Default Values” these are the default authorizations proposed by the generation of roles.
IMPORTANT: The section “Authorization Default Values” may appear for both ODataV2 and ODataV4 services.
You can create your own authorization variants as alternatives to the authorization default values. This simplifies creating your custom roles, refer to:
Special cases: Transactional Apps
You have just seen 2 examples from analytical apps, but what about transactional apps? Yes they work the same way.
IMPORTANT: Many SAP Fiori apps are a mash-up of transactional and analytical features. It can be helpful to simply think of them simply as SAP Fiori apps. This is yet another way that SAP Fiori paradigm is different to SAP GUI where transactional and analytical UIs were usually separated.
Example 1: F3893 Manage Sales Orders – Version 2
Like most transactional apps, there are several actions that can be performed represented by links or buttons – as highlighted here in the table toolbar. Depending on the table selection features implemented, you select one or select multiple rows and then choose your action, e.g. via the button on the table toolbar displayed just above the table.
Typically, if the user is not permitted to do an action on a certain document, they will receive an error message when they press the button. If you want to hide an action completely for some users then consider creating an App Variant.
Hint: Want to find out more about App Variants? Refer to SAP Fiori for SAP S/4HANA – App Variants are the EASY way to control App Features
IMPORTANT: Remember that an App Variant changes what is visible to the user. App Variants are not a full security protection. There might be more than one way the user can access that feature. So you are recommended to set authorizations appropriately as well.
How do you find the related auth objects? In exactly the same way!
For this app, 2 OData Services are listed: SD_F1873_SO_WL_SRV and SD_SO_PROCFLOW_SRV.
By convention the main OData Service is listed first. The other OData Services are often for reusable features, in this case for the process flow feature.
When you review the settings for the main OData Service SD_F1873_SO_WL_SRV version 0001 in SU24 you can see that quite a lot of auth objects are applied.
The Authorization Default Values show the minimum authorizations needed for full use of all the features of the app, and this is what is applied by default when you generate the role authorizations. You can select the display icon to check the value of each setting, for example to confirm which activities are included in the default authorizations.
IMPORTANT: If you don’t want to use the Authorization Default Values create your own Authorization Variants. You can then apply them when you complete the role, e.g. using program PRGN_COMPARE_ROLE_MENU.
Remember that you can always restrict the user’s permissions further by using your own authorization variants or in your role by adjusting the fields of the auth objects, such as restricting which document types can be posted, or restricting the activity to release so they cannot unblock a Delivery Block or Billing Block.
For more details on how authorizations are controlled, check the app documentation and it’s worth searching for SAP Notes with further explanations such as SAP Note 2889098 – Authorization check for change of various fields in sales document
Special cases: Smart Business Apps
Some analytical apps use a generic app as their foundation – such as the Smart Business app. In this situation the OData Service is only part of the answer. You need to find the authorization object for the CDS View (or BeX query) called by the app.
The good news is that SU24 even works for this scenario. The main difference is you can mostly ignore the main OData Service which represents the generic app. Instead review the other OData Services using the same approach.
For example for SAP Fiori app F2270 Sales Order Volume – Open Sales.
In the SAP Fiori apps reference library you can see 2 OData Services listed, the generic service for Smart Business /SSB/SMART_BUSINESS_RUNTIME_SRV and the specific OData Service for the app C_SALESANALTYICSQRY_1_CDS,
Using transaction SU24, the OData Service C_SALES_ANALYTICSQRY_1_CDS shows you the authorizations used.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on the community topic page for SAP Fiori for SAP S/4HANA
Other helpful links in the SAP Community:
- Follow our tag SAP S/4HANA RIG for more from the SAP S/4HANA Customer Care and RIG
- See all questions and answers about SAP Fiori for SAP S/4HANA
- Follow SAP Fiori for SAP S/4HANA for more blogs and updates
- Ask a Question about SAP Fiori for SAP S/4HANA
Brought to you by the SAP S/4HANA Customer Care and RIG.