
SAP has been implementing a strategy for how users interact with its software for several years. Complex SAP applications are divided into role-based SAP Fiori apps to improve user-friendliness and enhance the user experience. Many companies are considering implementing these apps and must determine which authorizations their employees require to access them.

In the following article, we will distinguish between front-end and back-end authorizations. This distinction is relevant for you only if you choose a central hub deployment approach. If you instead take the path of embedded deployment, you do not need to differentiate between front-end and back-end authorizations; you can include all the authorizations in one role.


Basic Authorizations for Access to the SAP Fiori Launchpad

The SAP Fiori launchpad is the central point of access for all Fiori apps. The following authorizations must be assigned to a user to allow access to the launchpad:

Front-end Authorizations:

  • Transaction /UI2/FLP: This transaction allows the launchpad to be called directly from the SAP GUI.
  • The S_SERVICE authorization object must be configured as follows for the SAP Fiori launchpad OData services:

It is important to integrate both the IWSV and the IWSG services via the Role menu. To do this, add an authorization default of type TADIR service with program ID R3TR and object type IWSV or IWSG, and then enter the corresponding service.

  • The authorization object /UI2/CHIP is required for transaction /UI2/FLP as well as for some of the services listed above. This is why it is automatically included in the role with the following parameters:

The SAP standard roles SAP_UI2_USER_700 and SAP_UI2_USER_750 are the predefined SAP Fiori user roles and serve as templates that can be copied. However, they contain only the IWSV entries, so they are incomplete: you must add the IWSG entries listed above yourself.

Back-end Authorizations:

  • The authorization objects S_RFC and S_RFCACL are required to enable access to the back-end server via a trusted RFC connection.

App-Specific Authorizations for Access to Individual Fiori Apps

App-specific authorizations are required to access individual Fiori apps from the SAP Fiori launchpad. The relevant authorizations for all available SAP Fiori apps are listed in the Fiori Apps Reference Library.

What a user sees on the launchpad depends on the assigned Fiori catalogs and groups. The groups and catalogs required for access to a given app are listed in the configuration settings of that app in the Fiori Apps Reference Library.

Fiori catalogs are collections of apps that logically belong together; a catalog contains the tile definitions (e.g., title and icon) and the target mappings. For example:

Fiori groups are also collections of apps that logically belong together; they define the initial screen of the Fiori launchpad. The apps in a group can come from several catalogs. Users see on their launchpad only those apps for which they are authorized through their group and catalog assignments.

The SAP Fiori tile catalogs and groups are integrated via the Role menu. Integrating a catalog adds to the role the IWSG services required to start the Fiori app and the IWSV services required to read business data (S_SERVICE authorization object). If these services have SU24 authorization default values, those values also become part of the role.

Integration of Fiori Groups and Catalogs in the App-specific Authorizations

The following is a summary of how the app-specific authorizations fit together:

Front-end Authorizations:

  • Integration of the required Fiori groups via the Role menu.
  • Integration of the required Fiori catalogs via the Role menu.

This ensures that the IWSG services required to start the Fiori app are included automatically in the role (S_SERVICE authorization object).

Back-end Authorizations:

  • Integration of the required Fiori catalogs via the Role menu.

This ensures that the IWSV services required to call business data are included automatically in the role (S_SERVICE authorization object). Additional authorizations for business transactions are also included, for example, authorization default values from SU24.
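The role layout summarized above (front-end versus back-end in a hub deployment, everything in one role for embedded deployment) and the IWSG gap in the standard templates can be checked mechanically. The following is an added example, not code from the article or from Pathlock; it models Role menu entries as (kind, name) pairs, and all service, catalog and group names in it are constructed placeholders.

```python
from collections import namedtuple

# A Role menu entry as maintained in PFCG: kind is the entry type
# (transaction, TADIR service type IWSV/IWSG, Fiori catalog or group),
# name is the object name. TADIR entries carry program ID R3TR.
Entry = namedtuple("Entry", "kind name")

# Layout rules for a central hub deployment, as described in the article:
# front-end role: /UI2/FLP, IWSG services, catalogs and groups;
# back-end role:  IWSV services plus the catalogs that pull them in
# (S_RFC / S_RFCACL are authorization objects, not menu entries, and are
# maintained separately in the back-end role).
HUB_LAYOUT = {
    "frontend": {"TRANSACTION", "IWSG", "CATALOG", "GROUP"},
    "backend": {"IWSV", "CATALOG"},
}

def build_roles(entries, deployment):
    """Return {role_name: sorted entries} for 'hub' or 'embedded' deployment."""
    if deployment == "embedded":
        return {"combined": sorted(set(entries))}   # one role holds everything
    if deployment != "hub":
        raise ValueError(f"unknown deployment: {deployment}")
    return {role: sorted(e for e in set(entries) if e.kind in kinds)
            for role, kinds in HUB_LAYOUT.items()}

def missing_iwsg(entries):
    """IWSV entries that have no IWSG counterpart, the gap found in the
    SAP_UI2_USER_* templates. Simplification (assumption): the IWSV and
    IWSG entries of a service share the same object name."""
    iwsg = {e.name for e in entries if e.kind == "IWSG"}
    return sorted(e.name for e in entries if e.kind == "IWSV" and e.name not in iwsg)

# Constructed sample role menu: launchpad services plus one app catalog/group.
SAMPLE = [
    Entry("TRANSACTION", "/UI2/FLP"),
    Entry("IWSV", "ZFLP_SERVICE_A"),   # placeholder name, not a real service
    Entry("IWSG", "ZFLP_SERVICE_A"),
    Entry("IWSV", "ZFLP_SERVICE_B"),   # IWSG counterpart deliberately missing
    Entry("CATALOG", "Z_CATALOG_PLACEHOLDER"),
    Entry("GROUP", "Z_GROUP_PLACEHOLDER"),
]

if __name__ == "__main__":
    for role, items in build_roles(SAMPLE, "hub").items():
        print(role, [f"{e.kind}:{e.name}" for e in items])
    print("IWSV entries without IWSG:", missing_iwsg(SAMPLE))
```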

The recommendation is to use the technical SAP catalogs and groups as a reference by saving them in the customer-specific namespace and then streamlining them as much as possible (for performance reasons).

Before you implement app-specific authorizations, ensure that the front-end and back-end components of your SAP system are at the required release level and that the relevant SAPUI5 applications and OData services are activated.

If you need support to set up SAP Fiori authorizations, get in touch with us today.
