SAP has been implementing a strategy for how users interact with its software for several years. Complex SAP applications are divided into role-based SAP Fiori apps to improve user-friendliness and enhance the user experience. Many companies are considering implementing these apps and must determine which authorizations their employees require to access them.
In the following article, we will distinguish between front-end and back-end authorizations. This distinction is relevant for you only if you choose a central hub deployment approach. If you instead take the path of embedded deployment, you do not need to differentiate between front-end and back-end authorizations; you can include all the authorizations in one role.
The SAP Fiori launchpad is the central point of access for all Fiori apps. The following authorizations must be assigned to a user to allow access to the launchpad:
Front-end Authorizations:
It is important to integrate both the IWSV and the IWSG services via the Role menu. To do this, select the authorization default TADIR Service, the program ID R3TR, and the corresponding IWSV or IWSG service.
The SAP standard roles SAP_UI2_USER_700 and SAP_UI2_USER_750 are considered predefined SAP Fiori roles for users and are templates that can be copied. However, they include only the IWSV entries, meaning they are incomplete, and you must add the IWSG entries listed above.
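A check for the gap described above, as an added example that is not part of the original article or any SAP tooling: it scans a role-menu export and reports roles that lack R3TR IWSG or IWSV service entries, which is the state a plain copy of the template roles would be in. The CSV layout, the Z_* role names and the service names are constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of role menu entries. The column layout and all
# Z* role and service names are assumptions made for this example.
SAMPLE_EXPORT = """role,pgmid,object,obj_name
Z_FIORI_USER_COPY,R3TR,IWSV,ZEXAMPLE_SERVICE_A
Z_FIORI_USER_COPY,R3TR,IWSV,ZEXAMPLE_SERVICE_B
Z_FIORI_USER_FULL,R3TR,IWSV,ZEXAMPLE_SERVICE_A
Z_FIORI_USER_FULL,r3tr,iwsg, ZEXAMPLE_SERVICE_A
Z_FIORI_USER_FULL,R3TR,IWSG,ZEXAMPLE_SERVICE_B
Z_FIORI_ODD,LIMU,IWSG,ZEXAMPLE_SERVICE_A
Z_FIORI_ODD,R3TR,TRAN,ZEXAMPLE_TCODE
"""

# Service object types the article says a launchpad role must contain.
REQUIRED_TYPES = ("IWSG", "IWSV")


def service_entries_by_role(export_text):
    """Collect R3TR IWSG/IWSV menu entries per role; every role is listed."""
    roles = defaultdict(lambda: {t: set() for t in REQUIRED_TYPES})
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = roles[row["role"].strip()]  # registers the role even if nothing matches
        pgmid = row["pgmid"].strip().upper()
        obj = row["object"].strip().upper()
        # Only R3TR entries of the two service types count; LIMU, TRAN etc. are ignored.
        if pgmid == "R3TR" and obj in REQUIRED_TYPES:
            entry[obj].add(row["obj_name"].strip())
    return roles


def incomplete_roles(export_text):
    """Return {role: [missing service types]} for roles lacking IWSG or IWSV."""
    findings = {}
    for role, entry in service_entries_by_role(export_text).items():
        missing = [t for t in REQUIRED_TYPES if not entry[t]]
        if missing:
            findings[role] = missing
    return findings


if __name__ == "__main__":
    for role, missing in sorted(incomplete_roles(SAMPLE_EXPORT).items()):
        print(f"{role}: no R3TR {'/'.join(missing)} menu entries")
```
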
Back-end Authorizations:
App-specific authorizations are required to access individual Fiori apps from the SAP Fiori launchpad. The relevant authorizations for all available SAP Fiori apps are listed in the Fiori Apps Reference Library.
How the front end is shown depends on the assigned Fiori catalogs and groups. The groups and catalogs necessary for access to the relevant app are entered in the configuration settings of the Fiori Apps Reference Library.
Fiori catalogs are a collection of apps that logically belong together and contain definitions of the tiles (e.g., title and symbol) and target assignment. For example:
Fiori groups represent collections of apps that logically belong together; these collections define the initial Fiori launchpad screen. The apps in a group can originate from multiple catalogs. Users see only those apps on their respective launchpad for which they are authorized based on their group and catalog assignment.
The SAP Fiori tile catalogs and groups are integrated via the Role menu. Integrating a catalog adds to the role the IWSG services required to start the Fiori app and the IWSV services required to call business data (S_SERVICE authorization object). If these services have SU24 authorization default values, these values also become part of the authorization role.
The following is a summary of how the app-specific authorizations fit together:
This ensures that the IWSG services required to start the Fiori app are included automatically in the role (S_SERVICE authorization object).
This ensures that the IWSV services required to call business data are included automatically in the role (S_SERVICE authorization object). Additional authorizations for business transactions are also included, for example, authorization default values from SU24.
The recommendation is to use the technical SAP catalogs and groups as a reference by saving them in the customer-specific namespace and then streamlining them as much as possible (for performance reasons).
Before you implement app-specific authorizations, ensure that your SAP system’s front-end and back-end components have the required status and that the relevant SAPUI5 applications and OData services are activated.