Scribd
Upload
49 views30 pages

Exercise 3 - SAP Fiori Security Roles

This documents shows how to create Fiori Security roles

Uploaded by

spscrttraining
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
49 views30 pages

Exercise 3 - SAP Fiori Security Roles

This documents shows how to create Fiori Security roles

Uploaded by

spscrttraining
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Exercise 3:

SAP FIORI SECURITY ROLES


Exercise 3: SAP Fiori Security Roles

Table of Contents
Table of Contents .............................................................................................................................................................1
Introduction: SAP Fiori Security Roles ...............................................................................................................................2
Exercise Pre-requisites: Non-App Specific SAP Fiori Security Requirements ......................................................................2
1.) User Setup .........................................................................................................................................................2
2.) Backend Security Roles ......................................................................................................................................2
3.) Frontend Security Roles .....................................................................................................................................2
Part 1: SAP Fiori Roles – Frontend System .........................................................................................................................3
Part 1.1: Create SAP Frontend Role ...............................................................................................................................3
Part 1.2: Add Fiori Tile Catalog to Frontend Role ...........................................................................................................4
Part 1.3: Add Fiori Tile Group to Frontend Role .............................................................................................................7
Part 1.4: Add App OData Service to Frontend Role ........................................................................................................9
Part 1.5: Generate Authorizations ...............................................................................................................................12
Part 1.6: Assign Role to User .......................................................................................................................................15
Part 2: SAP Fiori Roles – Backend System ........................................................................................................................17
Part 2.1: Create SAP Backend Role ..............................................................................................................................17
Part 2.2: Add App OData Service to the Backend Role .................................................................................................18
Part 2.3: Generate Authorizations ...............................................................................................................................20
Part 2.4: Assign Role to User .......................................................................................................................................23
Part 3: Accessing the Fiori Launchpad .............................................................................................................................25
Part 3.1: Access Fiori Launchpad .................................................................................................................................25
Fiori Exercises Recap ......................................................................................................................................................29
Additional Information – SAP Fiori Security Roles ...........................................................................................................29

1
Exercise 3: SAP Fiori Security Roles

Introduction: SAP Fiori Security Roles


After activating the SAP Fiori apps and adding them to SAP Fiori Tile Catalogs and Groups, users must be assigned the
appropriate authorizations before they’re accessible in the Fiori Launchpad. We’ll need to add the OData Services of the
app to the user in both the frontend and backend systems so that he/she can start and access the apps. Additionally, we
need to assign users the SAP Fiori Tile Catalogs and Groups to make them accessible in his/her Fiori Launchpad.
In this exercise, we’ll create the requisite SAP Fiori roles in both the frontend and backend systems.
Note: SAP also provides template roles that include both the App OData services as well as the standard Fiori Tile Groups
and Catalogs the apps belong to – this information is also contained in the App documentation in the SAP Fiori Apps
Library. If these roles are used it means that potentially you will have to add multiple roles to a single user for all of the
apps in his/her functional areas. The SAP delivered Fiori Tile Catalogs and Groups should not be edited – and thus it limits
any changes made to the catalogs/groups. Additionally, using these standard roles could provide users with more Fiori
apps than you’d like them to have. The creation and maintenance of SAP Fiori Tile Catalogs/Groups through the
Launchpad Designer allows more control over what apps are/aren’t displayed for users without changing SAP provided
groups.

Exercise Pre-requisites: Non-App Specific SAP Fiori Security Requirements


In addition to the SAP Fiori app roles that we’re going to create in this exercise, users need to meet the following
Security pre-requisites to access the Fiori Launchpad and the apps.

1.) User Setup


All Fiori users must have a user ID in both the backend and frontend systems. This user ID must be the same in
both systems. For example: If user ID in backend system is JSMITH, this should be the same user ID assigned in
the frontend System.

2.) Backend Security Roles


In addition to the role that we’ll create in this exercise, for users to access the appropriate Apps, all Fiori Users
must have the following roles assigned in the backend System:
 SAP_S_RFCACL – This role includes the authorization objects required to establish the trusted RFC
relationship between the SAP backend and frontend systems.
3.) Frontend Security Roles
In addition to the role that we’ll create in this exercise, for users to access the appropriate Apps, all Fiori Users
must have the following roles assigned in the frontend System:
 SAP_UI2_USER_750 – This role includes the authorizations required to access the Fiori Launch Pad
(central entry point for SAP Fiori apps).
 ZEP_GATEWAY_USER – This role includes the SAP provided template for Gateway Users
(/IWFND/RT_GW_USER) to enable users to access the SAP Gateway runtime services.
 SAP_S_RFCACL – This role includes the authorization objects required to establish the trusted RFC
relationship between the frontend and backend systems.

2
Exercise 3: SAP Fiori Security Roles

Part 1: SAP Fiori Roles – Frontend System


In this section, we’ll create a role in PFCG and assign the Fiori Tile Group, Tile Catalog and app OData service to the role
we created. The assignment of the Fiori Tile Catalog makes the Fiori apps in that Catalog available to the user assigned
that role. Fiori Tile Groups control the tiles displayed when users access the Launchpad. Users can be assigned multiple
groups. Finally, we’ll assign the appropriate app OData Service to the frontend role created.

Part 1.1: Create SAP Frontend Role


1.) Navigate to transaction PFCG
2.) In the “Role” input field, enter the following:
 ZXY:EXERCISE_3 (where XY are your initials)
Record the appropriate information in Exercise 3, section 1.1 of the “My Exercises” worksheet. Once you’ve
recorded this information and made the appropriate entry in the “Role” input field, select “Single Role”.

3.) Enter the following in the “Description” input field: Fiori Role – Exercise 3
Then, hit “Save”.

3
Exercise 3: SAP Fiori Security Roles

Part 1.2: Add Fiori Tile Catalog to Frontend Role


1.) We’ll now add the Fiori Tile Catalog created and Recorded in Exercise 2, part 2.2b of the “My Exercises”
worksheet to the role we just created. Ensure you’re in change mode for the PFCG role created and Recorded in
Exercise 3, part 1.1 of the “My Exercises” worksheet.
2.) Navigate to the “Menu” tab.

3.) Select the “Insert Node” dropdown option, then select the “Fiori Tile Catalog” option from the list presented.

4
Exercise 3: SAP Fiori Security Roles
4.) The “Assign Tile Catalog” Dialog will be presented, ensure the “Local Front-End Server” is enabled and select the
value help option of the “Catalog ID” input field to view the available SAP Fiori Tile Catalogs.

5.) A list of all of the SAP Fiori Tile Catalogs is displayed. Select the Fiori Tile Catalog created and Recorded in
Exercise 2, part 2.2b of the “My Exercises” worksheet from the list by double clicking on it.

5
Exercise 3: SAP Fiori Security Roles
6.) When returned to the “Assign Tile Catalog” dialog, make sure the “Include Applications” option is selected and
hit “Enter”.

7.) You’re returned to the “Menu” tab. Here you’ll see that the Fiori Catalog has been added to the role. Now, save
the role.

6
Exercise 3: SAP Fiori Security Roles

Part 1.3: Add Fiori Tile Group to Frontend Role


1.) Next we’ll add the Fiori Tile Group created and Recorded in Exercise 2, part 4.2b of the “My Exercises”
worksheet to the role we just created. Ensure you’re in change mode for the PFCG role created and Recorded in
Exercise 3, part 1.1 of the “My Exercises” worksheet. Once again, confirm you’re in the “Menu” tab.
2.) Select the “Insert Node” option and then select the “Fiori Tile Group” option from the dropdown list presented.

3.) The “Assign Group” dialog is presented. Select the “Input Help” option.

7
Exercise 3: SAP Fiori Security Roles
4.) A list of all of SAP Fiori Tile Groups available are presented. Select the Fiori Tile Group created and Recorded in
Exercise 2, part 4.2b of the “My Exercises” worksheet from the list presented by double clicking on it.

5.) You’ll be returned to the “Assign Group” dialog window. Confirm the group selected is in the “Group ID” input
field and then hit “Enter”.

8
Exercise 3: SAP Fiori Security Roles
6.) You’re returned to the “Menu” tab. Here you’ll see that the SAP Fiori Tile Group has been added to the role.
Now, save the role.

Part 1.4: Add App OData Service to Frontend Role


1.) Next we’ll add the OData service for the Fiori app activated and recorded in Exercise 1, part 1b of the “My
Exercises” worksheet to the role we just created. Ensure you’re in change mode for the PFCG role created and
Recorded in Exercise 3, part 1.1 of the “My Exercises” worksheet. Once again, confirm you’re in the “Menu”
tab.
2.) Select the “Insert Node” button and then select the “Authorization Default” option. From the list presented.

9
Exercise 3: SAP Fiori Security Roles
3.) In the screen presented, make the following selections, then hit “Enter”:
Authorization Default: TADIR Service
Program ID: R3TR
Object Type: IWSG

4.) In the “Tadir Service” input field, select the “F4” search help option. In the list provided, search for the OData
service for the Fiori app activated and recorded in Exercise 1, part 1b of the “My Exercises” worksheet and
enable the checkbox in front it (Note: When adding this service, it will have a “Z” in front of it.) Then select
“Enter”

10
Exercise 3: SAP Fiori Security Roles
5.) Once the service have been entered in the “Tadir Service” input field, hit “Enter” to populate the “Text” field.
Then, select “Copy”.

6.) You’re returned to the “Menu” tab. Here you’ll see that the App OData Service has been added to the role. Now,
save the role.

Note: SAP does allow you to authorize all activated OData services for users. This can be done by entering an * in the
value of the authorization object of S_SERVICE in the frontend user role.

11
Exercise 3: SAP Fiori Security Roles

Part 1.5: Generate Authorizations


1.) Next we’ll generate the authorizations for the role we just created. Ensure you’re in change mode for the PFCG
role created and Recorded in Exercise 3, part 1.1 of the “My Exercises” worksheet.
2.) Navigate to the “Authorizations” tab, then select the “Propose Profile Name” option.

12
Exercise 3: SAP Fiori Security Roles
3.) Select the “Save” button and then “Expert Mode for Profile Generation” option.

4.) Select “Enter” in the message presented.

13
Exercise 3: SAP Fiori Security Roles
5.) Select the “Generate” option, then select “Back”

6.) You’re returned to the “Authorizations” tab. The traffic light for the “Authorizations” tab is now green.

14
Exercise 3: SAP Fiori Security Roles

Part 1.6: Assign Role to User


1.) Next we’ll assign the role we just created to your user ID. Ensure you’re in change mode for the PFCG role
created and Recorded in Exercise 3, part 1.1 of the “My Exercises” worksheet.
2.) Navigate to the “User” tab.

3.) Enter your User name in the “User ID” input field and hit “Enter”. Then select the “Save” option.

15
Exercise 3: SAP Fiori Security Roles
4.) Now, select the “User Comparison” option.

5.) In the screen presented, select the “Complete Comparison” option.

6.) Then, select the “Cancel” option.

16
Exercise 3: SAP Fiori Security Roles
7.) You’ll be returned to the “User” tab. The traffic light is now green. The role has been successfully added to the
user.

Part 2: SAP Fiori Roles – Backend System


In this section, we’ll create a role in PFCG and assign the app OData service to the role we created.

Part 2.1: Create SAP Backend Role


1.) Navigate to transaction PFCG
2.) In the “Role” input field, enter the following:
 ZXY:EXERCISE_3 (where XY are your initials)

Record the appropriate information in Exercise 3, section 2.1 of the “My Exercises” worksheet. Once you’ve
recorded this information and made the appropriate entry in the “Role” input field, select “Single Role”.

3.) Enter the following in the “Description” input field: Fiori Role – Exercise 3
Then, hit “Save”.

17
Exercise 3: SAP Fiori Security Roles

Part 2.2: Add App OData Service to the Backend Role


1.) Next we’ll add the OData service for the Fiori app activated and recorded in Exercise 1, part 1b of the “My
Exercises” worksheet to the role we just created. Ensure you’re in change mode for the PFCG role created and
Recorded in Exercise 3, part 1.1 of the “My Exercises” worksheet.
2.) Navigate to the “Menu” tab.
3.) Select the “Insert Node” button and then select the “Authorization Default” option. From the list presented.

4.) In the screen presented, make the following selections, then hit “Enter”:
Authorization Default: TADIR Service
Program ID: R3TR
Object Type: IWSV

18
Exercise 3: SAP Fiori Security Roles
5.) In the “Tadir Service” input field, select the “F4” search help option. In the list provided, search for the OData
service for the Fiori app activated and recorded in Exercise 1, part 1b of the “My Exercises” worksheet and
enable the checkbox in front of it.

6.) Once the service have been entered in the “Tadir Service” input field, hit “Enter” to populate the “Text” field.
Then, select “Copy”.

19
Exercise 3: SAP Fiori Security Roles
7.) You’re returned to the “Menu” tab. Here you’ll see that the OData Service has been added to the role. Now,
save the role.

Part 2.3: Generate Authorizations


1.) Next we’ll generate the authorizations for the role we just created. Ensure you’re in change mode for the PFCG
role created and Recorded in Exercise 3, part 2.1 of the “My Exercises” worksheet.
2.) Navigate to the “Authorizations” tab, then select the “Propose Profile Name” option.

20
Exercise 3: SAP Fiori Security Roles
3.) Select the “Save” button and then “Expert Mode for Profile Generation” option.

4.) Select “Enter” in the message presented.

21
Exercise 3: SAP Fiori Security Roles
5.) Select the “Generate” option, then select “Back”

6.) You’re returned to the “Authorizations” tab. The traffic light for the “Authorizations” tab is now green.

22
Exercise 3: SAP Fiori Security Roles

Part 2.4: Assign Role to User


1.) Next we’ll assign the role we just created to your user ID. Ensure you’re in change mode for the PFCG role
created and Recorded in Exercise 3, part 2.1 of the “My Exercises” worksheet.
2.) Navigate to the “User” tab.

3.) Enter your User name in the “User ID” input field and hit “Enter”. Then select the “Save” option.

23
Exercise 3: SAP Fiori Security Roles
4.) Now, select the “User Comparison” option.

5.) In the screen presented, select the “Complete Comparison” option.

6.) Then, select the “Cancel” option.

24
Exercise 3: SAP Fiori Security Roles
7.) You’ll be returned to the “User” tab. The traffic light is now green. The role has been successfully added to the
user.

Part 3: Accessing the Fiori Launchpad


Part 3.1: Access Fiori Launchpad
1.) Open your internet browser.
2.) Enter the following URL in the browser:
https://sh014l.s.local.mphi.org/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
3.) In the login screen presented, enter your User ID and Password for the frontend system. Then, hit “Log On”.

25
Exercise 3: SAP Fiori Security Roles
4.) You’re taken into the main screen of the Fiori Launchpad. You should see the Fiori Tile Group you assigned to
your user in Part 1.3 of this exercise. You should see the app tile that you added to the group.

5.) Select the app to open it.

26
Exercise 3: SAP Fiori Security Roles
6.) After accessing the app, select the “Home” option.

7.) Once you’ve returned to the Launch Pad home screen, select your name in the upper right hand corner. In the
dropdown list presented, select the “Open App Finder” option.

27
Exercise 3: SAP Fiori Security Roles
8.) In the screen presented, you should see the Fiori Tile Catalog you assigned to your user in Part 1.2 of this
exercise.

You’ve now completed the Fiori Exercise portion of the Workshop!

28
Exercise 3: SAP Fiori Security Roles

Fiori Exercises Recap


We’ve now completed the SAP Fiori portion of the workshop. During the course of our exercises, you’ve now completed
the following tasks:
 Activation of SAP Fiori Apps
 Creation of SAP Fiori Tile Catalogs
o Edited the Title of the Catalog
o Added Tile/Target Mapping from Catalog
o Removed Tile/Target Mapping from Catalog
o Deleted Catalog
 Creation and Maintenance of SAP Fiori Tile Groups
o Edited the Title of the Group
o Added Apps to the Group
o Removed Apps from Group
o Deleted Group
 Creation of Frontend SAP Fiori App Role
o Addition of Fiori Tile Catalog to Role
o Addition of Fiori Tile Group to Role
o Addition of OData Service to Role
 Creation of Backend SAP Fiori App Role
o Addition of OData Service to Role
 Accessed Fiori Launchpad
o Accessed Fiori App Group
o Accessed SAP Fiori App Created
o Accessed Fiori Tile Catalog

Additional Information – SAP Fiori Security Roles


 As mentioned throughout the document, SAP provides standard Fiori Tile Catalogs and Groups for SAP Fiori
apps. You can always choose to assign these roles to users vs creating your own. However, this means they will
be able to see / add all of these apps to their Launchpad. To provide only those apps that you want users to be
able to access, its best to create your own Catalogs/Groups so that the Standard SAP Fiori Tile Catalogs/Groups
remain unchanged.
 Additionally, many SAP Fiori roles have standard SAP provided roles. But as is the case with the Fiori Tile
Catalogs/Groups, this role may contain more than the users need. SAP is also starting to only provide the App
services instead of App roles in the new apps that they release. Because of this, it’s a good idea to create your
own role with the App(s) necessary.
 Here’s the link once more to the SAP Fiori Apps Library where the Standard SAP Fiori Roles, Tile Catalogs and Tile
Groups can be found.

29

You might also like