To use and secure SAP Fiori applications, a security analyst needs to create roles in the gateway (front-end) system. If the client uses the embedded approach, all roles are created in one system.

First I would like to discuss the types of Fiori deployment. There are two approaches to a Fiori implementation:

Central Hub Deployment – In this approach the Gateway/Front-End Server and the back-end system (for example ERP) reside on different servers. The OData services of the back-end are registered on the Front-End Server via a trusted RFC ABAP connection, so every Fiori user also needs a matching user in the back-end system.


Embedded Deployment – Back-end and front-end components run on one server. SAP does not recommend it for customers with multiple back-end systems, because each business suite system would then need its own Gateway configuration. It is usually used for sandbox purposes or for certain S/4HANA landscapes.

Creation of Roles

In this scenario we have two separate systems, front-end/gateway and back-end, but in this post we create the role only in the gateway system (the back-end authorizations are covered in the conclusion). To create a role in the front-end or gateway system we need a Catalog ID and a Group ID.

SAP delivers standard roles on which the Fiori apps are based, and we can use these standard roles. In the Fiori apps library: home page –> SAP Fiori apps for SAP Business Suite –> by roles –> Employee – HR Info. Here we can see all employee-related apps under the role SAP_HR_BCR_EMPLOYEE_T.

If we do not have a role name, we can also search the Catalog ID and Group ID of a particular tile, for example ‘My Leave Requests’, in the Fiori apps library. Then we create a role for the app in PFCG.

1. Go to transaction PFCG, enter a role name and click ‘Single Role’.

2. Enter a description for the role, then save the role.

3. Go to the Menu tab and change the context from Transaction to SAP Fiori Tile Catalog. Enter the Catalog ID and click Continue.

Now you can see it in the role menu; if you double-click the node, you can see the details of this node on the right side.

4. Again in the Menu tab, switch the context to SAP Fiori Tile Group, enter the Group ID and click Continue.

Now you can see both the catalog provider and the group provider in the role menu.

5. When the role is ready, assign it to the user under the User tab and click Save. After User Comparison the User tab turns green.

Note: To see the tile without errors, launchpad users need, along with the catalog and group, the PFCG role SAP_UI2_USER_700.

6. Log in to Fiori via the URL and look in the Fiori launchpad for the tile you assigned to the user. We can see the tile ‘My Leave Requests’. We also see some extra tiles, because we used a standard catalog ID and this standard catalog contains all of these tiles. If you create a custom catalog ID and group (in the SAP Fiori Launchpad Designer), you can put only the required tiles in your custom catalog and group, which keeps the role down to what the user actually needs.


Conclusion: We learnt how to create SAP security roles for Fiori tiles. This way the user can see the tiles, but still needs access to the business data. To access business data, users must have the authorization object S_RFCACL in the back-end system (it allows the trusted RFC logon), a user ID in the back-end identical to the one in the front-end system, and of course the corresponding business roles. The PFCG role on the Front-End Server needs the catalog for the start authorization and the group for tile display on the SAP Fiori Launchpad.
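The preconditions collected in the steps above and in this conclusion can be written down as a pre-flight check, which is what I would run before a go-live to find users whose tile will be hidden or will error. The script below is an added example, not code from the original post or from SAP: it models a front-end role as a set of catalogs and groups, a back-end user as a set of roles and authorization objects, and reports for each user why the tile would fail. All role names, catalog/group IDs, users and the business role are constructed sample input (the names starting with Z_ are hypothetical); only SAP_UI2_USER_700 and S_RFCACL are the real names from the post.

```python
"""
Pre-flight check for SAP Fiori tile access in a central-hub landscape.

Added example, not code from the original post or from SAP. It encodes the
conditions the post lists for a tile to open with business data:
  front-end (gateway): a PFCG role with the tile's catalog (start
                       authorization) and group (launchpad display),
                       plus the launchpad role SAP_UI2_USER_700
  back-end:            a user with the same ID, S_RFCACL (trusted RFC)
                       and the business role
Role names, catalog/group IDs, tile names and users below are constructed
sample input (hypothetical Z_ names); they are not exports from a real system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tile:
    name: str
    catalog: str  # SAP Fiori tile catalog ID (gives the start authorization)
    group: str    # SAP Fiori launchpad group ID (makes the tile visible)


@dataclass
class FrontendRole:
    catalogs: set = field(default_factory=set)  # catalog IDs in the PFCG role menu
    groups: set = field(default_factory=set)    # group IDs in the PFCG role menu


@dataclass
class BackendUser:
    roles: set         # business roles assigned in the back-end
    auth_objects: set  # authorization objects present in the user's profiles


LAUNCHPAD_ROLE = "SAP_UI2_USER_700"
TRUSTED_RFC_OBJECT = "S_RFCACL"

# --- constructed sample landscape (hypothetical names) ---------------------
TILES = {
    "My Leave Requests": Tile("My Leave Requests", "Z_CAT_ESS_LEAVE", "Z_GRP_ESS_LEAVE"),
}
FRONTEND_ROLES = {
    "Z_FIORI_ESS_LEAVE": FrontendRole({"Z_CAT_ESS_LEAVE"}, {"Z_GRP_ESS_LEAVE"}),
    "Z_FIORI_ESS_LEAVE_GROUP_ONLY": FrontendRole(set(), {"Z_GRP_ESS_LEAVE"}),
    LAUNCHPAD_ROLE: FrontendRole(),
}
FRONTEND_ASSIGNMENTS = {
    "ALICE": {"Z_FIORI_ESS_LEAVE", LAUNCHPAD_ROLE},             # complete
    "BOB":   {"Z_FIORI_ESS_LEAVE", LAUNCHPAD_ROLE},             # no back-end user
    "CAROL": {"Z_FIORI_ESS_LEAVE_GROUP_ONLY", LAUNCHPAD_ROLE},  # group without catalog
    "DAVE":  {"Z_FIORI_ESS_LEAVE"},                             # no launchpad role
}
BACKEND_USERS = {
    "ALICE": BackendUser({"Z_HR_ESS_LEAVE"}, {TRUSTED_RFC_OBJECT}),
    "CAROL": BackendUser({"Z_HR_ESS_LEAVE"}, {TRUSTED_RFC_OBJECT}),
    "DAVE":  BackendUser({"Z_HR_ESS_LEAVE"}, set()),  # S_RFCACL missing
}
BUSINESS_ROLE = {"My Leave Requests": "Z_HR_ESS_LEAVE"}  # hypothetical back-end role


def check_tile_access(user, tile_name, frontend_roles=FRONTEND_ROLES,
                      assignments=FRONTEND_ASSIGNMENTS, backend_users=BACKEND_USERS,
                      tiles=TILES, business_roles=BUSINESS_ROLE):
    """Return the reasons the tile will not open with data for this user (empty list = OK)."""
    tile = tiles[tile_name]
    assigned = assignments.get(user, set())
    # Union of catalogs/groups over every front-end role the user holds
    catalogs = set().union(*(frontend_roles[r].catalogs for r in assigned if r in frontend_roles))
    groups = set().union(*(frontend_roles[r].groups for r in assigned if r in frontend_roles))
    problems = []
    if LAUNCHPAD_ROLE not in assigned:
        problems.append(f"front-end: {LAUNCHPAD_ROLE} not assigned, launchpad shows errors")
    if tile.group not in groups:
        problems.append(f"front-end: group {tile.group} not in any role menu, tile is not displayed")
    if tile.catalog not in catalogs:
        problems.append(f"front-end: catalog {tile.catalog} not in any role menu, no start authorization")
    backend = backend_users.get(user)
    if backend is None:
        problems.append("back-end: no user with the same ID, trusted RFC logon is rejected")
    else:
        if TRUSTED_RFC_OBJECT not in backend.auth_objects:
            problems.append(f"back-end: {TRUSTED_RFC_OBJECT} missing, trusted RFC logon is rejected")
        if business_roles[tile_name] not in backend.roles:
            problems.append(f"back-end: business role {business_roles[tile_name]} missing, no data")
    return problems


def report(users=FRONTEND_ASSIGNMENTS, tiles=TILES):
    """Map (user, tile) -> list of problems for every front-end user."""
    return {(u, t): check_tile_access(u, t) for u in sorted(users) for t in tiles}


if __name__ == "__main__":
    for (user, tile), problems in report().items():
        print(f"{user:6} {tile}: {'OK' if not problems else '; '.join(problems)}")
```

In a real landscape the two dictionaries of users would be filled from exports of the front-end and back-end systems (for example SUIM or the AGR_USERS / UST12 tables); the check itself stays the same, and a non-empty list for a user is exactly the ticket the user would otherwise raise after go-live.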

I hope the blog is useful for fellow enthusiasts. Any questions or comments are always welcome and I am available for further discussions on FIORI topics.