ABSTRACT

This document will explain the Fiori Landscape

and Fiori activation for S/4HANA system

SAP FIORI ACTIVATION

Amr Abdulhamid
Contents
Purpose ......................................................................................................................................................... 2
System Landscape for Fiori Apps .................................................................................................................. 3
Components of the System Landscape ..................................................................................................... 4
Activating OData Services ............................................................................................................................. 5
Context ...................................................................................................................................................... 5
Procedure.................................................................................................................................................. 6
Activating ICF Services of SAPUI5 Application .............................................................................................. 6
Prerequisites ............................................................................................................................................. 6
Procedure.................................................................................................................................................. 6
Creating PFCG Role ....................................................................................................................................... 7
Prerequisites ............................................................................................................................................. 7
Context ...................................................................................................................................................... 7
Caution ...................................................................................................................................................... 7
Assigning Roles to Users ............................................................................................................................... 8
Procedure.................................................................................................................................................. 8

Page 1 of 8
Purpose
The purpose of this Document is to provide sufficient information for the consultants about the SAP Fiori
Landscape.
Also it will contain the necessary steps of for the activation of the Fiori applications vendor to provide
the adequate hardware for the SAP system

Page 2 of 8
System Landscape for Fiori Apps

Page 3 of 8
Components of the System Landscape

Depending on the app type, the following components are used:

Client

To be able to run SAP Fiori apps, the runtime environment (such as the browser) of the client must
support HTML5.

SAP Web Dispatcher

SAP Fiori apps are processed as follows: First, the client loads the UIs for the SAP Fiori apps. Second,
while running, the app consumes data from the back-end systems.

The SAP Fiori apps send requests to several systems, depending on the application type and the
connected system landscape.

Standard browsers have a “same origin” policy, that is, HTTPS requests for the UI data and the back-end
data must communicate with just one web address.

To meet this requirement, a reverse proxy server between the client and the SAP system must be
installed. The reverse proxy server acts as the only point of entry for all HTTPS requests. Depending on
the requests that the app sends, the reverse proxy server selects the appropriate application server, the
ABAP front-end server, or the SAP Gateway server.

Note

We recommend using SAP Web Dispatcher as reverse proxy server.

ABAP Front-End Server

The ABAP front-end server contains all the infrastructure components to generate an SAP Fiori app-
specific UI for the client and to communicate with the back-end systems. The UI components and the
gateway are based on SAP NetWeaver. Typically, both are deployed on the same server.

The central UI component is a framework that provides the common infrastructure for all SAP Fiori apps:
SAP Fiori launchpad is the basis of all SAP Fiori UIs and provides fundamental functions for SAP Fiori apps
such as logon, surface sizing, navigation between apps, and role-based app catalogs. End-users access
the SAP Fiori apps from the SAP Fiori launchpad. The specific UIs for the apps are delivered as product-
specific UI add-on products, which must be additionally installed on the front-end server.

SAP Gateway handles the communication between the client and the back end. SAP Gateway uses
OData services to provide back-end data and functions and processes HTTPS requests for OData
services.

Page 4 of 8
ABAP Back-End Server

On the ABAP back-end server, the products that provide the business logic and the back-end data,
including users, roles, and authorizations, are installed. The back-end server is based on SAP NetWeaver.

Database

The database stores the data for the ABAP back-end server.

System Landscape Recommendations

SAP Fiori front-end server can be deployed in the following ways:

 Embedded deployment: SAP Fiori front-end server is deployed on the SAP Business Suite or SAP
S/4HANA backend system directly (recommended for S/4 HANA).
 Hub single backend deployment: A dedicated SAP Fiori front-end server is deployed "in front of"
one S/4HANA (SAP Business Suite) backend system.
 Hub multi-backend deployment: A dedicated SAP Fiori front-end server is deployed "in front of"
several backend systems (for SAP Business Suite only).

Based on SAP note 2775163 , embedded deployment is the recommended deployment for S/4 HANA.

Activating OData Services

On the front-end server, activate the OData services delivered for the SAP Fiori app you want to
implement.

Context
There are several ways to activate the relevant OData services:

You can activate the OData services for each app individually, as described below.

You can activate OData services for several apps at the same time, by using a task list.

For more information, see Activating OData Services for Several SAP Fiori Apps.

Determining the OData Service Names for Your Apps

For apps that are delivered by SAP, see the SAP Fiori apps reference library or the documentation of the
corresponding SAP Fiori app.

For analytical apps that are launched using a KPI tile that your company created, ask the responsible
developer.

If you want to determine the OData service name by yourself:

In the SAP Smart Business modeler apps, use the KPI Workspace app to look for the relevant KPI. The
names of the KPI tile and the KPI name might differ slightly.

Page 5 of 8
In the KPI, look for the evaluation. The evaluation contains the URL of the OData service, such as
/sap/opu/…<service>.

Procedure
1. Run transaction Activate and maintain services (/IWFND/MAINT_SERVICE) on the front-end
server.
2. Choose Add Service.
3. Enter the system alias of your back-end system.
4. In the External Service Name field, enter the technical name of the OData service for your app
without the version number.
5. For more information on the OData service per app, see the corresponding section under the
app implementation information in the SAP Fiori apps reference library.
6. In the Version field, enter the version number.
7. Choose Get Services.
8. Choose Add Selected Services.
9. Enter a technical name for the service in your customer namespace.
10. Assign a package or choose Local Object.
11. Choose Execute to save the service.
12. On the Activate and maintain services screen, check whether the system alias is maintained
correctly. If not, delete the alias and add the correct one.
13. Call the OData service once.

Activating ICF Services of SAPUI5 Application

On the front-end server, activate the ICF service that is specifically delivered for the SAP Fiori app you
want to implement. This is because, for security reasons, all Internet Communication Framework (ICF)
services are made available in an inactive state. Note that for security reasons, we recommend that you
only activate the services for the apps you want to use.

Prerequisites
For each app, see the technical name of the corresponding ICF service in the SAP Fiori app
documentation.

Procedure
1. You can activate the ICF services for each app manually, as given below. To activate an ICF
service, proceed as follows:
2. On the front-end server, start transaction Maintain Services (SICF).
3. Press F8.
4. Navigate to default_host sap bc ui5_ui5 sap.
5. In this node, navigate to the SAPUI5 application for your app.
6. To activate the service (SAPUI5 application), choose Service/Host Activate.

Page 6 of 8
Creating PFCG Role
You must perform this task and the following role-related task to provide users with the UI access to
apps and the start authorizations for the activated OData services used by the apps.

Prerequisites
You have activated the OData service and called it at least once before assigning start authorizations.

Context
We recommend adding the relevant catalog and the start authorizations for the activated OData
services that are used by the apps in the catalog to the role menu of the same PFCG role. Thereby, you
keep the UI access provided with the catalogs together with the required start authorizations. The
system determines the OData services for a catalog and automatically includes the start authorizations
when the catalog is added to the role menu.

Adding single OData service authorizations provides additional security, especially if the front-end server
is set up as a separate hub. By specifying the services explicitly in the role menu, you control which
requests on behalf of a user can pass SAP Gateway.

Alternatively, it is possible to authorize all activated OData services by specifying a wildcard for the start
authorization check on the front-end server (S_SERVICE = * (asterisk)).

Caution
If you use a wildcard, users can call all activated services. We therefore recommend not using wildcard
authorizations in productive environments but adding single OData service authorizations.

Procedure

1. Open transaction Role Maintenance (PFCG).

2. Create a new single role and assign the following in the role menu:
 Type Catalog
 Catalog Provider Fiori Launchpad Catalogs
 Catalog ID
 Optional (if the users should see the tiles in a group already on the SAP Fiori launchpad
start page): Type Group, Group ID
3. Alternatively, you can copy the template business role delivered by SAP, which already contains
the catalog and group, as sample content to your customer namespace.
To automatically enter the OData services, if available:
 Select the Local Front-End Server radio button.
 Mark the Include Applications checkbox.

Page 7 of 8
 4. To manually enter the OData services, for example, analytical apps that are launched by using a
KPI tile, do the following:
 Add the following in the (new or copied) role menu for each of the OData services:
 Type Authorization Default
 Authorization Default TADIR Service
 Object Type IWSG – Gateway: Service Groups Metadata
 Select TADIR Service using value help for the object name with <name of activated
service>.
 Enter the name as follows: <technical name>_<four-digit version number with leading
zeros>.
5. Save the role menu and go to the role authorization. Change the authorization data and adapt
the generated authorizations accordingly.
6. Generate the authorization profile and save it.

Assigning Roles to Users

Assign roles to users. Each role includes catalogs, groups, and OData start authorizations.

Procedure
In transaction Role Maintenance (PFCG) on the User tab, assign the role containing the catalogs, groups,
and OData start authorizations to a user by specifying the user ID.

The specified user gets access to the apps in the catalogs and the start authorizations for the respective
OData services.

Page 8 of 8