
How to create security Roles for SAP FIORI Tiles via PFCG in Gateway/Frontend system

Komal Sharma
Expert Sécurité SAP / SAP Security Consultant

June 12, 2019

To use and secure SAP Fiori applications, we as security analysts need to create roles in the gateway system. If the client uses the embedded approach, we create all roles in one system.

First, I would like to discuss the types of Fiori deployment. There are two approaches for Fiori implementation:

Central Hub Deployment - In this approach, the Gateway/Frontend server and your backend system (ERP) reside on different servers. The OData services are registered on the Front-End Server via a Trusted-RFC ABAP connection.

Embedded Deployment - One server hosts both backend and frontend components. SAP does not recommend it, specifically for customers who have multiple backend systems. The main consequence is that with multiple Business Suite systems, Gateway has to be configured multiple times. It is usually used for sandbox purposes only or for certain S/4HANA landscapes.

Creation of Roles

In this scenario we have two separate systems, frontend/gateway and backend, but we will create the role only in the gateway system. To create a role in the Frontend or Gateway system we need the Catalog ID and Group ID.

SAP provides some standard role-based Fiori apps, and we can use these standard roles. In the Fiori apps library home page, go to SAP Fiori apps for SAP Business Suite --> by roles --> Employee - HR Info. Here we can see all employee-related apps under the role SAP_HR_BCR_EMPLOYEE_T.

If we don't have the role name, we can also search the Fiori apps library for the Catalog ID and Group ID of the particular tile, for example 'My Leave Requests'. Then we create a role for the app in PFCG.

1. Go to transaction PFCG and enter the role name. Click on 'Single Role'.


2. Enter a description for the role, then save the role.


4. Go to the Menu tab and change the context from Transaction to SAP Fiori Tile Catalog. Enter the Catalog ID, then click on Continue.


Now you can see it in the Role menu. If you double-click on the node, you can see its details on the right side.


5. Again under the Menu tab, look for Group ID, click on Group ID, then continue.


Now you can see both the catalog provider and the group provider in the role menu.

6. Now that the role is ready, assign it to the user under the User tab. Click on the Save button. After doing User Comparison, we can see the User tab in green.


Note: To see the tile without error, launchpad users must have the PFCG role SAP_UI2_USER_700 assigned, along with the catalog and group.

7. Log in to Fiori via the URL and look in the Fiori launchpad for the tile you have assigned to the user. We can see the tile 'My Leave Requests'. We also see some extra tiles here because we used the standard Catalog ID; this standard catalog contains all of these tiles. If you create a custom Catalog ID and Group (in SAP Fiori Launchpad Designer), you can put only the required tiles in your custom catalog and group.


Conclusion: We learnt how to create SAP security roles for FIORI tiles. This way, the user can see the tiles, but she still needs business data. To access business data, users must have the authorization S_RFCACL in the backend system, with the same user ID as in the front-end system, and of course the corresponding business roles. The PFCG role on the Front-End Server needs the catalog for the start authorization and the group for tile display in the SAP Fiori Launchpad.
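
The prerequisites named in the note and the conclusion can be audited per user. The script below is an added example, not part of the original article: it flags front-end users who lack a catalog, a group, the role SAP_UI2_USER_700, a backend user with the same ID, or S_RFCACL. The sample data and its (key, value) export layout are constructed assumptions, and the corresponding business roles are not checked.

```python
from collections import defaultdict

UI2_ROLE = "SAP_UI2_USER_700"  # launchpad role named in the article's note
RFC_OBJECT = "S_RFCACL"        # backend authorization named in the conclusion

# Constructed sample data; the (key, value) export layout is an assumption.
ROLE_MENU = [("Z_FIORI_LEAVE", "CATALOG"), ("Z_FIORI_LEAVE", "GROUP"),
             ("Z_FIORI_CAT_ONLY", "CATALOG")]            # front end: role, menu node
USER_ROLES = [("ALICE", "Z_FIORI_LEAVE"), ("ALICE", UI2_ROLE),
              ("BOB", "Z_FIORI_CAT_ONLY"), ("BOB", UI2_ROLE),
              ("CAROL", "Z_FIORI_LEAVE"),
              ("DAVE", "Z_FIORI_LEAVE"), ("DAVE", UI2_ROLE),
              ("ERIN", "Z_FIORI_LEAVE"), ("ERIN", UI2_ROLE)]  # front end: user, role
BACKEND_AUTHS = [("ALICE", RFC_OBJECT), ("BOB", RFC_OBJECT),
                 ("CAROL", RFC_OBJECT), ("ERIN", "S_TCODE")]  # backend: user, object


def _index(pairs):
    """Group (key, value) pairs into {key: {values}}."""
    out = defaultdict(set)
    for key, value in pairs:
        out[key].add(value)
    return out


def audit(role_menu, user_roles, backend_auths):
    """Return {user: [gaps]} for front-end users missing a prerequisite."""
    nodes_by_role = _index(role_menu)
    backend = _index(backend_auths)
    findings = {}
    for user, roles in _index(user_roles).items():
        # Menu node kinds the user receives across all assigned roles.
        nodes = set().union(*(nodes_by_role.get(r, set()) for r in roles))
        gaps = [kind for kind in ("CATALOG", "GROUP") if kind not in nodes]
        if UI2_ROLE not in roles:
            gaps.append(UI2_ROLE)
        if user not in backend:          # the same user ID must exist in the backend
            gaps.append("BACKEND_USER")
        elif RFC_OBJECT not in backend[user]:
            gaps.append(RFC_OBJECT)
        if gaps:
            findings[user] = gaps
    return findings


if __name__ == "__main__":
    for user, gaps in sorted(audit(ROLE_MENU, USER_ROLES, BACKEND_AUTHS).items()):
        print(f"{user}: missing {', '.join(gaps)}")
```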

I hope the blog is useful for fellow enthusiasts. Any questions or comments are always welcome, and I am available for further discussions on FIORI topics.


Comments


Varun Biswas • 3rd+ 2y
SAP Technical Lead @ Nitto Avecia | Driving SAP In…

Hi, we have not discussed adding default R3T authorization values in SU24. Not all business/Fiori roles may allow users access to the tiles/groups catalogues just by adding the roles. Correct?

Mari Muttu • 3rd+ 2y
Sap Security

How do we check which services are missing in the Fiori Launchpad? And how do we rectify it?

Robert R. Soria • 2nd 3y
Senior SAP Security Consultant for / SAP ECC / S4 …

Hi Komal, thank you very much. I'm reading the SAP ADM945 Manual and your explanation is so very clear, concise and easy to understand.

Thank You

Surya Theja Appala • 2nd 5y
Manager at Accenture

Thank you Komal for the blog and your explanation is very easy to understand for beginners as well.
A small correction:
"Note: In order to see the Tile without error, along with catalog and …

Wouter van Heddeghem • 3rd+ 5y
Senior SAP S/4HANA Finance Consultant + Dutch …

Great blog Komal Sharma!

Komal Sharma Author 5y
Expert Sécurité SAP / SAP Security Consultant

Thank you for your feedback and encouragement.

SIVA D. • 2nd 5y
SAP Security, GRC, Risk Compliance, SAP Auditing, …

Simply super..

Narayana S • 2nd 5y
Senior Technical Specialist at IBM

Thank you Komal Sharma for sharing the useful information..pls share User admin topic in FIORI
Ahmed Thameem • 2nd 5y
Financial Controller | Inhouse SAP Security | Financi…

Thank you for the useful information Komal Sharma

Aniruddh Dubey • 2nd 5y
Application Development Team Lead at Accenture |…

Nice one Komal.. It's useful
Nakul Goyal • 3rd+ 5y
Lead Consultant - SAP BTP UI5/FIORI @ Genpact …

Very useful. Thanks
