SAP Security & GRC made easy

Creating a Fiori Role

Let's walk through the process of creating a Fiori role that grants access to a Fiori catalog and group, making them visible on a user’s Fiori launchpad.

Step 1: Identify the Required Fiori Catalog and Group

Before creating the role, identify the Fiori catalog and Fiori group that need to be assigned. You can find their technical names in the Fiori Launchpad Designer, as shown in the screenshots below. These technical names are essential when configuring the role.

  • Fiori Catalog for Role
  • Fiori Group for Role

For this example, we will create a PFCG role that includes:

  • Catalog: SAP_EPM_BC_PURCHASER_T
  • Group: SAP_EPM_BCG_PURCHASER_T

When creating custom catalogs or groups, it's good practice to use a naming convention that clearly links roles to their corresponding catalogs and groups. In this case, we name the role ZSAP_EPM_BC_PURCHASER_T and describe it as Purchaser (EPM) – Content, aligning it with the catalog’s name and description.

Step 2: Create the Fiori Role in PFCG

Add the Fiori Catalog

  • In the Menu tab of the PFCG role, add the catalog using its technical name (SAP_EPM_BC_PURCHASER_T).

  • Ensure the "Include applications" checkbox is selected. This will automatically add the services corresponding to the tile apps in the catalog.

⚠️ In older SAP versions, web services might need to be added manually. Always verify that the required services are included in the role menu.

Screenshot: Fiori Role Showing Services Included in the Catalog

Screenshot: Assign Fiori Group to Role

Add the Fiori Group

Once the catalog is added, include the corresponding Fiori Group (SAP_EPM_BCG_PURCHASER_T) in the role menu.

After these steps, your PFCG role should contain the Fiori catalog, group, and associated services, as shown in the screenshot below.

Screenshot: PFCG Role with Fiori Catalog, Group and Services Added to the Role Menu

Step 3: Maintain Role Authorizations

  1. Navigate to the Authorizations tab and generate the profile.
  2. The necessary authorization objects are automatically pulled into the role based on SU24 entries.

If additional objects are required during security testing, update the SU24 entries and merge them into the role using Expert Mode.

🚫 Manually adding objects should be avoided, just like in ECC or R/3.

Screenshot: Fiori role showing authorization objects pulled in through SU24 entries

Step 4: Assign Required Authorization Objects

In addition to catalog-specific services, users need general access authorizations to log into the Fiori Launchpad. The following services and authorization objects should be included in the general Fiori access role:

Services:

  • /UI2/INTEROP, ZINTEROP_0001
  • /UI2/LAUNCHPAD
  • /UI2/PAGE_BUILDER_PERS, ZPAGE_BUILDER_PERS_0001

Authorization Objects:

  • S_PB_CHIP: ACTVT = 03, CHIP_NAME = X-SAP-UI2-CHIP*, X-SAP-UI2-PAGE*
  • /UI2/CHIP: ACTVT = 03, /UI2/CHIP = X-SAP-UI2-CHIP*, X-SAP-UI2-PAGE*
  • S_USER_GRP: ACTVT = 03
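
An added example (not from the original post): one way to check an exported general Fiori access role against the authorization objects listed above, reporting baseline values the role lacks and granted values that are wider than the baseline. The CSV layout, the role name ZFIORI_GENERAL and the sample rows are constructed assumptions, and only trailing-* wildcards are handled.

```python
import csv
import io

# Baseline from Step 4: object -> field -> values the general Fiori role needs.
BASELINE = {
    "S_PB_CHIP": {"ACTVT": ["03"],
                  "CHIP_NAME": ["X-SAP-UI2-CHIP*", "X-SAP-UI2-PAGE*"]},
    "/UI2/CHIP": {"ACTVT": ["03"],
                  "/UI2/CHIP": ["X-SAP-UI2-CHIP*", "X-SAP-UI2-PAGE*"]},
    "S_USER_GRP": {"ACTVT": ["03"]},
}

# Constructed sample export; role name and column layout are assumptions.
SAMPLE_CSV = """role,object,field,value
ZFIORI_GENERAL,S_PB_CHIP,ACTVT,03
ZFIORI_GENERAL,S_PB_CHIP,CHIP_NAME,X-SAP-UI2-*
ZFIORI_GENERAL,/UI2/CHIP,ACTVT,03
ZFIORI_GENERAL,/UI2/CHIP,/UI2/CHIP,X-SAP-UI2-CHIP*
ZFIORI_GENERAL,S_USER_GRP,ACTVT,02
ZFIORI_GENERAL,S_USER_GRP,ACTVT,03
"""

def covers(pattern, value):
    """True if `pattern` (literal or trailing-* wildcard) covers `value`."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def audit(csv_text, role):
    """Return (missing, excess) for `role` measured against BASELINE."""
    granted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["role"] == role:
            granted.setdefault((row["object"], row["field"]), set()).add(row["value"])
    missing, excess = [], []
    for obj, fields in BASELINE.items():
        for field, required in fields.items():
            have = granted.get((obj, field), set())
            # Baseline value that nothing granted covers: access is incomplete.
            missing += [(obj, field, r) for r in required
                        if not any(covers(g, r) for g in have)]
            # Granted value that no baseline value covers: wider than needed.
            excess += [(obj, field, g) for g in sorted(have)
                       if not any(covers(r, g) for r in required)]
    return missing, excess

if __name__ == "__main__":
    print(audit(SAMPLE_CSV, "ZFIORI_GENERAL"))
```

On the constructed sample, the role is missing the X-SAP-UI2-PAGE* value for /UI2/CHIP, while the X-SAP-UI2-* chip name and ACTVT 02 on S_USER_GRP are reported as exceeding the baseline.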

Final Step: Testing the Role

  1. Assign the newly created PFCG role to a test user.
  2. Log in to the Fiori Launchpad.
  3. Verify that the assigned apps appear on the home screen.

With these steps completed, users will have access to the required Fiori catalog and group, ensuring seamless navigation within the Fiori Launchpad. 🚀
