Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Fiori LL20 - Role and Authorization settings for SAP Fiori launchpad

masa_139
Product and Topic Expert
Product and Topic Expert
‎07-09-2015 10:39 AM

Please feel free to edit this document and add your tips.

SAP Fiori Lessons Learned 20. Role and Authorization settings for SAP Fiori launchpad

Background:

I see many consultants had issues accessing Fiori launchpad because authorizations were not assigned.

Help documents:

Frontend server:

    Administrator: SAP Fiori launchpad Designer

  • Z_SAP_UI2_ADMIN_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
  • R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
  • /IWFND/RT_ADMIN (Authorization Template)
  • Add authorization objects listed in the Authorizations - SAP NetWeaver User Interface Services - SAP Library.

    Runtime User: SAP Fiori launchpad

  • Z_SAP_UI2_USER_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • /IWFND/RT_GW_USER (Authorization Template)
  • S_PB_CHIP(Authorization Object)
  • /UI2/CHIP (Authorization Object)
  • S_SERVICE (Authorization Object)
  • App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
  • App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
  • App specific Group RoleAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

Backend server:

    Administrator:

  • IWBEP/RT_BEP_ADM(Authorization Template)
  • S_RFCACL (Authorization Object)

    Runtime User:

  • /IWBEP/RT_MGW_USR (Authorization template)
  • S_RFCACL (Authorization Object)
  • App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)

Steps: Example setting for runtime user role in the Frontend server.

Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700

Step 2. Add authorization default in the menu tab

Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.

Step 3. Add Gateway authorizations from template in the authorization tab.

Edit -> Insert Authorizations -> From Template ...

Please find authorization template name in User, Developer, and Administrator Roles - SAP GatewayFoundation (SAP_GWFND) - SAP Library

Step 4. Manually add additional authorization objects

Please find the list of authorization objects in Authorizations - SAP NetWeaver User Interface Services - SAP Library.

Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)

Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)

Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

How to check missing authorizations:

  • Transaction SU53 - Just shows last failed authorization
  • Transaction ST01 - You can take authorization trace
10 Comments
Labels in this area
Popular Blog Posts