3.3 User Authorizations and Management
Two primary processes are involved in providing access in SAP Fiori:
- Authentication process: Verifies that users are who they claim to be and are allowed to log on to the servers.
- Authorization process: Determines whether the logged-on user is allowed to access a specific app or to perform a specific action.
In this section, we’ll look at the various user authorization steps for SAP Fiori launchpad, SAP Gateway, and different SAP Fiori apps.
But before we begin our discussion of authorizations, let’s review user management.
3.3.1 User Management
A couple of user management tools are provided for both AS Java and AS ABAP. You’ll use the following transaction codes while working with user management in SAP Fiori:
- Transaction SU01: User Maintenance (user management for AS ABAP)
- Transaction PFCG: Role Maintenance, also known as the Profile Generator (to create roles, generate their authorization profiles, and assign the roles to users)
There are a couple of important considerations to note from a user management perspective:
- The user must exist in the following systems:
- User names must be identical in the ABAP system and the SAP HANA database. If you plan to implement all three types of apps (transactional, fact sheet, and analytical), make sure the user names comply with the stricter naming rules of SAP HANA, because the same name must work in every system.
- If your deployment is embedded (the SAP Fiori front-end server runs on the same ABAP system as the back end), you don't need to create the users in a separate front-end system.
- You can use Central User Administration (CUA) to synchronize users between the back-end and the front-end systems so that the user names in both systems match.
3.3.2 User Authorization
With a better understanding of how users are managed, let’s look at the different user authorizations required.
SAP Fiori Launchpad
SAP Fiori launchpad is the entry point for all SAP Fiori apps. After users are authenticated, they can see and access those SAP Fiori apps that an administrator has assigned, through a business catalog, to the role designed for the user.
SAP delivers business roles for users of SAP Fiori apps. Every business role provides access to a set of apps relevant for specific business users. For example, the PFCG role for the business catalog of the My Quotations app gives the user access to the My Quotations app (see Figure 3.7). Therefore, for a user to see this app in SAP Fiori launchpad, the administrator must assign the business catalog role to that user. In Chapter 4, Section 4.4, we'll discuss these roles and authorizations in greater detail. The SAP Fiori launchpad catalog and the UI PFCG roles bundle all front-end privileges required to execute the apps; they don't grant anything in the back end.
Figure 3.7 shows an app-specific (My Quotation app) implementation help page from the SAP Fiori apps reference library.
Figure 3.7 Roles for My Quotations App
SAP Gateway
After the user is authorized to see an app in SAP Fiori launchpad, the next step is to authorize the user to start the OData services the app calls. This SAP Gateway-level authorization (the start authorization for the OData service, which is checked through the authorization object S_SERVICE) is what actually allows the app to run: without it, the tile is visible, but the service call fails in the back end. Figure 3.8 shows the start authorizations for one of the services.
Figure 3.8 Adding OData Service Permissions
Transactional and Fact Sheet Apps
Like the front-end PFCG role for the business catalog covered previously, SAP delivers back-end PFCG roles for every transactional app and fact sheet app; for example, the My Quotations app (refer to Figure 3.7) is delivered with a back-end authorization role (PFCG) for the technical catalog. These roles include references to the corresponding OData services, which are required to run the apps.
Transactional App Roles
Roles for the transactional apps don't include the authorizations for the business data displayed in the app. Those authorizations are the customer's responsibility and must be added to the user's back-end roles according to the customer's own authorization concept.
For the user to access this transactional app, the administrator must assign both the back-end and front-end roles to the user. We’ll discuss this topic further in Chapter 4, Section 4.3 and Section 4.4.
Fact Sheet Apps
For fact sheet apps, in addition to the OData service authorization, you need to authorize users’ access to the underlying search models. You can find the search model entries in the Authorizations tab of Transaction PFCG (Role Maintenance). Follow these steps:
- From your ABAP back-end server, run Transaction PFCG.
- Enter a role name (for example, "SAP_SD_SALESORDER_APP") and click the Change button.
- Go to the Authorizations tab, and click Change Authorization Data. You should now see the screen shown in Figure 3.9.
Figure 3.9 Fact Sheet Authorizations
You must add entries to the S_ESH_CONN authorization object in the Basis: Administration subtree. Fill in the following fields (see Figure 3.9):
- Request of Search Connector: The request for which a user receives search results.
- Search Connector ID: The ID of the search connectors that the user is allowed to explore.
- System ID: The system ID that the user is allowed to explore.
- Client: The client taken into account during the search.
As with any authorization field, the value * grants access to all connectors, systems, or clients, so restrict these fields to the search connectors the fact sheet actually needs.
We’ll discuss this in further detail in Chapter 4, Section 4.3.2.
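The following Python script is an added example for this section, not SAP code and not part of the original text. It models the three layers just described for a set of constructed user assignments: the front-end catalog role (tile visibility in SAP Fiori launchpad), the back-end technical catalog role (OData service start in SAP Gateway), and, for fact sheet apps, the S_ESH_CONN values for the search connector. All role names, connector names, user names, and the `Z_FE_*`/`Z_BE_*` naming are hypothetical. The point it makes explicit is that the layers fail differently: a user with only the front-end role sees a tile that doesn't work, while a user with only the back-end role sees no tile but can still call the OData service directly.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class App:
    """An SAP Fiori app and the roles it needs. All names are hypothetical."""
    name: str
    catalog_role: str        # front-end PFCG role for the business catalog
    technical_role: str      # back-end PFCG role for the technical catalog (OData start)
    # Fact sheet apps additionally need S_ESH_CONN for their search connector:
    # (request, connector ID, system ID, client). None for transactional apps.
    search_target: Optional[tuple] = None


@dataclass
class User:
    """Role assignments of one user across the front-end and back-end systems."""
    name: str
    frontend_roles: set = field(default_factory=set)
    backend_roles: set = field(default_factory=set)
    # S_ESH_CONN values granted through back-end roles, same tuple layout as
    # App.search_target; the SAP wildcard '*' is allowed in each field.
    esh_conn: list = field(default_factory=list)


def sap_value_matches(granted: str, actual: str) -> bool:
    """Match one authorization field value the way PFCG values work: an exact
    value, '*' for everything, or a generic value with a trailing '*' (prefix).
    From/to ranges are not modelled here."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return actual.startswith(granted[:-1])
    return granted == actual


def has_s_esh_conn(entries, target) -> bool:
    """True if any granted S_ESH_CONN entry covers all four fields of target."""
    return any(
        all(sap_value_matches(g, a) for g, a in zip(entry, target))
        for entry in entries
    )


def check_access(user: User, app: App) -> dict:
    """Evaluate the three layers and name the resulting failure mode."""
    visible = app.catalog_role in user.frontend_roles       # launchpad tile
    startable = app.technical_role in user.backend_roles    # OData start auth
    search_ok = (app.search_target is None
                 or has_s_esh_conn(user.esh_conn, app.search_target))

    if visible and startable and search_ok:
        status = "OK"
    elif startable and not visible:
        # Tile hidden, but the OData service can still be called directly:
        # launchpad visibility is not an access control.
        status = "HIDDEN_BUT_STARTABLE"
    elif visible and not startable:
        # Tile shown; the back end rejects the service start.
        status = "TILE_ONLY"
    elif visible and startable:
        # Fact sheet starts but the user gets no search results.
        status = "NO_SEARCH_AUTH"
    else:
        status = "NO_ACCESS"
    return {"visible": visible, "startable": startable,
            "search_ok": search_ok, "status": status}


def audit(users, apps) -> dict:
    """Map (user name, app name) -> status for a whole set of assignments."""
    return {(u.name, a.name): check_access(u, a)["status"]
            for u in users for a in apps}


# Constructed sample data; role, connector and user names are made up.
MY_QUOTATIONS = App("My Quotations", "Z_FE_CAT_SD_QUOT", "Z_BE_TC_SD_QUOT")
SALES_ORDER_FS = App("Sales Order Fact Sheet", "Z_FE_CAT_SD_SO_FS", "Z_BE_TC_SD_SO_FS",
                     search_target=("SALESORDER", "SD_SALES_ORDER", "ERP", "100"))
APPS = [MY_QUOTATIONS, SALES_ORDER_FS]

USERS = [
    User("ALICE", {"Z_FE_CAT_SD_QUOT", "Z_FE_CAT_SD_SO_FS"},
         {"Z_BE_TC_SD_QUOT", "Z_BE_TC_SD_SO_FS"},
         esh_conn=[("*", "SD_SALES*", "ERP", "100")]),        # generic connector value
    User("BOB", {"Z_FE_CAT_SD_QUOT"}, set()),                   # front-end role only
    User("CAROL", set(), {"Z_BE_TC_SD_QUOT"}),                  # back-end role only
    User("DAVE", {"Z_FE_CAT_SD_SO_FS"}, {"Z_BE_TC_SD_SO_FS"}),  # no S_ESH_CONN values
]

if __name__ == "__main__":
    for (user, app), status in sorted(audit(USERS, APPS).items()):
        print(f"{user:6} {app:24} {status}")
```

In a real system you would feed `USERS` from the role assignments of both systems (for example, from the User Information System, Transaction SUIM, or table AGR_USERS) rather than from literals. The `HIDDEN_BUT_STARTABLE` case is the one to look for in such an audit: removing a tile from a catalog doesn't revoke the S_SERVICE start authorization in the back end.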
Analytical Apps
For a user to read KPI data, an SAP Fiori analytical app requires that the user be granted the app-specific roles on the SAP HANA server; this is where the requirement from Section 3.3.1 that the SAP HANA user name match the ABAP user name comes into play. For example, Figure 3.10 shows the role for a cash position app that is assigned to a user.