SAP Fiori Launchpad Roles and Authorizations

     Posted in BASIS, Fiori, NetWeaver, SAP

Frontend server:

Administrator: SAP Fiori launchpad Designer

  • Z_SAP_UI2_ADMIN_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CONF_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_CUST_0001 (Menu Authorization default)
  • R3TR IWSG ZTRANSPORT_0001 (Menu Authorization default)
  • /IWFND/RT_ADMIN (Authorization Template)
  • Add authorization objects listed in the Authorizations – SAP NetWeaver User Interface Services – SAP Library.

Runtime User: SAP Fiori launchpad

  • Z_SAP_UI2_USER_700 (Role)
  • R3TR IWSG ZINTEROP_0001 (Menu Authorization default)
  • R3TR IWSG ZPAGE_BUILDER_PERS_0001 (Menu Authorization default)
  • /IWFND/RT_GW_USER (Authorization Template)
  • S_PB_CHIP(Authorization Object)
  • /UI2/CHIP (Authorization Object)
  • S_SERVICE (Authorization Object)
  • App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)
  • App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)
  • App specific Group RoleAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

 

Backend server:

Administrator:

  • IWBEP/RT_BEP_ADM(Authorization Template)
  • S_RFCACL (Authorization Object)

Runtime User:

  • /IWBEP/RT_MGW_USR (Authorization template)
  • S_RFCACL (Authorization Object)
  • App specific OData role. SAP_MM_PO_APV_APP (Find it in the Fiori Apps Library)

 

Steps: Example setting for runtime user role in the Frontend server.

Step 1. Copy the role SAP_UI2_USER_700 to Z_SAP_UI2_USER_700

Step 2. Add authorization default in the menu tab

sap-fiori-launchpad-roles-andauthorizations-1

Note: R3TR IWSG is for Hub deployment. R3TR IWSV is for embedded deployment.

Step 3. Add Gateway authorizations from template in the authorization tab.

Edit -> Insert Authorizations -> From Template …
Please find authorization template name in User, Developer, and Administrator Roles – SAP GatewayFoundation (SAP_GWFND) – SAP Library

sap-fiori-launchpad-roles-andauthorizations-2

sap-fiori-launchpad-roles-andauthorizations-3

Step 4. Manually add additional authorization objects

Please find the list of authorization objects in Authorizations – SAP NetWeaver User Interface Services – SAP Library.

sap-fiori-launchpad-roles-andauthorizations-4

Step 5. Add App specific OData service. For example R3TR IWSG GBAPP_POAPPROVAL_0001 (Find it in the Fiori Apps Library)

Step 6. Add App specific Catalog Role SAP_MM_BC_BUYER_X1 (Find it in the Fiori Apps Library)

Step 7. Add App specific Group Role SAP_MM_BCR_BUYER_X1 (Find it in the Fiori Apps Library)

 

How to check missing authorizations:

  • Transaction SU53 – Just shows last failed authorization
  • Transaction ST01 – You can take authorization trace

 

Help documents:

 

 

 

Author: