Authorizations

Use

The user interface add-on for SAP NetWeaver (UI add-on) uses the authorization concept provided by SAP NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations that are described in the SAP NetWeaver AS for ABAP Security Guide also apply to the UI add-on for SAP NetWeaver.

In the SAP NetWeaver authorization concept, authorizations are assigned to users based on roles. To maintain roles, use transactions SU25 and SU24 to copy and maintain the authorization default values, and the profile generator (transaction PFCG) to build the roles on the AS ABAP.

Role and Authorization Concept for the User Interface Add-On for SAP NetWeaver

To use OData services provided by UI add-on for SAP NetWeaver, users must have the following authorizations:

  • In the back-end system, assign users to a role that includes authorizations for the respective service. Example roles for administrators in the back-end system are described below.

  • In the SAP Gateway system, assign users to a role that is mapped to the respective SAP System Alias in Customizing for the respective service (activity Activate and Maintain Services in Customizing for Gateway OData Channel). For more information, see the SAP Gateway Security Guide.

Example Administrator Role

The following table shows the example administrator role delivered with the UI add-on for SAP NetWeaver; it illustrates how roles for administrators can be configured.

Role: SAP_UI2_ADMIN

Description: Example administration role for OData services that are available for back-end systems based on SAP NetWeaver 7.0 and higher.

SAP_UI2_ADMIN is a composite role containing the following release-dependent roles:

  • SAP_UI2_ADMIN_700 for SAP NetWeaver 7.0

  • SAP_UI2_ADMIN_702 for SAP NetWeaver 7.0 enhancement package 2

  • SAP_UI2_ADMIN_731 for SAP NetWeaver 7.0 enhancement package 3 and SAP NetWeaver 7.3 enhancement package 1

In the role menu, this example role contains authorizations for the following services:

  • /UI2/LAUNCHPAD
  • /UI2/PAGE_BUILDER_CONF
  • /UI2/PAGE_BUILDER_CUST
  • /UI2/PAGE_BUILDER_PERS
  • /UI2/INTEROP
  • /UI2/TRANSPORT
  • /UI2/USER_FEEDBACK_SETUP

With this role, administrators can execute the SAP Fiori launchpad designer.

The authorization objects will be added to the user’s authorization profile according to the services assigned to the user’s role menu.

If you develop applications that use OData services provided by the UI add-on for SAP NetWeaver, you can check the trace for the services that you use in Maintain Authorization Defaults (transaction SU24) and adapt the authorization default data to the requirements of your application.

For more information, see the SAP NetWeaver documentation on SAP Help Portal at http://help.sap.com/nw_platform under Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > SAP Authorization Concept > From the Programmed Authorization Check to a Role.

Standard Authorization Objects

The following table shows the security-relevant authorization objects that are used by the UI add-on for SAP NetWeaver:

Authorization object: S_PB_CHIP
  Field ACTIVITY: All activities
  Field CHIP_NAME: None
  Description: This authorization object is important for accessing the page builder. You can use these values in roles for administrators who should be able to configure, customize, and personalize pages.

Authorization object: /UI2/CHIP
  Field ACTIVITY: All activities
  Field /UI2/CHIP: X-SAP-UI2*
  Description: This authorization object is important for accessing the page builder. You can use these values in roles for administrators who should be able to configure, customize, and personalize pages.
  Activity 06 is required for running the following:
    • Report /UI2/INVALIDATE_CLIENT_CACHES
    • Transaction /UI2/INVAL_CACHES
  For end users, restrict the activities to 03 (display) and 16 (execute).

Authorization object: S_SERVICE
  Field SRV_NAME: Hash value of the service
  Field SRV_TYPE: HT (hash type)
  Description: SRV_NAME is a hashed value. Each service has its own hash value, so access can be restricted per service at system level. If you need the mapping of a hash value to its object catalog entry, refer to table USOBHASH.

Authorization object: S_CTS_ADMI
  Field CTS_ADMFCT: TABL

Authorization object: S_CTS_SADM
  Field CTS_ADMFCT: TABL

Authorization object: S_SYS_RWBO
  Field ACTVT: 01
  Field TTYPE: CUST, DTRA

Authorization object: S_TRANSPRT
  Field ACTVT: 01, 03
  Field TTYPE: CUST, DTRA, TASK

Authorization object: S_DEVELOP
  Field ACTVT: 01, 02, 03, 06, 16
  Field DEVCLASS: *
  Field OBJNAME: (not specified)
  Field OBJTYPE: WDCC

Authorization object: S_WDR_P13N
  Field OBJNAME: (not specified)

Description for S_CTS_ADMI, S_CTS_SADM, S_SYS_RWBO, S_TRANSPRT, S_DEVELOP, and S_WDR_P13N: All these authorization objects are needed for different aspects of adding development objects to a transport request.

For Portal scenarios, authorization object /UI2/SRVC is available to restrict access to specific SAP Fiori launchpad catalogs and groups.

For more information, see the SAP NetWeaver Portal documentation at http://help.sap.com/netweaver under SAP NetWeaver Portal > Implementing Advanced Portal Scenarios > SAP Fiori Launchpad on Portal > Configuring SAP Fiori Launchpad on Portal > Remote Content.

Example User Role

The table below shows the example end-user role delivered with the UI add-on for SAP NetWeaver; it illustrates how roles for users can be configured:

Role: SAP_UI2_USER_700

Description: Example user role for OData services that are available for back-end systems based on SAP NetWeaver 7.0 Enhancement Package 3 and higher.

In the role menu, this example role contains authorizations for the following services:

  • /UI2/PAGE_BUILDER_PERS
  • /UI2/INTEROP
  • /UI2/LAUNCHPAD

With this role, the user can execute the SAP Fiori launchpad at the personalization level. For example, users have the following options:

  • Adding tiles

  • Deleting tiles

  • Navigating

  • Creating groups

  • Personalizing tile positions

With this role, the user does not have any authorization to execute the SAP Fiori launchpad designer.

The authorization objects will be added to the user’s authorization profile according to the services assigned to the user’s role menu.

Standard Authorization Objects

The following table shows the security-relevant authorization objects that are used by the UI add-on for SAP NetWeaver:

Authorization object: S_PB_CHIP
  Field ACTIVITY: 03 and 16
  Field CHIP_NAME: X-SAP-WD-CHIP*
  Description: This authorization object is important for accessing the page builder. You can use these values in roles for users who should be able to display pages.

Authorization object: /UI2/CHIP
  Field ACTIVITY: All activities
  Field /UI2/CHIP: X-SAP-UI2*
  Description: This authorization object is important for accessing the page builder. You can use these values in roles for users who should be able to delete and add tiles on personalized pages.
  For end users, restrict the activities to 03 (display) and 16 (execute).

Authorization object: S_SERVICE
  Field SRV_NAME: Hash values of the following services:
    • /UI2/PAGE_BUILDER_PERS
    • /UI2/INTEROP
    • /UI2/LAUNCHPAD
  Field SRV_TYPE: HT (hash type)
  Description: SRV_NAME is a hashed value. Each service has its own hash value, so access can be restricted per service at system level. If you need the mapping of a hash value to its object catalog entry, refer to table USOBHASH.
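The two tables above state the same end-user limits: ACTIVITY restricted to 03 and 16 for S_PB_CHIP and /UI2/CHIP, and S_SERVICE hashes that resolve (via USOBHASH) only to the personalization-level services, not to launchpad designer services. The following script is an added example, not part of the SAP documentation, that audits a role intended for end users against exactly those limits; the role dicts and the USOBHASH lookup are constructed stand-ins, and the field name ACTIVITY follows this page.

```python
"""Audit an end-user role against the end-user restrictions on this page.
Constructed example: roles are plain dicts; USOBHASH here is a made-up
stand-in for table USOBHASH. Field names follow the page (ACTIVITY)."""

# Services granted only by the example admin role on this page (launchpad designer).
ADMIN_ONLY_SERVICES = {"/UI2/PAGE_BUILDER_CONF", "/UI2/PAGE_BUILDER_CUST",
                       "/UI2/TRANSPORT", "/UI2/USER_FEEDBACK_SETUP"}
END_USER_ACTIVITIES = {"03", "16"}  # display and execute only

# Constructed stand-in for USOBHASH: S_SERVICE SRV_NAME hash -> service name.
USOBHASH = {"HASH-LAUNCHPAD": "/UI2/LAUNCHPAD", "HASH-PERS": "/UI2/PAGE_BUILDER_PERS",
            "HASH-INTEROP": "/UI2/INTEROP", "HASH-CUST": "/UI2/PAGE_BUILDER_CUST"}


def audit_end_user_role(role):
    """Return a list of findings where the role exceeds end-user scope."""
    findings = []
    for auth in role["authorizations"]:
        obj, fields = auth["object"], auth["fields"]
        if obj in ("S_PB_CHIP", "/UI2/CHIP"):
            acts = set(fields.get("ACTIVITY", []))
            # "*" is the PFCG full-authorization wildcard: every activity.
            extra = {"*"} if "*" in acts else acts - END_USER_ACTIVITIES
            if extra:
                findings.append(f"{obj}: ACTIVITY {sorted(extra)} beyond 03/16")
        elif obj == "S_SERVICE":
            for h in fields.get("SRV_NAME", []):
                svc = USOBHASH.get(h)
                if svc is None:
                    findings.append(f"S_SERVICE: hash {h} has no USOBHASH entry")
                elif svc in ADMIN_ONLY_SERVICES:
                    findings.append(f"S_SERVICE: {svc} is a launchpad designer service")
    return findings


# Constructed role: a copy of SAP_UI2_USER_700 that was widened too far.
OVERBROAD_USER_ROLE = {"name": "Z_UI2_USER_COPY", "authorizations": [
    {"object": "/UI2/CHIP", "fields": {"ACTIVITY": ["03", "06", "16"],
                                       "/UI2/CHIP": ["X-SAP-UI2*"]}},
    {"object": "S_PB_CHIP", "fields": {"ACTIVITY": ["03", "16"],
                                       "CHIP_NAME": ["X-SAP-WD-CHIP*"]}},
    {"object": "S_SERVICE", "fields": {"SRV_NAME": ["HASH-LAUNCHPAD", "HASH-CUST"],
                                       "SRV_TYPE": ["HT"]}},
]}

if __name__ == "__main__":
    for line in audit_end_user_role(OVERBROAD_USER_ROLE):
        print(line)
```

Running it on the constructed role reports the extra activity 06 on /UI2/CHIP and the S_SERVICE hash that resolves to /UI2/PAGE_BUILDER_CUST, the two places where a copied user role most often drifts into administrator scope.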

Assigning Catalog Pages in Role Maintenance

As a role administrator, you can now assign catalogs to user roles in Role Maintenance (transaction PFCG) using new role menu type Catalog.