Show TOC

Configuring Roles with Launchpad Start AuthorizationsLocate this document in the navigation structure

Users need authorization roles to run the SAP Fiori launchpad (as an end user) and the SAP Fiori launchpad designer (as an administrator). When users have these roles, they can access the catalogs and groups assigned to the roles by a role administrator. As a role administrator, you assign the necessary authorization roles and adjust them according to your needs.

Context

When you configure authorization roles, it is important that you perform the steps in the following order:

  • First activate the services in SAP Gateway.

  • Call each service once.

  • Configure roles correctly in Role Maintenance.

Procedure

  1. Activate the services in SAP Gateway using Activate and Maintain Services (transaction /IWFND/MAINT_SERVICE).
  2. Call each service once in SAP Gateway by choosing Call Browser.
  3. In Role Maintenance (transaction PFCG), copy the roles SAP_UI2_ADMIN and SAP_UI2_USER_700 to your customer namespace.

    SAP_UI2_ADMIN is a composite role containing the following release-dependent roles:

    • SAP_UI2_ADMIN_700 for SAP NetWeaver 7.0

    • SAP_UI2_ADMIN_702 for SAP NetWeaver 7.0 enhancement package 2

    • SAP_UI2_ADMIN_731 for SAP NetWeaver 7.0 enhancement package 3 and SAP NetWeaver 7.3 enhancement package 1

    • SAP_UI2_ADMIN_750 for software component version SAP_UI 750 in SAP NetWeaver

  4. Add additional authorization default entries in the copied roles for the TADIR Service. On the Menu tab, choose Insert Node and select Authorization Default.
  5. In the Service dialog that opens, proceed as follows and repeat these steps for each service:
    1. Select TADIR Service and specify the following values:
      • Program ID:R3TR
      • Object Type: IWSG
      • Object Name: Use the value help to select the correct object name. The value help lists the technical service names for all the objects that you activated in the customizing activity Service Maintenance of SAP NetWeaver Gateway.
    2. The external service names in SAP Gateway are as follows:
      • ZSAP_UI2_ADMIN_700
        • ZINTEROP_0001
        • ZPAGE_BUILDER_PERS_0001
        • ZPAGE_BUILDER_CUST_0001
        • ZPAGE_BUILDER_CONF_0001
        • ZTRANSPORT_0001
      • ZSAP_UI2_USER_700
        • ZINTEROP_0001
        • ZPAGE_BUILDER_PERS_0001
  6. (Optional) Role SAP_UI2_ADMIN_700 contains authorizations for transaction /UI2/FEEDBACK_SETUP. If you do not want to configure the option to give feedback, you should remove the transaction from this role. See Security Aspects for the Configuration of the Option to Give Feedback.
  7. On the Authorizations tab, generate the authorization profiles. Choose Change Authorization Data and generate the authorization objects.
    To ensure that authorization profiles are generated correctly, use Upgrade Tool for Profile Generator (transaction SU25) to copy the default authorization values by SAP to your customer namespace.
  8. Assign end users of the SAP Fiori launchpad to the user role and assign administrators of the SAP Fiori launchpad designer to the admin role.