Show TOC

Back-End Server: Assign OData Service Authorization to UsersLocate this document in the navigation structure


The authorizations required for a particular application are provided via the OData service of the application. This includes the start authorizations for the service in the back-end system and the business authorizations for accessing business data displayed in the app. By adding the OData service to the menu of back-end PFCG roles, you add the start authorization and the authorization proposals for the business authorizations. You can adjust these according to your needs.

We recommend adding all services required by the apps in a certain catalog to the same role. This role can be either an existing role that fits to the scope of the catalog or a new role. If you add the services to an existing role, the authorization proposals have to be merged with the authorization values already defined in the role. You can consider using existing roles if the following applies:

  • The same users assigned to the role shall get access to the respective SAP Fiori apps.

  • The business authorizations already defined in the role and those that you define for the SAP Fiori apps do not contradict.

  1. Run transaction Role Maintenance (PFCG) and create a new PFCG role or edit an existing role.

  2. On the Menu tab, open the menu of the pushbutton for adding objects (+ pushbutton) and choose the object type Authorization Default.

  3. From the Authorization Default menu, choose TADIR Service and enter the following data:

    • Program ID: R3TR

    • Object Type: IWSV

  4. In the table, enter the name of the OData service.

    For more information about the OData service for your app, see the app-specific documentation in the section SAP Fiori Apps.

  5. Repeat steps 2 to 4 for all services of the catalogs that you want to authorize with the role.

  6. On the Authorization tab, choose the pushbutton next to Profile Name to generate the authorization profile for the role.

  7. Choose Change Authorization Data.

  8. Choose Save and then Generate.

  9. Run transaction User Maintenance (SU01) and assign the role to the user.

If the user does not yet have the business authorizations required to use the app, perform the following steps:

  1. Open transaction User Maintenance (SU01).

  2. On the Authorization tab, choose Generate Profile next to the profile name.

  3. Choose Maintain Authorization Data.

  4. On the Authorization Details screen, choose the Generate symbol.

Additional Steps for Fact Sheets

In addition to the OData service authorizations, the delivered back-end roles for fact sheets contain authorizations for the underlying search models. You can find the search model entries in transaction Role Maintenance (PFCG) under the Authorizations tab.

You must add entries to the authorization object S_ESH_CONN in the subtree Basis: Administration. Fill the following fields:

  • Request of Search Connector

  • Search Connector ID

  • System ID

  • Client

You can enter a wildcard (*) in all four fields. Reason: The SAP-delivered authorization restrictions on search model level (field Template_Name) are sufficient for search requests running in only one system and one client, as currently supported by SAP Fiori search.