Users need the start authorizations for the activated OData services to launch a certain SAP Fiori app. You find the service(s) used per app in the app-specific documentation in the section SAP Fiori Apps.
For analytical apps: Only if the app-specific documentation mentions specific OData services, you must activate them and add start authorizations.
We recommend adding the start authorizations to the role on the ABAP front-end server for all services used by the apps in the catalogs assigned to the role. Thereby, you keep the UI access provided with the catalogs together with the needed start authorizations. Adding single OData service authorizations provides additional security, especially if the front-end server is set up as a separate hub. By specifying the services explicitly in the role menu, you control which requests on behalf of a user can pass SAP Gateway.
As an alternative, it is possible to authorize all activated OData services by specifying a wildcard for the start authorization check on the front-end server (S_SERVICE = * (asterisk)).
If you use a wildcard, users can call all activated services. We therefore recommend not using wildcard authorizations in productive environments but adding single OData service authorizations.
You have activated the OData service and have called it at least once before assigning start authorizations. For more information, see Front-End Server: Activate OData Services.
You have created the role on the front-end server with launchpad catalogs and groups. For more information, see Create PFCG Role on Front-End and Assign Catalogs and Groups.
To add OData start authorizations to the role on the front-end server, proceed as follows:
In the Role Maintenance transaction (PFCG), edit the role.
On the Menu tab, open the menu of the pushbutton for adding objects (+ pushbutton). Choose the object type Authorization Default.
In the Service window, choose TADIR Service from the menu for the Authorization Default. Specify the following values:
Program ID: R3TR
Object Type: IWSG
In the table, enter the name of the OData service you have activated for your app. For more information about the OData services per app, see the app-specific documentation in the section SAP Fiori Apps.
Enter the name as follows: <technical name>_<four-digit version number with leading zeros>, for example, ZLEAVEREQUEST_0002.
On the Authorization tab, choose the pushbutton next to Profile Name to generate the authorization profile for the role.
Choose Change Authorization Data, and then Generate.
Repeat these steps for all services used by the apps included in the role via the assigned catalogs.