Users need authorization roles to run the SAP Fiori launchpad (as an end user) and the
SAP Fiori launchpad designer (as an administrator). When users have these roles, they can
access the catalogs and groups assigned to the roles by a role administrator. As a role
administrator, you assign the necessary authorization roles and adjust them according to
your needs.
Context
When you configure authorization roles, it is important that you perform the steps in the
following order:
Procedure
- Activate the services in SAP Gateway using
Activate and Maintain Services (transaction
/IWFND/MAINT_SERVICE).
- Call each service once in SAP Gateway by choosing
Call Browser.
- In Role Maintenance (transaction
PFCG), copy the roles
SAP_UI2_ADMIN and
SAP_UI2_USER_700 to your customer
namespace.
SAP_UI2_ADMIN is a composite role
containing the following release-dependent roles:
-
SAP_UI2_ADMIN_700 for SAP
NetWeaver 7.0
-
SAP_UI2_ADMIN_702 for SAP
NetWeaver 7.0 enhancement package 2
-
SAP_UI2_ADMIN_731 for SAP
NetWeaver 7.0 enhancement package 3 and SAP NetWeaver 7.3
enhancement package 1
-
SAP_UI2_ADMIN_750 for
software component version SAP_UI 750 in SAP NetWeaver
- Add additional authorization default entries in the copied roles for the
TADIR Service. On the Menu
tab, choose and select Authorization Default.
- In the Service dialog that opens, proceed as follows and
repeat these steps for each service:
- Select TADIR Service and specify the following
values:
- Program ID:R3TR
- Object Type: IWSG
- Object Name: Use the value help to select
the correct object name. The value help lists the technical
service names for all the objects that you activated in the
customizing activity Service Maintenance of SAP
NetWeaver Gateway.
- The external service names in SAP Gateway are as
follows:
- ZSAP_UI2_ADMIN_700
- ZINTEROP_0001
- ZPAGE_BUILDER_PERS_0001
- ZPAGE_BUILDER_CUST_0001
- ZPAGE_BUILDER_CONF_0001
- ZTRANSPORT_0001
- ZSAP_UI2_USER_700
- ZINTEROP_0001
- ZPAGE_BUILDER_PERS_0001
- (Optional) Role SAP_UI2_ADMIN_700
contains authorizations for transaction
/UI2/FEEDBACK_SETUP. If you do not
want to configure the option to give feedback, you should remove the transaction
from this role. See Security Aspects for the Configuration of the Option to Give Feedback.
- On the Authorizations tab, generate the authorization
profiles. Choose Change Authorization Data and generate
the authorization objects.
To ensure that authorization profiles are generated correctly, use
Upgrade Tool for Profile Generator (transaction
SU25) to copy the default
authorization values by SAP to your customer namespace.
- Assign end users of the SAP Fiori launchpad to the user role and assign
administrators of the SAP Fiori launchpad designer to the admin role.