Show TOC

Authorizations and Roles for Transactional Apps Locate this document in the navigation structure


The authorization and role concept for transactional apps consists of authorizations and roles in SAP NetWeaver Gateway and the ABAP back-end server.

Authorizations and Roles in SAP NetWeaver Gateway

Fiori applications communicate with the ABAP back end through OData services, which must be activated during system installation. In addition to authorization in the back-end system, users must be granted authorization to access the HTML 5-based Fiori applications and the OData services in SAP NetWeaver Gateway. Fiori applications therefore require users and roles in SAP NetWeaver Gateway. A Gateway PFCG role contains start authorizations for OData Services. SAP will not deliver these roles to customers.

To enable back-end OData service execution of the Fiori application, a role with authorization object S_SERVICE (Check at Start of External Services) with the corresponding service name has to be created and assigned to the user in SAP NetWeaver Gateway.

  1. Activate the app-specific OData service while configuring SAP NetWeaver Gateway.

    The name of the activated service is required later to maintain the authorization.

  2. In transaction PFCG, create a service-specific or app-specific role with authorization object S_SERVICE. Do not specify further authorization values. Exit authorization maintenance.

  3. On the menu tab, insert a node into the role menu by choosing Authorization Default TADIR Service. Enter the following values:

    • R3TR

    • IWSG

    • <activated service name>

  4. Generate the profile in authorization maintenance.

  5. Assign the new role to the SAP Fiori app user.

After you create the SAP NetWeaver Gateway PFCG roles, you must identify the corresponding roles in the ABAP back-end server for execution of the OData services and define the corresponding profiles for the SAP NetWeaver Gateway roles.

Authorizations and Roles in the ABAP Back-End Server

For transactional applications, ABAP back-end users with corresponding roles and authorizations are necessary. SAP delivers back-end PFCG roles for every transactional application. Theses roles provide authorizations for the OData service of the apps. Observe that the roles for the transactional apps do not comprise authorizations for business data to be displayed in the app. It is assumed that these authorizations will be provided by the customer.

For every role, authorizations need to be granted according to the customer’s roles and authorization concept. To copy and adjust the roles delivered by SAP and to assign users to these roles the following steps, proceed as follows:

  1. Execute transaction SU25 to transfer information about the relevant OData services from SU22 to SU24.

    This step is required to prevent data overwriting during import of updates.

  2. Copy the application specific roles with the corresponding business authorizations to your namespace.

  3. Adapt the authorizations of the roles in transaction PFCG according to your authorization concept.

  4. Assign application users to these adapted roles in transaction SU01.

Note Note

User names in the ABAP back-end server must be identical to the corresponding user names in the ABAP front-end server. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.

End of the note.

More Information

For information about authorizations in SAP NetWeaver Gateway, see   Configuration and Deployment Information   Configuration Guide   OData Channel Configuration   User, Developer and Administrator Authorizations  .

For information about authorizations and roles required for the ABAP front-end server, see Setup of Catalogs, Groups, and Roles in the Fiori Launchpad.

For information about authorizations and roles required for the ABAP back-end server, see Roles, Users, and Authorizations on Back-End Server (Transaction.