Authorizations and Roles for Transactional Apps and Fact Sheets

 

The authorization and role concept for transactional apps and fact sheets consists of authorizations and roles in SAP NetWeaver Gateway and the ABAP back-end server.

Authorizations and Roles in SAP NetWeaver Gateway

Fiori applications communicate with the ABAP back end through OData services, which must be activated during system installation. In addition to authorization in the back-end system, users must be granted authorization to access the HTML5-based Fiori applications and the OData services in SAP NetWeaver Gateway. Fiori applications therefore require users and roles in SAP NetWeaver Gateway. A Gateway PFCG role contains start authorizations for OData services. SAP will not deliver these roles to customers.

To enable back-end OData service execution of the Fiori application, a role with authorization object S_SERVICE (Check at Start of External Services) with the corresponding service name has to be created and assigned to the user in SAP NetWeaver Gateway.

  1. Activate the app-specific OData service while configuring SAP NetWeaver Gateway.

    The name of the activated service is required later to maintain the authorization.

  2. In transaction PFCG, create a service-specific or app-specific role with authorization object S_SERVICE. Do not specify further authorization values. Exit authorization maintenance.

  3. On the menu tab, insert a node into the role menu by choosing Authorization Default → TADIR Service. Enter the following values:

    • R3TR

    • IWSG

    • <activated service name>

  4. Generate the profile in authorization maintenance.

  5. Assign the new role to the SAP Fiori app user.

After you create the SAP NetWeaver Gateway PFCG roles, you must identify the corresponding roles in the ABAP back-end server for execution of the OData services and define the corresponding profiles for the SAP NetWeaver Gateway roles.

Authorizations and Roles in the Front-End Server

For fact sheets only, users need authorizations for business server pages (BSP) on the front-end server. SAP delivers one front-end authorization role for each component. Copy the roles you require to your namespace and assign users to roles.

Authorizations and Roles in the ABAP Back-End Server

For transactional applications and fact sheets, ABAP back-end users with corresponding roles and authorizations are necessary. SAP delivers back-end PFCG roles for every transactional application and fact sheet.

These roles provide authorizations for the OData service of the apps. Observe that the roles for the transactional apps do not comprise authorizations for business data to be displayed in the app. It is assumed that these authorizations will be provided by the customer.

The back-end roles for fact sheets contain authorizations to display business data, and furthermore they include the search models related to the fact sheets.

SAP delivers back-end roles for each transactional application and fact sheet. For every role, authorizations need to be granted according to the customer’s roles and authorization concept.

To copy and adjust the roles delivered by SAP and to assign users to these roles, proceed as follows:

  1. Generate authorization profiles based on the OData service reference.

    For more information, see the SAP Help Portal at http://help.sap.com/nw74 → Application Help → Function-Oriented View → Security → Identity Management → User and Role Administration of Application Server ABAP → Configuration of User and Role Administration → First Installation Procedure.

    This step is required to prevent data overwriting during import of updates.

  2. Copy the application-specific roles with the corresponding business authorizations to your namespace.

  3. Adapt the authorizations of the roles in transaction PFCG according to your authorization concept.

  4. Assign application users to these adapted roles in transaction SU01.

Note

User names in the ABAP back-end server must be identical to the corresponding user names in the ABAP front-end server. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.

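The following added example (not SAP-delivered code) audits exported role data against the Gateway role procedure and the identical-user-name requirement described above. It assumes CSV exports with the columns of tables AGR_1251 and AGR_USERS; all role names, user names and SRV_NAME values are constructed placeholders.

```python
import csv
import io

# Constructed sample exports, not real system data. Columns follow the role
# tables AGR_1251 (authorization values) and AGR_USERS (role assignments).
# PLACEHOLDER_SRV_A stands for the SRV_NAME value PFCG generates for the
# R3TR / IWSG / <activated service name> menu node.
GW_AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW
Z_GW_APP_A,S_SERVICE,SRV_NAME,PLACEHOLDER_SRV_A
Z_GW_APP_A,S_SERVICE,SRV_TYPE,HT
Z_GW_ALL,S_SERVICE,SRV_NAME,*
Z_GW_ALL,S_SERVICE,SRV_TYPE,*
"""
GW_AGR_USERS = """AGR_NAME,UNAME
Z_GW_APP_A,ALICE
Z_GW_ALL,BOB
"""
BACKEND_USERS = {"ALICE", "CAROL"}      # constructed back-end user list
APP_USERS = {"ALICE", "BOB", "CAROL"}   # constructed list of Fiori app users

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def service_roles(agr_1251):
    """Map each role to the set of S_SERVICE SRV_NAME values it grants."""
    out = {}
    for r in rows(agr_1251):
        if r["OBJECT"] == "S_SERVICE" and r["FIELD"] == "SRV_NAME":
            out.setdefault(r["AGR_NAME"], set()).add(r["LOW"])
    return out

def audit(agr_1251, agr_users, srv_value, app_users, backend_users):
    roles = service_roles(agr_1251)
    # Roles that start every external service instead of one named service.
    wildcard = sorted(r for r, v in roles.items() if "*" in v)
    specific = {r for r, v in roles.items() if srv_value in v}
    holders, any_start = set(), set()
    for r in rows(agr_users):
        if r["AGR_NAME"] in specific:
            holders.add(r["UNAME"])      # has the service-specific role
        if r["AGR_NAME"] in roles:
            any_start.add(r["UNAME"])    # can start some OData service
    return {
        "wildcard_roles": wildcard,
        "no_service_role": sorted(app_users - holders),
        # User mapping is not supported, so names must match exactly.
        "no_identical_backend_user": sorted(any_start - backend_users),
    }

if __name__ == "__main__":
    print(audit(GW_AGR_1251, GW_AGR_USERS, "PLACEHOLDER_SRV_A",
                APP_USERS, BACKEND_USERS))
```

Users who reach the service only through a wildcard role are reported under `no_service_role`, so that the broad role can be replaced with a service-specific one.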

More Information

For information about authorizations in SAP NetWeaver Gateway for SAP NetWeaver 7.31, see the SAP Library for SAP NetWeaver Gateway on SAP Help Portal at http://help.sap.com/nwgateway20 → Support Package Stack 07 → SAP NetWeaver Gateway → SAP NetWeaver Gateway Configuration Guide → OData Channel Configuration → User, Developer and Administrator Authorizations.

For information about authorizations in SAP NetWeaver Gateway for SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 → Application Help → Function-Oriented View → SAP NetWeaver Gateway Foundation (SAP_GWFND) → SAP NetWeaver Gateway Foundation Configuration Guide → OData Channel Configuration → User, Developer and Administrator Authorizations.

For information about authorizations and roles required for the ABAP front-end server, see Setup of Catalogs, Groups, and Roles in the Fiori Launchpad.

For information about authorizations and roles required for the ABAP back-end server (SAP Fiori Design transactional apps and Factsheet apps), see Roles, Users, and Authorizations on ABAP Back-End Server.