
Setup of Roles

Use

You use PFCG roles to assign the following entities to the users:

Setup of Roles in ABAP Systems

SAP Fiori UI Entities and Authorization Entities on the Front-End Server

Assign the following once for the SAP Fiori Launchpad and for each back-end system:

  • Launchpad authorizations

    End users need authorizations to run the SAP Fiori launchpad; administrators need additional authorizations to run the SAP Fiori launchpad designer. This includes the start authorizations for the activated service metadata and the corresponding start authorizations, and, in addition, application logic authorizations for the UI2 OData services.

    SAP delivers template roles for Launchpad access, such as SAP_UI2_USER_700.

    For more information, see Assign Role with Launchpad Start Authorization to End Users.

  • General OData authorizations

    The authorizations required to use the SAP Gateway runtime.

    SAP delivers authorization templates for accessing the Gateway runtime, such as /IWFND/RT_GW_USER.

  • Trusted RFC back-end connectivity authorizations

    The S_RFC and S_RFCACL authorizations required to access the back-end system over a trusted RFC connection.

Assign the following for each catalog or group of SAP Fiori apps:

  • Catalogs

    A catalog is a set of apps that you want to make available for one role. You define catalogs in the SAP Fiori Launchpad Designer. The catalogs define the SAP Fiori apps that a user can start using the target mappings. Catalogs are assigned in the PFCG role menu. For more information, see Setup of Catalogs, Groups, and Roles in the SAP Fiori Launchpad.

    SAP delivers template catalogs called business catalogs. For the actual name, see the SAP Fiori app implementation documentation.

  • Groups

    A group defines the apps in the tiles that are shown on the launchpad directly when the user starts the launchpad. Groups are assigned in the PFCG role menu.

    SAP delivers template groups called business catalog groups. For the actual name, see the SAP Fiori app implementation documentation.

  • App-specific authorizations

    The start authorizations for the model provider of the activated OData services. For the OData services that each SAP Fiori app uses, see the SAP Fiori app implementation documentation.

    If the service is not activated, it needs to be activated and tested once, before it can be assigned in the PFCG role menu in the TADIR object type IWSG.

    For more information, see Add Start Authorizations for OData Services to Role on Front-End.

  • PFCG roles

    PFCG roles contain references to the entities mentioned above:

    • SAP Fiori UI entities: The role menu contains the catalogs and groups to provide users with UI content.

    • Authorizations: The S_SERVICE authorizations for the model provider of the OData services of each SAP Fiori app, as referenced by the catalog or group.

    • SAP delivers template roles called business PFCG roles, which refer to the corresponding template business catalogs and business catalog groups.

    • As the model provider of the OData services is available only after the OData service is activated, there is no template PFCG role. Thus, the app-specific authorizations (S_SERVICE) must be assigned manually.

Authorization Entities in the Back-End System

Assign the following once for each back-end system:

  • Back-end connectivity authorizations

    The S_RFC and S_RFCACL authorizations are required to access the trusted RFC on the back-end system.

    These authorizations have to match those of the front-end server.

Assign the following for each catalog or group of SAP Fiori apps:

  • App-specific authorizations

    On the back-end system, the OData services that the SAP Fiori apps use are implemented. Therefore, the users need to have start authorization for the OData service’s data provider, and all the authorizations to retrieve data by that OData service’s data provider.

  • PFCG roles

    By adding the OData service’s data provider to the role menu, you authorize the user to access data over an SAP Fiori app. The data provider is assigned in the PFCG role menu using the TADIR object type IWSG.

    SAP delivers template roles that refer to the OData service’s data provider for an SAP Fiori app, which are listed in the implementation documentation for the app.

Example

Employee

The SAP_HCM_BCR_EMPLOYEE_X1 business role provides a template role for the Employee self-services.

In transaction PFCG, the role menu refers to the SAP_HCM_BC_EMPLOYEE_X1 business catalog, and the corresponding SAP_HCM_BCG_EMPLOYEE_X1 group.

In the launchpad designer, the tiles that are configured for that catalog are My Timesheet, My Paystubs, My Benefits, and My Leave Requests. The target mappings also refer to these apps, without additional targets to fact sheets.

  • createTimeEntry (My Timesheet transactional app)

  • displayPayslip (My Paystubs transactional app)

  • displayBenefitPlan (My Benefits transactional app)

  • createLeaveRequest (My Leave Requests transactional app)

The following OData services are required:

  • My Timesheet: SRA002_TIMESHEET_SRV (version 1)

  • My Paystubs: SRA006_SRV (version 1)

  • My Benefits: SRA007_BENEFITS_SRV (version 1)

  • My Leave Requests: /GBHCM/LEAVEREQUEST (version 2)

To create a PFCG role on the front-end server:

  1. In transaction PFCG, create a new single role and assign the following in the role’s menu:

    • Type Catalog, Catalog Provider Fiori Launchpad Catalogs, Catalog ID SAP_HCM_BC_EMPLOYEE_X1

    • Optional (if the users should see the tiles in a group already on the Launchpad start page): Type Group, Group ID SAP_HCM_BCG_EMPLOYEE_X1.

    Alternatively, you can copy the SAP_HCM_BCR_EMPLOYEE_X1 template business role, which already contains the catalog and the group.

  2. Add the following in the (new or copied) role’s menu for each of the four OData services:

    • Type Authorization Default, Authorization Default TADIR Service, Object Type IWSG – Gateway: Service Groups Metadata

    • Select the TADIR Service using the value help for the object name, entering the name of the activated service, which by default (depending on the service activation) is one of the following:

      • ZSRA002_TIMESHEET_SRV_0001

      • ZSRA006_SRV_0001

      • ZSRA007_BENEFITS_0001

      • ZLEAVEREQUEST_0002

  3. Save the role menu, and go to the role’s authorization, change the authorization data, and adopt the generated authorizations accordingly.

  4. Generate the authorization profile and save it.

To extend an existing PFCG role (may be empty) on the back-end system:

  1. In transaction PFCG, edit the role and assign the following in the role menu for each of the four OData services:

    Type Authorization Default, Authorization Default TADIR Service, Object Type IWSG – Gateway: Service Groups Metadata

    Select TADIR Service using the value help for the following object names:

    • SRA002_TIMESHEET_SRV 0001

    • SRA006_SRV 0001

    • SRA007_BENEFITS 0001

    • /GBHCM/LEAVEREQUEST 0002

  2. Save the role menu, and go to the role’s authorization, change the authorization data, and adopt the generated authorizations accordingly.

  3. Generate the authorization profile and save it.
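The two procedures above leave the administrator with one role menu on the front-end server and one on the back-end system that must agree with each other and with the catalog's app list. The following script is an added example, not SAP code from this documentation: it models both role menus of the Employee example as sets of (node type, object name) pairs, the way they appear in the PFCG role menu, and reports which catalog, group or TADIR service (object type IWSG) entries are missing, plus any IWSG entries that no app in the catalog needs. The menu contents are constructed sample data (the back-end menu deliberately lacks one data provider); in practice they would be taken from the role menus in transaction PFCG, and the front-end service names depend on the service activation, as the page notes.

```python
"""Consistency check between front-end and back-end PFCG role menus for a
Fiori catalog. Added example; the menu data below is constructed, not exported
from a real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequiredService:
    """One OData service an app in the catalog needs.

    frontend_name: activated service on the front-end server (model provider,
                   TADIR object type IWSG, name already carries the version).
    backend_name/version: data provider on the back-end system (TADIR IWSG).
    """
    app: str
    frontend_name: str
    backend_name: str
    version: str


# Services of the Employee example as listed on the page. The front-end names
# are the defaults quoted there and may differ after a different activation.
EMPLOYEE_SERVICES = (
    RequiredService("My Timesheet", "ZSRA002_TIMESHEET_SRV_0001", "SRA002_TIMESHEET_SRV", "0001"),
    RequiredService("My Paystubs", "ZSRA006_SRV_0001", "SRA006_SRV", "0001"),
    RequiredService("My Benefits", "ZSRA007_BENEFITS_0001", "SRA007_BENEFITS", "0001"),
    RequiredService("My Leave Requests", "ZLEAVEREQUEST_0002", "/GBHCM/LEAVEREQUEST", "0002"),
)

# Constructed front-end role menu: catalog, group and one IWSG node per service.
FRONTEND_MENU = {
    ("CATALOG", "SAP_HCM_BC_EMPLOYEE_X1"),
    ("GROUP", "SAP_HCM_BCG_EMPLOYEE_X1"),
    ("IWSG", "ZSRA002_TIMESHEET_SRV_0001"),
    ("IWSG", "ZSRA006_SRV_0001"),
    ("IWSG", "ZSRA007_BENEFITS_0001"),
    ("IWSG", "ZLEAVEREQUEST_0002"),
}

# Constructed back-end role menu; the My Benefits data provider is missing on
# purpose so the check has something to report.
BACKEND_MENU = {
    ("IWSG", "SRA002_TIMESHEET_SRV 0001"),
    ("IWSG", "SRA006_SRV 0001"),
    ("IWSG", "/GBHCM/LEAVEREQUEST 0002"),
}


def backend_node(svc):
    """Menu node of the data provider on the back-end: name and version."""
    return ("IWSG", f"{svc.backend_name} {svc.version}")


def check_frontend_menu(menu, catalog, group, services):
    """Findings for the front-end role; an empty list means it is complete.
    group may be None when tiles are not placed on the start page."""
    findings = []
    if ("CATALOG", catalog) not in menu:
        findings.append(f"front-end: catalog {catalog} missing from role menu")
    if group and ("GROUP", group) not in menu:
        findings.append(f"front-end: group {group} missing from role menu")
    for svc in services:
        if ("IWSG", svc.frontend_name) not in menu:
            findings.append(f"front-end: IWSG {svc.frontend_name} ({svc.app}) missing, "
                            "so no S_SERVICE start authorization for the model provider")
    return findings


def check_backend_menu(menu, services):
    """Findings for the back-end role: every data provider must be in the menu."""
    findings = []
    for svc in services:
        if backend_node(svc) not in menu:
            findings.append(f"back-end: IWSG {svc.backend_name} {svc.version} "
                            f"({svc.app}) missing from role menu")
    return findings


def unexpected_services(menu, services, side):
    """IWSG nodes that no app in the catalog needs (least-privilege review).
    side is 'frontend' or 'backend' and selects which naming to compare."""
    if side == "frontend":
        expected = {svc.frontend_name for svc in services}
    else:
        expected = {backend_node(svc)[1] for svc in services}
    return sorted(name for kind, name in menu if kind == "IWSG" and name not in expected)


if __name__ == "__main__":
    report = (check_frontend_menu(FRONTEND_MENU, "SAP_HCM_BC_EMPLOYEE_X1",
                                  "SAP_HCM_BCG_EMPLOYEE_X1", EMPLOYEE_SERVICES)
              + check_backend_menu(BACKEND_MENU, EMPLOYEE_SERVICES))
    for line in report or ["front-end and back-end role menus are consistent"]:
        print(line)
```

Running the block as-is reports the one missing back-end data provider. The check is deliberately data-driven: the mapping from back-end service to activated front-end name is given explicitly per service rather than derived, because the page shows that the activated names do not follow one mechanical pattern.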

Setup of Roles in SAP HANA Systems

Note

This section applies to analytical SAP Fiori apps.

Analytical SAP Fiori apps are based on SAP HANA Live.

For more information about authorization, see the section Authorizations in the Administrator’s Guide for SAP HANA Live on SAP Help Portal at http://help.sap.com/businesssuite, under Integration & Analytics Information > SAP HANA Live for SAP ERP > Installation, Security, Configuration, and Operations Information > Administrator’s Guide > Security.

Recommendation

To synchronize authorizations from existing back-end system PFCG roles to SAP HANA Live analytic privileges, use the SAP HANA Live Authorization Assistant.

Build SAP HANA roles that match the corresponding back-end system PFCG roles from the generated analytic privileges.