Show TOC

 App Implementation: Frequently Used Roles

System Landscape Requirements

Before you can start to implement the app, ensure that your system landscape has been set up to enable SAP Fiori and that this system landscape already includes the front-end components and back-end components for your app:

SAP Fiori System Landscape Options

Setup of SAP Fiori System Landscape with SAP HANA XS

Configuration of Front-End Server

Configuration of SAP Fiori Infrastructure

Back-End Components (Product Version Stack)

SAP Access Control 10.0 SPS 15

SAP Access Control 10.1 SPS 7

SAP HANA Content Component Delivered with (Product Version Stack)

SAP Smart Business 1.0 for SAP solutions for GRC SPS 6

VDM Contained (Product Version Stack)

SAP HANA Live 1.0 for SAP solutions for GRC SPS 9

Front-End Components Delivered with (Product Version Stack)

SAP Smart Business 1.0 for SAP solutions for GRC SPS 6

Instance: Frontend Serv. Cont. GRC Analy.

Software Component Version: UIHGRC01 100

Tile Type for Launching App

The Frequently Used Roles analytical app is launched using a KPI tile.

Required SAP Notes

For the All Access Requests app, the following SAP Notes must be implemented:

Back-End/Front-End Server

SAP Note Number

Description

General Note

1938011Information published on SAP site

SAP Smart Business for access control management

Implementation Tasks

The following sections list tasks that have to be performed to implement the Frequently Used Roles tile. The tables contain the tile-specific data required for these tasks.

You can find the data required to perform these tasks in the SAP Fiori apps reference library at https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/index.html?appId=F0564Information published on SAP site

HANA Server: Assign SAP HANA Roles to Users and Roles

You can find the data required to perform this step in the SAP Fiori apps reference library at https://www.sap.com/fiori-apps-libraryInformation published on SAP site.

SAP HANA Role

Needed for ...

sap.hba.r.grc.roles::SAP_SMART_BUSINESS_ACCESS_CONTROL_MANAGER

Read access to KPI data (views and XS OData services)

sap.hba.apps.grcia.s.roles::SAP_GRC_ROLE_ANALYST

Navigation to Role Analytics app

As a prerequisite for read-access to KPI definition, ensure you have assigned the generic role Smart Business Runtime Role (sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_RUNTIME) to all users or roles.

As a prerequisite for KPI modeling, ensure you have assigned the generic role Smart Business Administration Role (sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_MODELER) to specific users (e.g. key user, administrator).

For more information about SAP HANA roles, see Assigning Roles for Accessing SAP HANA Data.

HANA Server: Generate and Assign Analytic Privileges to Users and Roles

You can find the KPI data required to perform these steps in the SAP Fiori apps reference library at https://www.sap.com/fiori-apps-libraryInformation published on SAP site.

Needed for

How to generate?

Access to KPI data (only views)

To be generated by the customer using SAP HANA Live Authorization Assistant.

Access to KPI definition in KPI catalog

To be assigned by the customer using SAP Smart Business modeler app Manage KPI Authorizations.

You can find the KPI data required to perform this step in the SAP Fiori apps reference library at https://www.sap.com/fiori-apps-libraryInformation published on SAP site.

Needed for

How to generate?

Access to business data (only views)

To be generated by the customer using SAP HANA Live Authorization Assistant.

Front-End Server: Activate SAP UI5 application

UI5 Application

Technical Name

Generic Drill-down Application

/default_host/sap/bc/ui5_ui5/ui2/ushell

For more information about how to activate the SAP UI5 application (ICF service), see Front-End Server: Activate ICF Services of SAP UI5 Application.

Front-End Server: Enable App for Access in SAP Fiori Launchpad

Component

Technical Name

Application-specific Business Role

SAP_KPIFRW4_TCR_A

This is the application-specific Business Role required to launch the Role Analytics app.

The SAP Fiori launchpad is the entry point to SAP Fiori apps. From a user perspective, it displays those SAP Fiori apps that have been assigned to the catalog designed for this user's role.

This presupposes that an administrator has made the necessary assignments in the launchpad designer to enable a user's access to the respective SAP Fiori apps in the SAP Fiori launchpad. For more information, see Setup of Catalogs, Groups, and Roles in the SAP Fiori Launchpad.

SAP delivers technical catalogs for groups of SAP Fiori apps as repositories to create your own catalogs in the launchpad designer. Along with these catalogs, more technical content is delivered for each SAP Fiori app. You can find the delivered technical content for each SAP Fiori app in the SAP Fiori apps reference library.

Front-End and Back-End Server: Assign ODATA Service Authorizations to Users

To restrict access to OData services to specific users, you have to assign roles (including OData service authorization for the app) to your users. You have to make the assignment on the back-end and on the front-end server:

You must assign OData service authorizations for the KPI to your users.

Caution Caution

Several authorization default values are connected to the OData service. To ensure that all these default values are assigned to a user, you have to follow the instructions given under the documentation links provided.

End of the caution.

Make the assignment on the back-end server and on the front-end server:

OData Service (Version Number)

Back-end Server: Delivered Authorization Role (PFCG Role)

Front-End Server: Authorization Role

sap.hba.apps.grcia.s.odata::grcia.xsodata

sap.hba.apps.grcia.s.roles::SAP_GRC_ROLE_ANALYST

Note Note

In addition, this role contains authorizations to display the related business data.

End of the note.

Use an existing role or create a new one.