Existing users are relevant for the ABAP back-end system. The authorizations required for a particular application are provided via the OData service of the application. This includes the start authorizations for the service (that is, the data provider) in the back-end system and the authorization proposals for accessing business data displayed in the app. By adding the OData service to the menu of back-end PFCG roles, you add the start authorization and the authorization proposals.
We recommend that you add all services required by the apps in a certain catalog to the same role. This role can be either an existing role, which fits to the scope of the catalog, or a new role.
You find the OData service used by the app in the app-specific documentation in the section SAP Fiori Apps. SAP delivers a sample PFCG role per app with the OData service added to the role menu.
You find the OData service used by the fact sheet in the app-specific documentation in the section SAP Fiori Apps. SAP delivers a sample PFCG role per fact sheet with the OData service added to the role menu.
The authorization proposals for fact sheets include the search models related to the fact sheets.
Fact sheets correspond to business objects. Unlike transactional apps, they are not visible as tiles but started using target mappings from other applications. By clicking on a business object representation in an app, like “Customer” in the transactional app “Check Price and Availability”, users navigate to the corresponding fact sheet. This also applies to fact sheets, for example, the purchase order fact sheet includes intent-based navigation to related contracts. For these related business objects, search model authorizations are included in the authorization proposals of the OData service for the original fact sheet.
In the example above, the PFCG role for the purchase order fact sheet includes the authorization for the contract search model. Users with the back-end PFCG role for the purchase order fact sheet are thus enabled to see the following:
Tiles for contracts in purchase order fact sheets
Contracts as search results in the SAP Fiori search
These users, however, do not necessarily have the authorization for the OData service corresponding to the contract business object. Therefore, they may not be able to navigate to the contract fact sheet.
Check the underlying search models for a fact sheet. These search models have corresponding fact sheets with corresponding back-end PFCG roles as well.
To prevent situations where users arrive at a “dead end” in the fact sheet navigation, assign these second-level back-end PFCG authorizations to them, as long as the users are supposed to see the related data.
Then, to enable a deeper navigation, consider the second-level fact sheets and the required roles for their related search models, and so on.
For analytical apps that provide insight-to-action features, a back-end role is needed for those transactional apps and fact sheets that the user can navigate to.
User names in the SAP HANA XS system of the analytical app must be identical to the user names of the corresponding ABAP back-end servers providing the data for the transactional apps and fact sheets used for insight-to-action features. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.