Authorization Concept and Recommendations

Dependencies between SAP Fiori UI Entities, OData Services, and Authorizations

The figure below shows the dependencies between the entities:

• The SAP Fiori UI entities that define which SAP Fiori apps are displayed to the user.

• The OData services that retrieve the dynamic data to be displayed from the business logic for the SAP Fiori apps.

• The authorizations required for the business logic of the SAP Fiori apps.

Figure 1: Dependencies Between UI Entities and Authorizations for SAP Fiori Apps

Sequence When Starting an SAP Fiori App

• When the user starts the SAP Fiori launchpad, the launchpad displays the app tiles that are assigned to catalogs and organized in groups.

  A launchpad-specific OData service resolves the catalogs and groups a user is assigned to: This service resolves the user’s catalog and group assignments using the PFCG roles the user belongs to, by collecting the corresponding catalog and group entries in the PFCG role menu.

• To start an SAP Fiori app, the user chooses a tile. The tile resolves the technical SAP Fiori app implementation to be started using a target mapping.

• The tiles and target mappings of a catalog or group, which then determine the technical SAP Fiori app implementation, are maintained in the SAP Fiori Launchpad Designer.

• When a user’s browser loads an SAP Fiori app, the app retrieves its dynamic data from the HTTP endpoint of the app-specific OData service on the front-end server. SAP Gateway translates the HTTP request to a trusted RFC call to the Gateway enablement of the back-end system, which then retrieves the data by calling the relevant business logic.

• The user requires authorizations for the app-specific OData service, that is, the start authorizations for the service on front-end server and in the back-end system and the business authorizations required by the business logic. You maintain the authorizations in the PFCG roles, by assigning the corresponding authorization defaults in the PCFG role menu. When the PFCG generates the corresponding authorization profiles, it resolves the authorizations using the authorization profiles.

Templates

SAP provides the following templates:

• For the UI entities

  • Business catalogs, naming convention …_BC_...

  • Business groups, naming convention …_BCG_...

  For the actual names, see the SAP Fiori App implementation documentation.

• For the PFCG roles on the front-end server

  Business PFCG Roles, naming convention …_BCR_... that refer to the template catalogs and groups

• For the back-end system

  • Template PFCG roles per SAP Fiori app

    The template PFCG roles refer to the authorization defaults of the OData service of the app.

  • For fact sheets, the authorization defaults also include the authorizations for the Embedded Search connectors.

  • Authorization defaults for the OData service’s data provider

Organizing SAP Fiori UI Entities and Their Corresponding Authorizations

• Define the catalogs as smallest entities that are assigned and authorized for your users.

• Derive groups from the catalogs where required. Groups define the initial UI content that the user can personalize.

• Create PFCG roles on the front-end server and add the catalogs and corresponding groups. Thus, you define the UI access to the apps in the catalogs for the users who are assigned the respective role.

• Add the start authorizations for the activated OData services model provider to the PFCG roles. Add all services required by the apps in the catalogs assigned to the role. Thus, you keep together the UI access provided with the catalog and the required model provider start authorizations.

• In the back-end system, add the authorization defaults for the OData service data provider either to an existing or to a new, SAP Fiori-specific, PFCG role. Add all OData service data providers required by the apps in a certain catalog or group to the same role.