12/11/21, 7:10 PM (1) How to create security Roles for SAP FIORI Tiles via PFCG in Gateway/Frontend system
Gateway/Frontend system | LinkedIn
How to create security Roles for SAP FIORI Tiles via PFCG in Gateway/Frontend system
Published on June 12, 2019
Komal Sharma
SAP Security and Support
To use and secure SAP Fiori applications, a security analyst needs to create roles in the gateway system. If the client uses the embedded approach, all roles are created in one system.
First, I would like to discuss the types of FIORI deployment. There are two approaches for Fiori implementation:
Central Hub Deployment - This means that the Gateway/Frontend server and your Backend system (ERP) reside on different servers. The OData services are registered on the Front-End Server via a Trusted-RFC ABAP Connection.
Embedded Deployment - One server with backend and frontend components. SAP does not recommend it, specifically for customers who have multiple backend systems. The main consequence is that with multiple Business Suite systems, Gateway has to be configured multiple times. It is usually used for sandbox purposes only or for certain S/4HANA landscapes.
Creation of Roles
In this scenario we have two separate systems, frontend/gateway and backend, but we will create the role only in the gateway system. To create a role in the frontend or gateway system we need the Catalog ID and Group ID. SAP provides some standard role-based Fiori apps, and we can use these standard roles. In the Fiori apps library home page --> SAP Fiori apps for SAP Business Suite --> by roles --> Employee - HR Info, we can see all employee-related apps under the role SAP_HR_BCR_EMPLOYEE_T.
If we don't have the role name, we can also search the Fiori apps library for the catalog ID and group ID of the particular tile, for example 'My Leave Requests'. Then we create the role for the app in PFCG.
1. Go to transaction PFCG and enter the role name. Click on 'Single Role'.
2. Enter a description for the role, then save the role.
4. Go to the Menu tab and change the context from Transaction to SAP Fiori Tile Catalog. Enter the Catalog ID, then click on Continue.
Now you can see it in the role menu. If you double-click on the node, you can see the details of this node on the right side.
5. Again under the Menu tab, look for Group ID, click on Group ID, then continue.
Now you can see both the catalog provider and the group provider in the role menu.
6. Now that the role is ready, assign it to the user under the User tab. Click on the Save button. After doing User Comparison we can see the User tab in green.
Note: In order to see the Tile without error, along with the catalog and group, launchpad users must have the PFCG role SAP_UI2_USER_700 assigned.
7. Log in to Fiori via the URL and look in the Fiori launchpad for the tile you have assigned to the user. We can see the Tile 'My Leave Requests'. We also see some extra Tiles here, because we used a standard catalog ID and this standard catalog contains all these Tiles. If you make a custom Catalog ID and Group (in SAP Fiori Launchpad Designer), you can put only the required Tiles in your custom catalog and group.
Conclusion: We learnt how to create SAP security roles for FIORI tiles. This way the user can see the tiles, but she still needs business data. To access business data, users must have the authorization S_RFCACL in the backend system, with the same user ID as in the front-end system, and of course the corresponding business roles. The PFCG role on the Front-End Server needs the catalog for the start authorization and the group for Tile display in the SAP Fiori Launchpad.
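The prerequisites listed in the note and the conclusion can be checked per user before go-live. The following is an added example, not part of the original article: the dictionary layout is a hypothetical export format (not an SAP API), and the Z* role, catalog and group names and the user IDs are constructed sample data.

```python
# Constructed sample data in a hypothetical export layout (not an SAP API).
UI2_ROLE = "SAP_UI2_USER_700"  # launchpad role named in the article

# Front-end PFCG roles with the catalog/group menu nodes they contain.
FRONTEND_ROLES = {
    "Z_FIORI_LEAVE_REQ": {"catalogs": {"ZCAT_LEAVE"}, "groups": {"ZGRP_LEAVE"}},
    "Z_FIORI_TIMESHEET": {"catalogs": {"ZCAT_TIME"}, "groups": set()},
}
# Front-end user -> assigned roles.
FRONTEND_USERS = {
    "ALICE": {"Z_FIORI_LEAVE_REQ", UI2_ROLE},
    "BOB": {"Z_FIORI_LEAVE_REQ"},
    "CAROL": {"Z_FIORI_TIMESHEET", UI2_ROLE},
    "DAVE": {"Z_FIORI_LEAVE_REQ", UI2_ROLE},
    "ERIN": {"Z_FIORI_LEAVE_REQ", UI2_ROLE},
}
# Back-end user -> authorization objects held (ERIN has no back-end user).
BACKEND_USERS = {
    "ALICE": {"S_RFCACL"}, "BOB": {"S_RFCACL"},
    "CAROL": {"S_RFCACL"}, "DAVE": set(),
}

def audit_user(user):
    """Return the list of missing prerequisites for one front-end user."""
    findings = []
    roles = FRONTEND_USERS.get(user, set())
    fiori_roles = sorted(r for r in roles if r in FRONTEND_ROLES)
    if fiori_roles and UI2_ROLE not in roles:
        findings.append(f"missing {UI2_ROLE} on front end")
    for role in fiori_roles:
        nodes = FRONTEND_ROLES[role]
        if nodes["catalogs"] and not nodes["groups"]:
            findings.append(f"{role}: catalog without group (tile not displayed)")
        if nodes["groups"] and not nodes["catalogs"]:
            findings.append(f"{role}: group without catalog (no start authorization)")
    if user not in BACKEND_USERS:
        findings.append("no back-end user with the same ID")
    elif "S_RFCACL" not in BACKEND_USERS[user]:
        findings.append("back-end user lacks S_RFCACL")
    return findings

def audit_all():
    """Map each user with at least one finding to those findings."""
    return {u: f for u in sorted(FRONTEND_USERS) if (f := audit_user(u))}

if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user, "->", "; ".join(findings))
```

The business roles the conclusion mentions are not modelled here, so a clean result covers only the launchpad and S_RFCACL prerequisites.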
I hope the blog is useful for fellow enthusiasts. Any questions or
comments are always welcome and I am available for further
discussions on FIORI topics.
Wouter van Heddeghem • Following 2y
I share SAP knowledge and create free posts for SAP jobseekers. 658,000 SAP
Professionals follow me on LinkedIn.
Great blog Komal Sharma !
Komal Sharma •
1st 2y
SAP Security and Support
Thank you for your feedback and encouragement.
Robert Soria •
1st 7mo
Senior SAP Security Consultant / Security in Fiori /
Hi Komal, thank you very much. I'm reading the SAP ADM945 Manual and your
explanation is so very clear, concise and easy to understand.
Thank You