SAP S4 HANA SECURITY
AGENDA
Architecture – Security perspective
Activating Fiori application
Registering and activating OData service
Role design for Fiori applications
Launching Fiori – Analytical/Fiori – Transactional Apps
Difference between Fiori – Analytical/Fiori – Transactional
Fact sheets – Navigation / Role Design
BI Query – Role design
CDS views – Role design
SAP GUI Apps
Web Dynpro apps
Launching custom transactions as SAP GUI Apps
End user role design
Issues
SAP Fiori Applications for S4 HANA on Premise
Fiori Apps
• Transactional apps - Task-based access:
• Access to tasks like change, create or entire processes with guided navigation as well as reused components for shared features
• Analytical apps - Insight to action:
• Visual overview of a complex topic for monitoring or tracking purposes.
• Object pages - Search and explore:
• View of essential information about an object and contextual navigation between related objects (former Factsheets)
Legacy
• Non SAP UI5 Apps - Harmonized SAP GUI for HTML & Web Dynpro applications in SAP Fiori look and feel.
SAP Fiori Search
• Contextual Search - The SAP Fiori Launchpad offers an enterprise search function that searches across all apps and business objects, such as materials, customers, and maintenance plans.
CDS View
• HANA CDS views can be exposed in the Fiori Launchpad.
SAP S/4 HANA Architecture – Security perspective
[Figure: architecture diagram. Fiori Server: Fiori Launchpad, UI5 application, group, catalog and target mapping; catalog inserted in the role, group inserted in the role; Fiori role; registered OData service (IWSG); any DB. S4 HANA Server: S4 HANA role; OData service (IWSV); HANA DB. Other labels: end user, RFC.]
SAP Fiori SAPUI5 apps are not only nice-looking user interfaces; they also work with business data coming from the respective S/4HANA Back-End Server.
The business data is transferred via the OData protocol. In most cases the OData service itself is part of the S/4HANA ABAP stack (Back-End Server). These OData services are registered on the Front-End Server via a trusted RFC ABAP connection.
The SAP Fiori Launchpad Designer is a web-based tool on the Front-End Server used to create, configure and customize catalogs, groups and tiles.
In the SAP Fiori Launchpad the tile is displayed in a group. This group is maintained on the Front-End Server. The tile definitions (title, subtitle, icon, ...) are defined in the catalog, as are the target mappings. The target mapping points to the implementation of the SAP Fiori app.
Seeing the tile and starting the SAP Fiori app is not enough to get business data from the OData service: a specific OData authorization is also necessary. Therefore the PFCG Front-End role with the catalog and group also needs the OData start authorization to call the Back-End Server.
In addition, a specific PFCG Back-End role with the execute and access authorization for the OData service is needed.
A SAP Fiori user needs an ABAP user on both the Front-End and the Back-End Server, with different authorizations on each.
SAP S4 HANA – Fiori Implementation scenarios
[Figure: three deployment scenarios side by side. (1) Central hub deployment, development in backend; (2) Central hub deployment, development in SAP Gateway Hub; (3) Embedded deployment, development in backend. Diagram labels: Service, Service Implementation, MPC&DPC, SAP Gateway Hub, RFC, SAP Business Suite Backend.]
In this tutorial we will be dealing with Central hub deployment with service implementation in the backend
system.
LAUNCHING FIORI APPS – TRANSACTIONAL/ANALYTICAL
Identify the technical information from the Fiori Apps library
Activate the BSP application
Activate the OData service
Create business catalog and group
Create reference of the tile & target mapping to the business catalog from technical catalog
Create frontend roles and backend roles
FIORI LAUNCHPAD DESIGNER CATALOG VIEW
[Screenshot: Launchpad Designer catalog view. Callouts: Tile Definition, Target Mapping, Catalog name, Search through tile definition, Favorite Catalogs, Search through catalogs, Create a new catalog.]
FIORI LAUNCHPAD DESIGNER GROUP VIEW
[Screenshot: Launchpad Designer group view. Callouts: Group name, Search through groups, Add new tile, Create a new group.]
OData Authorizations
[Figure: OData authorizations. Client: group and tile. FES: group, catalog, tile and target mapping; PFCG frontend role with the OData start authorization (IWSG); SAP UI5, Fiori, Fiori – PFCG integration, Gateway IWSG, any DB. BES: PFCG backend role with the OData execute authorization (IWSV); Gateway IWSV, ABAP, HANA DB. FES and BES are linked by RFC.]
FIORI APP - IDENTIFY THE TECHNICAL INFORMATION FROM THE FIORI APPS LIBRARY
Select the exact version of the S4 HANA system.
The following information can be inferred from the apps library: UI5 application, OData service and technical catalog.
[Screenshot callouts: UI5 Application, OData Service, Technical catalog, Target mapping.]
FIORI APP – ACTIVATE THE BSP APPLICATIONS
Execute the transaction SICF.
Key in the exact location of the BSP application.
Activate the service.
FIORI APP – ACTIVATE ODATA SERVICE
Click on Add service
Execute tcode /n/iwfnd/error_log
OData service registered and activated
Activate OData services specific to the app
CREATE BUSINESS CATALOG(BC) & BUSINESS GROUP(BG)
Create a new business catalog and group in the admin launch pad if required
FIORI APP - COPY THE TILE FROM TECHNICAL CATALOG TO THE BUSINESS CATALOG
In the admin launch pad, open the technical catalog.
Drag the tile to the business catalog (ZTEST_BC1) from the technical catalog (SAP_TC_FIN_CM_COMMON).
FIORI APP - CREATE REFERENCE OF THE TILE & TARGET MAPPING TO THE BUSINESS CATALOG FROM TECHNICAL CATALOG
In the admin launch pad, key in the technical catalog.
Under target mapping, identify the semantic object and action specific to the fact sheet.
Copy it to the business catalog by clicking on create reference and specify the business catalog.
FIORI APP – CHECK TARGET MAPPING IN THE BUSINESS CATALOG
Check whether the app and target mapping are properly mapped to the business catalog.
FIORI APP - ROLE DESIGN – FRONT END
In the Fiori system, at the role level, refresh the catalog so that the newly added service pops up.
The registered OData service is fetched by default by the business catalog at the role level after doing the refresh.
The hash value for the registered OData service is maintained at the role level in the S_SERVICE object, which is used for OData start authorizations.
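The two-sided requirement described in the architecture section (front-end role carrying the IWSG start authorization, back-end role carrying the IWSV authorization) and the S_SERVICE hash noted above can be audited offline from role exports. The following Python code is an added example, not part of the original slides or of SAP tooling. It assumes rows shaped like table AGR_1251, S_SERVICE fields SRV_NAME and SRV_TYPE with type HT for hashed services, and that the back-end leg is also held as an S_SERVICE hash; role names, users and hash values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data. Rows are shaped like table AGR_1251:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW). Role names and hashes are placeholders.
IWSG_HASH, IWSV_HASH = "IWSG_HASH_PLACEHOLDER", "IWSV_HASH_PLACEHOLDER"
FES_ROWS = [
    ("Z_FES_APP", "S_SERVICE", "T1", "SRV_NAME", IWSG_HASH),
    ("Z_FES_APP", "S_SERVICE", "T1", "SRV_TYPE", "HT"),
    ("Z_FES_ALL", "S_SERVICE", "T2", "SRV_NAME", "*"),
    ("Z_FES_ALL", "S_SERVICE", "T2", "SRV_TYPE", "HT"),
]
BES_ROWS = [
    ("Z_BES_APP", "S_SERVICE", "T3", "SRV_NAME", IWSV_HASH),
    ("Z_BES_APP", "S_SERVICE", "T3", "SRV_TYPE", "HT"),
]
USERS = {  # user -> roles held on each system
    "ALICE": {"fes": ["Z_FES_APP"], "bes": ["Z_BES_APP"]},
    "BOB": {"fes": ["Z_FES_APP"], "bes": ["Z_BES_DISPLAY"]},  # no S_SERVICE rows
    "CAROL": {"fes": ["Z_FES_ALL"], "bes": ["Z_BES_APP"]},
}

def service_grants(rows):
    """Map role -> SRV_NAME values of its S_SERVICE authorizations of type HT."""
    auths = defaultdict(lambda: defaultdict(set))  # (role, auth) -> field -> values
    for role, obj, auth, field, low in rows:
        if obj == "S_SERVICE":
            auths[(role, auth)][field].add(low)
    grants = defaultdict(set)
    for (role, _), fields in auths.items():
        if fields["SRV_TYPE"] & {"HT", "*"}:  # type and name must share one instance
            grants[role] |= fields["SRV_NAME"]
    return grants

def audit(users, fes_rows, bes_rows, iwsg_hash, iwsv_hash):
    """Return user -> list of findings for one app's OData service."""
    legs = [("front end (IWSG start)", "fes", service_grants(fes_rows), iwsg_hash),
            ("back end (IWSV execute)", "bes", service_grants(bes_rows), iwsv_hash)]
    report = {}
    for user, assigned in users.items():
        findings = []
        for label, system, grants, wanted in legs:
            names = set().union(*(grants.get(r, set()) for r in assigned[system]))
            if "*" in names:  # works, but grants every service: least-privilege finding
                findings.append(f"wildcard S_SERVICE on {label}")
            elif wanted not in names:  # tile may start, but the OData call is refused
                findings.append(f"missing S_SERVICE hash on {label}")
        report[user] = findings
    return report

print(audit(USERS, FES_ROWS, BES_ROWS, IWSG_HASH, IWSV_HASH))
```

Only exact hash values and the full `*` wildcard are evaluated; partial patterns in SRV_NAME are reported as missing and need manual review.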
FIORI APP - ROLE DESIGN – BACK END S4 HANA SYSTEM
FACT SHEET – IDENTIFY THE TECHNICAL INFORMATION FROM FIORI APPS LIBRARY
In the Fiori Apps Library, select the exact app ID and version.
Under the configuration section, make a note of the following:
OData service
Technical catalog
UI5 application
FACT SHEET - FIORI APPLICATION ACTIVATION
Execute transaction SICF
Activate Application
Path to the Fiori application
FACT SHEET - ODATA SERVICE ACTIVATION
Click on Add Service
Execute transaction /n/iwfnd/maint_service
OData service registered and activated
Activate the OData service specific to the fact sheet
FACT SHEET - CREATE REFERENCE OF THE TILE & TARGET MAPPING TO THE BUSINESS CATALOG FROM TECHNICAL CATALOG
In the admin launch pad, key in the technical catalog.
Under target mapping, identify the semantic object and action specific to the fact sheet.
Copy it to the business catalog by clicking on target mapping and specify the business catalog.
FACT SHEET – CHECK TARGET MAPPING IN THE BUSINESS CATALOG
Check whether the target mapping has been properly maintained in the business catalog.
FACT SHEET - ROLE DESIGN
In the Fiori system, at the role level, refresh the catalog so that the newly added service pops up.
The registered OData service is fetched by default by the business catalog at the role level after doing the refresh.
The hash value for the registered OData service is maintained at the role level in the S_SERVICE object, which is used for OData start authorizations.
ADDITIONAL CONFIGURATION FOR FACT SHEET
Find the search connector specific to the fact sheet in the Fiori apps library and make sure the connector is active in ESH_COCKPIT in the backend system (S4 HANA).