
Fiori authorization concept

Former Member
0 Kudos

I am trying to understand the authorization concept of SAP Fiori and I would be thankful if anyone can help here.

- In each app I see things like business catalog role, business catalog group, business role, technical role and technical catalog

I am failing to understand what their purpose is exactly. Let's take, for example, the Check Price and Availability app.

App Implementation: Check Price and Availability - SAP Fiori Apps for Lower Back-End Releases - SAP ...

It lists SAP_SD_PRAV_MON_APP as a backend authorization role and SAP_SD_BCR_FIELDSALESREP_X1 as the frontend authorization role. So if I assign just those two to my Fiori user, should this be enough?

Do I need to assign:

1) Technical Role

2) Business catalog

3) Technical Catalog

4) Business catalog group



And one last thing, I need a backend standard ABAP role for SD for example, right?


Thank you in advance




8 REPLIES

SandipAgarwalla
Active Contributor
0 Kudos

It lists SAP_SD_PRAV_MON_APP as a backend authorization role and SAP_SD_BCR_FIELDSALESREP_X1 as the frontend authorization role. So if I assign just those two to my Fiori user, should this be enough?


Yes - this should be enough.

You just need to assign the business role on the front end and the backend auth on the backend.


And one last thing, I need a backend standard ABAP role for SD for example, right?


Yes, you might need it if you have further authorization for the sales orders.

0 Kudos

OK, I checked SAP_SD_BCR_FIELDSALESREP_X1 - it already has the business catalog and business group assigned and also the OData service.


So what's the purpose of the frontend SAP_SD_TCR_T_X1 technical role if I don't have to assign it?


In the backend I have checked SAP_SD_PRAV_MON_APP; it only has a service SRA016.


I am wondering if it is fine to go with SAP_ALL instead of business role just as a starting point?

masa_139
Product and Topic Expert
0 Kudos

Hi Yavor,

There are 3 roles. For example, SD Check and Price Availability app.

You can check role details in PFCG transaction. Please note that Roles have menu objects and authorization objects.

Backend: SAP_SD_PRAV_MON_APP - Menu Object for OData Service

Frontend: Business Role - SAP_SD_BCR_FIELDSALESREP_X1 - Menu object for Group. User will get SD group tiles on launchpad as default.

Frontend: Technical Role - SAP_SD_TCR_T_X1 - Menu Object for Catalog. Users can search SD tiles from catalogs.

Regards, Masa

SAP Customer Experience Group - CEG

0 Kudos

So if I got this correctly - with the business role they get the tiles assigned automatically, and with the technical role they will not have anything on the front page, but can search the catalogs and add them by themselves? Does this only work if Fiori search is set up correctly?

masa_139
Product and Topic Expert
0 Kudos

Hi Yavor,

Please share your test results. Do you have any runtime issue?

Regards, Masa

SAP Customer Experience Group - CEG

0 Kudos

Hi Masayuki

I am getting this image with eye icons, not sure what's wrong.

There are a lot of errors in SU53.

What roles/profiles have I missed assigning? I guess I can go for SAP_ALL, but I want to find out my mistake here.

masa_139
Product and Topic Expert
0 Kudos

Hi Yavor,

It clearly says authorizations are missing.

I think the root cause was that you have not followed the configuration documents.

Configuring Authorization Roles - User Interface Add-On for SAP NetWeaver - SAP Library

Regards, Masa

SAP Customer Experience Group - CEG

0 Kudos

The user already had the roles specified in the document.

I have checked and neither the admin nor the user role has the objects S_DEVELOP, S_PB_CHIP and /UI2/CHIP, though.

The GW_ADMIN user role has S_DEVELOP but not the other objects.

I assigned both the GW_ADMIN and GW_USER roles to the fioriuser and now I can see the tiles.

However, in SU53 the S_PB_CHIP and /UI2/CHIP errors remain, as they are not in any role.

I went ahead and inserted them to the UI_ADMIN_700 user and now all errors seem to have gone away.

There is a note that mentions a similar issue, http://service.sap.com/sap/support/notes/1944725

but we are on SAPK-74009INSAPUI already.

Now when I click on Check Price and Availability it is empty due to missing SD configuration, but it works apparently.

However, it seems one more service needs to be activated, as I also got the following error in /IWFND/ERROR_LOG - no service found for namespace, service name for SRA021_SRV.

Anyway, I am on the right track now.