SAP S4 HANA SECURITY

AGENDA
 Architecture – Security perspective
 Activating Fiori application,
 Registering and activating O - Data service
 Role design for Fiori applications
 Launching Fiori – Analytical/Fiori – Transactional Apps
 Difference between Fiori – Analytical/Fiori – Transactional
 Fact sheets – Navigation / Role Design
 BI Query – Role design
 CDS views – Role design
 SAP GUI Apps
 Web Dynpro apps
 Launching custom transactions as SAP GUI Apps
 End user role design
 Issues
 SAP Fiori Applications for S4 HANA on Premise

Fiori Apps
• Transactional apps- Task Based access :
• Access to tasks like change, create or entire processes with guided navigation as well as reused components
for shared features
• Analytical apps- Insight to Action:
• Visual Overview over a complex topic for monitoring or tracking purposes.
• Object pages-Search and Explore:
• View on essential information about an object and contextual navigational between related Objects (former
Factsheets)

Legacy
• Non SAP UI5 Apps- Harmonized SAP GUI for HTML & Webdynpro Applications in SAP Fiori Look and
feel.
SAP Fiori Search
• Contextual Search- The SAP Fiori Launchpad offers an enterprise search function that searches across all
apps and business objects, such as materials, customers, and maintenance plans.

CDS View
• HANA CDS View can exposed in Fiori launchpad.
 SAP S/4 HANA Architecture – Security perspective
Fiori Server

Group Catalog Target Mapping

UI5 Application

Catalog inserted in the role

Group inserted in role

Fiori Role
IWSG
Registered O –
Data Service
Any DB

S4 HANA Server
Fiori Launch pad-

RFC
End user

S4 HANA
Role
IWSV
O – Data Service

HANA DB
 SAP Fiori SAPUI5 apps are not only nice looking user interfaces, they also work with business data coming from the
respective S/4HANA Back-End Server.

 The business data is transferred via the OData protocol. The OData service itself is in most of the cases part of the
S/4HANA ABAP Stack (Back-End Server). These OData services are registered on the Front- End Server via a Trusted-
RFC ABAP Connection.

The SAP Fiori Launchpad Designer is a web based tool in the Front-End Server to create, configure and customize
catalogs, groups and tiles.

 In the SAP Fiori Launchpad the tile is displayed in a group. This group is maintained on the Front-End Server. The tile
definitions (title, subtitle, icon, ...) are defined in the catalog, as well as the target mappings. The target mapping points to
the implementation of the SAP Fiori app.

 In order to not only see the tile and start the SAP Fiori app but also to get business data from the OData service, a
specific OData authorization is necessary. Therefore the PFCG Front-End role with the catalog and group also needs the
OData start authorization to call the Back-End server.

 In addition a specific PFCG Back-End role with the execute and access authorization of the OData service is needed.

 A SAP Fiori user needs an ABAP user on the Front-End- and Back-End Server with different authorizations.
 SAP S4 HANA – Fiori Implementation scenarios

Central hub deployment Central hub deployment Embedded deployment

Development in backend Development in SAP Gateway Hub Development in Backend

Service Service
Service
Implementation
MPC&DPC
SAP Gateway Hub SAP Gateway Hub

RFC Service
Service Service
Implementation Implementation
MPC&DPC MPC&DPC
SAP Business Suite Backend SAP Business Suite Backend SAP Business Suite Backend

In this tutorial we will be dealing with Central hub deployment with service implementation in the backend
system.
LAUNCHING FIORI APPS – TRANSACTIONAL/ANALYTICAL

 Identify the technical information from the Fiori Apps library

 Activate the BSP application
 Activate the O-Data Service
 Create business catalog and group
 Create reference of the tile & target mapping to the business catalog from technical catalog
 Create frontend roles and backend roles
 FIORI LAUNCHPAD DESIGNER CATALOG VIEW

Target Search through

Tile Definition Catalog name
Mapping tile definition

Favorite
Catalogs

Search through
catalogs

Create a new
catalog
 FIORI LAUNCHPAD DESIGNER GROUP VIEW

Group name

Search through
groups

Add new tile

Create a new
group
 Odata Authorizations

Client Group
Tile

FES
Group
Tile PFCG Frontend Role

Catalog
Tile Target mapping OData Start
authorization(IWSG)

SAP UI5 Fiori Fiori – PFCG

Gateway IWSG
Any app integration
DB
RFC
BES

PFCG Backend Role

Gateway IWSV ABAP
OData execute
HAN authorization(IWSV)
A DB
 F I O R I A P P - I D E N T I F Y T H E T E C H N I C A L I N F O R M AT I O N F R O M T H E F I O R I A P P S L I B R A RY

Select exact version of S4 HANA

system

Following information can be

inferred from the apps library
UI5 Application, O – Data service,
UI5 application & Technical catalog

 UI5 Application
 O – Data Service
 Technical catalog
 Target mapping
 FIORI APP – ACTIVATE THE BSP APPLICATIONS

Execute the transaction SICF

 Key in the exact location
of the BSP application
 Activate the service
 FIORI APP – ACTIVATE O – DATA SERVICE

Click on Add service

Execute tcode
/n/iwfnd/error_log

O – Data
service
registered and
activated

Activate O – Data services specific to the app

CREATE BUSINESS CATALOG(BC) & BUSINESS GROUP(BG)

Create a new business catalog and group in the admin launch pad if required
 FIORI APP - COPY THE TILE FROM TECHNICAL CATALOG TO THE BUSINESS CATALOG

 In the admin launch

pad open the technical
catalog
 Drag the tile to the
business
(ZTEST_BC1) catalog
from the technical
catalog
(SAP_TC_FIN_CM_C
OMMON)
 F I O R I A P P - C R E AT E R E F E R E N C E O F T H E T I L E & TA R G E T M A P P I N G T O T H E B U S I N E S S C ATA L O G F R O M T E C H N I C A L C ATA L O G

In admin launch pad

 Key in the technical

catalog.
 Under target
mapping, identify the
semantic object and
action specific to the
fact sheet.
 Copy it to the
Business catalog by
clicking on create
reference and specify
the business catalog
FIORI APP – CHECK TARGET MAPPING IN THE BUSINESS CATALOG

Check whether the app and target

mapping are properly mapped to the
business catalog
FIORI APP - ROLE DESIGN – FRONT END

In FIORI system at the role

level, refresh the catalog so
that the new added service
popup

Registered O- Data service is by default

fetched by the business catalog at the role
level after doing the refresh
Hash value for the registered O- Data service is maintained at the role level in S_SERVICE Object,
which is used for O- Data start authorizations
Fiori APP - Role design – BACK END S4 HANA Sytem
FACT SHEET – IDENTIFY THE TECHNICAL INFORMATION FROM FIORI APPS
LIBRARY

In Fiori Apps Library

 Select the exact app id
& Version
 Under configuration
section . Make a note
of the following
 O – Data service
 Technical catalog
 UI5 application
 FACT SHEET - FIORI APPLICATION ACTIVATION

Execute transaction
SICF

Activate Application

Path to the Fiori

application
 FACT SHEET - O- DATA SERVICE ACTIVATION

Click on Add Service

Execute transaction
/n/iwfnd/maint_ser
vice

O – Data Service Registered and Activate the O- DATA Service specific to the
Activated Fact sheet
 FACTSHEET - CREATE REFERENCE OF THE TILE & TARGET MAPPING TO
THE BUSINESS CATALOG FROM TECHNICAL CATALOG

In admin launch pad

 Key in the technical catalog.
 Under target mapping identify
the semantic object and action
specific to the fact sheet .
 Copy it to the Business catalog
by clicking on target mapping
and specify the business catalog
 FACT SHEET – CHECK TARGET MAPPING IN THE BUSINESS CATALOG

Check whether the target

mapping has been properly
maintained in the business
catalog
FACT SHEET - ROLE DESIGN

In FIORI system at the role

level, refresh the catalog so
that the new added service
popup

Registered O- Data service is by default

fetched by the business catalog at the role
level after doing the refresh
Hash value for the registered O- Data service is maintained at the role level in S_SERVICE Object,
which is used for O- Data start authorizations
ADDITIONAL CONFIGURATION
FOR FACT SHEET
 find the search connector specific to the fact sheet in
Fiori apps library and make sure the connector is active in
ESH_COCKPIT in the backend system ( S4 HANA)