How To: Find, integrate and authorize Fiori apps

Posted byK1203130620Posted inAllgemein, Fiori, SAP authorizationsTags:

Fiori gives SAP a modern face. Users no longer have to control their work via transaction codes, but simply click on the corresponding tile in the Fiori Launchpad. But how does the right tile get to the right user and how do we ensure that they see the right data in the tile – and only the right data? We answer these questions today in the Fiori how-to.

Our example case: The general ledger is to be managed via Fiori tiles in the future. To have a starting point, we begin with transaction FS00 (G/L account master data maintenance).

1. Find the right Fiori app

To find out which Fiori app replaces transaction FS00, the Fiori library is the first point of reference.

Click on “All apps” on the left. A search mask opens. Here you can search specifically for apps or Fiori catalogs if you already know them. However, you can also simply search for keywords or – as in our case – for transaction codes.

So enter FS00 in the search mask. You will receive all Fiori apps that implement this transaction code. For our example, select “Manage G/L Account Master Data (Version 2)”.

The detailed view of the app opens. At the top, select the system you are working with (SAP Business Suite, SAP S/4HANA, SAP S/4HANA Cloud) and then open the “Implementation Information” tab. Here you must select the system version you are using. Finally, under “Configuration” you will find all the information you need to integrate the app into your SAP system.

You need:

  • The business catalog that contains the app (for our example SAP_SFIN_BC_GL_MD_MAINT)
  • The business group that allows access to the app via the home screen of the Fiori Launchpad (for our example SAP_SFIN_BCG_MASTER_DATA)

2. Making the Fiori app available for end users

In order for the employees in the specialist department to be able to use the app, you must integrate it into the corresponding SAP role.

Important: If you use two different systems as backend and frontend systems, the role(s) must be adapted in both systems.

Extend front-end role

Select a suitable single role or create one. Then add the business catalog and the business group to the role.

To do this, click on the “Transaction” button in the bottom right-hand corner (gray triangle) of the role menu (PFCG). A selection menu opens. Select “SAP Fiori Tile Catalog” and enter the name of the business catalog that you are copying from the Fiori library in the next window. Attention: In the box above the field for the catalog ID, you must specify where the catalog can be found. Select “Local Front-End Server” here. Now add the group from the Fiori library in the same way (SAP Fiori Tile Group).

Good to know: The Fiori groups are not necessary to access a Fiori app. However, only the apps that belong to a group assigned to the user are displayed on the home screen of the Fiori launchpad. So if you forget to add the correct group to the role, the user can search for and find the app via the Appfinder (as long as the corresponding catalog is in the user’s role). However, they will not see it directly on the home screen.

However, the Fiori catalog and group are only half the battle. For Fiori apps to work in principle, you also need to install and define/authorize some general services and an authorization object in advance. These are

  • /UI2/PAGE_BUILDER_CONF (admin)
  • /UI2/PAGE_BUILDER_CUST (admin)
  • /UI2/PAGE_BUILDER_PERS (admin and user)
  • /UI2/TRANSPORT (admin)
  • /UI2/INTEROP (admin and user)
  • /UI2/EASY_ACCESS_MENU (user)
  • /UI2/USER_MENU (user)
  • /UI2/CHIP (ACTVT: 03, 16, /UI2/CHIP: X-SAP-UI2*)

Extend backend role

You do not need the group in the backend system. However, you must also assign the business catalog here. If the user opens the app in the frontend, they will only receive data that they can work with if the catalog has also been added to the backend role.

This also works via services. The Fiori catalog comes with two types of services: IWSG for the frontend and IWSV for the backend.

Find or build a corresponding backend role and add the catalog.

Please note: The procedure here differs depending on whether the front and back ends run on the same or two different systems.

If you are using a shared system, add the catalog via the role menu as described above. If you are using two different systems, you will probably get an error message if you try to add the catalog via the menu. This is because the catalog is not available locally, but must be fetched from the front-end server via an RFC connection. So click on the gray triangle of the “Transactions” button in the role menu, select “Fiori Tile Catalog” and click on “Remote Front-End Server” in the next window before inserting the name of the catalog. In the next window, select the connection for your front-end system.

The system now also pulls the corresponding IWSV service into the backend with the catalog. Your role also receives the necessary technical authorization objects, which you now need to define.

Important: Make sure that the authorization object S_RFC is present and correctly defined in the backend role. If S_RFC is not present, the app, which is always called up in the frontend system, cannot display and process any data because this comes from the backend system. Only the S_RFC object allows the user to establish a connection between the two systems. The backend role also requires the S_RFCACL object. It defines the two communicating systems (frontend and backend) as “trusted” and “trusting” and ensures that the connection works without the user having to log in to each system individually with their password.

3. Test the Fiori app

Now comes the interesting part of the job (or the frustrating part – the two are sometimes very close together). You have to test whether the user can find and use the Fiori app as planned. You have two options for this test:

  1. Assign your own user in the front-end and back-end system the roles that the corresponding end user has and in which the new Fiori catalog hangs.
  2. Set up a test user that has the same roles and authorizations as the end user. Here too: in the front-end and back-end system.

Call up the Fiori Launchpad with the test user or with your own added user from the front-end system (transaction code: /UI2/FLP). You should now see a “Master Data” tab there – this is the SAP_SFIN_BCG_MASTER_DATA group that you added to your role earlier. Clicking on it should display a whole series of apps, including the “Manage G/L Account Master Data” app. Click on it.

In the very best case, the screen for G/L account master data maintenance opens in the browser. Then you are finished at this point. Congratulations!

4. Analyze and rectify errors

Far more frequently, however, the whole thing does not work so smoothly. If the app does not open, does not open completely or displays an error message, you first need to find out where the problem lies.

Tip: If Fiori apps do not work correctly, this is very often due to a missing or incorrectly stored service.

If the error message itself is not meaningful enough, use the developer tools in the browser (F12) for a more detailed analysis.

Correcting service errors

If the problem is due to a lack of service, you have two options:

  1. The service is available but not yet activated.
  2. The service is not yet available in your system.

This can be checked by searching for the missing service via the transactions SICF and /UI2/MAINT_SERVICE. If the service exists in the system but has not yet been activated, it will be grayed out in the SICF. In this case, activate it via: right mouse button – Activate service.

But be careful: In your company, this may be a matter for the Basis. So please clarify beforehand whether or not you are authorized to activate the service yourself.

Tip: It is not only the name of the service in the SICF that must match the name you see in the error message in the developer tools. Make sure that the storage path is also identical.

If the service does not yet exist in the system, you can add it via /UI2/Maint_Service (“Add Service” button). However, the following also applies here: In most cases, this is a matter for Basis. Please clarify beforehand whether you are allowed to add a service yourself.

Tip: Don’t just look at the service name, but also take a closer look at the column next to it. Here you can see which version of the service is available in your system. In our example, the OData service FAC_MANAGE_GLACCOUNT_SRV was available in the system as version 1, but the app requires version 2.

Test the app again once you have added and activated the service. Important: The service must also be available in both the frontend and the backend. If in doubt, move it from the original system to the other using an RFC connection.

Other error messages may prevent the app from working. For example, transactions that are required to run an app may be missing from your system. However, these error messages occur less frequently and are almost always a case for our colleagues at the base.

2 thoughts on “How To: Find, integrate and authorize Fiori apps

  1. Pingback: Fiori 3.0: What Spaces, Pages and Sections are all about – idemus solutions
  2. Pingback: S/4HANA: Which Fiori app replaces which transaction? - idemus solutions

Leave a Reply

Your email address will not be published. Required fields are marked *