Tools such as the SUIM or authorization traces in the SAP GUI are often not helpful for Fiori applications when it comes to error analysis. In this article, you will learn which tools and methods you can use instead to analyze and resolve authorization problems in Fiori apps.
SAP Fiori applications run in the browser and access the backend via the SAP Gateway. As a result, the analysis and troubleshooting methods for authorizations differ significantly from classic SAP GUI transactions.
While the user has a better, more modern user experience in the best case scenario, the change in technology can be a challenge for authorizers. Not only are Fiori errors often based on completely different causes than we are used to with GUI applications. The tools you can use for analysis also differ.
Fiori error analysis: the most important transactions
Sometimes the problem doesn’t need extensive technical analysis. If users cannot open Fiori apps, cannot see any data or their Launchpad does not display what it should, first check the user’s roles as usual.
Do the roles contain the necessary business catalogs and spaces? You can analyze this directly in the SAP GUI using the following transactions:
- /UI2/FLPCM (Fiori Launchpad Content Manager client-independent) or /UI2/FLPCM_CUST (client-dependent): Shows an overview of the business catalogs and their content. Here you can also see which apps are installed in which catalog.
- /UI2/FLC: Used to analyze the catalog and group assignment to roles (old Fiori world).
- PFCG: Search for the catalogs and Spaces in the role menu. Here you should also see the oData services that have landed in the role with the business catalog.
- SUIM: You can search for “startable authorizations” or “applications in the role menu” in the SUIM via the Roles menu item. Startable authorizations are oData services, for example. So if you know which oData service is required, you can use it to display all the roles in which it is installed. “Applications in the role menu” allows you to search for specific catalogs and spaces.
- /UI2/RSP_LIST: Lists roles with associated start authorizations for Fiori apps. Great overview to see at a glance which Fiori elements are built into a role – from the catalog to Spaces and Pages to the individual app including description texts Fiori ID.
- SICF: Used to activate and analyze errors in Fiori relevant ICF services. You can also activate or deactivate services here (note: this is often a matter for the base. So clarify the responsibilities beforehand).
- /IWFND/MAINT_SERVIC: Displays all data on oData services. Here you can not only activate and deactivate services. You can also check and assign system aliases, check service metadata and start test runs.
F12: Developer Tools in the browser
As Fiori apps run in the browser, the developer tools in the browser are the first port of call for finding the cause of the error. Open the faulty Fiori app and start the developer tools by pressing the F12 key. Now perform the action in the app until the error occurs. Then go through the individual tabs within the developer tools to identify possible causes of the error:
- Network tab: The HTTP requests to the gateway are logged here. Failed requests (e.g. status code 403 for “Forbidden”) indicate missing authorizations.
- Console: JavaScript error messages can provide information about problems with OData services or incorrect configurations. If this is the case, the ID of the service that is missing or not activated is also displayed here.
- Application-Tab: Speichert Informationen zu Cookies und Sessions, die für die Anmeldung und Navigation wichtig sind. Manchmal ist auch bei Fiori-Fehlern die Lösung so einfach wie banal: Cache leeren hilft.
Transaction /IWFND/ERROR_LOG (SAP Gateway error protocol)
If you cannot get any further with the developer tools, you can also use transaction /IWFND/ERROR_LOG in the SAP GUI. It displays errors that occur when accessing the SAP Gateway. In particular, authorization errors are logged here with HTTP status codes and technical details.
Important columns:
- Error message: Contains details of the authorization problem.
- User: Indicates which user is affected.
- Service name: Shows which OData service is affected.
- Error message code: Usually an HTTP error such as 403 (Forbidden) or 401 (Unauthorized).
- Result: Shows which RFC calls fail and which authorization objects are checked.
In addition to the error log, you can also use the standard authorization traces and the error logs via the SU53. They are often not meaningful on their own, but can provide an initial indication. Missing oData services would also be ejected in it, especially in the form of a failed authorization check on the S_SERVICE object.
Good to know: The field values for the services are specified as hash values in S_SERVICE. However, to check whether a service is installed in a role or whether it is active in the system at all, you need its name. To find out the name for the hash value from the trace, you can use the USOBHASH table.
Fiori error analysis: typical authorization problems
Fiori works differently to ABAP authorizations, but in the end you just need to know where to look. Many errors can be traced back to the same causes and are comparatively easy to solve.
Fiori app does not load or shows errors
If a user opens a Fiori app and it does not load or displays error messages, there often is a problem with the OData services.
Solution:
- Use the Developer Tools in the browser, the STAUTHTRACE, the SU53 or the transaction /IWFND/ERROR_LOG to check whether authorizations for certain oData services are missing.
- If a service is missing: Use transactions /IWFND/MAINT_SERVICE or SICF to check whether the service is available and active in the system.
- If the services are available and active, you can add the service directly to the role menu via the PFCG.
Fiori app is not displayed
If a Fiori app is not displayed in the Launchpad, permissions for the catalog or the Space are often missing.
Solution:
- transaction /UI2/RSP_LIST or the Fiori Content Manager (transaction /UI2/FLC or the corresponding app in the Launchpad). This allows you to check in which catalog and in which roles the app is installed.
- If the app is not installed, it must be installed in a suitable business catalog before it can be added to the menu of a suitable role.
- If the app is installed in one or more roles: Use SU01, SUIM or PFC to check whether the user with whom the error occurs is supplied with one of these roles. If not: Supply via SU01, PFCG or an IDM tool.
Fiori error analysis for missing data in apps
If the Fiori app starts but does not load any data, backend authorizations are often missing.
Solution:
- Analyze STAUTHTRACE or SU53.
- Check which authorization objects (e.g. S_TABU_DIS, S_RFC) have run into errors. Add the missing authorizations in a backend role and assign them to the user.