SAP Security for S/4HANA - How Adding Business Catalogs to the Role Menu automates authorization maintenance | SAP Blogs

Technical Articles
Colleen Hebbert
August 21, 2020
8 minute read
https://blogs.sap.com/2020/08/21/sap-security-for-s-4hana-how-adding-business-catalogs-to-the-role-menu-automates-authorisation-maintenance/

If you are not familiar with managing roles and authorizations in SAP S/4HANA then you might like to have a look at an excellent blog series by Jocelyn Dart before reading this one. A great one to start with is SAP Fiori for SAP S/4HANA - Adding Custom Content to Business Roles.

The transaction PFCG authorization role menu has the “smarts” to facilitate and simplify authorization maintenance for Fiori Catalog access. With some exceptions (see below), role administrators only need to add the Fiori Catalog to the menu before they maintain the authorization data. The system will automatically determine the required authorizations for OData Services (IWSG for the Front-End System, IWSV for the Backend System, or both for Embedded), SAP GUI Transaction Codes, ABAP Web Dynpro applications, and SAP Web Client UI executables.

The arrow next to the catalog can be expanded out to show the imported menu items. These items are read only and cannot be removed directly from the role menu nor can they be maintained.

This blog provides some technical information and tips to leverage this automation. The aim is to simplify your security authorization role build whereby you add the business catalogs and then maintain the authorization data (and hey, if your SU24 is complete, which is where we map default authorization proposals to executables, you have minimal work to do in this space as well).

[Figure: three role-menu screenshots captioned "Expected This", "Got This" and "So I Did This" (you didn't have to do that....)]

How do I make the values default into the menu from the catalog?

The following prerequisites are required for the authorization values to be imported from your SAP Fiori business catalogs to your security authorization roles.

- SAP Fiori foundation is already active
- SAP Fiori apps have been activated
- System Aliases have been maintained (e.g. Transaction SM30 maintenance view V_ALIASMAP)
- Include Applications checkbox is selected when the SAP Fiori business catalog is added to the authorization role (see screen shot below)
- You have the correct authorizations for transaction PFCG to add Catalogs to roles and read the catalog information (in addition to the usual authorizations for create, change of S_USER* objects)

Authorizations and the access required:

- S_USER_TCD (Authorizations: Transactions in Roles): You will most likely need full access (asterisk) as a check is performed to add every executable within the business catalog to the authorization role menu. If the object is restricted, then added $SERVICESS is required for all OData services.
- S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)): You will need this if you have a Hub model (your Gateway system is separate to your backend). Do not enable full access.
- S_RFC (Authorization Check for RFC Access): You will require the following RFC authorizations to search for business catalogs and refresh the menu:
  - /UI2/CATALOG_PFCG: PFCG nodetype 'Catalog'
  - /UI2/CATALOG_PFCG_APP_GRP_DTL: Provide details of sub-applications of the CHIP catalog
  - /UI2/CATALOG_PFCG_CHANGE: Change Chip Catalog
  - /UI2/CATALOG_PFCG_CREATE: Create Chip Catalog
  - /UI2/CATALOG_PFCG_DISPLAY: Display Chip Catalog
  - /UI2/CATALOG_PFCG_EXECUTE: Call Fiori Launchpad Designer From PFCG
  - /UI2/CAT_PROV_ID_SH: Search Help Exit for CHIP Name

Tip: if you do not have the /UI2/CATALOG_PFCG_CREATE RFC you will receive a ‘Catalog does not exist’ message when trying to add the catalog to the menu.

I copied the SAP Standard Business Role so why didn't it work?

The SAP Standard Business Role template was built and added to your system before the prerequisite configuration and app activation was completed.

Also, the copy function in transaction PFCG does exactly that (and only that)! The SAP Standard Role didn't have the values, which means your custom authorization role won't have them either. You need to fix the menu to import the values.

Alternatively, you might have prepared a load file to mass create your authorization roles. You can use transaction code SUIM “Search for Applications in Role Menu” to identify the Fiori Catalogs in the SAP Business Role menu and then use mass creation program PRGN_CREATE_FIORI_FRONTENDROLE.
When taking this approach, the catalog menus will be read, and all menu items automatically imported (so long as prerequisites have been met). Refer to blog: Mass maintenance of Business Roles for SAP Fiori launchpad for information: https://blogs.sap.com/2018/09/03/fiori-for-s4hana-mass-maintenance-of-business-roles-for-sap-fiori-launchpad/

What should I do if the target mappings have changed?

Catalogs must be adjusted in the authorization role menu whenever the target mappings are changed. You do not need to delete and re-add the catalog to the menu when updates have been made (good news)!

Navigate to Transaction Code PFCG in edit mode > Select Role > Menu Tab > Select updated Catalog > Right Click > Choose Details.

So long as you met the prerequisites (especially Include Applications selected and you have the right authorizations), the catalog will be re-read and PFCG will calculate the required changes. The “Application in Catalog” will provide you with:

- Line is highlighted in Red with a Minus (-) Sign: items that will be removed from the menu (target mapping was removed or changed, or application deactivated), which will result in less access
- Line is highlighted in Green with a Plus (+) Sign: items that are new (target mapping added to catalog or underlying application activation issue fixed), which will result in more access
- Line is highlighted in Blue with an Equal (=) Sign: the value was in the catalog in PFCG before the comparison and there is no change

You will need to press the green tick to accept the changes. The PFCG menu catalog will now show the updated menu items.
Before maintaining the authorisations, you will need to save the changes to the menu. The Authorization tab will turn red when you press save if you had any additions or removals.

If the Authorizations tab shows a red traffic icon you will now need to adjust the role authorizations (another “smart” in transaction PFCG is to compare timestamps between authorization role menu updates and the last time authorization data was maintained or generated).

Are you concerned there are a lot of updates to make and it'll take ages doing it manually? Good news, we have a mass tool that can help you out.

SE38 Program PRGN_COMPARE_ROLE_MENU can be used to mass compare the authorization role menu.

[Screenshot: PRGN_COMPARE_ROLE_MENU selection screen with Role and Type of Application Group (CAT_PROVIDER, SAP Fiori Tile Catalog)]

You can enter multiple authorization roles as well as choosing which catalogs are to be refreshed. When you execute the report, you will see the changes that the menu refresh has identified. You will then need to choose Adapt Menu to update the menu items and choose Yes to the confirmation prompt.

Once updates have been made, you can then mass generate the menu, or maintain the authorization role individually.
But then how do I know which role authorizations need to be maintained?

If you find there are several administrators involved in maintaining Fiori Catalogs and authorization Roles, it can get confusing to know if your roles are fully maintained. When menu items are changed, the Authorization tab will show a red traffic light until the authorizations have been maintained.

SAP GUI transaction SUPC Mass Role Generation is useful to check which authorization roles require menu authorization adjustments. This transaction can be executed in display mode and provides the report of authorization status for the roles entered in the selection criteria.

[Screenshot: SUPC result list with columns Role, Status, Created, Modified, Status Text and Prof. Name; the sample row, created and modified 07/13/2020, shows "No authorization data"]

How do I know what items were added or removed (what if someone else is making changes)?
More good news - transaction PFCG change documents will capture what has been added or removed via the catalog.

SUIM > Change Documents > Roles
Or PFCG > Display Role > Utilities > Display Changes

Enter the selection criteria, choose Change Documents > Other Objects in Menu and execute for the selected roles.

[Screenshot: Display Change Documents for Role Administration selection screen (Role Name, Changed By, From/To Date and Time, Change Document Number) with the change document options Create and Delete Roles, Role Description, Single Roles in Comp. Roles, Transactions in Role Menu and Other Objects in Role Menu]

You will see all changes to the menu with the Action of Added or Removed. Business Catalogs, Fiori Groups, and the menu items relating to the target mappings will appear. The change documents will all start with “OTSERVICE” even if it was a transaction code removed from the catalog.

Tip: table USOBHASH can be used to map the GUID S_SERVICE value back to the OData Service Name.

What if our SAP Fiori frontend server is Standalone (hub)?

That's okay - the PFCG “smarts” apply to both Standalone (Hub) and Embedded.
PFCG “smarts” even know what should go in the Front-End authorization Role versus the Back-End authorization Role.

The key difference: you will need to have RFC connections established and include the RFC destination for a backend authorization role in order to remote-read the catalog information. And, you will need to build 2 authorization roles - one in each system with both containing the business catalogs.

[Screenshot: PFCG role with description "Purchasing Officer", Target System "No destination", and IWSV menu entries imported from the catalog]

Hey what were those exceptions you mentioned at the start of this blog?

The following exceptions will require the role administrator to assign additional executables to the role menu:

1. Default OData Services - the base authorization role for the user will require default services to access Fiori Launchpad that are not linked to a target mapping
2. OBN Menu Items or other menu parameters - items that have been imported via the Catalog are read only. Attributes cannot be maintained in the menu. Older style programs may use Object Based Navigations or need other authorization role menu item settings (e.g. Web Dynpros may contain parameters). These items will need to be manually added to the role menu (and can be marked as invisible to hide them from the SAP User Menu, etc.)
3. SAP Fiori 1.0 Apps, e.g. SAP Access Control Request Access App - the Fiori Application was built prior to the planned integration. Additional OData services are part of the application but not automatically added to the authorization role.
In these situations, the role administrator must add the menu items in addition to the Business Catalog. Ongoing maintenance will require the administrator to review the menu and determine if items should remain. For example, if the underlying application is removed from the catalog, the manually added item should also be removed.

As another tip, it can help to create a folder in the PFCG menu with the App Name, add those additional items in (you then know why they are manually in the authorization role) and set them to invisible (to avoid them appearing in user menus if the SAP User Menu service is enabled in Fiori Launchpad or users have SAP GUI backend access).

Becoming a SAP Fiori for SAP S/4HANA guru

Please let us know by commenting below if you've found this blog helpful or noticed other “smarts” to help build authorization roles for Fiori access.

You'll find much more on our SAP Fi

Sponsored by the S/4HANA RIG
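The catalog comparison outcomes (+, -, =) and the housekeeping of manually added menu items described above can be rehearsed offline on an export of the role menu. The Python below is an added example, not code from the blog or from SAP; the record layout, the item and folder names and the sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical record for one exported role-menu entry (not an SAP table layout).
# kind: "IWSG" (front-end OData), "IWSV" (back-end OData) or "TCODE"
# source: "catalog" (imported, read only) or "manual"; folder: PFCG menu folder
Item = namedtuple("Item", "kind name source folder")


def compare_catalog(role_menu, catalog_now):
    """Return {(kind, name): '+', '-' or '='} for catalog-derived items."""
    imported = {(i.kind, i.name) for i in role_menu if i.source == "catalog"}
    current = {(i.kind, i.name) for i in catalog_now}
    diff = {key: "=" for key in imported & current}
    diff.update({key: "+" for key in current - imported})  # green: more access
    diff.update({key: "-" for key in imported - current})  # red: less access
    return diff


def stale_manual_items(role_menu, catalog_apps):
    """Manual items in an app-named folder whose app is no longer in the catalog."""
    # Manual items without a folder (e.g. default launchpad services) cannot be
    # tied to an app, so they are not reported and stay with the reviewer.
    return sorted(i.name for i in role_menu
                  if i.source == "manual" and i.folder and i.folder not in catalog_apps)


def review(role_menu, catalog_now, catalog_apps):
    """Summarise what a menu refresh would change and what needs follow-up."""
    diff = compare_catalog(role_menu, catalog_now)
    by_sign = {s: sorted(k for k, v in diff.items() if v == s) for s in "+-="}
    return {
        "adds_access": by_sign["+"],
        "removes_access": by_sign["-"],
        "unchanged": by_sign["="],
        "stale_manual": stale_manual_items(role_menu, catalog_apps),
        # Any addition or removal leaves the authorizations to be maintained.
        "authorizations_need_maintenance": bool(by_sign["+"] or by_sign["-"]),
    }


# Constructed sample data; every name below is made up for illustration.
ROLE_MENU = [
    Item("IWSG", "ZDEMO_ORDERS_SRV_0001", "catalog", None),
    Item("TCODE", "ZDEMO_OLD", "catalog", None),
    Item("IWSG", "ZDEMO_EXTRA_SRV_0001", "manual", "Demo Request App"),
    Item("IWSG", "ZDEMO_LAUNCHPAD_SRV_0001", "manual", None),
]
CATALOG_NOW = [
    Item("IWSG", "ZDEMO_ORDERS_SRV_0001", "catalog", None),
    Item("TCODE", "ZDEMO_NEW", "catalog", None),
]
CATALOG_APPS = {"Demo Orders App"}  # apps currently delivered by the catalog

if __name__ == "__main__":
    print(review(ROLE_MENU, CATALOG_NOW, CATALOG_APPS))
```

The "adds_access" entries are the ones to review before accepting a refresh, since they widen the role; "stale_manual" lists manual items that no longer have a catalog app to justify them.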
3 Comments

BALASA MANUUNATH
August 24, 2020 at 8:19 am
Nice document

senBerkerera
October 21, 2020 at 12:11 pm
Thank you!

Matricu Lawnikx
December 2, 2020 at 5:36 pm
Thank you,
I'm trying to use PRGN_COMPARE_ROLE_MENU to populate business roles with authorizations (in the Menu tab of PFCG, the authorizations subitems for catalogs are currently missing). The program doesn't find any change when I run a comparison (status is OK) so it does nothing when I click “Adapt menu”. However when I right click > Details on a tile catalog in PFCG, it is correctly populated with new authorizations. How to do this en-masse?
Edit: I've used task list SAP_FIORI_CONTENT_ACTIVATION (STC01) to generate copies of SAP_BR_* roles. The new roles have the proper authorization objects for each tile group.
