Professional Documents
Culture Documents
SAP_UI2_ADMIN
SAP_UI2_USER
SAP_ESH_ADMIN
SAP_ESH_DISPLAY_QUERY_LOG
SAP_ESH_REORG_QUERY_LOG
SAP_BR_ANALYTICS_SPECIALIST
You have installed the SAP Smart Business modeler apps on the front-end server and on the
SAP HANA server.
Your front-end user is assigned the PFCG role /UI2/SAP_KPIMOD_TCR_S.
Your SAP HANA user is assigned the roles
sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_MODELER and
sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_RUNTIME.
Open Security folder -> User -> AdminUser. Click on granted roles and assign the
following roles:
o sap.hba.r.sb. core.roles::SAP_SMART_BUSINESS_MODELER
o sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_RUNTIME
o sap.hba.apps.kpi.s.roles::SAP_SMART_BUSINESS_ MODELER
o sap.hba.apps.kpi.s.roles::SAP_SMART_BUSINESS_RUNTIME
o KPI_SPECIFIC_HANA_ROLE (You can find the role from FIORI Apps library)
Open EndUser. Click on granted roles and assign the following roles:
o sap.hba.r.sb.core.roles::SAP_SMART_BUSINESS_RUNTIME
o sap.hba.apps.kpi.s.roles::SAP_SMART_BUSINESS_RUNTIME
o KPI_SPECIFIC_HANA_ROLE (You can find the role from FIORI Apps library)
Now login to Gateway server from SAP GUI and execute transaction SU01.
Enter “AdminUser” and click on edit, navigate to roles tab and assign the following roles:
o /UI2/ SAP_KPIFRW5_TCR_S
o /UI2/SAP_KPIMOD_TCR_S (For KPI Modeler)
o KPI_SPECIFIC_PFCG_ROLE(You can find the role from FIORI Apps
library)
Launch SAP FIORI Launchpad with AdminUser
Now for the “EndUser” go to su01 transaction in your gateway server and assign
the following roles
o /UI2/ SAP_KPIFRW5_TCR_S
o KPI_SPECIFIC_PFCG_ROLE(You can find the role from FIORI Apps library)
Security team has to assign these roles to Fiori developer, then he will get all the above tiles in his
Launchpad to configure KPI Modeler related tasks.
SAP_UI2_ADMIN
SAP_UI2_USER
SAP_ESH_ADMIN
SAP_ESH_DISPLAY_QUERY_LOG
SAP_ESH_REORG_QUERY_LOG
End users
Create a developer role based on the available templates for all users that are to carry out
development tasks such as creating services. Use the developer role /IWBEP/RT_MGW_DSP for
accessing a remote system from the Service Builder (transaction SEGW) at design time.
S_ICF_ADM - Without this authorization, a user would not be able to deploy a UI5 application
to the Gateway.