Front-End Server Roles

If front-end server hub (standalone) deployment is used, PFCG roles providing UI access and start authorizations for activated OData services must be created on the front-end server system.
The PFCG role on the FES needs the catalog for the start authorization and the space for displaying it on the SAP Fiori Launchpad home screen.
Hint
We recommend that you add a catalog to the role menu instead of adding individual OData services. The system determines the OData services for a catalog and automatically includes the start authorizations when adding the catalog to the role menu.
However, this is not always the case and adding single OData service authorizations provides additional security, especially if the FES is set up as a separate hub. By specifying the services explicitly in the role menu, you control which requests on behalf of a user can pass SAP Gateway.
Back-End Server Roles

To view the tile, start the SAP Fiori app, and retrieve business data from the OData service, a specific OData authorization is necessary.
Therefore the PFCG front-end role with the catalog and space also needs the OData start authorization to call the back-end server.
In addition, a specific PFCG back-end role with the required execute and data access authorizations is needed.
Note
We recommend that you organize the roles on the BES according to the roles on the FES for the sake of consistency of the catalog content.
The authorizations required for a particular application are provided by the OData service of the SAP Fiori apps. This includes the start authorizations for the service or the application in the back-end system and the business authorizations for accessing the business data that is displayed in the app. By adding the catalog to the menu of back-end PFCG roles, the OData services, the start authorization, and the authorization proposals for the business authorizations will be included automatically. You can adjust these as required.

Both the OData start authorization on the FES and the OData access authorization on the BES can include SU24 authorization defaults.
SU24 authorization defaults for IWSG objects include only start authorizations. The defaults for IWSV objects mostly include business functional authorization objects that are used during OData service execution.
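
The following is an added example, not SAP code and not an SAP export format: a small consistency check that compares the OData services a catalog needs with the IWSG entries in an FES role and the IWSV entries in the corresponding BES role. The catalog name, role names, service names and the data layout are constructed for illustration, and service names are assumed to be already normalized to a common key on both systems.

```python
# Added example: all names and the data layout below are constructed.
CATALOG_SERVICES = {  # hypothetical catalog -> OData services its apps call
    "ZBC_SALES_ORDERS": {"ZSALES_ORDER_SRV", "ZCUSTOMER_SRV"},
}

ROLES = [  # constructed sample roles; IWSG/IWSV is the role menu entry type
    {"name": "Z_FES_SALES", "system": "FES", "catalogs": ["ZBC_SALES_ORDERS"],
     "services": {("IWSG", "ZSALES_ORDER_SRV"), ("IWSG", "ZCUSTOMER_SRV"),
                  ("IWSG", "ZPAYROLL_SRV")}},
    {"name": "Z_BES_SALES", "system": "BES", "catalogs": ["ZBC_SALES_ORDERS"],
     "services": {("IWSV", "ZSALES_ORDER_SRV")}},
]

# Hub deployment as described on this page: IWSG on the FES, IWSV on the BES.
EXPECTED_TYPE = {"FES": "IWSG", "BES": "IWSV"}


def audit_role(role, catalog_services=CATALOG_SERVICES):
    """Compare a role's service entries with what its catalogs require."""
    wanted_type = EXPECTED_TYPE[role["system"]]
    required = set()
    for catalog in role["catalogs"]:
        required |= catalog_services.get(catalog, set())
    granted = {name for kind, name in role["services"] if kind == wanted_type}
    return {
        # Needed by a catalog app but not authorized in this role.
        "missing": sorted(required - granted),
        # Authorized in this role although no assigned catalog needs it.
        "unneeded": sorted(granted - required),
    }


def audit_all(roles=ROLES):
    """Return the audit result for every role, keyed by role name."""
    return {role["name"]: audit_role(role) for role in roles}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```

In the constructed data, the FES role carries a start authorization that no assigned catalog needs, and the BES role lacks one service the catalog's apps call.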

SAP Fiori legacy apps such as Web Dynpro or SAP GUI for HTML apps need an HTTP / HTTPS connection directly to the back-end server (BES).
However, legacy apps still need to be part of a business catalog, which is going to be assigned to the PFCG role. Also, based on the business catalog, SAP Fiori spaces and pages can be created, which will display the tile of the legacy app.
In the PFCG role, start authorizations and the required execute and data access authorizations must be maintained.
SAP Fiori legacy apps have the SU24 authorization proposals of the called transaction or Web Dynpro application only on the BES system.
