Restricting the Enterprise Search

Objective

After completing this lesson, you will be able to manage Restrictions for Enterprise Search.

Restricting the Enterprise Search

Overview

When users search for data in the SAP Fiori launchpad, the SAP Fiori search accesses the SAP HANA enterprise search. SAP Enterprise Search helps you find apps and central business objects from the search bar. It is a search solution providing unified, comprehensive, and secure real-time access to enterprise data and information from within and outside of a company. The search returns both structured data (business objects) and unstructured data (HTML files, presentations, documents) from SAP systems and other search providers and allows direct access to the associated applications and actions.

Illustration on SAP Fiori System Architecture – Enterprise Search.

Every application that uses SAP AS ABAP as its underlying technology platform can use Enterprise Search as the technology for basic searches. Enterprise Search allows you to search all structured data in an application in a unified way. Enterprise Search contains tools for creating and changing search models.

SAP HANA is the database used for Enterprise Search. Enterprise Search enables direct search access to your business data stored in the tables in SAP HANA.

Activation of the Enterprise Search – Fundamentals

Enterprise Search is activated for each client individually. Activate it mainly on clients where SAP Fiori is used and extended search capabilities are needed.

Illustration on activation of the Enterprise Search.

The necessary steps to enable the SAP Fiori search in the SAP Fiori launchpad are part of the task list for activating SAP Enterprise Search. The task list, SAP_ESH_INITIAL_SETUP_WRK_CLIENT, provides the automatic initial setup of Enterprise Search in the work client.

Note

The user who executes the Enterprise Search setup tasks must have the administrator role SAP_ESH_LOCAL_ADMIN or a role that contains at least all authorization objects of the role SAP_ESH_LOCAL_ADMIN.

The search for business objects is enabled through corresponding search models.

Because search connectors search within a specific scope, only the relevant models are beneficial for the user. Depending on the applications used, the relevant search connectors can be found in different places:

  • SAP Fiori Apps Reference Library
  • SAP Notes
  • SAP Standard Business Roles
  • ESH Modeler

Combine all of these sources to obtain the full set of relevant search models.

As an example, the figure below shows the selection of search models using the SAP Fiori Apps Reference Library. Depending on the applications used, the relevant search connectors can be found there. Select all relevant apps for the role whose search scope you want to limit, and aggregate them.

Screenshots on selecting models for the Enterprise Search – SAP Fiori Apps.

Restriction of the Enterprise Search

Illustration on restricting the Search Object Access in the SAP Fiori Launchpad.

Enabling access to all search connectors can degrade system performance, and not every user needs access to all search connectors. Restricting the Enterprise Search limits access to the necessary search connectors.

This can be achieved by restricting the authorizations for the authorization objects S_ESH_CONN and SDDLVIEW.

As an example, we look at the enterprise search models used in the SAP Fiori app Material Documents Overview.

Each classical search model has a corresponding CDS based search model. The following table provides an overview of the search models:

Example for Search Model

Model Name | Classical Model | CDS Based Model
Material Document | MATERIAL_DOCUMENT_H | ESH_S_MATDOC
Physical Inventory | MATERIAL_INVENTORY_H | ESH_S_PHYSINVTRY

The required authorizations for the search models are part of the authorization defaults:

R3TR IWSV MMIM_MATDOC_OV_SRV 0001

When creating roles, take over the following authorizations into the role, depending on which search model is used:

Authorizations for Search Model

Search Model | Authorization Object | Field Name and Value
MATERIAL_DOCUMENT_H | S_ESH_CONN | TEMPL_NAME = MATERIAL_DOCUMENT_H
MATERIAL_INVENTORY_H | S_ESH_CONN | TEMPL_NAME = MATERIAL_INVENTORY_H
ESH_S_MATDOC | SDDLVIEW | DDLSCRNAME = ESH_S_MATDOC
ESH_S_PHYSINVTRY | SDDLVIEW | DDLSCRNAME = PHYSINVTRY

Screenshots on default authorization values for Search Model.
Screenshots on limiting authorizations in profile.

Another example of enterprise search models, in Bank Relationship Management, is shown in SAP Note 2847374 - Enterprise Search Models in Bank Relationship Management: Availability of CDS based search models in SAP S/4HANA 1909.

Illustration on Enterprise Search Setup Approach.

To ensure a proper restriction of the Enterprise Search, make sure that:

  • All manifestations of the S_ESH_CONN and SDDLVIEW authorization objects are restricted
  • The user has no SAP_ALL authorization profile
  • The authorizations in standard SAP Business Roles are set accordingly
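
The checks listed above can be run over exported role data. The following Python script is an added example, not SAP code and not part of the original lesson; it assumes role authorization values exported as CSV in an AGR_1251-style layout, and the role names, user names, authorization names and in-scope list are constructed sample data.

```python
import csv
import io

# Restricting field per authorization object, spelled as in this page's table.
RESTRICTING_FIELD = {"S_ESH_CONN": "TEMPL_NAME", "SDDLVIEW": "DDLSCRNAME"}

# Constructed sample in an AGR_1251-style layout (one row per field value).
ROLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_EX_INVENTORY,S_ESH_CONN,AUTH_00,TEMPL_NAME,MATERIAL_DOCUMENT_H,
Z_EX_INVENTORY,SDDLVIEW,AUTH_00,DDLSCRNAME,ESH_S_MATDOC,
Z_EX_INVENTORY,SDDLVIEW,AUTH_00,ACTVT,03,
Z_EX_INVENTORY,S_ESH_CONN,AUTH_01,TEMPL_NAME,*,
Z_EX_DISPLAY,SDDLVIEW,AUTH_00,DDLSCRNAME,ESH_S_*,
Z_EX_DISPLAY,S_ESH_CONN,AUTH_00,TEMPL_NAME,A,Z
Z_EX_DISPLAY,S_ESH_CONN,AUTH_01,TEMPL_NAME,Z_OTHER_MODEL_H,
"""
# Constructed sample: user -> assigned authorization profiles.
USER_PROFILES = {"TRAIN-01": ["Z_EX_PROFILE"], "TRAIN-02": ["Z_EX_PROFILE", "SAP_ALL"]}
# Search models the roles are meant to reach (assumed scope for this example).
IN_SCOPE = {"MATERIAL_DOCUMENT_H", "MATERIAL_INVENTORY_H", "ESH_S_MATDOC"}


def audit_search_restrictions(role_csv, user_profiles, in_scope):
    """Return (kind, subject, value) findings for unrestricted search access."""
    findings = []
    for row in csv.DictReader(io.StringIO(role_csv)):
        # Only the field that names the connector or CDS model is relevant.
        if RESTRICTING_FIELD.get(row["OBJECT"]) != row["FIELD"]:
            continue
        low, high = row["LOW"].strip(), (row["HIGH"] or "").strip()
        subject = f'{row["AGR_NAME"]}/{row["OBJECT"]}/{row["AUTH"]}'
        if not low:
            continue  # field not maintained: grants nothing
        if high:
            findings.append(("RANGE", subject, f"{low}..{high}"))
        elif "*" in low:
            findings.append(("WILDCARD", subject, low))
        elif low not in in_scope:
            findings.append(("OUT_OF_SCOPE", subject, low))
    # A user with SAP_ALL bypasses every role-level restriction.
    for user in sorted(user_profiles):
        if "SAP_ALL" in user_profiles[user]:
            findings.append(("SAP_ALL", user, "SAP_ALL"))
    return findings


if __name__ == "__main__":
    for finding in audit_search_restrictions(ROLE_EXPORT, USER_PROFILES, IN_SCOPE):
        print(*finding, sep="\t")
```

Each authorization instance is checked separately, so a second, unrestricted instance of S_ESH_CONN in the same role is reported even when the first one is correctly limited.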

Practice System Exercise: Check Restrictions for Enterprise Search

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

You want to check the restrictions for SAP Enterprise Search.

Steps

  1. In Google Chrome, open the SAP Fiori Reference Library.

    1. In the Microsoft Windows start menu, choose Google Chrome.

    2. In Google Chrome, go to Bookmarks.

    3. In Bookmarks, choose SAP Fiori → SAP Fiori Apps Reference Library.

  2. Search for the app Display G/L Account Balances and check for which OData service the user will require PFCG authorization.

    1. In the SAP Fiori Apps Reference Library, choose SAP Fiori Apps for SAP S/4HANA.

    2. Choose All Apps.

    3. In the Search field, enter Material Documents Overview.

    4. Choose Material Documents Overview.

    5. Below the subtitle, select the release version SAP S/4HANA 2023 latest FPS.

    6. Select the IMPLEMENTATION INFORMATION tab.

    7. Expand Configuration.

    8. Check for which OData service the user requires the PFCG authorization.

      Result

      The user requires PFCG authorization for the OData services MMIM_MATDOC_OV_SRV and MMIM_GR_CANCELLATION_SRV.

Task 1: Check the proposals for authorization objects S_ESH_CONN and SDDLVIEW

You want to check the authorization default values for authorization objects S_ESH_CONN and SDDLVIEW in back-end system S4D.

Steps

  1. Log on to the SAP GUI of the system S4D.

    Field | Value
    User | train-##
    Password | Custom password

    1. Choose SAP Logon.

    2. Select 10 Development → S4D SAP GUI non-SNC [PAS].

    3. Choose Log On.

  2. Check the authorization proposals for implemented OData service MMIM_MATDOC_OV_SRV.

    1. Start the transaction SU24.

    2. In the Type of Application field, choose SAP Gateway Business Suite Enablement - Service.

    3. In the Object Name field, choose the input help (F4).

    4. Expand the Restrictions area and enter MMIM_MATDOC_OV_SRV* in the Object Name field.

    5. Choose Start Search.

    6. Select the search result R3TR IWSV MMIM_MATDOC_OV_SRV 0001.

    7. Choose Copy.

    8. Choose Execute (F8).

      Result

      The result list shows the data access objects on the back-end server S4D for the service R3TR IWSV MMIM_MATDOC_OV_SRV 0001. Among others, it also displays the authorization default values for the authorization objects S_ESH_CONN and SDDLVIEW.

Task 2: Check the authorization proposals in profile

You want to check the authorization proposals for authorization objects S_ESH_CONN and SDDLVIEW in the role ADM945_##_BR_INVENTORY.

Steps

  1. Check the authorization proposals in the profile of role ADM945_##_BR_INVENTORY.

    1. Start the Role Maintenance transaction PFCG.

    2. In the Role field, enter ADM945_##_BR_INVENTORY.

    3. Choose Change.

    4. Go to the Authorizations tab.

    5. Choose Change Authorization Data.

      Result

      The pop-up displays that several IWSG and IWSV services which were proposed due to the Manage Banks app will be removed. The IWSG and IWSV services which were proposed due to the Manage Banks - Cash Management app will be added. This is because you removed an SAPUI5 application in the catalog and added another one.

    6. Expand the following nodes: Object class AAAB, Authorization Object SDDLVIEW and Authorizat. 00.

    7. Check the values for the authorization fields.

    8. Expand the following nodes: Object class BC_A, Authorization Object S_ESH_CONN and Authorizat. 00.

    9. Check the values for the authorization fields.

    10. Choose Back (F3).
