Assigning Permissions to Users

The SAP Fiori Launchpad and SAP Fiori apps are an essential component to SAP S/4HANA Cloud Private Edition. After installation, there should be no need for general business users to use the SAP GUI Easy Access menu to complete their job tasks through transaction codes, as all apps to complete daily business tasks will be available in the launchpad based on the user's assigned business role.

For new implementations (not system conversions) of SAP S/4HANA Cloud Private Edition, SAP completes the technical setup activities for the necessary systems. This includes:

• Installation of application-specific packages in respective SAP systems
• SAP Fiori launchpad setup for 1 client per SAP S/4HANA system, including activation of predefined sample SAP Fiori apps for initial launchpad validation

• Enabling relevant Fiori apps for all customer business processes
• Implementing customer-specific configurations to apps

The settings for the SAP Fiori Launchpad are configured at three layers, two by an SAP Fiori Administrator and one by the individual user:

• The Cross Client Configuration Layer (Fiori Administrator).
• The Client-specific Customizing Layer (Fiori Administrator). This layer takes the components configured at the Configuration layer, and decouples them once edited, making them client-specific.
• The Personalization Layer (End Users via the User Action Menu). It is important to note that users cannot give themselves access to anything, they can only add, remove and reorganize tiles they have been given access to via catalogs. They are simply making the launchpad more useful to themselves by changing the display of tiles, much like adding favorites in SAP GUI, though through a different process.

The object that provides the content for all SAP Fiori Launchpads is the Catalog. There are two varieties of catalog, each with a specific purpose. The Technical Catalogs delivered by SAP are organized by solution area and contain the actual technical definition of the app tile and pathway to launch the app (known as the Tile and Target Mapping or App Descriptor). The Business Catalogs delivered by SAP are organized by job role, but don't contain new definitions. Business Catalogs are made up of references to the App Descriptors defined in the Technical Catalog. When utilizing the SAP delivered Fiori Launchpad applications, the Fiori Administrator will need to create business catalogs to fit each job role, either through a single catalog or multiple catalogs.

Using the recommended tools, Technical Catalogs are created only at the Configuration layer. Business Catalogs can be created at the Configuration or Customizing layer.  

For setting up and organizing the default display, the Fiori Administrator should use the Spaces and Pages concept introduced in SAP S/4HANA 1909. This superseded the concept of Groups beginning with SAP S/4HANA 2021, which had been used since the first releases of the SAP Fiori Launchpad.  Spaces and Pages are configured using a pair of Fiori Applications. They are always configured at the Customizing layer.

To grant access to the applications, users are granted Business Roles, created via PFCG. The normal process would be as follows:

1. Create a Business Catalog
2. Create a Business Role
3. Assign the Catalog to the Role
4. Create a Space and one or more Pages
5. Assign the Space to the Role
6. Add apps to and configure on Pages

When configuring the various objects, there may be more than one tool available. Though all tools are supported, using the newer tools is recommended. As of SAP S/4HANA 2021 and later, the most recent tools to use for creating the various objects are as follows:

• Technical Catalogs: SAP Fiori Launchpad Application Manager (/UI2/FLPAM)
• Business Catalogs: SAP Fiori Launchpad Content Manager (/UI2/FLPCM_CONF - Configuration Layer; /UI2/FLPCM_CUST - Customizing Layer)
• Spaces: Manage Launchpad Spaces Fiori application
• Pages: Manage Launchpad Pages Fiori application
• Groups: Groups are deprecated as of SAP S/4HANA 2021. If it is necessary to manage them, the SAP Fiori Launchpad Designer is the only option.
• Roles: Roles are created and managed using the Role Maintenance transaction (PFCG).

The SAP Fiori Launchpad Designer may be used to create any variety of catalog at either level. This tools has been superseded by both the FLP Application Manager and FLP Content Manager, but still may be used for certain configurations and various Launchpad configuration options. This is covered in the SAP Fiori - Foundation course, UX100.

Role Maintenance (transaction code PFCG) in the SAP GUI enables you to manage role and authorization data. A role is created by the Profile Generator (PFCG) and provides access to transactions, reports, web applications, etc. that are necessary for someone to complete their job tasks in a particular business area (e.g. Sales Representative). Within each role, you can also view and maintain user assignments. The structure for the Profile Generator is formed by the roles, which are based on the organizational structure of the company. User Maintenance (SU01) in the SAP GUI enables you to assign a role to a user.

In Role Maintenance, you can:

• Change and assign roles
• Create roles
• Create composite roles
• Transport and distribute roles

In order to give users the capability to use any SAP Fiori Launchpad applications, there are several basic steps to the process.

1. First, any users that should use the SAP Fiori Launchpad need to be assigned the SAP Fiori Foundation User role created as a part of Rapid Activation Procedure.
2. Next, a Business Catalog(s) should be created that will have all of the apps needed for a particular job role. There are many different ways to organize the apps whether one catalog per job role or many small catalogs (or anything in between) This tends to be a customer specific choice as part of an overall security policy.
3. Once the catalog is defined, it is recommended to create a User Role using transaction code PFCG, then assign the Business Catalog(s) to that role. This will enable a smoother Space / Page creation process and can point out any potential issues due to lack of app access. It is also acceptable to create the User Role first, then the Business Catalog(s), then assign the Catalog(s) to the role.
4. Following the assignment, the Authorization objects for the various applications in the Catalogs will added to the User Role. These authorization objects for all SAP Fiori Launchpad apps in the associated Catalogs will be maintained within the User Role. At this point, if the role is assigned to users, then the users will have access to the SAP Fiori Launchpad applications. The applications will not automatically display in the Launchpad itself, the user will either need to launch them via the app search functionality in the launchpad or add the Tiles via Personalization.
5. Next is the process of defining the default display for the applications. This can be done through Groups or Spaces and Pages, both are supported. However, as of SAP S/4HANA 2021, Groups are deprecated, and Spaces and Pages are recommended. This allows for multiple organizational layers. For example a Space could be created to cover all Analytics apps, with a Page devoted to each functional area and Sections within a page dedicated to specific areas of interest like payment information or various looks at items in stock. Groups are nearly identical to a single Page structure with each Group being a section on a specific page. A further benefit is shown during definition of the pages with in the Space.
6. Once a Space and at least one corresponding Page has been created to display the SAP Fiori Launchpad applications in the Business Catalog, the Space should be assigned to the User Role. This should be done before adding the application tiles to the Page. This will enable a check while adding the tiles to the Page. SAP Fiori Launchpad application tiles from Business Catalogs assigned to the same User Role as the Page's parent Space will available to add with no other extra steps to see them. If it is necessary to add application tiles from Business Catalogs that are not currently assigned to the same User Role as the Page's parent Space, then extra steps are required. In addition, the apps in the Manage Launchpad Pages app will show as "Out Of Context". This indicates it can't be verified that the users will be able to see those app tiles because they are in a Business Catalog not associated with the role.

If the decision is made to use groups, there is no context check and any tile from any catalog can be added to any group. It is more difficult to determine where catalog access is causing issues with tiles not displaying as there is no check for context within the role when creating the groups. As they have been deprecated, Spaces and Pages should be used.

When configuring the Business Catalogs and Spaces/Pages for access and display respectively, it is the combination of the two that allows the user to see the SAP Fiori Launchpad application Tile automatically in their Launchpad. The Business Catalog, once assigned to a role will allow the access to and control the usage of the application. Assigning the catalog to the role assigns all the authorization objects, similar to assigning a transaction code to a role. These authorization objects are maintained within the role, controlling the access.

The Page will have the SAP Fiori Launchpad application tiles, organized in sections. The page will be associated with a Space, which is assigned to the role. The Page, via it's parent Space simply allows the application tiles to be shown, if the user has the Business Catalog with the tile reference assigned to a role they have.

More simply put, by way of the role, the Catalog will control the access to the app, the Space/Page will allow for automatic display when access is granted via the catalog.

The process for assigning a Business Catalog, or Space to a role is similar to assigning a Transaction to a role:

1. In PFCG, edit the Role
2. Select the Menu tab
3. Select the button labeled "Transaction" (though the button is actually named "Insert Node" as you will see from the tool tip when you hover over it with a cursor)
4. Select the dropdown arrow on the right of the button
5. From the menu, select SAP Fiori Launchpad, then the appropriate component (Launchpad Catalog for Business Catalogs, Launchpad Space for a Space).
   Note

   Pages are not directly assigned to a role, they are assigned via the Space they are associated with.

6. Select the Business Catalog or Space and Save when finished.

Following the assignment of any Catalog, the authorizations will automatically be added by default. To maintain these authorizations, select the Authorizations tab and maintain the authorizations in a similar fashion to how they are maintained for transactions.

The applications and transactions used to create and maintain catalogs can be launched via transaction codes or by saving the URLs as bookmarks. However, the Manage Launchpad Spaces and Manage Launchpad Spaces applications must be launched via tiles.

Beginning with SAP_UI 7.55, the SAP_FLP_ADMIN role contains two Business Catalogs and one Space and that will make SAP Fiori Launchpad application tiles available for all of the various tools used in configuration of Technical Catalogs, Business Catalogs, and Spaces/Pages for each supported tool.

• The SAP Fiori Launchpad Admin Business Catalog (ID: SAP_BASIS_BC_UI_FLA) contains tiles for the SAP Fiori Launchpad Designer (both layers), the SAP Fiori Launchpad Content Manager (both layers), and the SAP Fiori App Manager (only exists for cross client Configuration layer).
• The SAP Fiori Launchpad Design Business Catalog (ID: SAP_BASIS_BC_UI_FLD) contains the Manage Launchpad Spaces and Manage Launchpad Pages apps and the Create Launchpad Pages from Groups app, which is used to migrate existing groups to a page in a particular space.

As with the delivered catalogs, which provide access to the application tiles, there is a space delivered to ensure these applications will display in the SAP Fiori Launchpad by default.

The SAP Fiori Launchpad Space (ID: SAP_BASIS_SP_UI_FLP) is assigned to the SAP_FLP_ADMIN role in addition to the catalogs.