Skip to Content
avatar image
Former Member

Fiori launchpad: authorization/role question

Hello everyone,

I am new to SCN and am amazed by the wealth of information that is available here! We are currently doing a small project within our company for HCM Fiori apps, based on this experience we plan on implementing Fiori in other areas of our organization. I have a question about the Fiori launchpad authorizations.

P.S. - I have tried to reach through all the blogs and the content here, I feel like I am missing something very basic. If there is something I have missed

Our system set up(trusted RFC etc.) is complete, our gateway and ECC systems are on different servers. We installed all add-ons, actualy things worked quite seamlessly as we were following all the documents step by step. We created the following roles:

On Gateway:

Z_GW_USER - /IWFND/RT_GW_USER and  S_SERVICE(users + admin)

Z_GW_ADM - /IWFND/RT_ADMIN, S_DEVELOP, /UI2/CHIP, S_CTC_ADM(admin)

Z_UI_ADM - Copy SAP_UI2_ADMIN_700 and add IWSG. Auths. for ZINTEROP*, ZPAGE_BUILDER_CONF*,  ZPAGE_BUILDER_CUST*,

ZPAGE_BUILDER_PERS*, ZTRANSPORT* (admin)

Z_UI_USER - Copy SAP_UI2_USER_700 and add IWSG auths for: ZINTEROP* and • ZPAGE_BUILDER_PERS* (user)

Z_TIMESHEET_BUS - Copy SAP_HR_BCR_EMPLOYEE_T and add. Auth for ZHCM_TIMESHEET_MAN_SRV(user)

Z_TIMESHEET_TECH - Copy SAP_HR_TCR_T and add auths. for timesheet service -> document said that this role is in the backend, but we actually could not find it in the backend(user)

Z_HCM_FIORI - role with Z catalog and Z group added(see below)

On ECC:

Z_RFC_USER - S_RFC and S_RFCACL(user)

Z_HR_START - start auths. for HCM_TIMESHEET_MAN oData service(IWSV auths.) (user)

The problem is, when we assign these roles to an end user, the Fiori launchpad is blank. We have another generic role that we assign to end users, when we assign this role, all HCM apps show up and the custom catalog also shows up -> I don't think this issue is related to technical config. as the apps are working when they show up.

Our requirement is - users should only see 2 apps "My Timesheet" and "Leave request" I created another catalog and group with only these apps and created a new role on gateway with the relevant catalog and group added(Z_HCM_FIORI), but it did not help.

So we either see ALL HCM apps, or nothing. See screenshots below. How can I reach a point where users only see these 2 apps, and I as launchpad admin can add apps later to the catalog and group and they automatically start showing up.

No apps:

All apps show,custom catalog also shows:

Is there something we are doing wrong here?

Regards,

Brian

no apps.JPG (32.0 kB)
all apps.JPG (66.5 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

8 Answers

  • Oct 29, 2015 at 09:05 AM

    Hi Brian;

    See if you are getting any console errors in browser. or any errors in the netweaver gateway.

    Second thing is please check SU53 and ST01 traces (switch on the traces first) for this user.

    third is clear all the caches and then try again.


    1.Clear the server http cache

    Go to the transaction SMICM. Goto -> HTTP plugin -> Server cache -> Invalidate Locally and Globally.

    2. Clear metadata cache

    Transaction: /IWFND/CACHE_CLEANUP on Gateway

    Transaction: /IWBEP/CACHE_CLEANUP on Backend and Gateway

    3. Synchronize chip cache

    Run the report /UI2/CHIP_SYNCHRONIZE_CACHE. Make sure there is no error in the table /UI2/CHIP_CHDR

    Run the report /UI2/DELETE_CACHE_AFTER_IMP.

    /UI2/DELETE_CACHE

    4. Run cache buster

    Run the report /UI5/UPDATE_CACHEBUSTER.

    5. Clear local browser cache


    Regards,

    Sarbjeet Singh

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 29, 2015 at 01:00 PM

    Hi Brian

    Click on the toaster above on the left.

    Regards

    Raquel

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 30, 2015 at 12:43 AM

    Thank you Sarbjeet and Raquel for the ideas, but these did not solve the problem.

    Are we doing something wrong with authorizations? If we copy the SAP provided business roles, and assign to our users, does that not mean that we will see all applications as part of SAP provided catalog?

    If we delete these apps from the SAP provided catalogs, they should disappear from the launch pad, correct?

    I feel like we are missing something from an auth. perspective. How would you approach the requirement to only show 2 apps to the user?

    Best,

    Brian

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Brian;

      to just show the tiles, Just the below roles should be enough

      Z_GW_USER

      Z_UI_USER

      Z_HCM_FIORI

      Z_TIMESHEET_BUS

      If it is not showing the required tiles after assigning these roles and there is no error in console and authorization trace.

      Please check your role Z_HCM_FIORI once again. I guess the catalog is not added here.

      and also check whether you have added the tile in the custom group from your custom catalog not from standard catalog.

      Regards,

      Sarbjeet Singh

  • avatar image
    Former Member
    Nov 02, 2015 at 10:32 AM

    Hi ,

    Could you please assign Fiori launchpad service backend  System alias name should be "Local ".

    below are the services

    ZINTEROP*, ZPAGE_BUILDER_CONF*,  ZPAGE_BUILDER_CUST*,

    ZPAGE_BUILDER_PERS*, ZTRANSPORT*

    T-code : /iwfnd/maint_service there you need to select service and give the system alais name in "LOCAL"

    and try it.

    I hope it will be solve your problem.

    kind regards,

    Rajesh Neelakantam

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 09, 2015 at 06:32 PM

    Sarbjeet and Rajesh,

    Thank you for the comments. The system alias for those services have been set to LOCAL, so I am not sure if that is the problem.

    Former Member - I ran all cache deletion reports that you mentioned, the only 2 things I was unable to perform was run the report in our backend ECC.

    So, we have a user testuser1 that only has the auths. you menionted, we see NO tiles in the launchpad. I checked the role, it has the catalog and the group, see below screenshot.

    I ran transaction stauthtrace and I see below error - No authorization group is user master record, object S_USER_GRP.

    I will work with the authorization team to assign this auth. object, but I was under the impression that these roles should be enough to display only 2 tiles to the end user.

    Do you have any other suggestions as to why we might not be able to see only 2 tiles in the Launchpad?

    Best,

    Brian


    hcm fiori role.JPG (81.7 kB)
    stauthtrace.JPG (116.1 kB)
    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      All,

      Here is a quick update, we ran some reports to invalidate cache /UI2/INVAIDATE_GLOBAL_CACHES and now we are in a much worse position.

      We don't see any tiles in the Launchpad anymore. Individual apps when access via app URL work fine. Can someone please help us?

      In Launchpad designer, we see a bunch of "Reference lost" . All these looked fine earlier and there were a lot of catalogs that are now absent. See below screenshots.

      Best,

      Brian

  • avatar image
    Former Member
    Nov 10, 2015 at 02:35 AM

    All,

    As another update, when we launch the designer URL with SCOPE=CONF, we are able to see at least the standard catalogs, but we don't see these when we launch it with SCOPE=CUST.

    It seems like something happened after we invalidated the global caches.

    Regards,

    Brian

    Add comment
    10|10000 characters needed characters exceeded

    • hi Brian;

      As Masa pointed out, have you applied all the required notes as per your UI Addon sp level?

      Also, please share if you see any browser console error when screen is not loading any catalogs.

      regards,

      Sarbjeet Singh

  • Nov 11, 2015 at 06:04 AM

    Hi Brian,

    The authorization tab is not in green colour.

    Please look into it.

    Regards,

    Bharani

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 19, 2015 at 01:52 PM

    Hey, Brian, can you tell me which guide did you follow with implementation procedure?

    thank you!

    Add comment
    10|10000 characters needed characters exceeded