Aug 20, 2018 at 11:05 AM

Security in Fiori - Catalog Level Vs Business logic Level


Hello Fiori Experts,

I am exploring a bit on Central Hub Architecture to deploy the Fiori applications on the launchpad in the Central Hub System which would call the business application logic in the backend system (non-HANA ERP system).

In this particular context, I am looking for a way to control the security on the business application logic. As per my understanding, there are two users involved in the central hub architecture.

1. The user who logs on to the Fiori launchpad and, with the help of the catalogs assigned to him, can access the relevant Apps. This is done in PFCG in the Central Hub System.

2. There is an RFC user ID that calls the OData service, which executes the OData Data Provider methods that contain the business application logic to operate on the data (could be insert / read / delete, etc.).

Since there are multiple users involved in the process who log on to the application, I am looking for a way to control the back end security. For example, User 1 should only operate on the sales area that belongs to him and shouldn't touch the data that belongs to User 2, who may be allocated to a different sales area. Since the RFC user is common for both, is this even possible?

I see the following Help document, and if I look at the orange colored path, they talk about PFCG roles for front end and back end. So, is there a way to handle the above scenario, and if yes, is this also applicable for the Central Hub architecture?

Fiori Authorization Concepts and Recommendations

Does it also mean there is a standard way to pass the user ID of the user who is accessing the Fiori app to the backend system, to control the necessary business application level data security?

Highly appreciate your feedback on this!

Babu Kilari