
Security in Fiori - Catalog Level Vs Business logic Level

babu_kilari4
Active Contributor

Hello Fiori Experts,

I am exploring the Central Hub Architecture a bit, to deploy the Fiori applications on the launchpad in the Central Hub System, which would call the business application logic in the backend system (a non-HANA ERP system).

In this particular context, I am looking for a way to control the security on the business application logic. As per my understanding, there are two users involved in the central hub architecture.

1. The user who logs on to the Fiori launchpad and, with the help of the catalogs assigned to him, can access the relevant apps. This is done in PFCG in the Central Hub System.

2. There is an RFC user ID that calls the OData service, which executes the OData data provider methods that contain the business application logic to operate on the data (could be insert / read / delete etc.).

Since there are multiple users involved in the process who log on to the application, I am looking for a way to control the back end security. For example, User 1 should only operate on the sales area that belongs to him and shouldn't touch the data that belongs to User 2, who may be allocated to a different sales area. Since the RFC user is common to both, is this even possible?

I see the following help document, and if I look at the orange-coloured path, they talk about PFCG roles for the front end and the back end. So, is there a way to handle the above scenario, and if yes, is this also applicable to the Central Hub architecture?

Fiori Authorization Concepts and Recommendations

Does it also mean there is a standard way to pass the user ID of the person accessing the Fiori app to the backend system, to control the necessary business-application-level data security?

Highly appreciate your feedback on this!

Cheers,
Babu Kilari


Accepted Solutions (1)

saurabh_vakil
Active Contributor

Hard-coding a common RFC user in the RFC destination is not the recommended/correct way. In the Logon & Security tab of your type 3 RFC destination there is a "Current User" checkbox, which should be checked; this way the OData service calls from the front-end to the back-end system are executed by propagating the front-end user ID to the back-end system, and only data relevant to the user is shown.

Check point 2f given here: Establish a Connection from Back-End System to Front-End Server

babu_kilari4
Active Contributor
Thank you very much for the quick response. I overlooked that little checkbox.

gregorw
Active Contributor

Generally, that is called a Trusted RFC Connection. Make sure that you implement the RFC_ACL authorization object in the backend for users that call from the FES.
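To make the accepted answer and the trusted-RFC comment above concrete, here is an added example (not code from the thread, from SAP, or from the Fiori documentation) that models the two setups in Python: a destination that stores a shared technical user, and a destination with "Current User" set, where the backend accepts the propagated identity only from a trusted calling system and then applies its own sales-area authorization. The user IDs, system IDs, sales areas, order numbers and the shape of the trust ACL are all constructed assumptions; real SAP checks are done by the kernel and by PFCG authorization objects, not by application code like this.

```python
"""Model of identity propagation over an RFC destination (added example, not SAP code)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: sales areas each backend user is authorized for.
# The shared technical user needs the union of everything, which is the problem.
SALES_AREA_ASSIGNMENT = {
    "USER1": {"1000/10/00"},
    "USER2": {"2000/10/00"},
    "RFC_HUB": {"1000/10/00", "2000/10/00"},   # hypothetical shared technical user
}

# Constructed sales orders held in the backend.
SALES_ORDERS = [
    {"order": "4500001", "sales_area": "1000/10/00"},
    {"order": "4500002", "sales_area": "2000/10/00"},
    {"order": "4500003", "sales_area": "1000/10/00"},
]

# Simplified trust ACL: (calling system, calling client) pairs from which the
# backend accepts a propagated user ID. Loosely modelled on the trusted-RFC
# authorization the comment above refers to; the real object has more fields.
TRUST_ACL = {("FES", "100")}


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class RfcDestination:
    target: str
    current_user: bool                    # the "Current User" checkbox
    technical_user: Optional[str] = None  # user stored in the destination when current_user is False
    calling_system: str = "FES"           # system ID the backend sees as the caller (assumed)
    calling_client: str = "100"


def backend_caller(dest: RfcDestination, logged_on_user: str) -> str:
    """Identity under which the backend executes the OData call from the front-end server."""
    if dest.current_user:
        # Trusted RFC: no password travels, so the backend must verify the caller
        # is a registered front-end system before believing the propagated ID.
        if (dest.calling_system, dest.calling_client) not in TRUST_ACL:
            raise AuthorizationError("calling system is not a trusted front-end server")
        if logged_on_user not in SALES_AREA_ASSIGNMENT:
            raise AuthorizationError(f"no backend user {logged_on_user!r}")
        return logged_on_user
    if dest.technical_user is None:
        raise ValueError("a destination without Current User must store a user ID")
    # Every front-end user collapses into the same backend identity.
    return dest.technical_user


def read_sales_orders(backend_user: str) -> List[str]:
    """OData data-provider read, filtered by the caller's sales-area authorization."""
    allowed = SALES_AREA_ASSIGNMENT.get(backend_user, set())
    return [o["order"] for o in SALES_ORDERS if o["sales_area"] in allowed]


def odata_read(dest: RfcDestination, logged_on_user: str) -> List[str]:
    """Front-end launchpad user triggers a read through the destination."""
    return read_sales_orders(backend_caller(dest, logged_on_user))


def call_is_rejected(dest: RfcDestination, logged_on_user: str) -> bool:
    """True when the backend refuses the propagated call (used to check the trust ACL)."""
    try:
        odata_read(dest, logged_on_user)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    shared = RfcDestination(target="ERP", current_user=False, technical_user="RFC_HUB")
    trusted = RfcDestination(target="ERP", current_user=True)
    for user in ("USER1", "USER2"):
        print(user, "via shared user :", odata_read(shared, user))
        print(user, "via Current User:", odata_read(trusted, user))
```

With the shared technical user both launchpad users receive all three orders, because the backend only ever sees RFC_HUB; with "Current User" set, USER1 receives the two orders in sales area 1000/10/00 and USER2 only the one in 2000/10/00, and a destination registered under an unknown calling system is rejected before any data is read.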

matthias_b2
Participant

Hello Saurabh,

we are facing the same issue as described here. But as we use the SAP Cloud Platform, we have no direct end-user access to the RFC. Rather, the Cloud Platform authenticates against SAP via a system user.

Are there any "best practices" for this scenario?

Best regards,
Matthias

EDIT: Issue was solved via Principal Propagation.