
Security in Fiori - Catalog Level Vs Business logic Level

Hello Fiori Experts,

I am exploring a bit the central hub architecture, where the Fiori applications are deployed on the launchpad in the central hub system, which calls the business application logic in the backend system (a non-HANA ERP system).

In this particular context, I am looking for a way to control the security on the business application logic. As per my understanding, there are two users involved in the central hub architecture.

1. The user who logs on to the Fiori launchpad and, with the help of the catalogs assigned to him, can access the relevant apps. This is done in PFCG in the central hub system.

2. There is an RFC user ID that calls the OData service, which executes the OData data provider methods that hold the business application logic to operate on the data (this could be insert, read, delete, etc.).

Since there are multiple users involved in the process who log on to the application, I am looking for a way to control the backend security. For example: User 1 should only operate on the sales area that belongs to him, and he shouldn't touch the data that belongs to User 2, who may be allocated to a different sales area. Since the RFC user is common to both, is this even possible?

I see the following help document, and if I look at the orange-colored path, they talk about PFCG roles for the front end and the back end. So, is there a way to handle the above scenario, and if yes, is this also applicable to the central hub architecture?

Fiori Authorization Concepts and Recommendations

Does it also mean there is a standard way to pass the user ID of the person accessing the Fiori app to the backend system, to control the necessary business-application-level data security?

Highly appreciate your feedback on this !

Cheers,
Babu Kilari



1 Answer

  • Best Answer
    Posted on Aug 20, 2018 at 02:11 PM

    Hard-coding a common RFC user in the RFC destination is not the recommended/correct way. In the Logon & Security tab of your type 3 RFC destination there is a Current User checkbox which should be checked. This way the OData service calls from the front-end to the back-end system are executed by propagating the front-end user ID to the back-end system, and only data relevant to that user is shown.

    Check point 2f given here: Establish a Connection from Back-End System to Front-End Server

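Once the front-end user is propagated (trusted RFC with Current User), the back-end sees that user in sy-uname and the sales-area restriction the question asks about is enforced by an ordinary authorization check inside the OData data provider. The following ABAP is an added illustration written for this thread, not code from the original post or from SAP: it assumes a redefined data provider extension class with an entity set named SalesOrderSet mapped to VBAK, and it uses the standard authorization object V_VBAK_VKO (fields VKORG, VTWEG, SPART, ACTVT). The method and entity names are assumptions; the authorization object is a standard one.

```abap
METHOD salesorderset_get_entityset.
  " Added example (not part of the original thread). Assumes a redefined
  " *_DPC_EXT class whose entity set SalesOrderSet is mapped to VBAK.
  DATA: lt_vbak   TYPE STANDARD TABLE OF vbak,
        ls_vbak   TYPE vbak,
        ls_entity LIKE LINE OF et_entityset.

  " sy-uname is the Fiori user only because the hub's SM59 destination is a
  " trusted connection with "Current User" set. With a hard-coded RFC user,
  " sy-uname is that service user for every call and the check below would
  " grant or deny the same rows to everyone.
  SELECT vbeln vkorg vtweg spart
    FROM vbak
    INTO CORRESPONDING FIELDS OF TABLE lt_vbak
    UP TO 200 ROWS.

  LOOP AT lt_vbak INTO ls_vbak.
    " Per-row sales-area check against the calling user's PFCG roles
    " in the back-end system (ACTVT '03' = display).
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
      ID 'VKORG' FIELD ls_vbak-vkorg
      ID 'VTWEG' FIELD ls_vbak-vtweg
      ID 'SPART' FIELD ls_vbak-spart
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      " User 1 only ever receives rows for sales areas in his own roles;
      " User 2's sales area is silently filtered out.
      MOVE-CORRESPONDING ls_vbak TO ls_entity.
      APPEND ls_entity TO et_entityset.
    ENDIF.
  ENDLOOP.
ENDMETHOD.
```

For a single-entity read or for create/update/delete methods, the same AUTHORITY-CHECK (with ACTVT '02' or '01' as appropriate) should be followed by raising /iwbep/cx_mgw_busi_exception when sy-subrc is not 0, rather than returning an empty result. Two caveats when switching the destination to Current User: it only works over a trusted RFC relationship between hub and back end, and the propagated user must have authorization object S_RFCACL in the back-end system or the call is rejected; both are covered in the linked SAP Help steps.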
