Skip to Content

Fiori Designer Designer - User seeings apps in catalogs with no access - Target Mappings

I am opening a question but also giving the answer for the problem.

I just came up with a critical error in the customer I work for - IMHO due to a SAP bad design in the Fiori Launchpad Designer (Fiori on NetWeaver, not on Cloud).

Scenario
There are many "2.0" apps in HCM. e.g. "My Leave Requests" has a newer version which is a different app called "My Leave Requests 2.0"

The problem
Customer is gradually activating those 2.0 apps and for that they did are not delivering those to the end users yet. In order to not give authorization to these new apps to the final users, the customer separated the "1.0" apps from the "2.0" apps in different catalogs. However, final users could still see and open "2.0 apps" even **without having rights to the calalog(s) containing this apps**. It's important to say that all apps are in the same Fiori Group. It should not be a problem as the catalogs are different ones.

Why that happens?
Because of 2 technical decisions from SAP:
1) The new apps uses the same target mapping from their older version. So if app "My Leave Requests" uses target mapping LeaveRequest-manage, its newer version "My Leave Requests 2.0" uses the same target mapping LeaveRequest-manage
2) What **really** defines what the users has access to is NOT the access to the catalogs but the target mappings available inside the catalogs he/she has access to. So If the user has access to catalogs C1 and inside it you can find target mappings "Foo-display" and "Bar-manage" you might have a problem like I had. If you have a different catalogs say C2 that coincidentially have a target mapping "Foo-display" (linked with a different tile and app) the user will see that other app even without having access to catalogs C2

Solution
We changed the target mappings for all 2.0 apps so they become different to the 1.0 apps. This might break some navigation between the apps but it's a temporary fix until we officially launch the 2.0 apps to final users

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Jan 11 at 12:45 AM

    HI Fabio,

    Interesting...

    Actually looking at the Fiori apps library information I see that

    • My Leave Requests uses Leave Request-createLeaveRequest
    • My Leave Requests (Version 2) uses Leave Request-manage
    • My Leave Requests (Version 3/Fiori 2.0) uses Leave Request-manage

    However Version 2 and Version 3 have different technical application ids.

    Also since these are the same software package, we would not expect both versions to be able to be run side by side in the same system... that gets messy as the configuration is shared. Unless you are using 2 different systems - 1 for the new apps, 1 for the old??? If there are separate systems involved they should also have separate system aliases defined in the target mapping... or are you reusing the same system alias somehow??

    Did you raise a SAP Incident for this? If not I would recommend doing so.

    You will need to clarify a few things.... please include these in the Incident.

    Firstly versions - everything is as ever dependent on versions versions versions... especially:

    1. Which solution e.g. Business Suite or S/4HANA? and it's version
    2. Which SAPUI5 version?
    3. Which web browser & on what device ? (semantic

    Secondly behaviours... again these are dependent on versions... I've added some comments on what I would expect in the latest FLP version (I'm using S/4HANA 1809 FPS0 and SAPUI5 1.56 at the moment):

    • Were the users security roles completely separate? That is, each using a different catalog with no SAP_ALL or other generic authorizations that might have resulted in more access than desired. For starters if the apps are being held in different systems, then I would expect to separate the access that way
    • When you say they could see the new apps... do you mean they could see duplicate tiles - to both old and new apps? Do they see that in their groups or in their catalogs (e.g. in the App Finder or both)? I would not expect them to see tiles for the new apps as new versions of apps typically have a separate app id & ICF start node. These should be automatically hidden if the user does not have access.
    • When you say they could see the new apps... do you mean that when they clicked on their "old" tile it started the "new" version of the app? This would indicate a Semantic object + action intent confusion is occurring
    • Did the user get any error when they tried to open the new app, e.g. "could not open app" ? That is what I would expect as a minimum - as they don't

    Finally, have you run the /UI2/FLIA Intent Analysis for that user and what did it reveal for the Semantic object + action combination? If not please do so and include that in the SAP Incident.

    Generally speaking what I see is most new Fiori app versions have a different app id & different ICF node to the old versions. However HCM apps are some of the earliest & one of the few (along with My Inbox) that apply to both Business Suite or S/4HANA so this may be specific to those apps. In which case it would be an issue for the app owner.

    However as part of the move towards Fiori 3 design some of these aspects around FLP catalog management are currently being revisited so getting this feedback in NOW would be really helpful to adjusting the generic approach & advice to all app owners where needed.

    As a mentor, you know you can also reach out to me directly... we might be able to do some advocacy here. Please raise the incident first though so we get all the facts recorded and a deeper assessment of what's happening & why.

    Rgds

    Jocelyn

    Add comment
    10|10000 characters needed characters exceeded

  • Jan 10 at 06:01 PM

    I wonder if someone can tell is this is by design or should be considered a bug.

    Jocelyn Dart or Masayuki Sekihara

    Add comment
    10|10000 characters needed characters exceeded