Freelancers
Cancel
 Sign In
Join Now

This blog intends to provide reference and details on S/4 HANA Fiori applications usage – analytics, reports that are accessed via Fiori Launchpad (FLP). Further, also serves as a Best Practices to follow in order to pass Audit and compliance and S/4 HANA security role restrictions.

One of the very important factors for Audit and Compliance is to assess the transactions/t-codes executed by the users.

  1. User Statistics
  2. User reporting
  3. KPI Metrics

From the traditional days of users using SAP R/3, to ECC to S/4 HANA, many of SAP customers are implementing or are already live with S/4 HANA (Fiori apps) with users moving on to leveraging Fiori Launchpad (FLP) with transaction/s getting replaced by Fiori application (app/s).

And, the focus now shifting on Tracking/Monitoring SAP Fiori application/s Usage launched by the business/end-users on Fiori Launchpad – FLP (front end UI screen)

One of the way, is by installing the “Apps usage report for SAP Fiori launchpad” by downloading the transport from GitHub:

Fiori tracker – GitHub

There are various ways to measure User Data and Reporting Statistics. Below are some key transactions that are available under SAP ECC and some under S/4 HANA systems:

  • ST03, ST03N
  • SM19, SM20
  • Program – /IWFND/R_METERING_VIEW
  • Report –   /IWFND/R_METERING_AGGREGATE
  • Function- /IWFND/METERING_AUDIT
  • Report –    /IWFND/R_METERING_DELETE

SAP UI5 – BSP application – Fiori Usage Reporting

The solution I am going to discuss is for (onPremise FLP) where it will provide – Fiori application usage specifics using SAP UI5 – Business Server Page (BSP repository). The SAPUI5 Repository technically bases on the BSP repository of the ABAP server.

SAP UI5 in other words, is also well known as coding language for SAP Fiori. It is a technology for developing responsive web applications. The SAPUI5 ABAP repository uses BSP applications to store SAPUI5 apps, components, and libraries.

Details on can be found here in this article given by SAP:

SAP UI5 and BSP Repository

Further, SAPUI5 libraries make available a set of types, interfaces, controls and elements. For binary files it uses  the MIME objects within BSP application.

These kind of apps depend very heavily on the corresponding OData services and need to ensure they are maintained within SU24 and active status.

And, also popularly called as “UI5 BSP app consuming Odata services

Pre-requisites and Versions needed:

SAP Fiori for SAP S/4HANA 1909 FPS01

SAP Fiori for SAP S/4HANA 2020 FPS02

SAP Fiori for SAP S/4HANA 2021 FPS00/01

SAP_UI 7.54 / 7.55 / 7.56

Relevance OSS notes:

https://launchpad.support.sap.com/#/notes/2935911

https://launchpad.support.sap.com/#/notes/3067553

SAP S/4HANA 2021 with embedded SAP Fiori frontend server (FES – 2021)  

The following graph shows the integration of an embedded SAP Fiori frontend server (FES) deployment model with various FLP attributes running on S4 HANA backend.

S/4HANA 1909 the minimum FES version is SAP FES 6.0.

For SAP S/4HANA 2020 the minimum FES version is SAP FES 2020

For SAP S/4HANA 2021 the minimum FES version is SAP FES 2021 – S4CORE 106

S/4%20HANA%202021%20embedded%20model%20-%20FES

Diagram 1: S/4 HANA 2021 embedded model – FES

 

Relevance Services

SICF - Check for for UI5 custom component under the following path:
SAPUI5 Application Handler SAPUI5 Application called via HTTP out of SAPUI5 repository -
/default_host/sap/bc/ui5_ui5/sap/
BUSINESS SERVER PAGES (BSP) RUNTIME - 
/default_host/sap/bc/bsp/sap/

Example - YFIORIUSAGE

- Ensure it's activated (Active Status)

Process Cycle – Package Repository

In the below graph, I have shown the key integral elements within ABAP – Object Navigator that contributes as an “Input Source” to Fiori Usage Reporting.

                                                         Diagram 2: Process Cycle 

Key (Primary) Table

Y_FIORIUSAGE – Primary table which is used to provide inputs to FLP application usage report, the below diagram provides with the key attributes of this table

Destination%20Fiori%20Usage%20table%20-%20Output

Diagram 3: Destination Fiori Usage table – Output

Program – Y_FIORIUSG_RPRT

Classes

  • Data Provider Base Class
  • Super Class (Abstract Data Push Provider)
  • Data Provider Secondary Class (Sub-Class)
  • Methods

Structure – Fiori Usage Line

Types – Inheritance:

  • /IWBEP/IF_MGW_APPL_SRV_RUNTIME SAP Gateway Application Interface
  • /IWBEP/IF_MGW_CORE_SRV_RUNTIME OData Channel – Core Runtime Interface – Framework
  • /IWBEP/IF_MGW_CONV_SRV_RUNTIME OData Channel – Application Convenience Interface

Other Tables

/UI2/ITEM Personalization service container item

Key backend Transactions

Below listed are some of the key ABAP backend transactions from configuration and validations purpose:

  • /UI2/FLP – SAP Fiori Launchpad
  • SE80 – ABAP Workbench
  • SICF – Services
  • SU24 – Gateway Services Maintenance
  • PFCG – Role Maintenance
  • SE16 – Table
  • SM37 – Function Module
  • SE38 – Program Source Code
  • SE11 – ABAP Dictionary
  • /IWFND/MAINT_SERVICE – Activate and Maintain Services

Complete Deployment Solution

Along with the custom package, there will be 2 custom services (R3TR IWSG and IWSV) provided as mentioned in the below “Audit and Compliance” section.

Provide access to the services via security roles

Once all of the above given configuration is in place and all the relevance services are activated, launch the below to fetch the Fiori usage analytics report:

https://<<localhost>>:<<portnumber>>/sap/bc/ui5_ui5/sap/UI5_BSP App/index.html

https://<<localhost>>:<<portnumber>>/sap/bc/ui5_ui5/sap/YFIORIUSAGE/index.html

                                        Diagram 4: Working deployment model 

 

How to achieve Audit and Compliance

Run the above deployment model working with Internal Audit team to get their “Buy-In” and also run SOD report and show them the below restriction criteria on how the security and controls setup was achieved.

Restriction of the Fiori Usage Report

As a best practice, limit the UI5 BSP application access to the following users/teams:

  1. Security Team
  2. Basis Team
  3. Finance Operational Support Team
  4. Audit Team

Activate and Maintain Services using SICF and /IWFND/MAINT_SERVICE transactions:

SU24 

  • Application Type 14 – SAP Gateway: Service Groups Metadata
  • Application Type 15 – SAP Gateway Business Suite Enablement – Service

PFCG 

Sync the above 2 services within the ABAP PFCG security role and maintain the appropriate profile status.

  • Execute transaction – PFCG, create a new role and within “Menu” navigate to “Authorization Default”
  • Add Service Type 14 and 15 from the drop down menu

Following will be added –

Authorization object: S_SERVICE

Service Type: HT TADIR Service

Program ID: R3TR

Object Type: IWSV and IWSG

And, Fiori Launchpad specific security authorizations

GRC Ruleset Synchronization

Below is the Trace result upon executing the above UI5 BSP app

SAP Gateway: Service Groups Metadata Y_FIORIUSG_SRV_0001 CL_START_AUTH_CHECK===========CP 0

Authorization check successful S_SERVICE SRV_NAME <<Alpha Numeric Values>> 

SRV_TYPE – HT

Run the Rep. Object Sync jobs to sync the updates

GRAC_REPOSITORY_OBJECT_SYNC

GRAC_OBJ_MANUAL_SYNC

GRAC_PFCG_AUTHORIZATION_SYNC

GRAC_AC_REPOSITORY_OBJECT_SYNC

Key Authorization objects and values needed for Config purposes:

—authority check——-
AUTHORITY-CHECK OBJECT ‘S_TABU_DIS’
ID ‘ACTVT’     FIELD ’03’     ” Activity: 03: Display
ID ‘DICBERCLS’ FIELD ‘IWAD’.  ” Authorization Group: IWF Admin

———authority check——-
AUTHORITY-CHECK OBJECT ‘S_TABU_DIS’
ID ‘ACTVT’     FIELD ’02’     ” Activity: 02: Create, change, or delete table entries
ID ‘DICBERCLS’ FIELD ‘IWAD’.  ” Authorization Group: IWF Admin

 

Conclusion:

Key things to keep in mind as I wrap up this blog –

While implementing this solution, coordination from the following teams and support will be needed from SAP in delivering customization of the package –

  1. ABAP development team
  2. Functional team
  3. Security team
  4. Basis team
  5. SAP Support

Best Practices – 

Appropriate SAP Fiori Software versions, SP and relevance OSS notes are applied

Identify key business process areas

Assess SOX relevance financial data and reporting apps

UI5 package deployment in SBX/DEV

Limit the access for Fiori usage report to IT, support users in PROD

Create a separate security role with the custom services

Import the UI5 package BSP repository via transports to higher landscape

Maintain and activate the services in SICF and /IWFND/MAINT_SERVICE

Define ITGC-SOX control and owner for this usage report

Have Quarterly check-point to assess the users validity for this report

 

Please feel free to post your questions or go through the below SAP Community – Q&A for Fiori – S/4 HANA relevance topics.

SAP Community – Fiori for SAP S/4HANA (Q&A)

You can also find my other blog post on “White Paper: SAP BTP Security integration w.r.t – S/4 HANA Security and Controls

sap-btp-cloud-foundry-security-integration-strategy-white-paper-w.r.t-s-4-hana-security-and-controls-best-practices-via-identity-authentication-services-ias-cloud/

Please share your thoughts or comments on this blog post, thank you for your time in going through this blog once again.

 

Tags: SAP Fiori for SAP S/4HANA SAP Fiori Launchpad SAP S/4HANA SAP S/4HANA Embedded Analytics SAPUI5 UI Business Server Pages (BSP)
Sara Sampaio

Sara Sampaio

Author Since: March 10, 2022

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x