This is a how-to blog post and part of our blog series on Understanding Business Roles.
In this blog post we compare and contrast using familiar SAP GUI transaction tools such as PFCG, versus mass maintenance tools such as Mass Maintenance of Business Roles for SAP Fiori launchpad. You will see how the SAP Fiori launchpad content manager works for custom business roles just as it does for SAP Business Roles.
There are a few tools available for creating custom business roles.
For example, you can create your business role manually using PFCG or via mass maintenance programs as explained in Mass Maintenance of Business Roles for SAP Fiori launchpad.
In practice, the mass maintenance programs are easier and scale better.
You can use a simple scenario to compare and contrast the effort by combining catalogs from 2 different business roles.
You have a business role called a Maintenance Monitor. This person reviews your equipment and facilities and makes maintenance requests on behalf of others. They do not make the repairs themselves, however they need to be able to see what maintenance requests have already been submitted or are in progress to avoid creating duplicate requests where maintenance is already planned.
There is no exact fit to SAP Business Roles, however you see that the SAP Business Roles Employee – Maintenance Info and Maintenance Technician contain some business catalogs with all of the SAP Fiori apps and classic user interfaces (SAP GUI, ABAP Web Dynpro for HTML, Web Client UI) that you need.
You decide to create a new custom business role that combines the relevant business catalogs from the SAP Business Roles.
Tip: The screenshots below were taken in a SAP S/4HANA 1909 FPS02 system, with SAP Fiori frontend server is in embedded mode.
Important: Note the effort below for is duplicated for both approaches when using SAP Fiori frontend server in standalone(hub) mode, as roles and authorizations have frontend and backend components.
Summary flow for creating a custom business role
The overall flow for creating a custom business role is:
- Identify the launchpad content you want to bring into your business role
- Verify that the content is active & ready to use, and to see if any adjustments are needed
- Adjust content (where needed)
- Create a new security authorizations role to represent your custom business role.
- Assign business catalogs to your role.
- Generate the authorizations needed to access the launchpad content
Tip: You can optionally refine the authorizations later as needed.
In the simple example in this blog post:
- The launchpad content are whole business catalogs
- A decision was taken that the content is ok to use as-is, so you will not find the adjust content step. That will be covered in a future blog in the series.
Identify business catalogs
You start by looking at the closest fit SAP Business Roles, and their related business catalogs that contain the SAP Fiori apps and classic UIs as explained in How SAP Business Roles simplify refining SAP User Experience.
Into your new Maintenance Monitor role, you want to combine:
- The business catalog SAP_EAM_BC_MREQ from the SAP Business Role Employee – Maintenance Info (SAP_BR_EMPLOYEE_MAINTENANCE), which grants the SAP Fiori app F1511 Request Maintenance
- The business catalog SAP_EAM_BC_TL_MW from the SAP Business Role Maintenance Technician (SAP_BR_MAINTENANCE_TECHNICIAN), which grants the SAP Fiori app F2661 Find Maintenance Task List and Operations along with related apps to see further details of the maintenance tasks and operations on equipment and facilities
You can see the discovery in the SAP Fiori apps library to find the apps in the business catalog SAP_EAM_BC_TL_MW as of SAP S/4HANA 1909 FPS02.
Apps in the catalog SAP_EAM_BC_TL_MW as of SAP S/4HANA 1909 FPS02
Before you create your new business role, you will also need to check your prerequisites.
You will need:
- Access to read SAP Fiori catalogs, e.g. security role SAP_UI2_FIORI_CATALOGS_READ
- Access to run the SAP GUI transaction codes PFCG, SU01 (to assign a user), and SA38 (to run the program)
- A Fiori User role that grants business users access to the SAP Fiori launchpad, such as the Z_FIORI_FOUNDATION_USER role created by the Fiori Foundation task list SAP_FIORI_FOUNDATION_S4
- Your SAP Fiori launchpad URL to test your custom business role
Verify launchpad content is active
Before you start combining the catalogs into a custom business role, you should verify if the content is active and therefore ready to use. Only active content will launch correctly from the SAP Fiori launchpad. Only active content will generate authorizations correctly.
You can activate the content before or after you create your custom business role. The important thing is to know whether the content is active, as this impacts on deriving authorizations.
The SAP Fiori launchpad content manager provides an easy way to verify your content, from both the Roles tab and the Catalogs tab. Simply select the role or catalog you want to verify, and use the Check Services button to confirm what has been activated.
You use the GUI transaction /UI2/FLPCM_CUST (client-independent) or /UI2/FLPCM_CONF (cross-client) to start the Fiori launchpad content manager. In the Roles tab you search for the roles you want to combine. Select the role to see the catalogs in the role. Then select Check Services button to see if the related catalogs are active and ready to use.
Check Services for a role in SAP Fiori launchpad content manager
Check Services will see a horizontal traffic light (red/yellow/green) indicator for Service Activation Status to indicate if content is:
- Red – not active
- Yellow – partially active with some issue still to be resolved
- Green – active
All services active (green light) for a business role
If something is not active you will also be given some hints on what is missing – you can see an example below.
Important: Check Services is also available for custom business catalogs and custom business roles.
If for some reason the content is not active you will need to activate the content before finalizing your authorizations and before testing your new role.
You can activate the content before building the business role, e.g. by activating the source SAP Business Roles using rapid activation. However in a development environment there may be valid reasons for not activating the SAP Business Role. In this case, you can activate the content after the building the business role by activating using your new business role itself using the task list SAP_FIORI_FCM_CONTENT_ACTIVATION as explained in Further enhancements of SAP Fiori launchpad content manager tool now available.
Manual creation of a new custom role
You can manually create the custom business role using transaction PFCG.
From the SAP Fiori launchpad content manager Roles tab, or from the Roles containing Catalog table in the Catalogs tab, use the Open in PFCG option.
The flow for manual creation of a custom role is:
- In transaction PFCG, create your new role in the custom namespace.
- In the Menu tab, manually assign Fiori Tile Catalogs to the role one by one.
- Go to the Authorizations tab and generate the authorization profile.
Important: In the examples below, this process is shown using a SAP Fiori frontend server in embedded mode. If your SAP Fiori frontend server is in standalone (hub) mode, authorizations are split between the frontend and the backend, so you will need to repeat this in the backend using the “Remote front-end server” option when entering the catalog ids.
Taking the example, you decide to start by copying the SAP Business Role SAP_BR_EMPLOYEE_MAINTENANCE to your custom role.
Tip: Alternatively you could create a new empty role and then add the just the catalog to the role. The main difference with starting by copying a SAP Business Role is that you at least get its business catalogs defaulted in as a starting point. You can also pick up any business groups as your default launchpad layout.
Enter original role name and press Copy button in GUI Transaction PFCG
Your custom role needs to be in the customer namespace. You decide to call it ZI_BR_MAINTENANCE_MONITOR. You use Copy All to copy across all the related subcomponents of the role.
Name the copied role and Copy All subcomponents of the role
You edit the role to change the description and press Save. You have to press Save before you make further changes, you will be prompted to save if you forget.
Enter the role description and Save your new, empty business role
You go to the Menu tab to add the additional catalog from the Maintenance Technician role. You select the Add Transaction button menu and change it to Add SAP Fiori Tile Catalog.
Selecting the Add Fiori Tile Catalog option in the Menu tab
You select your catalog provider Fiori Launchpad Catalogs. You select your local SAP Fiori front-end catalog id.
Important: You need to use the dropdown button on catalog id to get the full internal technical name of the catalog. Alternatively you can use a wildcard * to enter a partial name such as SAP_EAM* and then select the catalog from the dropdown value list.
You make sure the Include Applications checkbox is marked. This is necessary to ensure all the related application authorizations are derived. You press Continue.
Selecting the catalog provider, catalog, and Include Applications checkbox
Now both business catalogs are assigned and you can expand them to see the related catalogs.
Expanding business catalogs in the Menu tab of PFCG to see the assigned content
Lastly you need to generate the authorizations related to these apps. So you move to the Authorizations tab and use the Change Authorization Data button to generate the authorization profile manually.
PFCG Authorizations tab and Change Authorizations button
Tip: Generating the authorizations works much the same as in SAP Business Suite.
Once the Authorization profile is saved you can now assign the role to users.
This process works however the assigning of catalogs to the role and adjusting the authorizations quickly becomes tedious with only a few catalogs. It doesn’t scale well.
Mass Maintenance creation of a new custom role
The easier option is to use the mass maintenance programs to generate a new role using a selection list of catalogs. You can even use the mass maintenance programs to create multiple custom roles at the same time.
Start the execution program PRGN_CREATE_FIORI_FRONTENDROLE using GUI transaction SA38.
Executing program PRGN_CREATE_FIORI_FRONTENDROLE using GUI transaction SA38
Important: If your SAP Fiori frontend server is in standalone (hub) mode, the authorizations are split between the frontend and backend servers so you will also need to repeat all of this in the backend using program PRGN_CREATE_FIORI_BACKENDROLE to complete the role.
You have a few different options for running the program, e.g. you can upload a list of desired role to catalog assignments from a tab-delimited file; you can use the program to create, change(append), or change(replace) custom business roles. You can find all the options in the program documentation using the “i” (information) button.
For your simple Maintenance Monitor example, you select the Create option and the Without Template option. You also select the option Delete and Recreate Profile and Authorizations, as this will do all the hard work of profile generation for you. You press Execute.
Selecting the options to Create a new role without template and with automatic authorization profile generation
You use the Append Row button to add 2 rows and enter your role name and the 2 catalogs you want to assign to it. Remember the role name has to be in the customer namespace – you decide to use ZM_BR_MAINTENANCE_MONITOR. Then press Enter to validate the catalogs.
Tip: If you want to add some business groups to default your launchpad layout for the role, you can do that by adding additional lines with type of entry GROUP_PROVIDER and the business group id as the name of the menu entry.
Entering the list of business catalogs to be assigned to business catalogs
Now all you need to do is press Execute to create the role.You should see a dialog showing a green square indicator to confirm your role was created successfully.
Success dialog showing business role has been created successfully
Review the role in transaction PFCG and you will find the role has been created with just a few clicks, ready to assign to a test user id. Even the Authorizations have been created for you.
Generated role in transaction PFCG, business catalogs expanded to show content is assigned
When you review the authorizations, you will see by default complete authorizations are given to apps and their associated data. This includes access to all of the SAP Fiori apps, ABAP Web Dynpro applications, SAP GUI transaction codes, and Web Client Uis contained in the business catalogs. You can refine the data access afterwards where needed e.g. to limit access to specific companies, plants, functional locations, cost centers, equipment types, etc.
Generated role in transaction PFCG, showing generated authorizations
So you have now learned that the mass maintenance tools are much easier to work with than individual maintenance in transaction PFCG.
Find more information on the mass maintenance generation programs in blog post Mass maintenance of Business Roles for SAP Fiori launchpad
Testing and further refining your custom business role
At this point you now have a custom business role represented by your new custom security role.
You can assign the custom business role to business users, e.g. using GUI transaction PFCG or SU01.
Important: Don’t forget the user will also need generic access to the SAP Fiori launchpad – you can use the Fiori User role created by the Fiori Foundation task list
For example you can create a user id MAINTMONITOR with the assigned roles:
- Z_FIORI_FOUNDATION_USER to give access to the SAP Fiori launchpad
- ZM_BR_MAINTENANCE_MONITOR to give the custom business role
Finally you can go to your SAP Fiori launchpad to test your new business role using your test user.
Important: Remember at this stage you have not added any tiles to the home page. So the home page will be empty. This is fine – remember this is just layout which you adjust later through groups, spaces and pages, or personalization.
SAP Fiori launchpad with the new business role, home page is empty as groups have not been assigned
You can see the assigned catalogs and related apps by going to the App Finder. From the App Finder you can launch the apps by selecting the tiles, or use the pin icon to add them to your home page.
For example you can launch the SAP Fiori app F1511 Request Maintenance to try it out.
F1511 Request Maintenance app launched from the App Finder
What else can you do?
You can access apps via app to app navigation, e.g. where hyperlinks lead you from one app to another. You can see this in the SAP Fiori app F2661 Find Maintenance Task List and Operations
F2661 Find Maintenance Task List and Operations app showing links to other apps
You can access the apps via the Fiori Search.
Accessing maintenance apps via Fiori Search
You can access the apps via the Home/App Title button.
Accessing maintenance apps via the Home/App Title button
Once you are satisfied that everything is working as expected, you can further refine your role, e.g. adjusting the generated authorizations to limit access to data.
Reviewing your custom business role and other next steps
You can review your new role in the SAP Fiori launchpad content manager, in the same way that you reviewed the original SAP Business Roles.
Custom business role and related catalogs shown in the SAP Fiori launchpad content manager
If your apps were not ready, you can activate them now using the task list SAP_FIORI_FCM_CONTENT_ACTIVATION. Don’t forget to adjust your authorizations afterwards.
Becoming a SAP Fiori for SAP S/4HANA guru
You’ll find much more on our SAP Fiori for SAP S/4HANA wiki
Brought to you by the S/4HANA RIG