This blog we will discuss an approach to activate SAP delivered Best Practice Business Role (SAP_BR*) using Task-List SAP_FIORI_FCM CONTENT_ACTIVATION into a Custom Business Roles following designed role naming nomenclature. This is an extension of my previous blog SAP Fiori – SAP Business Role Activation using Task-List SAP_FIORI_CONTENT_ACTIVATION | SAP Blogs. The Business role given by SAP is basically a shell role with links to Spaces and Pages, Groups, and Catalogs. This Task-List works when SAP_BR* roles is copied into Custom Business Role, when this role is activated using the task-list, it and will bring in all related components automatically. In this blog I will outline comprehensive approach (Step-by-Step) to activate the SAP Business Role SAP_BR_GL_ACCOUNTANT as an example as a copied Custom Business Role. This blog will be very useful for Basis and Security team members within an organization.

The use of task list SAP_FIORI_FCM_CONTENT_ACTIVATION is recommended for Development systems as it allows you to activate SAP Standard Fiori Roles as a custom SAP Fiori role. In this case, as you should use this task list for activation in your Development system, the roles you should feed into the task list must ideally be custom roles which were obtained because of the exploration conducted in the Sandbox system. Feeding custom roles to this task list will help you activate only the content you wish to have in your Production environment and generate specific transports containing that selected content. The role generated by sing Task-List can be the maintained as desired using the transaction PFCG

SAP has provided various Task-List to simplify creating and maintain roles within Fiori. These Task-List have made things very easy for security team members to manage role development based on customer needs and which is within the scope and requirements. In this blog I will cover the Task-List which are primarily used to convert SAP delivered Best Practice Business Roles with nomenclature starting with SAP_BR*. Since this is an extension of my previous blog. The SAP have given more than 500 Business role which companies can adapt to a given requirements. These are pre-configured roles given by SAP and can be adapted as required. This Task-list involves first copying the SAP delivered Role into ZXXXX.. naming standard followed by activation, which will activate the required associated OData and ICF services automatically and giving the option to maintain the role manually. This process also eliminates issue faced during developing like missing authorization, OData services etc. In one of my projects, we used this process to create over 150 roles within a day. To do the same, we had to create an Excel File which detailed the SAP delivered Business Role name and all the attributes which were copied into Custom Roles with desired output. SAP GUI script was created to accomplish the task to copy SAP_BR* role. Once the task was completed, the task-list option was utilized to update the custom Business role.

Note: The SAP_BR*consists of both Groups plus Spaces and Pages concepts. Following S/4HANA 2020 SAP has announced deprecation of SAP Group concept and have introduced more refined Spaces and Pages concept which adheres to orders of tiles as it appears in Fiori Launchpad.

Note: This task list can be executed multiple times as many times as needed in your Development system as the number of apps to be active depends on your project scope, thus you can generate multiple transports or use dedicated transport to capture the required services activate during role activation from this task list.

*Note: As this task list expects you to feed custom business roles, these custom roles are not added to the transport created by the task list. You should create new transports to capture roles, this can be done using any method but in our project, we used Mass Transport option for moving the roles within the landscape.

In our case we have embedded SAP S/4 HANA 2020 FSP02 installed, for which SAP has given the following information from SAP Fiori Library.

The SAP provide two task-List for activation of Business Role as shown below:

  • SAP_FIORI_CONTENT_ACTIVATION (Used for SAP Delivered Content SAP_BR*)
  • SAP_FIORI_HCM_CONTENT_ACTIVATION (Used for custom content roles)

For this blog, we will be using the Task-List SAP_FIORI_FCM_CONTENT_ACTIVATION.

Pre-Requisite

It is assumed that basis team have already implement the Task-List SAP_FIORI_FOUNDATION_S4. Since this blog is extension of my precious blog for the given SAP Business Roles SAP_BR_GL_ACCOUNTANT role and as a result all the OData and ICF have been activated. The Business role can be copied into a follows naming convention. In our case the role will be called ZFMU:BR_GL_ACCOUNANT:XXXXXX. This is a Master Role with following nomenclature:

  • Z                >>         Custom Name Space
  • F                >>         Fiori
  • M               >>         Master Role
  • XXXXXX    >>        Company Code or Plant or Sales org Etc.

Basis team should have already generated Package (SE80) and the respected Transports (SE10), in our case we will be using Local Object option.

In this task-list you can use single or multiple Business Roles to be activated. For easier maintenances, in our project we clubbed all Functional related Business roles together like RTR, PTP team etc., This method provides tremendous saving time with no error. This Task-List can activate all the following types of Apps:

  • UI5 (SAP Fiori App)
  • UI5 (SAP Fiori App)
  • GUI (GUI Transaction)
  • WDA (ABAP Web Dynpro Application)
  • WCF (Web Client UI Framework)
  • URL (URL)

Note: Task-List can be run multiple times until everything is activated. If there is an error the Task-List can be executed again till everything is green. For one of my projects where Business Roles were within the scope, the activation was done In Development environment.

In this task list you can activate one or more set of Business role. The Business role with new naming convention should already exist in the desired and is a mandatory step. The custom Business Role attribute are as follows and shown below:

Role Name:                ZFMU:BR_GL_ACCOUNTANT: XXXXXX

Role Description: CBR:GLOBAL:FIN:RTR:MASTER:UPDATE/CHANGE:- General Ledger Accountant

CBR:                                    Custom Business Role

FIN:                                     Finance

RTR:                                    Record to Report

Note: Business catalog contains no ISWG/IWSV components data as we copied a Shell role into a custom role

Task-List: SAP_FIORI_HCM_CONTENT_ACTIVATION Process

Use the T-Code STC01 to activate the Task-List for custom business role. The custom business role can be activated manually as well as using the Task-List. I will show both ways for clarity. Manual activation is laborious and time consuming, whereas task-list is fast and accurate. In both cases the system pulls all authorization maintained in SU24 automatically. The task-list SAP_FIORI FCM_CONTENT_ACTIVATION, when executed bring in SU24 data into the PFCG roles, the respected Fiori components IWSG/IWSV, associated authorization objects along with Org Hierarchy details and furthermore, gives the option for security team members to maintain open fields manually in both cases. The Org hierarchy can be also maintained. In our case since it is a Master Role, we will give all Org values as a blank.

Method: Manual

For manual updating the role open the role ZFMU:BR_GL_ACCOUNTANT: XXXXXX by using the T-Code: PGCG and selecting the Business Catalog. Right click the Launchpad Business Catalog >> General Ledger – Master data for Charts of Accounts >> as shown blow

Select the option >> Details >> which opens >> Change SAP Fiori Launchpad Catalog >> screen

In SAP Fiori launchpad Catalog screen, select the option >> Include Applications >> this will bring all the information maintained for the desired Business catalog.

Scroll Down

The above screen list some of the SAP GUI Transaction APPs like FS04, FSP4, FSS4, OB58, and S_ALR_*87012308 along with the Fiori Apps

To proceed further click the icon >> Continue   >> and the selected Business Catalogs is updated with desired content as shown below by expanding the Business Catalog >> General Ledger – Master data for Charts of Accounts >>.

Note: To shows complete details click the icon >> Switch on Technical Names >>

The above screen data can be checked and validated by using the selected Business Catalog and executing the FLP Content Manager: Client Specific T-Code: /N/UI2/FLPCM_CUST

The above screen shows the Business catalogs with both GUI and SAP Fiori Apps and matches the data within the PFCG role. This process needs to be done for all the Business Catalogs. Once completed, save the role, and follow the regular process for creating any single role.

Using Task-List

To use the Task-list we can now use the T-Code: STC01 to activate the Task-List SAP_FIORI_FCM_CONTENT_ACTIVATION.

When executed the initial screen appears which needs to be maintained. Here we can use single or multiple roles to be activated at a given instance.

For every Task within the Task-List to be performed SAP has provided couple of options like Help, Parameter and Parameter Description. It is a good practice to read the documentation. The options under the Parameter tab needs to be defined and populated.

Here we can select are roles for activating by selecting under >> FIORI Confirm/Select Roles for FLP content Activation >> Parameter >> entering the role name and using the >> filter >> option.

Note: We can select multiples roles here, for our example we are using single roles

Now click Save and go back will give you option to save the selection.

By clicking >> Yes >>, the role is selected and at the bottom it shows >> Selection Saved >> Click Go back option

Now leave everything as it is. You can de-select the option >> Set transport options for to be activated OData Services >> as for this role the associated services have already been activated. I left selected as we will not be transporting these services.

Note: Make sure >> Update Role Menu (PFCG>> is always selected

The final screen is as shown above. After completing the configuration, the task list can be executed by clicking >> Execution >>. Since we have only one role, we will use dialog mode to execute for many roles a background of execution mode can be adopted. You can run the task list in dialog or background mode.

At the bottom of the screen, it shows >> Task list run execution ended with Status ‘Finished with warning’ >> with warning, this is fine and acceptable. The task-list was executed successfully. In our case everything was fine. You can also check Logs by clicking the icon >> Logs >>

Now check the Custom Business roles in PFCG and check if it got updated

The Menu tab >> Menu >> is green, which means all catalog data have been updated and activated with the desired IWSG/IWSV components which are needed for Tile/App to function properly as can be seen in the above screen. The authorization Tab >> Authorization >> is red, meaning we need to maintain the authorization within the role.

Go to the tab >> Authorization >> Maintain the profile >> save the Role and Click >> Change Authorization Data >>.

In the Define Organization Levels input screen, nothing is maintained. Maintain blank values as shown below as this is a Master Role

Close the above window by clicking Save

Now, here maintain the Authorization Objects based on input provided by Business /Functional team. The object S_SERVICE object is activated, and HASH values have also been generated as seen as shown below.

Now generate the role with the open field value and give it to test User to do positive and negative testing. Click the >> Generate >> option

Click the >> Generate >> option

At the bottom of the screen, it shows >> Profile(s) were updated >>. Now assign the Custom Business Role to the test user T251_GLAC

The Test user has following roles

The Test user T251_GLAC logs into the development system for testing by launching Fiori Launchpad URL

Click on option >> Log On >>

.

Test user could successfully log into the development system

Click the option 

Click the option >> APP Finder >>.

Open the App >> Manage Charts Of Accounts

The App is working successfully

Using T-Code: /N/UI2/FLPCA we can obtain list of tiles and apps

 

Note: In one of our projects, we did club related custom business role based on scope together to activate the roles. This is done by selecting the option >> FIORI Enter List of SAP Business Roles to be activated (Optional)>>. Here we can add as many roles needed by cutting and pasting and using the icon >> Upload from Clipboard >>.

Summary:

In this second series of blogs, I have shown steps needed to activate SAP delivered best practice business starting with SA_BR* nomenclature and using the Task-List SAP_FIORI_FCM_CONTENT ACTIVATION., where the authorization fields and Org values are updated by what is maintained in SU24. Security team can then update the objects with values as per business need. Here the SAP delivered business role is copied into Custom Business role with proper naming convention. Business team should be given AGR_1251 data for the role to updates values and TOBJ table data for description of Authorization Objects.

 

Additional Reading

Updated tasklist available for SAP Gateway service activation | SAP Blogs

SAP Fiori for S/4HANA – Rapid Activation Task List Updates and Quick Guide | SAP Blogs

SAP Fiori for SAP S/4HANA – SAP Fiori Security Design Fundamentals | SAP Blogs

New Installation of S/4HANA 1909FPS0 – Part 4 – Rapid Activation for Fiori | SAP Blogs

SAP Fiori for SAP S/4HANA – Combining business catalogs into custom business roles | SAP Blogs

Hope, you would like the blog and would appreciate any comments and provide some feedback.

 

Sara Sampaio

Sara Sampaio

Author Since: March 10, 2022

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x