To use SAP Fiori apps, users need app-specific SAP Fiori user interface (UI) entities and authorizations. You assign these types of entities to users by means of PFCG roles.
SAP Fiori launchpad is the access point to apps on mobile or desktop devices. To use SAP Fiori apps, users need the following app-specific types of entities:
UI
The SAP Fiori UI entities define which SAP Fiori apps are displayed to the user. The apps are organized through catalogs and groups.
Authorizations
The authorizations that are required to use SAP Fiori launchpad, to start SAP Fiori apps, and to use the business logic and data of the apps.
Dependencies between SAP Fiori UI Entities, OData Services, and Authorizations
The SAP Fiori UI entities that define which SAP Fiori apps are displayed to the user
The OData services that retrieve the dynamic data to be displayed from the business logic for the SAP Fiori apps
The authorizations required to start and to use the business logic of the SAP Fiori apps. These authorizations are defined by the OData services.
UI Entities
we use UI Entities to organize apps that are displayed to users.
- Catalog
A catalog is a set of apps that you
want to make available and authorize for your users. The users can browse
through the catalog, choose apps from the catalog, and add them to the entry
page of their SAP Fiori launchpad.
Technically, apps are represented by
the following:
- KPI tiles to launch the app
- App launcher tiles to
launch the app
Note
Only the apps that can be accessed
directly from the entry page of the SAP Fiori launchpad have an app launcher
tile.
- Target mappings referencing
the actual navigation targets
Note
For launching apps either using a
tile or using navigation, users require a target mapping. We recommend that you
add the tiles and corresponding target mappings to the same catalog.
- Group
Groups define the SAP Fiori launchpad
entry page. The apps in the group are a subset of apps that are assigned to one
or several catalogs. Which tiles are displayed on a user’s entry page depends
on the catalogs and groups assigned to the user’s roles. If a group contains
apps that are not assigned to the user by catalogs, the app is not displayed on
the user’s entry page. In addition, if configured, the user can personalize the
entry page by adding or removing apps to pre-delivered groups or self-defined
group.
You maintain catalogs and groups in
the launchpad designer. SAP delivers technical catalogs which contain apps per
application area. In addition, SAP delivers business catalogs and business
groups as sample collection of apps relevant for a business role.
As an administrator, you can use the
technical catalogs as repository to create your own role-specific business
catalogs and groups. For more information, see Maintaining Business Catalogs and Business Groups.
PFCG Roles
You use PFCG roles
to assign the UI entities and authorizations to the users:
- PFCG roles on the front-end
server
By adding the catalogs to the role
menu, you include the apps in the catalog that is available to the users. By
adding groups, you define the SAP Fiori launchpad entry page.
To start the apps, users require the
start authorizations for the model provider of the activated OData services. To
get these start authorizations, you add the OData services to the PFCG role
menu. For the OData services the SAP Fiori apps use, see the SAP Fiori app
documentation.
If available, the system determines
the OData services for a catalog and automatically includes the start
authorizations when adding the catalog to the role menu.
For more information, see Create PFCG Role on Front-End and Assign Launchpad
Catalogs and Groups.
- PFCG roles on the back-end
server
On the back-end server, the OData
services that the SAP Fiori apps use are implemented. Therefore, the users need
to have start authorization for the OData service’s data provider, and all the
business authorizations for accessing business data displayed in the app.
For object pages, the authorization
defaults also include the authorizations for the SAP Fiori search connectors.
The OData services carry the authorization defaults for the business
authorizations as suggested by SAP.
To get the authorizations, you add
the OData services to the PFCG role menu. This adds the start authorizations
and the authorization defaults for the business authorizations of the
applications to the role. If available, we recommend adding the catalog to the
role menu to automatically determine the OData services included in the
catalog. With that, you can organize the update of authorizations when the
catalog changes. In the figure above, the dotted arrow pointing from the menu
of the PFCG role on the back-end to the catalog on the front-end illustrates
this recommendation
For more information, see Create PFCG Role on Back End.
Sequence When
Starting an SAP Fiori App
- When the user starts the SAP
Fiori launchpad, the launchpad displays the app tiles that are assigned to
users via catalogs and organized in groups.
A launchpad-specific OData service
resolves the catalogs and groups a user is assigned to: This service resolves
the user’s catalog and group assignments using the PFCG roles the user belongs
to on front-end server, by collecting the corresponding catalog and group
entries in the PFCG role menu.
- To start an SAP Fiori app,
the user chooses a tile. The tile resolves the technical SAP Fiori app
implementation to be started using a target mapping.
The tiles and target mappings of a
catalog or group, which then determine the technical SAP Fiori app
implementation, are maintained in the SAP Fiori launchpad designer.
- When a user’s browser loads
an SAP Fiori app, the app retrieves its dynamic data from the HTTP
endpoint of the app-specific OData service on the front-end server. SAP
Gateway translates the HTTP request to a trusted RFC call to
the SAP Gateway enablement of the back-end server, which then
retrieves the data by calling the relevant business logic.
The user requires authorizations for
the app-specific OData service, that is, the start authorizations for the
service on the front-end server and in the back-end server and the business
authorizations required by the business logic.
Rupesh Chavan