SAP Fiori – SAP Business Role Activation using Task-List SAP_FIORI_CONTENT_ACTIVATION

In this blog, we will discuss an approach to activate SAP delivered Best Practice Business Role (SAP_BR*) using Task-List SAP_FIORI_CONTENT_ACTIVATION. This is a shell role with links to Spaces and Pages, Groups, and Catalogs. This Task-List when used will create a copy of Business role and will bring in all related components. In this blog I will outline comprehensive approach (Step-by-Step) to activate the Business Role SAP_BR_GL_ACCOUNTANT as an example. This blog will be very useful for Basis and security team members within an organization.

SAP has provided various Task-List to simplify creating and maintain roles within Fiori. These Task-List have made things very easy for security team members to manage role development task. In this blog I will cover the Task-List which are primarily used to convert SAP delivered Best Practice Business Roles with nomenclature starting with SAP_BR*. SAP have given more than 500 Business role which companies can adapt to a given requirements. These are pre-configured Roles given by SAP and can be adapted as required. This Task-list involves first copying SAP delivered Role into Z naming standard followed by activation of the required associated OData and ICF services automatically and generating the role with option to create test user for testing the role. This process also eliminates issue faced during developing like missing authorization, OData services etc. In one of my projects, we used this process to create over 150 roles within a day. To do the same, we had to create an Excel File which detailed the SAP delivered Business Role name and all the attributes which were copied into Custom Roles. Once the required Business roles were activated, SAP GUI script was developed to update the custom Business Role Descriptions to match the given. requirements.

Note: The SAP_BR*consists of both Groups plus Spaces and Pages concepts. Following S/4HANA 2020 SAP has announced deprecation of SAP Group concept and have introduced more refined Spaces and Pages concept which adheres to orders of tiles as it appears in Fiori Launchpad.

In our case we have embedded SAP S/4 HANA 2020 FSP02 installed, for which SAP has given the following information from SAP Fiori Library.

Figure%201%3A%20SAP%20Fiori%20Reference%20Library

Figure 1: SAP Fiori Reference Library

The SAP provide two task-List for activation of Business Role as shown below:

  • SAP_FIORI_CONTENT_ACTIVATION (Used for SAP Delivered Content SAP_BR*)
  • SAP_FIORI_HCM_CONTENT_ACTIVATION (Used for custom content roles)

For this blog, we will be using the Task-List SAP_FIORI_CONTENT_ACTIVATION.

Furthermore, I will also be publishing another blog for using Task-List SAP_FIORI_HCM_CONTENT_ACTIVATION soon.

Pre-Requisite

It is assumed that basis team have already implement the Task-List SAP_FIORI_FOUNDATION_S4. This will enable to activate all apps within the Business Roles. In this task list you can use single or multiple Business Roles to be activated. For easier maintenances, in our project we clubbed all Functional related Business roles together, like RTR, PTP team etc., This method provides tremendous saving time with no error. This Task-List can activate all the following types of Apps:

  • UI5 (SAP Fiori App)
  • UI5 (SAP Fiori App)
  • GUI (GUI Transaction)
  • WDA (ABAP Web Dynpro Application)
  • WCF (Web Client UI Framework)
  • URL (URL)

Note: Task-List can be run multiple times until everything is activated. If there is an error the Task-List can be run again till everything is green. For initial development in Sandbox the task list SAP_FIORI_CONTENT_ACTIVATION is very handy as this activated all associated Authorization objects which are maintained in SU24 and populated the Org hierarchy with * values. This Task-List also activate all the associated OData and ICF services automatically. The roles are generated automatically and if required it will create a unique Test User ID also. This task list works only with SAP_BR* Business Roles only and not Custom Roles. Rather Custom roles do not show in the filter option.

For this to work Basis team needs to generate a Package (SE80) and the respected Transports (SE10), in our case we will be using Local Object option.

In our case, we will use an example of SAP delivered role SAP_BR_GL_ACCOUNTANT. This role is basically a Shell role with reference to associated Tiles/Apps, Groups along with Spaces and Pages. No authorization is maintained as seen below screen shot.

Figure%202%3A%20SAP%20Business%20Role%3A%20SAP_BR_GL_ACCOUNATANT%20and%20Associated%20Business%20Catalog

Figure 2: SAP Business Role: SAP_BR_GL_ACCOUNATANT and Associated Business Catalog

The launchpad Catalog SAP_SFIN_BC_GL_REVPOACCR highlighted above does not have any underlying IWSG/IWSV components visible, when the same is expanded. The Authorization tab is also empty and is red and nothing is maintained as shown below:

Figure%203%3A%20Authorization%20Tab%20with%20no%20data

Figure 3: Authorization Tab with no data

Case 1: Task-List SAP_FIORI_CONTENT_ACTIVATION

Use the T-Code STC01 to activate the Task-List. But before using the task-list, it is good practice to check if relevant OData and ICF services have been activated. In our project Basis team had activated most of the services. To check the underline services, use the T-code: /N/UI2/FLPCM_CUST.

Figure%204%3A%20T-Code%20/N/UI2/FLPCM_CUST%20Screen

Figure 4: T-Code /N/UI2/FLPCM_CUST Screen

Enter the desired role name and click >> Go >>.

Now, check the service by clicking as shown below:

Figure%205%3A%20Checking%20Business%20Roles%20Services

Figure 5: Checking Business Roles Services

Figure%206%3A%20Business%20Role%20associated%20OData%20Services%20needs%20to%20be%20activated

Figure 6: Business Role associated OData Services needs to be activated

Many OData Services are not activated and the same can be downloaded by using the icon into Excel File and remove duplicate.

Similarly Check ICF service by selecting the Tab >> ICF Services

Figure%207%3A%20Business%20Role%20associated%20ICF%20Services

Figure 7: Business Role associated ICF Services

All ICF Service are maintained and green.

Tip: It is recommended to activate all the associated OData service before proceeding with activating the role. This can be done by using Mass update of ODATA Service of OData service via a task list called SAP_GATEWAY_ACTIVATE_ODATA_SERV.

Figure%208%3A%20Input%20screen%20for%20Task-List%20SAP_GATEWAY_ACTIVATE_ODATA_SERV

Figure 8: Input screen for Task-List SAP_GATEWAY_ACTIVATE_ODATA_SERV

Figure%209%3A%20Co-deployed%20Only%20selected

Figure 9: Co-deployed Only selected

The Final Screen is as follows:

Figure%2010%20Final%20screen%20for%20SAP_GATEWAY_ACTIVATE_ODATA_SERV%20Task-List%20+%20Activated

Figure 10 Final screen for SAP_GATEWAY_ACTIVATE_ODATA_SERV Task-List + Activated

Now Execute and all OData services are activated and green.

Figure%2011%3A%20All%20OData%20Services%20Activated

Figure 11: All OData Services Activated

All the services are green we can now use the T-Code: STC01 to activate the Task-List SAP_FIORI_CONTENT_ACTIVATION.

Figure%2012%3A%20T-Code%20STC01%20Initial%20Screen

Figure 12: T-Code STC01 Initial Screen

When executed the initial screen appears which needs to be maintained. Here we can use single or multiple roles to be activated at a given instance.

Figure%2013%3A%20Input%20screen%20for%20Task-List%20SAP_FIORI_CONTENT_ACTIVATION

Figure 13: Input screen for Task-List SAP_FIORI_CONTENT_ACTIVATION

For every Task within the Task-List to be performed SAP has provided couple of options like Help, Parameter and Parameter Description. It is a good practice to read the documentation. The options under the Parameter tab needs to be defined and populated.

For example, Under the Task Description >> FIORI Select/Confirm SAP Business Roles for FLP content activation >> we can select the help option >> Display Icon >> to review documentation and it also shows under Parameter Description under the given system there are 502 roles.

Figure%2014%3A%20Documentation%20within%20the%20Task-List

Figure 14: Documentation within the Task-List

Here we can select are roles for activating by selecting the >> Parameter Option Icon >> entering the role name and using the >>filter option>> icon.

Note: We can select multiples roles here, for our example we are using single roles.

Figure%2015%3A%20Business%20Role%20Selection%20Screen

Figure 15: Business Role Selection Screen

Select the desired role:

Figure%2016%3A%20One%20Business%20Role%20selected

Figure 16: One Business Role selected

Now click save icon and go back will give you option to save the selection.

Figure%2017%3A%20Saving%20the%20role%20selected

Figure 17: Saving the role selected

By clicking >> Yes>>, the role is selected.

Figure%2018%3A%20Role%20saved%20for%20Task-List

Figure 18: Role saved for Task-List

We need to create role in proper naming convention, under task Description >> Generate new Business Roles with Prefix >> the prefix to be added to the role has already been defined by SAP >> Prefix: Z >> the same can be maintained by clicking the icon under the Parameter

Figure%2019%3A%20Prefix%20Update%20screen%20for%20SAP%20Business%20Role

Figure 19: Prefix Update screen for SAP Business Role

Enter ZFS for prefix. It is limited to only three characters:

  • Z       >>          Custom Name Space
  • F       >>          Fiori Role
  • S      >>          Single role

Figure%2020%3A%20Updated%20Role%20Prefix

Figure 20: Updated Role Prefix

Click go back option and the Prefix option is updated.

Figure%2021%3A%20Task%20List%20showing%20Prefix%20added

Figure 21: Task List showing Prefix added

  • Enter the prefix and the package how the OData services should be created (Leave as it for now).
  • By default, the services are created with prefix Z in package $tmp. (Leave as it for now).
  • If a transportable package is chosen, a workbench request and a customizing request are necessary.
  • The workbench request records data for the OData and ICF service while the customizing request records the system alias assignment to the OData service.
  • You can either create new request and task for your user or select an existing.

Figure%2022%3A%20Screen%20to%20define%20Package%20and%20Transport

Figure 22: Screen to define Package and Transport

Note: Here package needs to be already existing to be used, no action needs to be taken on this screen.

Now, select the option >> Create Users with generated Business Roles (SU01)>>.

Figure%2023%3A%20Define%20Test-User%20Screen

Figure 23: Define Test-User Screen

Here we can maintain the User Type, Password, and Add. Role Assignment.

Figure%2024%3A%20Define%20password%20and%20additional%20role%20for%20Test%20user

Figure 24: Define password and additional role for Test user

Figure%2025%3A%20Task-List%20updated%20with%20test%20user%20information

Figure 25: Task-List updated with test user information

In the option >> FIORI Activate OData Services (/IWFND/MAINT_SERVICE >> leave as it because we have already activated the desired OData and ICF Services.

The final screen is as shown above. After completing the configuration, the task list can be executed by clicking execute. Since we have only one role, we use dialog mode to execute for many roles a background of execution can be adopted. You can run the task list in dialog or background mode.

Once again check the logs to see if everything was successful, or if any errors have occurred.  If you do see any errors or warnings, check the composite note which might give a hint on the root cause.

Click Execute and at bottom of the screen it shows that the task is running.

Figure%2026%3A%20Task-List%20executed%20successfully

Figure 26: Task-List executed successfully

Since the role ZFS_BR_GL_ACCOUNTANT got created need to check and validate the role in PFCG to determine, if the desired IWSG/IWSV components show up.

Figure%2027%3A%20PFCG%20screen%20shot%20of%20the%20new%20Business%20Role%20created%20by%20using%20Task-List

Figure 27: PFCG screen shot of the new Business Role created by using Task-List

The role description highlights the role information, and all tabs are green. Expanding the tab >>Menu >> shows the Catalogs that have been activated with the desired IWSG/IWSV components which are needed for Tiles/Apps to function properly.

Figure%2028%3A%20Shows%20IWSG/IWSV%20Components%20in%20the%20New%20Business%20Role%20created

Figure 28: Shows IWSG/IWSV Components in the New Business Role created

Checking the tab >> Authorization >> everything has been maintained and activated and S_SERVICE object is also seen as shown below:

Figure%2029%3A%20Role%20showing%20the%20object%20S_SERVICE%20generated

Figure 29: Role showing the object S_SERVICE generated

In the above screen any open value for any object has been maintained with * value. Select the option >> Organization levels ..>> the Org values are maintained * in the screen below:

Figure%2030%3A%20Organization%20field%20maintained%20for%20the%20new%20Business%20Role

Figure 30: Organization field maintained for the new Business Role

Now check for the user in the tab >> User >> it created the user.

Figure%2031%3A%20Test-User%20information

Figure 31: Test-User information

Verify and validate the user has two roles assigned in T-Code: SU01.

Figure%2032%3A%20Roles%20assigned%20to%20the%20Test-User

Figure 32: Roles assigned to the Test-User

Now, log in as the test user T251_GLAC to check if the desired Catalog and Tiles show up using T-Code: /N/UI2/FLP and launching Fiori Launchpad

Figure%2033%3A%20Test-User%20Logged%20in%20successfully%20into%20Fiori%20Launchpad

Figure 33: Test-User Logged in successfully into Fiori Launchpad

The Tiles/Apps are visible for the test user T251_GLAC. The role has 135 Tiles/Apps.

By Selecting >> APP Finder >> option, the user can see related Catalogs and associated Tiles/Apps.

Figure%2034%3A%20List%20of%20catalogs%2C%20Tile%20/Apps%20within%20the%20Business%20Role

Figure 34: List of catalogs, Tile /Apps within the Business Role

Note:

In our project we did club roles based on scope together to activate the roles. This is done by selecting the option >> FIORI Enter List of SAP Business Roles to be activated (Optional)>>. Here we can add as many roles needed by cutting and pasting and using the icon >>Upload from Clipboard>>.

Figure%2035%3A%20Inserting%20multiple%20Roles%20into%20Task-List

Figure 35: Inserting multiple Roles into Task-List

The Final screen will look like below:

Figure%2036%3A%20Multiple%20Role%20Selection%20final%20screen

Figure 36: Multiple Roles Selection final screen

Summary:

In this first series of blogs, I have shown steps needed to activate SAP delivered best practice business starting with SA_BR* nomenclature.

Additional Reading

Updated tasklist available for SAP Gateway service activation | SAP Blogs

SAP Fiori for S/4HANA – Rapid Activation Task List Updates and Quick Guide | SAP Blogs

SAP Fiori for SAP S/4HANA – SAP Fiori Security Design Fundamentals | SAP Blogs

New Installation of S/4HANA 1909FPS0 – Part 4 – Rapid Activation for Fiori | SAP Blogs

SAP Fiori for SAP S/4HANA – Combining business catalogs into custom business roles | SAP Blogs

Hope, you would like the blog and would appreciate any comments and provide some feedback.