Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
japneet_singh2
Active Participant

  1. The first step is to identify which services [SVC] are associated with the SAP Fiori app [FAPP]. You can check this in the SAP Fiori apps library.
    URL: https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#/home

  2. Search for the SAP Fiori app [FAPP]. As an example, I am taking the standard SAP Fiori app [FAPP] “Manage outgoing checks”.

  3. Click on Implementation Information and check the associated OData services [SVC]. Refer to the screenshot below for more details.


 

  1. There could be more than one OData service [SVC] associated with the SAP Fiori app [FAPP]. In such a scenario, choose the one that is most relevant, which in this case is “FAP_OUTGOING_CHECKS_SRV”.

  2. Once the SAP Fiori app [FAPP] and OData service [SVC] are identified, add the SAP Fiori app [FAPP] and/or OData service [SVC] in the Actions tab of the Function and press Enter.
    Note: To create rules for services [SVC], you need to run the Authorization Sync for the S4HANA system. To create rules for Fiori apps [FAPP], you need to run the Authorization Sync for the Fiori / Gateway system.



  1. The SAP Fiori app [FAPP] will not have any permissions. The permissions are associated with the service [SVC]. If you only add the SAP Fiori app [FAPP] in the Actions tab, the Permission tab will be empty. OData services [SVC] are available in Action Search like normal transaction codes. You can simply go to the Function and search for the service [SVC]. The moment you add the OData service [SVC] in the Actions tab of the Function, all the associated SU24 permissions will appear automatically in the Permission tab.

    Note: Specific naming conventions are to be followed to create rules for SAP Fiori apps [FAPP] and services [SVC]. Refer to note 2655122 - Prefix / Abbreviation requires Action for creating & running risk analysis.



  1. Now, depending on the type of risk you want to create, you can follow one of the approaches mentioned below.



  • Risk: SAP Fiori app [FAPP] vs SAP Fiori app [FAPP] (Action Level Risk).
    Add SAP Fiori app [FAPP] 1 to Function 1 and SAP Fiori app [FAPP] 2 to Function 2. Maintain Functions 1 and 2 in Risk 1 and generate the rules. While running the risk analysis, the system will only check whether the user/role has access to conflicting SAP Fiori apps [FAPP]. Running risk analysis against the risk will only yield action risks.



  • Risk: OData service [SVC] vs OData service [SVC] (Action and Permission Level Risk).
    Add OData service [SVC] 1 to Function 1 and OData service [SVC] 2 to Function 2. Maintain Functions 1 and 2 in Risk 1 and generate the rules. While running the risk analysis, the system will only check whether the user/role has access to conflicting services [SVC].
    Running risk analysis against the risk will yield action as well as permission risks.

  • Risk: SAP Fiori app [FAPP] and OData service [SVC] combination vs SAP Fiori app [FAPP] and OData service [SVC] (Action and Permission Level Risk).
    Use this approach when you want to check violations at a granular level, identifying the risk for the SAP Fiori app [FAPP] and its corresponding OData service [SVC]. Follow the steps mentioned below.



  1. In the Actions tab, maintain the SAP Fiori app [FAPP]. The permissions will be blank, as the SAP Fiori app [FAPP] does not have any permissions. The permissions are associated with the service [SVC].

  2. In the Permission tab, you need to manually copy and paste the permissions of the service [SVC]. For example, for the SAP Fiori app [FAPP] “Manage outgoing Check (Outgoingcheck-Managelineitems)”, we need to maintain the permissions from OData service [SVC] “FAP_OUTGOING_CHECKS_SRV” against the SAP Fiori app [FAPP]. Once we have pasted the authorizations, we need to link the OData service [SVC] with the SAP Fiori app [FAPP]. That is done by maintaining the hash value of the OData service [SVC] against the SAP Fiori app [FAPP]. The line item highlighted in the screenshot below is the linkage of the OData service [SVC] with the SAP Fiori app [FAPP].

  3. The same process needs to be followed in the other conflicting function.

  4. Once done, generate the rules.
    Running risk analysis against this risk will yield action as well as permission risks.


I have taken a standard SAP Fiori app [FAPP] as an example. If you want to add the standard SAP Fiori app [FAPP] to another standard function, or want to add a custom SAP Fiori app [FAPP], follow the steps mentioned below.

  1. The first step is to fetch the hash value of the OData service [SVC]. This can be fetched from the table USOBHASH in the S4 system.

  2. Once you have the hash value, you can fetch the authorization data from the table USOBT.

  3. You can download the authorizations and use them as per the process mentioned above.
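The three steps above can be scripted over the downloaded table contents. The following is an added example, not part of the original post or of any SAP tooling: the CSV column names, the placeholder hash values, the sample authorization rows, the `[FAPP]` action name and the use of S_SERVICE / SRV_NAME for the linkage row are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports, not real system data. Column names are assumed
# to match a download of USOBHASH and USOBT; hash values are placeholders.
USOBHASH_CSV = """NAME,TYPE,OBJ_NAME
HASH_PLACEHOLDER_0001,HT,FAP_OUTGOING_CHECKS_SRV 0001
HASH_PLACEHOLDER_0002,HT,Z_OTHER_SRV 0001
"""
USOBT_CSV = """NAME,TYPE,OBJECT,FIELD,LOW,HIGH
HASH_PLACEHOLDER_0001,HT,F_PAYR_BUK,ACTVT,02,
HASH_PLACEHOLDER_0001,HT,F_PAYR_BUK,BUKRS,$BUKRS,
HASH_PLACEHOLDER_0002,HT,S_TABU_DIS,ACTVT,03,
"""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def service_hash(service, hash_csv=USOBHASH_CSV):
    """Step 1: resolve the OData service name to exactly one hash value."""
    hits = {r["NAME"] for r in read_rows(hash_csv)
            if r["TYPE"] == "HT" and r["OBJ_NAME"].split()[:1] == [service]}
    if len(hits) != 1:
        # Missing or ambiguous (e.g. several service versions): stop and let
        # the analyst choose, rather than linking the app to the wrong hash.
        raise LookupError(f"{service}: expected 1 hash, found {len(hits)}")
    return hits.pop()


def function_permissions(app_action, service, hash_csv=USOBHASH_CSV,
                         auth_csv=USOBT_CSV):
    """Steps 2-3: collect the service's USOBT rows under the app action and
    append the row that links the app to the service hash."""
    h = service_hash(service, hash_csv)
    rows = [(app_action, r["OBJECT"], r["FIELD"], r["LOW"], r["HIGH"])
            for r in read_rows(auth_csv)
            if r["NAME"] == h and r["TYPE"] == "HT"]
    # Linkage row; S_SERVICE / SRV_NAME is an assumption about where the
    # hash is maintained in the Permission tab.
    rows.append((app_action, "S_SERVICE", "SRV_NAME", h, ""))
    return rows


if __name__ == "__main__":
    for row in function_permissions("[FAPP]Outgoingcheck-Managelineitems",
                                    "FAP_OUTGOING_CHECKS_SRV"):
        print(";".join(row))
```

Reviewing the generated rows before pasting them into the Permission tab confirms that only authorizations belonging to the intended service hash end up in the function.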


 

Important KBA:

  • 2681886 - Instructions to create custom Risk for Fiori apps [FAPP] or ODATA services [SVC] in addition to SAP Standard Ruleset

  • 2655122 - Prefix / Abbreviation requires with Action for creating & running risk analysis


Important Blog:

https://blogs.sap.com/2020/01/17/running-risk-analysis-for-the-sap-s-4hana-and-sap-fiori-system./
9 Comments
Very Good Information and well explained, thanks japneet.singh2 !
Excellent Blog Japneet !! It was very helpful. Thanks Much.
japneet_singh2
Active Participant
0 Kudos
Thanks Gopinath.
japneet_singh2
Active Participant
0 Kudos
You're welcome, Parveen.
koustavpandit
Discoverer
0 Kudos
Excellent Blog Japneet!

One question: how do we add a Fiori app that does have odata service (apps like Webdynpro or SAP GUI) to GRC function so that its permissions are auto-filled from SU24?
former_member226273
Active Participant
0 Kudos
Great blog Japneet ! Very informative and helpful.
plaban_sahoo6
Contributor
0 Kudos
Hi Japneet,

Thank you for the blog post. Could you please clarify the below. I do not have access at the moment. Hence cannot look at the SU24 data of Odata service.

If S_SERVICE is already available as tagged to the OdataService, it should automatically appear as Permission, like other auth. objects.

However, if it is not already available (I do not think so) or is marked Check-No, then it makes sense to add it.

Also, you have mentioned that "...The moment you add the Odata Service[SVC]  in the Action tab of Function, all the associated SU24 Permissions will come automatically in Permission Tab.". But in point 2 you have mentioned "...In the permission tab, you need to manually copy and paste the permission of the Service[SVC]..."

Would you like to clarify this?

Regards

Plaban

 

 
sidzmail
Explorer
0 Kudos
Hello Japneet,

 

Thanks for sharing the excellent document. I do have a query : In the Permission level report, we are getting the SVC details and not the Fiori app id and description. Is there a way to include them as well?
grandhisandeep
Discoverer
0 Kudos

Hi Japneet,

How do we incorporate G4BA service in ruleset? And also how to incorporate the GUI based Fiori apps in ruleset, as they are not having any Odata services but they do have Semantic Object action.

Are we supposed to add [FAPP]SemanticObject-action at Action level for these GUI based Fiori apps and permissions related to the same T-code from SU24?

Or is there any other for the same?

Please provide your inputs

Thank you!