
The SAP FIORI environment has been available on the market for many years. Yet, still, in almost every project I’ve been involved in, many users prefer using the standard SAP GUI interface – an interface whose current form dates back to the early 1990s!

When I ask users and business consultants why this is the case, I often receive responses like, “Oh, it’s just what I’m used to, and with FIORI, it’s just problems – I have access, but I can’t see the applications,” “Something’s always not working, the tiles won’t open, I get browser errors – so I prefer to quickly check things in the GUI,” “In the GUI, I can see everything, but here in FIORI, I don’t see the data, it’s not finding anything.”

Many users immediately associate these types of problems with something complicated, something where analyzing the cause will take a long time and may even require development work. So, they choose the shortcut of going back to the SAP GUI interface, which has already passed its prime and, in terms of visual appeal, data presentation/analysis, and overall capabilities, actually falls short of FIORI applications in almost every way.

To demystify the image of SAP FIORI as an environment where identifying the causes of problems with the visibility or functionality of FIORI tiles seems complicated and time-consuming, in this article, I will describe the causes and solutions for the most common issues – which, as it turns out, are mostly very simple to resolve and don’t require a lot of time. I will also present useful tools for analyzing problem causes, collecting and tracking application logs, and identifying where we can finally fix our application issues.

SAP FIORI – application access architecture

Simply put, SAP FIORI is an overlay for the SAP ERP system – currently most often S/4 HANA, where it serves as the foundational solution. FIORI is built on the SAPUI5 framework based on HTML5, CSS, and JavaScript technologies. This allows FIORI applications to be developed and customized using modern web technologies.

However, the data and applications are still retrieved from the SAP S/4 HANA system, which is based on the ABAP language and with which FIORI is directly integrated. In the current approach, the SAP FIORI Embedded configuration is used, meaning that both the frontend and backend operate within a single SAP system. Below is a diagram of the SAP FIORI application access architecture:

Fig. 1 SAP FIORI application access architecture (diagram inspired by the webinar SAP Fiori Security – authorization debugging)

Layers of integration

As shown in the graphic above, there are three main layers of this integration:

  • Backend Server (BES) – this is the business logic layer we can assume to be our S/4 HANA system. In this layer, business roles are assigned to users. These roles contain information about FIORI applications, such as the catalogs they are located in, OData services (IWSV), ABAP transactions they use, Web Dynpro applications, etc.
  • SAP Frontend Server (FES) – to put it simply, this is what happens in the background of the FIORI environment itself. In this layer, requests for access to the Backend system are sent through the SAP Gateway. This layer also contains access roles with information such as catalogs, groups, and OData services (IWSG).
  • SAP FIORI Launchpad (FLP) is the final layer – visual, directly accessible, and visible to the user. This is where the user launches and views FIORI applications.

At first glance, it’s easy to guess that problems can arise at any of these layers.

The most common problems

Let’s look at the most common issues and their causes.

Attention! Before we continue 😊 The article describes situations where a user theoretically should already have access to specific SAP FIORI applications yet still encounters issues with their visibility or functionality. I also assume that the reader is familiar with transactions such as SUIM, SU01, and PFCG to be able to find the role with the missing authorization object (resulting, for example, from SU53 logs) and assign it to the user, modify the selected existing role, or create a new role in the SAP system.

To remind you, there are two ways to verify if a user already has the appropriate role that theoretically should give them access to a specific FIORI application:

  • For standard SAP FIORI applications, open the publicly accessible SAP FIORI Apps Library, select the category “All apps,” choose the appropriate SAP system version, and in the “Configuration” tab, check the “Business Role(s)” table for the list of roles that grant access to the selected application. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.
Fig. 2 SAP Fiori apps reference library – list of roles with access to FIORI applications
  • For both standard and custom SAP FIORI applications, open the transaction /n/UI2/FLPCM_CUST in SAP GUI, go to the “Tiles/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles” option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.
Fig. 3 Launchpad content manager – list of roles with access to FIORI applications

It’s also worth checking whether the FIORI application you searched for is in the FIORI catalog in the form of (Tile+TM) and whether this catalog is assigned to the FIORI role that the user has or wants to assign to them. To verify this, follow the same steps as in the previous points, but at the end, choose the “Show usage in Roles” option, check the “Reference Details” column, and in the PFCG transaction, ensure that the catalog is assigned to the role that the user has or that you want to assign to them.

Fig. 4 Launchpad content manager – list of catalogs containing Tile + TM

If a given application’s information (Tile + TM) is not available in any catalog, then the missing Tile or TM element must be added to the appropriate FIORI catalog. However, this is a topic for a completely separate article.

For now, I’ve left a link to the SAP Documentation that describes similar cases: SAP Fiori Launchpad Content Manager.

Errors when opening a FIORI tile

Scenario 1.

In the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we get a 403/404 browser error – an example of such an error is shown below:

Fig. 5 Error 403 – application fails to load – no access to content

This indicates that an OData service (a service that communicates between the front and backend) is not functioning correctly, is inactive, or has not been implemented in the system. To analyze and fix this, follow these steps:

Step 1. Run the transaction /n/UI2/FLPCM_CUST

Step 2. In the “Tiles/Target Mappings” tab, find the application in question, select it, and choose the option Services -> Check and Show Services. Check the oData V2 Services and oData V4 Services tabs. Below are screenshots from the transaction:

Fig. 6 Launchpad Content Manager – Check and Show Services
Fig. 7 Launchpad Content Manager – list of application services

If any of the OData services in these tabs have a red status (inactive), you should:

  • go to the transaction /n/IWFND/MAINT_SERVICE, find the inactive OData service in the External Service Name column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate:
Fig. 8 Activate and Maintain Services – activating the OData service

If the service status does not change and you receive a system message stating that the service cannot be activated, select ICF Node -> Configure SICF. You will be redirected to the SICF transaction, directly to the tree of objects containing the service. If it is deactivated (grayed out), right-click on it and choose Activate Service, then confirm by selecting the second option, Yes, in the next window, as shown in the screenshots below:

Fig. 9 Activate and maintain services – navigating to SICF configuration
Fig. 10 Define services – activating the ICF service

It will now be active when you return to your service in the /n/IWFND/MAINT_SERVICE transaction. Its status will also change to “green” in the OData tabs in the /n/UI2/FLPCM_CUST transaction mentioned at the beginning of Step 2.

Once the services are implemented and activated, return to your service in the /n/IWFND/MAINT_SERVICE transaction, where it will now be active. Its status will also change to “green” in the OData tabs in the /n/UI2/FLPCM_CUST transaction mentioned at the beginning of Step 2.

Step 3. Test the application’s functionality in the SAP FIORI Launchpad, preferably after refreshing the page, clearing the browser’s cookies/cache, or logging back into SAP FIORI.

Scenario 2.

In the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we receive a 403/500 browser error – request failed, for example:

Fig. 11 Error – issue with loading the UI5 component

You should proceed in the same way as in Scenario 1, with the difference that in Step 2, you need to check the ICF Services tab. If any ICF service is inactive, you should select it and choose the Define Services option, and then activate the ICF service in the same way as in Scenario 1 – Step 2, when the system redirected us to the SICF transaction:

Fig. 12 Launchpad Content Manager – inactive ICF service
Fig. 13 Define services – activating the ICF service

The 403/500 error – Request Failed or Component Failed may also have a direct authorization-related cause in the SAP S/4 HANA system. The user may not have the necessary authorizations for the S_RFCACL authorization object, which we can diagnose using the SU53, STAUTHTRACE, or App Support (in FIORI) transactions. I will mention these tools further in the article.

Scenario 3.

The steps taken in Scenarios 1 and 2 did not help, and additionally, we are receiving the following message:

Fig. 14 Error – problem loading content – UI5 component

This means that the application still cannot locate a particular oData service and, consequently, the ICF service as well. To verify this, you should perform Step 1 and Step 2 from Scenario 1 and check if the number of oData V2 and V4 services matches the documentation for this application in the FIORI Library. Any service that is missing should be added similarly to Scenario 1, Step 2(b).

Fig. 15 SAP Fiori Apps Reference – information about ICF and oData services used by the application

Authorization errors in CDS views

CDS (Core Data Services) views in SAP allow the creation of advanced, efficient, and complex data models and application logic at the database level. These views can be accessed via SAP FIORI. Still, access to the mentioned data models (Virtual Data Model) in CDS views is always controlled through a combination of the following authorizations:

  • Classic authorization object checks – through authorization checks in ABAP code, such as objects (S_TCODE, S_START, S_SERVICE, SDDLVIEW, etc.) – occur when the application is started.
  • User authorization verification at the CDS view data source level happens dynamically while using the view as it fetches additional data. Permissions in the CDS view code are continually compared to the user authorizations in PFCG.

Below is a diagram comparing the classic approach to authorization verification for ABAP-based applications with the DCL approach for CDS views:

Fig. 16 Comparison of the standard ABAP approach with the DCL approach for CDS views (diagram inspired by the webinar SAP Fiori Security – Authorization Debugging)

The DCL (Data Control Language) approach defines what data a user can view, depending on their permissions. It is mainly used to restrict access to data at the record level (row-level security) and at the column level (column-level security) in CDS data models.

Once defined, authorization rules are automatically applied to all queries using the given CDS view, ensuring consistency and reducing the risk of errors. This allows for dynamic and context-sensitive data access adjustments based on user attributes, which is harder to achieve with the classic approach.

Due to their more flexible and efficient operation, CDS views and the DCL approach are also increasingly used in standard SAP transactions. An example is the Display Material (MM03) application.

User tracking and simulation of data access in CDS

In transaction STAUTHTRACE, I initiated user tracking to verify which authorizations I am attempting to use. After starting the Display Material (MM03) application, I received the following logs:

Fig. 17 System Trace for authorization checks – logs with results of individual authorizations – including CDS views

As seen in the CDS Entity column, there is information that some of the data displayed to me in the Display Material (MM03) application comes from a CDS view, and access to this data is authorized at the CDS view level. An important note is that such information will not be available in SU53!

Therefore, for more detailed verification of logs/authorization errors, it is also advisable to use transaction STAUTHTRACE. Furthermore, from the logs, I can directly navigate to the CDS Access Control application, allowing me to verify what is being checked in the CDS view to display the appropriate data. Below is an example of the previously invoked view:

Fig. 18 CDS access control – database script for CDS view with authorization query

As shown, there is a fragment of code that, at the CDS view level, compares the values of authorization objects provided here with the authorization objects held by the user currently viewing the CDS view and decides whether the specific data set can be displayed.

In the example above, this data set pertains to access to product groups (object M_MATE_MAT, field: BEGRU). The CDS view checks what access the user has to the object and displays data only for those product groups (BEGRU) where the user has the activity values 03 (display) and F4 (display in value help).

Therefore, unlike the classic approach, the system does not check every activity value (field ACTVT) for the product groups from the BEGRU field in the ABAP script. Instead, it “fetches” the user’s accesses (activities) to the values in the BEGRU field and, at the database script level, checks if these values are among those specified in the CDS view query. If they are, the data is displayed. A beneficial tool for verifying what data a specific user can access in a view is the CDS Access Control Runtime Simulator (SACM):

Fig. 19 Access Control Management – tool selection screen
Fig. 20 CDS Access Control Runtime Simulator – Access Simulation Selection screen for a selected user
Fig. 21 ACM Runtime Simulator – results of Access Simulation to CDS view for a user with full access
Fig. 22 ACM Runtime Simulator – results of Access Simulation to CDS view for a user with limited access

In Fig. 20, it is clear that my user can access all data in this view. However, in Fig. 21, a user with different roles can only access one product group marked as XYZ. Only data for this product group will be displayed to them in the application using this CDS view.

This is very useful when a user cannot see some data and receives no authorization error, nor does it appear in SU53. In such cases, combining STAUTHTRACE and SACM tools significantly eases the problem analysis.
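
The difference between the two approaches, and why a missing row leaves nothing in SU53, can be modelled in a few lines. This is an added example, not SAP code and not taken from the view shown above: the materials, user names and authorizations are constructed, and it assumes a product group qualifies only when the user holds every activity the rule lists (03 and F4).

```python
def _matches(pattern, value):
    """PFCG-style value match: an exact value, or a prefix ending in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def granted(auths, begru, actvt):
    """True if a single M_MATE_MAT authorization covers this BEGRU/ACTVT pair."""
    return any(
        any(_matches(p, begru) for p in auth["BEGRU"])
        and any(_matches(p, actvt) for p in auth["ACTVT"])
        for auth in auths
    )


def classic_read(rows, auths, actvt="03"):
    """Classic approach: one explicit check per record; every failure is an event."""
    shown, denied = [], []
    for row in rows:
        target = shown if granted(auths, row["BEGRU"], actvt) else denied
        target.append(row["MATNR"])
    return shown, denied


def dcl_read(rows, auths, rule_actvt=("03", "F4")):
    """DCL approach: the rule acts as a row filter; unauthorized rows are just absent."""
    return [
        row["MATNR"]
        for row in rows
        if all(granted(auths, row["BEGRU"], actvt) for actvt in rule_actvt)
    ]


# Constructed sample data: materials with their authorization group (BEGRU).
MATERIALS = [
    {"MATNR": "MAT-001", "BEGRU": "XYZ"},
    {"MATNR": "MAT-002", "BEGRU": "ABC"},
    {"MATNR": "MAT-003", "BEGRU": "XYZ"},
]

# Constructed users: each dict is one M_MATE_MAT authorization from a PFCG role.
USERS = {
    "FULL_ACCESS": [{"BEGRU": ["*"], "ACTVT": ["*"]}],
    "LIMITED": [{"BEGRU": ["XYZ"], "ACTVT": ["03", "F4"]}],
    "NO_F4": [{"BEGRU": ["ABC"], "ACTVT": ["03"]}],
}

if __name__ == "__main__":
    for name, auths in USERS.items():
        print(name, "DCL rows:", dcl_read(MATERIALS, auths))
        print(name, "classic shown/denied:", classic_read(MATERIALS, auths))
```

The NO_F4 user gets an empty list from the filter and no denial to look up, which is the situation where STAUTHTRACE and SACM are needed.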

Error analysis tools + most commonly detected errors

SU53

This is a tool that hardly needs an introduction; it is an absolute classic for analyzing authorization issues in both ABAP and FIORI systems 😊

In the context of FIORI application functionality, the most common problem is the lack of user authorization for the relevant services (e.g., ODATA) defined in the authorization object S_SERVICE. This will cause issues with opening applications or even result in a lack of access to specific data or options.

Below is an example of such logs in transaction SU53:

Fig. 23 Example errors related to lack of access to oData Services in authorization Object S_SERVICE

To resolve this, you need to either find a role that already contains the object with that value (e.g., using transaction SUIM) or add this value to the S_SERVICE object in an existing role using transaction PFCG:

Fig. 24 Transaction PFCG – adding oData Services as values to the authorization Object S_SERVICE in a role

A limitation of SU53 is that it does not provide logs for all types of authorization errors; for example, it does not include logs for errors related to CDS view authorizations defined at the CDS view code level.

TIP! As soon as you know that a FIORI application has been affected and check the logs in SU53, it is advisable to save them immediately, as they are only visible for a limited time. This way, you avoid asking the user to “regenerate” the error 😊 Alternatively, you can ask the user to download and send us the logs.

App Support

Put simply, this is the equivalent of SU53 but available directly from the SAP FIORI Launchpad. However, this application is not available by default; it must be activated, and the FIORI catalog must be added to the roles we select in SAP. The application appears as follows:

Fig. 25 Main screen of the App Support Application (Source: SAP Fiori for SAP S/4HANA – 10 health checks for the SAP Fiori launchpad)

SAP documentation on how to activate the application for users: Setting Up App Support.

STAUTHTRACE

This tool allows you to track which authorization objects are checked during specific user operations. This helps identify which authorizations are required and which are causing problems. You can select the range of users for whom you want to enable tracing and specify the operations you want to track:

Fig. 26 System Trace for Authorization Checks – STAUTHTRACE

This tool will also indicate errors related to permissions for CDS views.

/n/IWFND/ERROR_LOG

This diagnostic tool allows verification of error logs during the processing of oData service requests – errors related to communication between SAP Gateway and the backend system, including data processing issues:

Fig. 27 SAP Gateway Error Log – Frontend

/n/IWBEP/ERROR_LOG

Similar to the previous tool, it allows verification of error logs during oData request processing, but on the backend side. It also helps analyze errors related to the RFC authorization object – S_RFCACL mentioned earlier:

Fig. 28 SAP Backend Error Log

ST22

A transaction used for analyzing ABAP errors. It is included here because sometimes what initially appears to be an authorization error may not be one 😊 For example, if a user receives an unclear error message that suggests a lack of access and there are no error logs in transaction SU53, it is worth checking the logs in transaction ST22 to determine if it is an ABAP/developer error:

Fig. 29 ABAP Runtime Errors – ST22

Browser Developer Tools (Chrome, Firefox, Edge, Opera, etc.)

Many things in SAP FIORI occur at the browser level, so using built-in developer tools and their consoles can help pinpoint the source of potential problems – verify what request was made and which service/function caused the error. Below is a screenshot of an example error and the information that can be read from the developer tool:

Fig. 30 DevTools in Google Chrome – Highlighted Segment Indicating a Problem with a Specific oData Service
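
When a user can only send a HAR file exported from the browser's Network tab, the failing requests can be grouped by service and mapped to the checks from Scenarios 1 and 2. The script below is an added example, not part of the original article: the host, service and app names are constructed, and it assumes the default ICF paths /sap/opu/odata/, /sap/opu/odata4/ and /sap/bc/ui5_ui5/.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Default SAP ICF path prefixes (assumption: standard nodes, no external aliases).
ODATA_PREFIXES = ("/sap/opu/odata4/", "/sap/opu/odata/")
UI5_PREFIX = "/sap/bc/ui5_ui5/"


def classify(url):
    """Return (layer, name) for a request URL, or (None, None) for other content."""
    path = urlsplit(url).path
    lower = path.lower()
    for prefix in ODATA_PREFIXES:
        if lower.startswith(prefix):
            segs = [s for s in path[len(prefix):].split("/") if s]
            # <namespace>/<service>, with any ";v=..." suffix removed.
            # Assumption: for OData V4 URLs these two segments name the service group.
            return "odata", "/".join(s.split(";")[0] for s in segs[:2])
    if lower.startswith(UI5_PREFIX):
        segs = [s for s in path[len(UI5_PREFIX):].split("/") if s]
        return "ui5", "/".join(segs[:2])
    return None, None


def next_check(layer, status):
    """Map a failing request to the check this article describes for it."""
    if layer == "odata" and status in (403, 404):
        return "Scenario 1: service status in /IWFND/MAINT_SERVICE"
    if layer == "ui5" and status in (403, 500):
        return "Scenario 2: ICF Services tab / SICF, then S_RFCACL via STAUTHTRACE"
    if layer == "odata":
        return "/IWFND/ERROR_LOG and /IWBEP/ERROR_LOG"
    return "SU53 / STAUTHTRACE"


def triage(har_text):
    """Summarise failing SAP requests in a HAR export as a sorted list of findings."""
    seen = Counter()
    for entry in json.loads(har_text)["log"]["entries"]:
        status = entry["response"]["status"]
        layer, name = classify(entry["request"]["url"])
        if layer and status >= 400:
            seen[(layer, name, status)] += 1
    return [
        {"layer": l, "name": n, "status": s, "count": c, "next": next_check(l, s)}
        for (l, n, s), c in sorted(seen.items())
    ]


def _entry(url, status):
    """Build one minimal HAR entry (only the fields triage() reads)."""
    return {"request": {"method": "GET", "url": url}, "response": {"status": status}}


# Constructed sample capture; host, services and apps are placeholders.
HOST = "https://fiori.example.com"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry(HOST + "/sap/bc/ui5_ui5/sap/zdemo_material/Component-preload.js", 200),
    _entry(HOST + "/sap/opu/odata/sap/ZDEMO_MATERIAL_SRV/$metadata?sap-language=EN", 403),
    _entry(HOST + "/sap/opu/odata/sap/ZDEMO_MATERIAL_SRV/$batch", 403),
    _entry(HOST + "/sap/opu/odata/sap/ZDEMO_PLANT_SRV;v=0002/Plants", 404),
    _entry(HOST + "/sap/bc/ui5_ui5/sap/zdemo_report/Component.js", 500),
    _entry("https://cdn.example.com/font.woff", 404),
]}})

if __name__ == "__main__":
    for finding in triage(SAMPLE_HAR):
        print(finding)
```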

Additional useful tools

  • /UI5/APP_INDEX_CALCULATE – this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems—especially if changes have been made.
  • /n/IWFND/CACHE_CLEANUP – in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.
  • SM20 (Security Audit Log) – used to review user logs, such as their transactions.
  • SLG1 – Used to review system logs triggered by the user, such as in a specific transaction or program.
  • HTTP Trace Tools – various tools for monitoring HTTP or oData requests in the context of SAP FIORI applications. You can review detailed information about each request, such as the method (GET, POST, PUT, DELETE), headers, body, response status, response time, and more.

Other errors

Fig. 31 Edit Home Page – accessing the application

Summary

Although managing the access and visibility of applications and data within the SAP FIORI environment may seem challenging, knowing the right tools and common issues can greatly simplify the process.

It is helpful to prepare a so-called task list with potential problems, solutions, and instructions to address them and systematically apply it when the cause is unclear. Over time, this approach becomes second nature, and you can identify and resolve issues in just a few minutes. Additionally, in today’s world, it is beneficial to utilize AI-powered tools that can provide valuable insights and even offer step-by-step solutions. I hope this article proves helpful and aids in the rapid resolution of common issues, ultimately encouraging end-users to use FIORI applications instead of the traditional GUI 😊

Author
Mateusz Palus

He has been associated with the IT industry for 8 years, specializing in SAP system administration (SAP BASIS), focusing on Authorization & Security. His main responsibility is providing direct support to clients, ensuring they have the appropriate access, and maintaining the systems. Privately, he is interested in sports history, particularly football, and in broader aspects of pop culture, including film and music.
