SAP FIORI \u2013 application access architecture<\/strong><\/h2>\n\n\n\nSimply put, SAP FIORI is an overlay for the SAP ERP system \u2013 currently most often S\/4 HANA, where it serves as the foundational solution. FIORI is built on the SAPUI5 framework based on HTML5, CSS, and JavaScript technologies. This allows FIORI applications to be developed and customized using modern web technologies.<\/p>\n\n\n\n
However, the data and applications are still retrieved from the SAP S\/4 HANA system, which is based on the ABAP language and with which FIORI is directly integrated. In the current approach, the SAP FIORI Embedded configuration is used, meaning that both the frontend and backend operate within a single SAP system. Below is a diagram of the SAP FIORI application access architecture:<\/p>\n\n\n\n![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-01-EN-Architektura-dostepu-do-aplikacji-SAP-FIORI-1024x724.jpg\")
<\/a>Fig. 1 SAP FIORI application access architecture (diagram inspired by the webinar SAP Fiori Security \u2013 authorization debugging<\/a>)<\/figcaption><\/figure>\n\n\n\nLayers of integration<\/strong><\/h3>\n\n\n\nAs shown in the graphic above, there are three main layers of this integration:<\/p>\n\n\n\n
\n- Backend Server (BES)<\/strong> \u2013 this is the business logic layer we can assume to be our S\/4 HANA system. In this layer, business roles are assigned to users. These roles contain information about FIORI applications, such as the catalogs they are located in, OData services (IWSV), ABAP transactions they use, Web Dynpro applications, etc.<\/li>\n\n\n\n
- SAP Frontend Server (FES<\/strong>) \u2013 to put it simply, this is what happens in the background of the FIORI environment itself. In this layer, requests for access to the Backend system are sent through the SAP Gateway. This layer also contains access roles with information such as catalogs, groups, and OData services (IWSG).<\/li>\n\n\n\n
- SAP FIORI Launchpad (FLP)<\/strong> is the final layer \u2013 visual, directly accessible, and visible to the user. This is where the user launches and views FIORI applications.<\/li>\n<\/ul>\n\n\n\n
At first glance, it’s easy to guess that problems can arise at any of these layers.<\/p>\n\n\n\n
The most common problems<\/strong><\/h3>\n\n\n\nLet’s look at the most common issues and their causes.<\/p>\n\n\n\n
Attention!<\/strong> Before we continue \ud83d\ude0a The article describes situations where a user theoretically should already have access to specific SAP FIORI applications yet still encounters issues with their visibility or functionality. I also assume that the reader is familiar with transactions such as SUIM, SU01, and PFCG to be able to find the role with the missing authorization object (resulting, for example, from SU53 logs) and assign it to the user, modify the selected existing role, or create a new role in the SAP system.<\/p>\n\n\n\nTo remind you, there are two ways to verify if a user already has the appropriate role that theoretically should give them access to a specific FIORI application:<\/p>\n\n\n\n
\n- For standard SAP FIORI applications, open the publicly accessible SAP FIORI Apps Library<\/a>, select the category “All apps,” choose the appropriate SAP system version, and in the “Configuration” tab, check the “Business Role(s)” table for the list of roles that grant access to the selected application. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-02-SAP-Fiori-Apps-Reference-Library-lista-rol-z-dostepem-do-aplikacji-FIORI-1024x482.png\")
<\/a>Fig. 2 SAP Fiori apps reference library \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\n\n- For both standard and custom SAP FIORI applications, open the transaction \/n\/UI2\/FLPCM_CUST<\/strong> in SAP GUI, go to the “Tiles\/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles”<\/strong> option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
![\"Launchpad](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-03-Launchpad-Content-Manager-lista-rol-z-dostepem-do-aplikacji-FIORI-1024x523.png\")
<\/a>Fig. 3 Launchpad content manager \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\nIt’s also worth checking whether the FIORI application you searched for is in the FIORI catalog in the form of (Tile+TM) and whether this catalog is assigned to the FIORI role that the user has or wants to assign to them. To verify this, follow the same steps as in the previous points, but at the end, choose the “Show usage in Roles<\/strong>” option, check the “Reference Details<\/strong>” column, and in the PFCG transaction, ensure that the catalog is assigned to the role that the user has or that you want to assign to them.<\/p>\n\n\n\n![\"Launchpad](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-04-Launchpad-Content-Manager-lista-katalogow-zawierajacych-Tile-TM-1024x523.png\")
<\/a>Fig. 4 Launchpad content manager \u2013 list of catalogs containing Tile + TM<\/figcaption><\/figure>\n\n\n\nIf a given application’s information (Tile + TM) is not available in any catalog, then the missing Tile or TM element must be added to the appropriate FIORI catalog. However, this is a topic for a completely separate article. <\/p>\n\n\n\n
For now, I’ve left a link to the SAP Documentation that describes similar cases: SAP Fiori Launchpad Content Manager<\/a>.<\/p>\n\n\n\nErrors when opening a FIORI tile<\/strong><\/h2>\n\n\n\nScenario 1.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we get a 403\/404 browser error \u2013 an example of such an error is shown below:<\/p>\n\n\n\n![\"Error](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-05-Blad-403-aplikacja-nie-wczytuje-sie-brak-dostepu-do-zawartosci-1024x477.png\")
<\/a>Fig. 5 Error 403 \u2013 application fails to load \u2013 no access to content<\/figcaption><\/figure>\n\n\n\nThis indicates that an OData service (a service that communicates between the front and backend) is not functioning correctly, is inactive, or has not been implemented in the system. To analyze and fix this, follow these steps:<\/p>\n\n\n\n
Step 1. Run the transaction \/n\/UI2\/FLPCM_CUST<\/strong> <\/p>\n\n\n\nStep 2. In the “Tiles\/Target Mappings<\/strong>” tab, find the application in question, select it, and choose the option Services -> Check and Show Services<\/strong>. Check the oData V2 Services<\/strong> and oData V4 Services<\/strong> tabs. Below are screenshots from the transaction:<\/p>\n\n\n\n![\"Launchpad](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-06-Launchpad-Content-Manager-Check-and-Show-Services-1024x522.png\")
<\/a>Fig. 6 Launchpad Content Manager \u2013 Check and Show Services<\/figcaption><\/figure>\n\n\n\n![\"Launchpad](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-07-Launchpad-Content-Manager-lista-serwisow-aplikacji-1024x522.png\")
<\/a>Fig. 7 Launchpad Content Manager \u2013 list of application services<\/figcaption><\/figure>\n\n\n\nIf any of the OData services in these tabs have a red status (inactive), you should:<\/p>\n\n\n\n
\n- go to the transaction \/n\/IWFND\/MAINT_SERVICE<\/strong>, find the inactive OData service in the External Service Name<\/strong> column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate<\/strong>:<\/li>\n<\/ul>\n\n\n\n
![\"Activate](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-08-Activate-and-Maintain-Services-aktywacja-serwisu-oData-1024x527.png\")
<\/a>Fig. 8 Activate and Maintain Services – activating the OData service<\/figcaption><\/figure>\n\n\n\nIf the service status does not change and you receive a system message stating that the service cannot be activated, select ICF Node \u2013> Configure SICF<\/strong>. You will be redirected to the SICF<\/strong> transaction,directly to the tree of objects containing the service. If it is deactivated (grayed out), right-click on it and choose Activate Service<\/strong>, then confirm by selecting the second option, Yes,<\/strong> in the next window, as shown in the screenshots below:<\/p>\n\n\n\n![\"Activate](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-09-Activate-and-Maintain-Services-przejscie-do-konfiguracji-SICF-1024x526.png\")
<\/a>Fig. 9 Activate and maintain services \u2013 navigating to SICF configuration<\/figcaption><\/figure>\n\n\n\n![\"Define](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-10-Define-Services-aktywacja-serwisu-ICF-1024x473.png\")
<\/a>Fig. 10 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nIt will now be active when you return to your service in the \/n\/IWFND\/MAINT_SERVICE transaction. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\n\n- go to the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction and search for the inactive OData service in the External Service Name<\/strong> column. It has not been implemented in your system if you cannot find it. How can you implement it? Refer to the following articles:\n
\n- for oData V2: SAP Note 2525224 \u2013 Missing OData Service when Attempting to Add Service in \/IWFND\/MAINT_SERVICES<\/a> and Activate OData Services for Sana SAP Fiori Apps<\/a><\/li>\n\n\n\n
- for oData V4: Publish\/Activate an oData V4 Service Group in SAP<\/a> and OData V4 Service Catalog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the services are implemented and activated, return to your service in the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction, where it will now be active. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\nStep 3<\/strong>. Test the application’s functionality in the SAP FIORI Launchpad, preferably after refreshing the page, clearing the browser’s cookies\/cache, or logging back into SAP FIORI.<\/p>\n\n\n\nScenario 2.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we receive a 403\/500 browser error \u2013 request failed, for example:<\/p>\n\n\n\n![\"Error](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-11-Blad-problem-z-zaladowaniem-komponentu-UI5-1024x493.png\")
<\/a>Fig. 11 Error \u2013 issue with loading the UI5 component<\/figcaption><\/figure>\n\n\n\nYou should proceed in the same way as in Scenario 1, with the difference that in Step 2, you need to check the ICF Services<\/strong> tab. If any ICF service is inactive, you should select it and choose the Define Services<\/strong> option, and then activate the ICF service in the same way as in Scenario 1 \u2013 Step 2, when the system redirected us to the SICF transaction:<\/p>\n\n\n\n![\"Launchpad](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-12-Launchpad-Content-Manager-nieaktywny-serwis-ICF-1024x526.png\")
<\/a>Fig. 12 Launchpad Content Manager \u2013 inactive ICF service<\/figcaption><\/figure>\n\n\n\n![\"Define](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-13-Define-Services-aktywacja-serwisu-ICF-1024x502.png\")
<\/a>Fig. 13 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nThe 403\/500 error \u2013 Request Failed or Component Failed may also have a direct authorization-related cause in the SAP S\/4 HANA system. The user may not have the necessary authorizations for the S_RFCACL<\/strong> authorization object, which we can diagnose using the SU53, STAUTHTRACE, or App Support (in FIORI) transactions. I will mention these tools further in the article.<\/p>\n\n\n\nScenario 3.<\/strong><\/h3>\n\n\n\nThe steps taken in Scenarios 1 and 2 did not help, and additionally, we are receiving the following message:<\/p>\n\n\n\n![\"Error](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-14-Blad-problem-z-zaladowniem-zawartosci-komponentu-UI5.png\")
<\/a>Fig. 14 Error \u2013 problem loading content \u2013 UI5 component<\/figcaption><\/figure>\n\n\n\nThis means that the application still cannot locate a particular oData service and, consequently, the ICF service as well. To verify this, you should perform Step 1 and Step 2 from Scenario 1 and check if the number of oData V2 and V4 services matches the documentation for this application in the FIORI Library.<\/a> Any service that is missing should be added similarly to Scenario 1, Step 2(b).<\/p>\n\n\n\n![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-15-SAP-Fiori-Apps-Reference-informacje-o-uzywanych-przez-aplikacje-serwisach-ICF-i-oData-1024x486.png\")
<\/a>Fig. 15 SAP Fiori Apps Reference \u2013 information about ICF and oData services used by the application<\/figcaption><\/figure>\n\n\n\n![\"job](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/12\/praca-k-EN-3.jpg\")
<\/a><\/figure>\n\n\n\nAuthorization errors in CDS views<\/strong><\/h2>\n\n\n\nCDS (Core Data Services) views in SAP allow the creation of advanced, efficient, and complex data models and application logic at the database level. These views can be accessed via SAP FIORI. Still, access to the mentioned data models (Virtual Data Model) in CDS views is always controlled through a combination of the following authorizations:<\/p>\n\n\n\n
\n- Classic authorization object checks \u2013 through authorization checks in ABAP code, such as objects (S_TCODE, S_START, S_SERVICE, SDDLVIEW, etc.) \u2013 occur when the application is started.<\/li>\n\n\n\n
- User authorization verification at the CDS view data source level happens dynamically while using the view as it fetches additional data. Permissions in the CDS view code are continually compared to the user authorizations in PFCG.<\/li>\n<\/ul>\n\n\n\n
Below is a diagram comparing the classic approach to authorization verification for ABAP-based applications with the DCL approach for CDS views:<\/p>\n\n\n\n![\"omparision](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-16-EN-Porownanie-standardowego-podejscia-ABAP-z-podejsciem-DCL-dla-widokow-CDS-1-1024x724.jpg\")
<\/a>Fig. 16 Comparision of standard ABAP approach with DCL approach for CDS views (diagram inspired from webinar SAP Fiori Security \u2013 Authorization Debugging<\/a>)<\/figcaption><\/figure>\n\n\n\nThe DCL (Data Control Language)<\/strong> approach defines what data a user can view, depending on their permissions. It is mainly used to restrict access to data at the record level (row-level security) and at the column level (column-level security) in CDS data models.<\/p>\n\n\n\nOnce defined, authorization rules are automatically applied to all queries using the given CDS view, ensuring consistency and reducing the risk of errors. This allows for dynamic and context-sensitive data access adjustments based on user attributes, which is harder to achieve with the classic approach.<\/p>\n\n\n\n
Due to their more flexible and efficient operation, CDS views and the DCL approach are also increasingly used in standard SAP transactions. An example is the Display Material (MM03) application.<\/p>\n\n\n\n
User tracking<\/strong> and simulation of data access in CDS<\/h3>\n\n\n\nIn transaction STAUTHTRACE<\/strong>, I initiated user tracking to verify which authorizations I am attempting to use. After starting the Display Material (MM03) application, I received the following logs:<\/p>\n\n\n\n![\"System](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-17-System-Trace-for-Authorization-Checks-logi-z-rezultatami-poszczegolnych-autoryzacji-rowniez-do-widokow-CDS-1024x522.png\")
<\/a>Fig. 17 System Trace for authorization checks \u2013 logs with results of individual authorizations \u2013 including CDS views<\/figcaption><\/figure>\n\n\n\nAs seen in the CDS Entity column, there is information that some of the data displayed to me in the Display Material (MM03) application comes from a CDS view, and access to this data is authorized at the CDS view level. An important note is that such information will not be available in SU53!<\/p>\n\n\n\n
Therefore, for more detailed verification of logs\/authorization errors, it is also advisable to use transaction STAUTHTRACE. Furthermore, from the logs, I can directly navigate to the CDS Access Control application, allowing me to verify what is being checked in the CDS view to display the appropriate data. Below is an example of the previously invoked view:<\/p>\n\n\n\n![\"CDS](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-18-CDS-Access-Control-skrypt-bazodanowy-dla-widoku-CDS-z-zapytaniem-o-autoryzacje-1024x666.png\")
<\/a>Fig. 18 CDS access control \u2013 database script for CDS view with authorization query<\/figcaption><\/figure>\n\n\n\nAs shown, there is a fragment of code that, at the CDS view level, compares the values of authorization objects provided here with the authorization objects held by the user currently viewing the CDS view and decides whether the specific data set can be displayed.<\/p>\n\n\n\n
In the example above, this data set pertains to access to product groups (object M_MATE_MAT, field: BEGRU). The CDS view checks what access the user has to the object and displays data only for those product groups (BEGRU) where the user has the activity values 03 (display) and F4 (display in value help).<\/p>\n\n\n\n
Therefore, unlike the classic approach, the system does not check every activity field value (ACTVT) value for the data product groups from the BEGRU field in the ABAP script. Instead, it “fetches” the user’s accesses (activities) to the values in the BEGRU field and, at the database script level, checks if these values are among those specified in the CDS view query. If they are, the data is displayed. A beneficial tool for verifying what data a specific user can access in a view is the CDS Access Control Runtime Simulator (SACM):<\/strong><\/p>\n\n\n\n![\"Access](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-19-Access-Control-Management-ekran-wyboru-narzedzia-1024x290.png\")
<\/a>Fig. 19 Access Control Management \u2013 tool selection screen<\/figcaption><\/figure>\n\n\n\n![\"CDS](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-20-CDS-Access-Control-Runtime-Simulator-ekran-wyboru-symulacji-dostepow-CDS-dla-wybranego-uzytkownika.png\")
<\/a>Fig. 20 CDS Access Control Runtime Simulator \u2013 Access Simulation Selection screen for a selected user<\/figcaption><\/figure>\n\n\n\n![\"ACM](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-21-ACM-Runtime-Simulator-rezultaty-symulacji-dostepow-do-widoku-CDS-uzytkownika-z-pelnym-dostepem-1024x398.png\")
<\/a>Fig. 21 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with full access<\/figcaption><\/figure>\n\n\n\n![\"ACM](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-22-ACM-Runtime-Simulator-rezultaty-symulacji-dostepow-do-widoku-CDS-uzytkownika-z-ograniczonym-dostepem-1024x398.png\")
<\/a>Fig. 22 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with limited access<\/figcaption><\/figure>\n\n\n\nIn Fig. 20, it is clear that my user can access all data in this view. However, in Fig. 21, a user with different roles can only access one product group marked as XYZ. Only data for this product group will be displayed to them in the application using this CDS view.<\/p>\n\n\n\n
This is very useful when a user cannot see some data and receives no authorization error, nor does it appear in SU53. In such cases, combining STAUTHTRACE and SACM tools significantly eases the problem analysis.<\/p>\n\n\n\n
Error analysis tools + most commonly detected errors<\/strong><\/h2>\n\n\n\nSU53<\/strong><\/h3>\n\n\n\nThis is a tool that hardly needs an introduction; it is an absolute classic for analyzing authorization issues in both ABAP and FIORI systems \ud83d\ude0a<\/strong><\/p>\n\n\n\nIn the context of FIORI application functionality, the most common problem is the lack of user authorization for the relevant services (e.g., ODATA) defined in the authorization object S_SERVICE. This will cause issues with opening applications or even result in a lack of access to specific data or options.<\/p>\n\n\n\n
Below is an example of such logs in transaction SU53:<\/p>\n\n\n\n![\"Example](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-23-Przykladowe-bledy-zwiazane-z-brakiem-dostepu-do-serwisow-oData-w-obiekcie-autoryzacyjnym-S_SERVICE-1024x371.png\")
<\/a>Fig. 23 Example errors related to lack of access to oData Services in authorization Object S_SERVICE<\/figcaption><\/figure>\n\n\n\nTo resolve this, you need to either find a role that already contains the object with that value (e.g., using transaction SUIM) or add this value to the S_SERVICE object in an existing role using transaction PFCG:<\/p>\n\n\n\n![\"Transaction](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-24-Transakcja-PFCG-dodawnie-serwisow-oData-jako-wartosci-do-obiektu-autoryzacyjnego-S_SERVICE-w-roli-1024x690.png\")
<\/a>Fig. 24 Transaction PFCG \u2013 adding oData Services as values to the authorization Object S_SERVICE in a role<\/figcaption><\/figure>\n\n\n\nA limitation of SU53 is that it does not provide logs for all types of authorization errors; for example, it does not include logs for errors related to CDS view authorizations defined at the CDS view code level. <\/p>\n\n\n\n
TIP!<\/strong> As soon as you know that a FIORI application has been affected and check the logs in SU53, it is advisable to save them immediately, as they are only visible for a limited time. This way, you avoid asking the user to “regenerate” the error \ud83d\ude0a Alternatively, you can ask the user to download and send us the logs.<\/p>\n\n\n\nApp Support<\/strong><\/h3>\n\n\n\nSimplified, this is the equivalent of SU53 but available directly from the SAP FIORI Launchpad. However, this application is not available by default; it must be activated, and the FIORI catalog must be added to the roles we select in SAP. The application appears as follows:<\/p>\n\n\n\n![\"Main](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-25-Ekran-glowny-aplikacji-App-Support-1024x518.png\")
<\/a>Fig. 25 Main screen of the App Support Application (Source: SAP Fiori for SAP S\/4HANA \u2013 10 health checks for the SAP Fiori launchpad<\/strong><\/a>]<\/figcaption><\/figure>\n\n\n\nSAP documentation on how to activate the application for users: Setting Up App Support<\/a>.<\/p>\n\n\n\nSTAUTHTRACE<\/strong><\/h3>\n\n\n\nThis tool allows you to track which authorization objects are checked during specific user operations. This helps identify which authorizations are required and which are causing problems. You can select the range of users for whom you want to enable tracing and specify the operations you want to track:<\/p>\n\n\n\n![\"System](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-26-System-Trace-for-Authorization-Checks-STAUTHTRACE.png\")
<\/a>Fig. 26 System Trace for Authorization Checks \u2013 STAUTHTRACE<\/figcaption><\/figure>\n\n\n\nThis tool will also indicate errors related to permissions for CDS views.<\/p>\n\n\n\n
\/n\/IWFND\/ERROR_LOG<\/strong><\/h3>\n\n\n\nThis diagnostic tool allows verification of error logs during the processing of oData service requests \u2013 errors related to communication between SAP Gateway and the backend system, including data processing issues:<\/p>\n\n\n\n![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-27-SAP-Gateway-Error-Log-Frontend-1024x497.png\")
<\/a>Fig. 27 SAP Gateway Error Log \u2013 Frontend<\/figcaption><\/figure>\n\n\n\n\/n\/IWBEP\/ERROR_LOG<\/strong><\/h3>\n\n\n\nSimilar to the previous tool, it allows verification of error logs during oData request processing, but on the backend side. It also helps analyze errors related to the RFC authorization object – S_RFCACL mentioned earlier:<\/p>\n\n\n\n![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-28-SAP-Backend-Error-Log-1024x516.png\")
<\/a>Fig. 28 SAP Backend Error Log<\/figcaption><\/figure>\n\n\n\nST22<\/strong><\/h3>\n\n\n\nA transaction used for analyzing ABAP errors. It is included here because sometimes what initially appears to be an authorization error may not be one \ud83d\ude0a For example, if a user receives an unclear error message that suggests a lack of access. There are no error logs in transaction SU53; it is worth checking logs in transaction ST22 to determine if it is an ABAP\/developer error:<\/p>\n\n\n\n![\"ABAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-29-ABAP-Runtime-Errors-ST22.png\")
<\/a>Fig. 29 ABAP Runtime Errors \u2013 ST22<\/figcaption><\/figure>\n\n\n\nBrowser Developer Tools (Chrome, Firefox, Edge, Opera, etc.)<\/strong><\/h3>\n\n\n\nMany things in SAP FIORI occur at the browser level, so using built-in developer tools and their consoles can help pinpoint the source of potential problems \u2013 verify what request was made and which service\/function caused the error. Below is a screenshot of an example error and the information that can be read from the developer tool:<\/p>\n\n\n\n![\"DevTools](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-30-DevTools-w-przegladarce-Google-Chrome-zaznaczony-fragment-wskazuje-na-problem-z-konkretnym-serwisem-oData-1024x400.png\")
<\/a>Fig. 30 DevTools in Google Chrome \u2013 Highlighted Segment Indicating a Problem with a Specific oData Service<\/figcaption><\/figure>\n\n\n\nAdditional useful tools<\/strong><\/h3>\n\n\n\n\n- \/UI5\/APP_INDEX_CALCULATE<\/strong> \u2013 this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems\u2014especially if changes have been made.<\/li>\n\n\n\n
- \/n\/IWFND\/CACHE_CLEANUP<\/strong> \u2013 in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.<\/li>\n\n\n\n
- SM20 (Security Audit Log)<\/strong> \u2013 used to review user logs, such as their transactions.<\/li>\n\n\n\n
- SLG1 \u2013 Used to review system logs triggered by the user, such as in a specific transaction or program.<\/li>\n\n\n\n
- HTTP Trace Tools \u2013 various tools for monitoring HTTP or oData requests in the context of SAP FIORI applications. You can review detailed information about each request, such as the <\/strong>method (GET, POST, PUT, DELETE), headers, body, response status, response time, and more.<\/li>\n<\/ul>\n\n\n\n
\n \n ![\"\"](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2026\/04\/Blog-SAP-Desktop_.jpg\")
\n <\/picture>\n \n \n Sii x SAP<\/h2>\n <\/div>\n
\n As an SAP Silver Partner, we have many years of experience in implementing ERP solutions in companies of various scales and process complexities.\n <\/p>\n \n SAP offering<\/span>\n <\/a>\n <\/div>\n<\/div>\n\n\n\nOther errors<\/strong><\/h2>\n\n\n\n\n- Incorrectly assigned or missing system alias during the creation\/configuration of a new FIORI application, specifically for the services supporting it. This results in the application not being visible in the FIORI environment. For more information and examples, refer to: SAP Community – No System Alias found for Service ” and user,”<\/strong><\/a> and SAP Note 3245402 – OData Service throws an error: System alias ‘ ‘ does not exist<\/a><\/li>\n\n\n\n
- Users hide applications themselves \u2013 if users can personalize groups in the FIORI system, users often experiment with the system or accidentally hide tiles from the FIORI application view. This can be done using the Edit Home Page option by clicking on their avatar in SAP FIORI:<\/li>\n<\/ul>\n\n\n\n
![\"Edit](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-31-Edit-Home-Page-wejscie-do-aplikacji.png\")
<\/a>Fig. 31 Edit Home Page \u2013 accessing the application<\/figcaption><\/figure>\n\n\n\n
![\"SAP](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2024\/09\/Ryc.-01-EN-Architektura-dostepu-do-aplikacji-SAP-FIORI-scaled.jpg\")
<\/a>Layers of integration<\/strong><\/h3>\n\n\n\nAs shown in the graphic above, there are three main layers of this integration:<\/p>\n\n\n\n
\n- Backend Server (BES)<\/strong> \u2013 this is the business logic layer we can assume to be our S\/4 HANA system. In this layer, business roles are assigned to users. These roles contain information about FIORI applications, such as the catalogs they are located in, OData services (IWSV), ABAP transactions they use, Web Dynpro applications, etc.<\/li>\n\n\n\n
- SAP Frontend Server (FES<\/strong>) \u2013 to put it simply, this is what happens in the background of the FIORI environment itself. In this layer, requests for access to the Backend system are sent through the SAP Gateway. This layer also contains access roles with information such as catalogs, groups, and OData services (IWSG).<\/li>\n\n\n\n
- SAP FIORI Launchpad (FLP)<\/strong> is the final layer \u2013 visual, directly accessible, and visible to the user. This is where the user launches and views FIORI applications.<\/li>\n<\/ul>\n\n\n\n
At first glance, it’s easy to guess that problems can arise at any of these layers.<\/p>\n\n\n\n
The most common problems<\/strong><\/h3>\n\n\n\nLet’s look at the most common issues and their causes.<\/p>\n\n\n\n
Attention!<\/strong> Before we continue \ud83d\ude0a The article describes situations where a user theoretically should already have access to specific SAP FIORI applications yet still encounters issues with their visibility or functionality. I also assume that the reader is familiar with transactions such as SUIM, SU01, and PFCG to be able to find the role with the missing authorization object (resulting, for example, from SU53 logs) and assign it to the user, modify the selected existing role, or create a new role in the SAP system.<\/p>\n\n\n\nTo remind you, there are two ways to verify if a user already has the appropriate role that theoretically should give them access to a specific FIORI application:<\/p>\n\n\n\n
\n- For standard SAP FIORI applications, open the publicly accessible SAP FIORI Apps Library<\/a>, select the category “All apps,” choose the appropriate SAP system version, and in the “Configuration” tab, check the “Business Role(s)” table for the list of roles that grant access to the selected application. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 2 SAP Fiori apps reference library \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\n\n- For both standard and custom SAP FIORI applications, open the transaction \/n\/UI2\/FLPCM_CUST<\/strong> in SAP GUI, go to the “Tiles\/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles”<\/strong> option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 3 Launchpad content manager \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\nIt’s also worth checking whether the FIORI application you searched for is in the FIORI catalog in the form of (Tile+TM) and whether this catalog is assigned to the FIORI role that the user has or wants to assign to them. To verify this, follow the same steps as in the previous points, but at the end, choose the “Show usage in Roles<\/strong>” option, check the “Reference Details<\/strong>” column, and in the PFCG transaction, ensure that the catalog is assigned to the role that the user has or that you want to assign to them.<\/p>\n\n\n\n<\/a>Fig. 4 Launchpad content manager \u2013 list of catalogs containing Tile + TM<\/figcaption><\/figure>\n\n\n\nIf a given application’s information (Tile + TM) is not available in any catalog, then the missing Tile or TM element must be added to the appropriate FIORI catalog. However, this is a topic for a completely separate article. <\/p>\n\n\n\n
For now, I’ve left a link to the SAP Documentation that describes similar cases: SAP Fiori Launchpad Content Manager<\/a>.<\/p>\n\n\n\nErrors when opening a FIORI tile<\/strong><\/h2>\n\n\n\nScenario 1.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we get a 403\/404 browser error \u2013 an example of such an error is shown below:<\/p>\n\n\n\n<\/a>Fig. 5 Error 403 \u2013 application fails to load \u2013 no access to content<\/figcaption><\/figure>\n\n\n\nThis indicates that an OData service (a service that communicates between the front and backend) is not functioning correctly, is inactive, or has not been implemented in the system. To analyze and fix this, follow these steps:<\/p>\n\n\n\n
Step 1. Run the transaction \/n\/UI2\/FLPCM_CUST<\/strong> <\/p>\n\n\n\nStep 2. In the “Tiles\/Target Mappings<\/strong>” tab, find the application in question, select it, and choose the option Services -> Check and Show Services<\/strong>. Check the oData V2 Services<\/strong> and oData V4 Services<\/strong> tabs. Below are screenshots from the transaction:<\/p>\n\n\n\n<\/a>Fig. 6 Launchpad Content Manager \u2013 Check and Show Services<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 7 Launchpad Content Manager \u2013 list of application services<\/figcaption><\/figure>\n\n\n\nIf any of the OData services in these tabs have a red status (inactive), you should:<\/p>\n\n\n\n
\n- go to the transaction \/n\/IWFND\/MAINT_SERVICE<\/strong>, find the inactive OData service in the External Service Name<\/strong> column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate<\/strong>:<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 8 Activate and Maintain Services – activating the OData service<\/figcaption><\/figure>\n\n\n\nIf the service status does not change and you receive a system message stating that the service cannot be activated, select ICF Node \u2013> Configure SICF<\/strong>. You will be redirected to the SICF<\/strong> transaction,directly to the tree of objects containing the service. If it is deactivated (grayed out), right-click on it and choose Activate Service<\/strong>, then confirm by selecting the second option, Yes,<\/strong> in the next window, as shown in the screenshots below:<\/p>\n\n\n\n<\/a>Fig. 9 Activate and maintain services \u2013 navigating to SICF configuration<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 10 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nIt will now be active when you return to your service in the \/n\/IWFND\/MAINT_SERVICE transaction. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\n\n- go to the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction and search for the inactive OData service in the External Service Name<\/strong> column. It has not been implemented in your system if you cannot find it. How can you implement it? Refer to the following articles:\n
\n- for oData V2: SAP Note 2525224 \u2013 Missing OData Service when Attempting to Add Service in \/IWFND\/MAINT_SERVICES<\/a> and Activate OData Services for Sana SAP Fiori Apps<\/a><\/li>\n\n\n\n
- for oData V4: Publish\/Activate an oData V4 Service Group in SAP<\/a> and OData V4 Service Catalog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the services are implemented and activated, return to your service in the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction, where it will now be active. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\nStep 3<\/strong>. Test the application’s functionality in the SAP FIORI Launchpad, preferably after refreshing the page, clearing the browser’s cookies\/cache, or logging back into SAP FIORI.<\/p>\n\n\n\nScenario 2.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we receive a 403\/500 browser error \u2013 request failed, for example:<\/p>\n\n\n\n<\/a>Fig. 11 Error \u2013 issue with loading the UI5 component<\/figcaption><\/figure>\n\n\n\nYou should proceed in the same way as in Scenario 1, with the difference that in Step 2, you need to check the ICF Services<\/strong> tab. If any ICF service is inactive, you should select it and choose the Define Services<\/strong> option, and then activate the ICF service in the same way as in Scenario 1 \u2013 Step 2, when the system redirected us to the SICF transaction:<\/p>\n\n\n\n<\/a>Fig. 12 Launchpad Content Manager \u2013 inactive ICF service<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 13 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nThe 403\/500 error \u2013 Request Failed or Component Failed may also have a direct authorization-related cause in the SAP S\/4 HANA system. The user may not have the necessary authorizations for the S_RFCACL<\/strong> authorization object, which we can diagnose using the SU53, STAUTHTRACE, or App Support (in FIORI) transactions. I will mention these tools further in the article.<\/p>\n\n\n\nScenario 3.<\/strong><\/h3>\n\n\n\nThe steps taken in Scenarios 1 and 2 did not help, and additionally, we are receiving the following message:<\/p>\n\n\n\n<\/a>Fig. 14 Error \u2013 problem loading content \u2013 UI5 component<\/figcaption><\/figure>\n\n\n\nThis means that the application still cannot locate a particular oData service and, consequently, the ICF service as well. To verify this, you should perform Step 1 and Step 2 from Scenario 1 and check if the number of oData V2 and V4 services matches the documentation for this application in the FIORI Library.<\/a> Any service that is missing should be added similarly to Scenario 1, Step 2(b).<\/p>\n\n\n\n<\/a>Fig. 15 SAP Fiori Apps Reference \u2013 information about ICF and oData services used by the application<\/figcaption><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nAuthorization errors in CDS views<\/strong><\/h2>\n\n\n\nCDS (Core Data Services) views in SAP allow the creation of advanced, efficient, and complex data models and application logic at the database level. These views can be accessed via SAP FIORI. Still, access to the mentioned data models (Virtual Data Model) in CDS views is always controlled through a combination of the following authorizations:<\/p>\n\n\n\n
\n- Classic authorization object checks \u2013 through authorization checks in ABAP code, such as objects (S_TCODE, S_START, S_SERVICE, SDDLVIEW, etc.) \u2013 occur when the application is started.<\/li>\n\n\n\n
- User authorization verification at the CDS view data source level happens dynamically while using the view as it fetches additional data. Permissions in the CDS view code are continually compared to the user authorizations in PFCG.<\/li>\n<\/ul>\n\n\n\n
Below is a diagram comparing the classic approach to authorization verification for ABAP-based applications with the DCL approach for CDS views:<\/p>\n\n\n\n<\/a>Fig. 16 Comparision of standard ABAP approach with DCL approach for CDS views (diagram inspired from webinar SAP Fiori Security \u2013 Authorization Debugging<\/a>)<\/figcaption><\/figure>\n\n\n\nThe DCL (Data Control Language)<\/strong> approach defines what data a user can view, depending on their permissions. It is mainly used to restrict access to data at the record level (row-level security) and at the column level (column-level security) in CDS data models.<\/p>\n\n\n\nOnce defined, authorization rules are automatically applied to all queries using the given CDS view, ensuring consistency and reducing the risk of errors. This allows for dynamic and context-sensitive data access adjustments based on user attributes, which is harder to achieve with the classic approach.<\/p>\n\n\n\n
Due to their more flexible and efficient operation, CDS views and the DCL approach are also increasingly used in standard SAP transactions. An example is the Display Material (MM03) application.<\/p>\n\n\n\n
User tracking<\/strong> and simulation of data access in CDS<\/h3>\n\n\n\nIn transaction STAUTHTRACE<\/strong>, I initiated user tracking to verify which authorizations I am attempting to use. After starting the Display Material (MM03) application, I received the following logs:<\/p>\n\n\n\n<\/a>Fig. 17 System Trace for authorization checks \u2013 logs with results of individual authorizations \u2013 including CDS views<\/figcaption><\/figure>\n\n\n\nAs seen in the CDS Entity column, there is information that some of the data displayed to me in the Display Material (MM03) application comes from a CDS view, and access to this data is authorized at the CDS view level. An important note is that such information will not be available in SU53!<\/p>\n\n\n\n
Therefore, for more detailed verification of logs\/authorization errors, it is also advisable to use transaction STAUTHTRACE. Furthermore, from the logs, I can directly navigate to the CDS Access Control application, allowing me to verify what is being checked in the CDS view to display the appropriate data. Below is an example of the previously invoked view:<\/p>\n\n\n\n<\/a>Fig. 18 CDS access control \u2013 database script for CDS view with authorization query<\/figcaption><\/figure>\n\n\n\nAs shown, there is a fragment of code that, at the CDS view level, compares the values of authorization objects provided here with the authorization objects held by the user currently viewing the CDS view and decides whether the specific data set can be displayed.<\/p>\n\n\n\n
In the example above, this data set pertains to access to product groups (object M_MATE_MAT, field: BEGRU). The CDS view checks what access the user has to the object and displays data only for those product groups (BEGRU) where the user has the activity values 03 (display) and F4 (display in value help).<\/p>\n\n\n\n
Therefore, unlike the classic approach, the system does not check every activity field value (ACTVT) value for the data product groups from the BEGRU field in the ABAP script. Instead, it “fetches” the user’s accesses (activities) to the values in the BEGRU field and, at the database script level, checks if these values are among those specified in the CDS view query. If they are, the data is displayed. A beneficial tool for verifying what data a specific user can access in a view is the CDS Access Control Runtime Simulator (SACM):<\/strong><\/p>\n\n\n\n<\/a>Fig. 19 Access Control Management \u2013 tool selection screen<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 20 CDS Access Control Runtime Simulator \u2013 Access Simulation Selection screen for a selected user<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 21 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with full access<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 22 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with limited access<\/figcaption><\/figure>\n\n\n\nIn Fig. 20, it is clear that my user can access all data in this view. However, in Fig. 21, a user with different roles can only access one product group marked as XYZ. Only data for this product group will be displayed to them in the application using this CDS view.<\/p>\n\n\n\n
This is very useful when a user cannot see some data and receives no authorization error, nor does it appear in SU53. In such cases, combining STAUTHTRACE and SACM tools significantly eases the problem analysis.<\/p>\n\n\n\n
Error analysis tools + most commonly detected errors<\/strong><\/h2>\n\n\n\nSU53<\/strong><\/h3>\n\n\n\nThis is a tool that hardly needs an introduction; it is an absolute classic for analyzing authorization issues in both ABAP and FIORI systems \ud83d\ude0a<\/strong><\/p>\n\n\n\nIn the context of FIORI application functionality, the most common problem is the lack of user authorization for the relevant services (e.g., ODATA) defined in the authorization object S_SERVICE. This will cause issues with opening applications or even result in a lack of access to specific data or options.<\/p>\n\n\n\n
Below is an example of such logs in transaction SU53:<\/p>\n\n\n\n<\/a>Fig. 23 Example errors related to lack of access to oData Services in authorization Object S_SERVICE<\/figcaption><\/figure>\n\n\n\nTo resolve this, you need to either find a role that already contains the object with that value (e.g., using transaction SUIM) or add this value to the S_SERVICE object in an existing role using transaction PFCG:<\/p>\n\n\n\n<\/a>Fig. 24 Transaction PFCG \u2013 adding oData Services as values to the authorization Object S_SERVICE in a role<\/figcaption><\/figure>\n\n\n\nA limitation of SU53 is that it does not provide logs for all types of authorization errors; for example, it does not include logs for errors related to CDS view authorizations defined at the CDS view code level. <\/p>\n\n\n\n
TIP!<\/strong> As soon as you know that a FIORI application has been affected and check the logs in SU53, it is advisable to save them immediately, as they are only visible for a limited time. This way, you avoid asking the user to “regenerate” the error \ud83d\ude0a Alternatively, you can ask the user to download and send us the logs.<\/p>\n\n\n\nApp Support<\/strong><\/h3>\n\n\n\nSimplified, this is the equivalent of SU53 but available directly from the SAP FIORI Launchpad. However, this application is not available by default; it must be activated, and the FIORI catalog must be added to the roles we select in SAP. The application appears as follows:<\/p>\n\n\n\n<\/a>Fig. 25 Main screen of the App Support Application (Source: SAP Fiori for SAP S\/4HANA \u2013 10 health checks for the SAP Fiori launchpad<\/strong><\/a>]<\/figcaption><\/figure>\n\n\n\nSAP documentation on how to activate the application for users: Setting Up App Support<\/a>.<\/p>\n\n\n\nSTAUTHTRACE<\/strong><\/h3>\n\n\n\nThis tool allows you to track which authorization objects are checked during specific user operations. This helps identify which authorizations are required and which are causing problems. You can select the range of users for whom you want to enable tracing and specify the operations you want to track:<\/p>\n\n\n\n<\/a>Fig. 26 System Trace for Authorization Checks \u2013 STAUTHTRACE<\/figcaption><\/figure>\n\n\n\nThis tool will also indicate errors related to permissions for CDS views.<\/p>\n\n\n\n
\/n\/IWFND\/ERROR_LOG<\/strong><\/h3>\n\n\n\nThis diagnostic tool allows verification of error logs during the processing of oData service requests \u2013 errors related to communication between SAP Gateway and the backend system, including data processing issues:<\/p>\n\n\n\n<\/a>Fig. 27 SAP Gateway Error Log \u2013 Frontend<\/figcaption><\/figure>\n\n\n\n\/n\/IWBEP\/ERROR_LOG<\/strong><\/h3>\n\n\n\nSimilar to the previous tool, it allows verification of error logs during oData request processing, but on the backend side. It also helps analyze errors related to the RFC authorization object – S_RFCACL mentioned earlier:<\/p>\n\n\n\n<\/a>Fig. 28 SAP Backend Error Log<\/figcaption><\/figure>\n\n\n\nST22<\/strong><\/h3>\n\n\n\nA transaction used for analyzing ABAP errors. It is included here because sometimes what initially appears to be an authorization error may not be one \ud83d\ude0a For example, if a user receives an unclear error message that suggests a lack of access. There are no error logs in transaction SU53; it is worth checking logs in transaction ST22 to determine if it is an ABAP\/developer error:<\/p>\n\n\n\n<\/a>Fig. 29 ABAP Runtime Errors \u2013 ST22<\/figcaption><\/figure>\n\n\n\nBrowser Developer Tools (Chrome, Firefox, Edge, Opera, etc.)<\/strong><\/h3>\n\n\n\nMany things in SAP FIORI occur at the browser level, so using built-in developer tools and their consoles can help pinpoint the source of potential problems \u2013 verify what request was made and which service\/function caused the error. Below is a screenshot of an example error and the information that can be read from the developer tool:<\/p>\n\n\n\n<\/a>Fig. 30 DevTools in Google Chrome \u2013 Highlighted Segment Indicating a Problem with a Specific oData Service<\/figcaption><\/figure>\n\n\n\nAdditional useful tools<\/strong><\/h3>\n\n\n\n\n- \/UI5\/APP_INDEX_CALCULATE<\/strong> \u2013 this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems\u2014especially if changes have been made.<\/li>\n\n\n\n
- \/n\/IWFND\/CACHE_CLEANUP<\/strong> \u2013 in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.<\/li>\n\n\n\n
- SM20 (Security Audit Log)<\/strong> \u2013 used to review user logs, such as their transactions.<\/li>\n\n\n\n
- SLG1 \u2013 Used to review system logs triggered by the user, such as in a specific transaction or program.<\/li>\n\n\n\n
- HTTP Trace Tools \u2013 various tools for monitoring HTTP or oData requests in the context of SAP FIORI applications. You can review detailed information about each request, such as the <\/strong>method (GET, POST, PUT, DELETE), headers, body, response status, response time, and more.<\/li>\n<\/ul>\n\n\n\n
\n \n \n <\/picture>\n \n \n Sii x SAP<\/h2>\n <\/div>\n
\n As an SAP Silver Partner, we have many years of experience in implementing ERP solutions in companies of various scales and process complexities.\n <\/p>\n \n SAP offering<\/span>\n <\/a>\n <\/div>\n<\/div>\n\n\n\nOther errors<\/strong><\/h2>\n\n\n\n\n- Incorrectly assigned or missing system alias during the creation\/configuration of a new FIORI application, specifically for the services supporting it. This results in the application not being visible in the FIORI environment. For more information and examples, refer to: SAP Community – No System Alias found for Service ” and user,”<\/strong><\/a> and SAP Note 3245402 – OData Service throws an error: System alias ‘ ‘ does not exist<\/a><\/li>\n\n\n\n
- Users hide applications themselves \u2013 if users can personalize groups in the FIORI system, users often experiment with the system or accidentally hide tiles from the FIORI application view. This can be done using the Edit Home Page option by clicking on their avatar in SAP FIORI:<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 31 Edit Home Page \u2013 accessing the application<\/figcaption><\/figure>\n\n\n\n
At first glance, it’s easy to guess that problems can arise at any of these layers.<\/p>\n\n\n\n
The most common problems<\/strong><\/h3>\n\n\n\nLet’s look at the most common issues and their causes.<\/p>\n\n\n\n
Attention!<\/strong> Before we continue \ud83d\ude0a The article describes situations where a user theoretically should already have access to specific SAP FIORI applications yet still encounters issues with their visibility or functionality. I also assume that the reader is familiar with transactions such as SUIM, SU01, and PFCG to be able to find the role with the missing authorization object (resulting, for example, from SU53 logs) and assign it to the user, modify the selected existing role, or create a new role in the SAP system.<\/p>\n\n\n\nTo remind you, there are two ways to verify if a user already has the appropriate role that theoretically should give them access to a specific FIORI application:<\/p>\n\n\n\n
\n- For standard SAP FIORI applications, open the publicly accessible SAP FIORI Apps Library<\/a>, select the category “All apps,” choose the appropriate SAP system version, and in the “Configuration” tab, check the “Business Role(s)” table for the list of roles that grant access to the selected application. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 2 SAP Fiori apps reference library \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\n\n- For both standard and custom SAP FIORI applications, open the transaction \/n\/UI2\/FLPCM_CUST<\/strong> in SAP GUI, go to the “Tiles\/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles”<\/strong> option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 3 Launchpad content manager \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\nIt’s also worth checking whether the FIORI application you searched for is in the FIORI catalog in the form of (Tile+TM) and whether this catalog is assigned to the FIORI role that the user has or wants to assign to them. To verify this, follow the same steps as in the previous points, but at the end, choose the “Show usage in Roles<\/strong>” option, check the “Reference Details<\/strong>” column, and in the PFCG transaction, ensure that the catalog is assigned to the role that the user has or that you want to assign to them.<\/p>\n\n\n\n<\/a>Fig. 4 Launchpad content manager \u2013 list of catalogs containing Tile + TM<\/figcaption><\/figure>\n\n\n\nIf a given application’s information (Tile + TM) is not available in any catalog, then the missing Tile or TM element must be added to the appropriate FIORI catalog. However, this is a topic for a completely separate article. <\/p>\n\n\n\n
For now, I’ve left a link to the SAP Documentation that describes similar cases: SAP Fiori Launchpad Content Manager<\/a>.<\/p>\n\n\n\nErrors when opening a FIORI tile<\/strong><\/h2>\n\n\n\nScenario 1.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we get a 403\/404 browser error \u2013 an example of such an error is shown below:<\/p>\n\n\n\n<\/a>Fig. 5 Error 403 \u2013 application fails to load \u2013 no access to content<\/figcaption><\/figure>\n\n\n\nThis indicates that an OData service (a service that communicates between the front and backend) is not functioning correctly, is inactive, or has not been implemented in the system. To analyze and fix this, follow these steps:<\/p>\n\n\n\n
Step 1. Run the transaction \/n\/UI2\/FLPCM_CUST<\/strong> <\/p>\n\n\n\nStep 2. In the “Tiles\/Target Mappings<\/strong>” tab, find the application in question, select it, and choose the option Services -> Check and Show Services<\/strong>. Check the oData V2 Services<\/strong> and oData V4 Services<\/strong> tabs. Below are screenshots from the transaction:<\/p>\n\n\n\n<\/a>Fig. 6 Launchpad Content Manager \u2013 Check and Show Services<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 7 Launchpad Content Manager \u2013 list of application services<\/figcaption><\/figure>\n\n\n\nIf any of the OData services in these tabs have a red status (inactive), you should:<\/p>\n\n\n\n
\n- go to the transaction \/n\/IWFND\/MAINT_SERVICE<\/strong>, find the inactive OData service in the External Service Name<\/strong> column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate<\/strong>:<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 8 Activate and Maintain Services – activating the OData service<\/figcaption><\/figure>\n\n\n\nIf the service status does not change and you receive a system message stating that the service cannot be activated, select ICF Node \u2013> Configure SICF<\/strong>. You will be redirected to the SICF<\/strong> transaction,directly to the tree of objects containing the service. If it is deactivated (grayed out), right-click on it and choose Activate Service<\/strong>, then confirm by selecting the second option, Yes,<\/strong> in the next window, as shown in the screenshots below:<\/p>\n\n\n\n<\/a>Fig. 9 Activate and maintain services \u2013 navigating to SICF configuration<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 10 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nIt will now be active when you return to your service in the \/n\/IWFND\/MAINT_SERVICE transaction. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\n\n- go to the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction and search for the inactive OData service in the External Service Name<\/strong> column. It has not been implemented in your system if you cannot find it. How can you implement it? Refer to the following articles:\n
\n- for oData V2: SAP Note 2525224 \u2013 Missing OData Service when Attempting to Add Service in \/IWFND\/MAINT_SERVICES<\/a> and Activate OData Services for Sana SAP Fiori Apps<\/a><\/li>\n\n\n\n
- for oData V4: Publish\/Activate an oData V4 Service Group in SAP<\/a> and OData V4 Service Catalog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the services are implemented and activated, return to your service in the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction, where it will now be active. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\nStep 3<\/strong>. Test the application’s functionality in the SAP FIORI Launchpad, preferably after refreshing the page, clearing the browser’s cookies\/cache, or logging back into SAP FIORI.<\/p>\n\n\n\nScenario 2.<\/strong><\/h3>\n\n\n\nIn the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we receive a 403\/500 browser error \u2013 request failed, for example:<\/p>\n\n\n\n<\/a>Fig. 11 Error \u2013 issue with loading the UI5 component<\/figcaption><\/figure>\n\n\n\nYou should proceed in the same way as in Scenario 1, with the difference that in Step 2, you need to check the ICF Services<\/strong> tab. If any ICF service is inactive, you should select it and choose the Define Services<\/strong> option, and then activate the ICF service in the same way as in Scenario 1 \u2013 Step 2, when the system redirected us to the SICF transaction:<\/p>\n\n\n\n<\/a>Fig. 12 Launchpad Content Manager \u2013 inactive ICF service<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 13 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\nThe 403\/500 error \u2013 Request Failed or Component Failed may also have a direct authorization-related cause in the SAP S\/4 HANA system. The user may not have the necessary authorizations for the S_RFCACL<\/strong> authorization object, which we can diagnose using the SU53, STAUTHTRACE, or App Support (in FIORI) transactions. I will mention these tools further in the article.<\/p>\n\n\n\nScenario 3.<\/strong><\/h3>\n\n\n\nThe steps taken in Scenarios 1 and 2 did not help, and additionally, we are receiving the following message:<\/p>\n\n\n\n<\/a>Fig. 14 Error \u2013 problem loading content \u2013 UI5 component<\/figcaption><\/figure>\n\n\n\nThis means that the application still cannot locate a particular oData service and, consequently, the ICF service as well. To verify this, you should perform Step 1 and Step 2 from Scenario 1 and check if the number of oData V2 and V4 services matches the documentation for this application in the FIORI Library.<\/a> Any service that is missing should be added similarly to Scenario 1, Step 2(b).<\/p>\n\n\n\n<\/a>Fig. 15 SAP Fiori Apps Reference \u2013 information about ICF and oData services used by the application<\/figcaption><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nAuthorization errors in CDS views<\/strong><\/h2>\n\n\n\nCDS (Core Data Services) views in SAP allow the creation of advanced, efficient, and complex data models and application logic at the database level. These views can be accessed via SAP FIORI. Still, access to the mentioned data models (Virtual Data Model) in CDS views is always controlled through a combination of the following authorizations:<\/p>\n\n\n\n
\n- Classic authorization object checks \u2013 through authorization checks in ABAP code, such as objects (S_TCODE, S_START, S_SERVICE, SDDLVIEW, etc.) \u2013 occur when the application is started.<\/li>\n\n\n\n
- User authorization verification at the CDS view data source level happens dynamically while using the view as it fetches additional data. Permissions in the CDS view code are continually compared to the user authorizations in PFCG.<\/li>\n<\/ul>\n\n\n\n
Below is a diagram comparing the classic approach to authorization verification for ABAP-based applications with the DCL approach for CDS views:<\/p>\n\n\n\n<\/a>Fig. 16 Comparision of standard ABAP approach with DCL approach for CDS views (diagram inspired from webinar SAP Fiori Security \u2013 Authorization Debugging<\/a>)<\/figcaption><\/figure>\n\n\n\nThe DCL (Data Control Language)<\/strong> approach defines what data a user can view, depending on their permissions. It is mainly used to restrict access to data at the record level (row-level security) and at the column level (column-level security) in CDS data models.<\/p>\n\n\n\nOnce defined, authorization rules are automatically applied to all queries using the given CDS view, ensuring consistency and reducing the risk of errors. This allows for dynamic and context-sensitive data access adjustments based on user attributes, which is harder to achieve with the classic approach.<\/p>\n\n\n\n
Due to their more flexible and efficient operation, CDS views and the DCL approach are also increasingly used in standard SAP transactions. An example is the Display Material (MM03) application.<\/p>\n\n\n\n
User tracking<\/strong> and simulation of data access in CDS<\/h3>\n\n\n\nIn transaction STAUTHTRACE<\/strong>, I initiated user tracking to verify which authorizations I am attempting to use. After starting the Display Material (MM03) application, I received the following logs:<\/p>\n\n\n\n<\/a>Fig. 17 System Trace for authorization checks \u2013 logs with results of individual authorizations \u2013 including CDS views<\/figcaption><\/figure>\n\n\n\nAs seen in the CDS Entity column, there is information that some of the data displayed to me in the Display Material (MM03) application comes from a CDS view, and access to this data is authorized at the CDS view level. An important note is that such information will not be available in SU53!<\/p>\n\n\n\n
Therefore, for more detailed verification of logs\/authorization errors, it is also advisable to use transaction STAUTHTRACE. Furthermore, from the logs, I can directly navigate to the CDS Access Control application, allowing me to verify what is being checked in the CDS view to display the appropriate data. Below is an example of the previously invoked view:<\/p>\n\n\n\n<\/a>Fig. 18 CDS access control \u2013 database script for CDS view with authorization query<\/figcaption><\/figure>\n\n\n\nAs shown, there is a fragment of code that, at the CDS view level, compares the values of authorization objects provided here with the authorization objects held by the user currently viewing the CDS view and decides whether the specific data set can be displayed.<\/p>\n\n\n\n
In the example above, this data set pertains to access to product groups (object M_MATE_MAT, field: BEGRU). The CDS view checks what access the user has to the object and displays data only for those product groups (BEGRU) where the user has the activity values 03 (display) and F4 (display in value help).<\/p>\n\n\n\n
Therefore, unlike the classic approach, the system does not check every activity field value (ACTVT) value for the data product groups from the BEGRU field in the ABAP script. Instead, it “fetches” the user’s accesses (activities) to the values in the BEGRU field and, at the database script level, checks if these values are among those specified in the CDS view query. If they are, the data is displayed. A beneficial tool for verifying what data a specific user can access in a view is the CDS Access Control Runtime Simulator (SACM):<\/strong><\/p>\n\n\n\n<\/a>Fig. 19 Access Control Management \u2013 tool selection screen<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 20 CDS Access Control Runtime Simulator \u2013 Access Simulation Selection screen for a selected user<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 21 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with full access<\/figcaption><\/figure>\n\n\n\n<\/a>Fig. 22 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with limited access<\/figcaption><\/figure>\n\n\n\nIn Fig. 20, it is clear that my user can access all data in this view. However, in Fig. 21, a user with different roles can only access one product group marked as XYZ. Only data for this product group will be displayed to them in the application using this CDS view.<\/p>\n\n\n\n
This is very useful when a user cannot see some data and receives no authorization error, nor does it appear in SU53. In such cases, combining STAUTHTRACE and SACM tools significantly eases the problem analysis.<\/p>\n\n\n\n
Error analysis tools + most commonly detected errors<\/strong><\/h2>\n\n\n\nSU53<\/strong><\/h3>\n\n\n\nThis is a tool that hardly needs an introduction; it is an absolute classic for analyzing authorization issues in both ABAP and FIORI systems \ud83d\ude0a<\/strong><\/p>\n\n\n\nIn the context of FIORI application functionality, the most common problem is the lack of user authorization for the relevant services (e.g., ODATA) defined in the authorization object S_SERVICE. This will cause issues with opening applications or even result in a lack of access to specific data or options.<\/p>\n\n\n\n
Below is an example of such logs in transaction SU53:<\/p>\n\n\n\n<\/a>Fig. 23 Example errors related to lack of access to oData Services in authorization Object S_SERVICE<\/figcaption><\/figure>\n\n\n\nTo resolve this, you need to either find a role that already contains the object with that value (e.g., using transaction SUIM) or add this value to the S_SERVICE object in an existing role using transaction PFCG:<\/p>\n\n\n\n<\/a>Fig. 24 Transaction PFCG \u2013 adding oData Services as values to the authorization Object S_SERVICE in a role<\/figcaption><\/figure>\n\n\n\nA limitation of SU53 is that it does not provide logs for all types of authorization errors; for example, it does not include logs for errors related to CDS view authorizations defined at the CDS view code level. <\/p>\n\n\n\n
TIP!<\/strong> As soon as you know that a FIORI application has been affected and check the logs in SU53, it is advisable to save them immediately, as they are only visible for a limited time. This way, you avoid asking the user to “regenerate” the error \ud83d\ude0a Alternatively, you can ask the user to download and send us the logs.<\/p>\n\n\n\nApp Support<\/strong><\/h3>\n\n\n\nSimplified, this is the equivalent of SU53 but available directly from the SAP FIORI Launchpad. However, this application is not available by default; it must be activated, and the FIORI catalog must be added to the roles we select in SAP. The application appears as follows:<\/p>\n\n\n\n<\/a>Fig. 25 Main screen of the App Support Application (Source: SAP Fiori for SAP S\/4HANA \u2013 10 health checks for the SAP Fiori launchpad<\/strong><\/a>]<\/figcaption><\/figure>\n\n\n\nSAP documentation on how to activate the application for users: Setting Up App Support<\/a>.<\/p>\n\n\n\nSTAUTHTRACE<\/strong><\/h3>\n\n\n\nThis tool allows you to track which authorization objects are checked during specific user operations. This helps identify which authorizations are required and which are causing problems. You can select the range of users for whom you want to enable tracing and specify the operations you want to track:<\/p>\n\n\n\n<\/a>Fig. 26 System Trace for Authorization Checks \u2013 STAUTHTRACE<\/figcaption><\/figure>\n\n\n\nThis tool will also indicate errors related to permissions for CDS views.<\/p>\n\n\n\n
\/n\/IWFND\/ERROR_LOG<\/strong><\/h3>\n\n\n\nThis diagnostic tool allows verification of error logs during the processing of oData service requests \u2013 errors related to communication between SAP Gateway and the backend system, including data processing issues:<\/p>\n\n\n\n<\/a>Fig. 27 SAP Gateway Error Log \u2013 Frontend<\/figcaption><\/figure>\n\n\n\n\/n\/IWBEP\/ERROR_LOG<\/strong><\/h3>\n\n\n\nSimilar to the previous tool, it allows verification of error logs during oData request processing, but on the backend side. It also helps analyze errors related to the RFC authorization object – S_RFCACL mentioned earlier:<\/p>\n\n\n\n<\/a>Fig. 28 SAP Backend Error Log<\/figcaption><\/figure>\n\n\n\nST22<\/strong><\/h3>\n\n\n\nA transaction used for analyzing ABAP errors. It is included here because sometimes what initially appears to be an authorization error may not be one \ud83d\ude0a For example, if a user receives an unclear error message that suggests a lack of access. There are no error logs in transaction SU53; it is worth checking logs in transaction ST22 to determine if it is an ABAP\/developer error:<\/p>\n\n\n\n<\/a>Fig. 29 ABAP Runtime Errors \u2013 ST22<\/figcaption><\/figure>\n\n\n\nBrowser Developer Tools (Chrome, Firefox, Edge, Opera, etc.)<\/strong><\/h3>\n\n\n\nMany things in SAP FIORI occur at the browser level, so using built-in developer tools and their consoles can help pinpoint the source of potential problems \u2013 verify what request was made and which service\/function caused the error. Below is a screenshot of an example error and the information that can be read from the developer tool:<\/p>\n\n\n\n<\/a>Fig. 30 DevTools in Google Chrome \u2013 Highlighted Segment Indicating a Problem with a Specific oData Service<\/figcaption><\/figure>\n\n\n\nAdditional useful tools<\/strong><\/h3>\n\n\n\n\n- \/UI5\/APP_INDEX_CALCULATE<\/strong> \u2013 this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems\u2014especially if changes have been made.<\/li>\n\n\n\n
- \/n\/IWFND\/CACHE_CLEANUP<\/strong> \u2013 in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.<\/li>\n\n\n\n
- SM20 (Security Audit Log)<\/strong> \u2013 used to review user logs, such as their transactions.<\/li>\n\n\n\n
- SLG1 \u2013 Used to review system logs triggered by the user, such as in a specific transaction or program.<\/li>\n\n\n\n
- HTTP Trace Tools \u2013 various tools for monitoring HTTP or oData requests in the context of SAP FIORI applications. You can review detailed information about each request, such as the <\/strong>method (GET, POST, PUT, DELETE), headers, body, response status, response time, and more.<\/li>\n<\/ul>\n\n\n\n
\n \n \n <\/picture>\n \n \n Sii x SAP<\/h2>\n <\/div>\n
\n As an SAP Silver Partner, we have many years of experience in implementing ERP solutions in companies of various scales and process complexities.\n <\/p>\n \n SAP offering<\/span>\n <\/a>\n <\/div>\n<\/div>\n\n\n\nOther errors<\/strong><\/h2>\n\n\n\n\n- Incorrectly assigned or missing system alias during the creation\/configuration of a new FIORI application, specifically for the services supporting it. This results in the application not being visible in the FIORI environment. For more information and examples, refer to: SAP Community – No System Alias found for Service ” and user,”<\/strong><\/a> and SAP Note 3245402 – OData Service throws an error: System alias ‘ ‘ does not exist<\/a><\/li>\n\n\n\n
- Users hide applications themselves \u2013 if users can personalize groups in the FIORI system, users often experiment with the system or accidentally hide tiles from the FIORI application view. This can be done using the Edit Home Page option by clicking on their avatar in SAP FIORI:<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 31 Edit Home Page \u2013 accessing the application<\/figcaption><\/figure>\n\n\n\n
To remind you, there are two ways to verify if a user already has the appropriate role that theoretically should give them access to a specific FIORI application:<\/p>\n\n\n\n
- \n
- For standard SAP FIORI applications, open the publicly accessible SAP FIORI Apps Library<\/a>, select the category “All apps,” choose the appropriate SAP system version, and in the “Configuration” tab, check the “Business Role(s)” table for the list of roles that grant access to the selected application. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n<\/a>
Fig. 2 SAP Fiori apps reference library \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\n - \n
- For both standard and custom SAP FIORI applications, open the transaction \/n\/UI2\/FLPCM_CUST<\/strong> in SAP GUI, go to the “Tiles\/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles”<\/strong> option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n<\/a>
Fig. 3 Launchpad content manager \u2013 list of roles with access to FIORI applications<\/figcaption><\/figure>\n\n\n\n It’s also worth checking whether the FIORI application you searched for is in the FIORI catalog in the form of (Tile+TM) and whether this catalog is assigned to the FIORI role that the user has or wants to assign to them. To verify this, follow the same steps as in the previous points, but at the end, choose the “Show usage in Roles<\/strong>” option, check the “Reference Details<\/strong>” column, and in the PFCG transaction, ensure that the catalog is assigned to the role that the user has or that you want to assign to them.<\/p>\n\n\n\n
<\/a>Fig. 4 Launchpad content manager \u2013 list of catalogs containing Tile + TM<\/figcaption><\/figure>\n\n\n\n If a given application’s information (Tile + TM) is not available in any catalog, then the missing Tile or TM element must be added to the appropriate FIORI catalog. However, this is a topic for a completely separate article. <\/p>\n\n\n\n
For now, I’ve left a link to the SAP Documentation that describes similar cases: SAP Fiori Launchpad Content Manager<\/a>.<\/p>\n\n\n\n
Errors when opening a FIORI tile<\/strong><\/h2>\n\n\n\n
Scenario 1.<\/strong><\/h3>\n\n\n\n
In the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we get a 403\/404 browser error \u2013 an example of such an error is shown below:<\/p>\n\n\n\n
<\/a>Fig. 5 Error 403 \u2013 application fails to load \u2013 no access to content<\/figcaption><\/figure>\n\n\n\n This indicates that an OData service (a service that communicates between the front and backend) is not functioning correctly, is inactive, or has not been implemented in the system. To analyze and fix this, follow these steps:<\/p>\n\n\n\n
Step 1. Run the transaction \/n\/UI2\/FLPCM_CUST<\/strong> <\/p>\n\n\n\n
Step 2. In the “Tiles\/Target Mappings<\/strong>” tab, find the application in question, select it, and choose the option Services -> Check and Show Services<\/strong>. Check the oData V2 Services<\/strong> and oData V4 Services<\/strong> tabs. Below are screenshots from the transaction:<\/p>\n\n\n\n
<\/a>Fig. 6 Launchpad Content Manager \u2013 Check and Show Services<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 7 Launchpad Content Manager \u2013 list of application services<\/figcaption><\/figure>\n\n\n\n If any of the OData services in these tabs have a red status (inactive), you should:<\/p>\n\n\n\n
- \n
- go to the transaction \/n\/IWFND\/MAINT_SERVICE<\/strong>, find the inactive OData service in the External Service Name<\/strong> column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate<\/strong>:<\/li>\n<\/ul>\n\n\n\n<\/a>
Fig. 8 Activate and Maintain Services – activating the OData service<\/figcaption><\/figure>\n\n\n\n If the service status does not change and you receive a system message stating that the service cannot be activated, select ICF Node \u2013> Configure SICF<\/strong>. You will be redirected to the SICF<\/strong> transaction,directly to the tree of objects containing the service. If it is deactivated (grayed out), right-click on it and choose Activate Service<\/strong>, then confirm by selecting the second option, Yes,<\/strong> in the next window, as shown in the screenshots below:<\/p>\n\n\n\n
<\/a>Fig. 9 Activate and maintain services \u2013 navigating to SICF configuration<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 10 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\n It will now be active when you return to your service in the \/n\/IWFND\/MAINT_SERVICE transaction. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\n
- \n
- go to the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction and search for the inactive OData service in the External Service Name<\/strong> column. It has not been implemented in your system if you cannot find it. How can you implement it? Refer to the following articles:\n
- \n
- for oData V2: SAP Note 2525224 \u2013 Missing OData Service when Attempting to Add Service in \/IWFND\/MAINT_SERVICES<\/a> and Activate OData Services for Sana SAP Fiori Apps<\/a><\/li>\n\n\n\n
- for oData V4: Publish\/Activate an oData V4 Service Group in SAP<\/a> and OData V4 Service Catalog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the services are implemented and activated, return to your service in the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction, where it will now be active. Its status will also change to “green” in the OData tabs in the \/n\/UI2\/FLPCM_CUST<\/strong> transaction mentioned at the beginning of Step 2.<\/p>\n\n\n\n
Step 3<\/strong>. Test the application’s functionality in the SAP FIORI Launchpad, preferably after refreshing the page, clearing the browser’s cookies\/cache, or logging back into SAP FIORI.<\/p>\n\n\n\n
Scenario 2.<\/strong><\/h3>\n\n\n\n
In the SAP Launchpad, we found the FIORI application we are interested in. We want to open it, but it takes a very long time, and eventually, instead of the application window, we receive a 403\/500 browser error \u2013 request failed, for example:<\/p>\n\n\n\n
<\/a>Fig. 11 Error \u2013 issue with loading the UI5 component<\/figcaption><\/figure>\n\n\n\n You should proceed in the same way as in Scenario 1, with the difference that in Step 2, you need to check the ICF Services<\/strong> tab. If any ICF service is inactive, you should select it and choose the Define Services<\/strong> option, and then activate the ICF service in the same way as in Scenario 1 \u2013 Step 2, when the system redirected us to the SICF transaction:<\/p>\n\n\n\n
<\/a>Fig. 12 Launchpad Content Manager \u2013 inactive ICF service<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 13 Define services \u2013 activating the ICF service<\/figcaption><\/figure>\n\n\n\n The 403\/500 error \u2013 Request Failed or Component Failed may also have a direct authorization-related cause in the SAP S\/4 HANA system. The user may not have the necessary authorizations for the S_RFCACL<\/strong> authorization object, which we can diagnose using the SU53, STAUTHTRACE, or App Support (in FIORI) transactions. I will mention these tools further in the article.<\/p>\n\n\n\n
Scenario 3.<\/strong><\/h3>\n\n\n\n
The steps taken in Scenarios 1 and 2 did not help, and additionally, we are receiving the following message:<\/p>\n\n\n\n
<\/a>Fig. 14 Error \u2013 problem loading content \u2013 UI5 component<\/figcaption><\/figure>\n\n\n\n This means that the application still cannot locate a particular oData service and, consequently, the ICF service as well. To verify this, you should perform Step 1 and Step 2 from Scenario 1 and check if the number of oData V2 and V4 services matches the documentation for this application in the FIORI Library.<\/a> Any service that is missing should be added similarly to Scenario 1, Step 2(b).<\/p>\n\n\n\n
<\/a>Fig. 15 SAP Fiori Apps Reference \u2013 information about ICF and oData services used by the application<\/figcaption><\/figure>\n\n\n\n <\/a><\/figure>\n\n\n\nAuthorization errors in CDS views<\/strong><\/h2>\n\n\n\n
CDS (Core Data Services) views in SAP allow the creation of advanced, efficient, and complex data models and application logic at the database level. These views can be accessed via SAP FIORI. Still, access to the mentioned data models (Virtual Data Model) in CDS views is always controlled through a combination of the following authorizations:<\/p>\n\n\n\n
- \n
- Classic authorization object checks \u2013 through authorization checks in ABAP code, such as objects (S_TCODE, S_START, S_SERVICE, SDDLVIEW, etc.) \u2013 occur when the application is started.<\/li>\n\n\n\n
- User authorization verification at the CDS view data source level happens dynamically while using the view as it fetches additional data. Permissions in the CDS view code are continually compared to the user authorizations in PFCG.<\/li>\n<\/ul>\n\n\n\n
Below is a diagram comparing the classic approach to authorization verification for ABAP-based applications with the DCL approach for CDS views:<\/p>\n\n\n\n
<\/a>Fig. 16 Comparision of standard ABAP approach with DCL approach for CDS views (diagram inspired from webinar SAP Fiori Security \u2013 Authorization Debugging<\/a>)<\/figcaption><\/figure>\n\n\n\n The DCL (Data Control Language)<\/strong> approach defines what data a user can view, depending on their permissions. It is mainly used to restrict access to data at the record level (row-level security) and at the column level (column-level security) in CDS data models.<\/p>\n\n\n\n
Once defined, authorization rules are automatically applied to all queries using the given CDS view, ensuring consistency and reducing the risk of errors. This allows for dynamic and context-sensitive data access adjustments based on user attributes, which is harder to achieve with the classic approach.<\/p>\n\n\n\n
Due to their more flexible and efficient operation, CDS views and the DCL approach are also increasingly used in standard SAP transactions. An example is the Display Material (MM03) application.<\/p>\n\n\n\n
User tracking<\/strong> and simulation of data access in CDS<\/h3>\n\n\n\n
In transaction STAUTHTRACE<\/strong>, I initiated user tracking to verify which authorizations I am attempting to use. After starting the Display Material (MM03) application, I received the following logs:<\/p>\n\n\n\n
<\/a>Fig. 17 System Trace for authorization checks \u2013 logs with results of individual authorizations \u2013 including CDS views<\/figcaption><\/figure>\n\n\n\n As seen in the CDS Entity column, there is information that some of the data displayed to me in the Display Material (MM03) application comes from a CDS view, and access to this data is authorized at the CDS view level. An important note is that such information will not be available in SU53!<\/p>\n\n\n\n
Therefore, for more detailed verification of logs\/authorization errors, it is also advisable to use transaction STAUTHTRACE. Furthermore, from the logs, I can directly navigate to the CDS Access Control application, allowing me to verify what is being checked in the CDS view to display the appropriate data. Below is an example of the previously invoked view:<\/p>\n\n\n\n
<\/a>Fig. 18 CDS access control \u2013 database script for CDS view with authorization query<\/figcaption><\/figure>\n\n\n\n As shown, there is a fragment of code that, at the CDS view level, compares the values of authorization objects provided here with the authorization objects held by the user currently viewing the CDS view and decides whether the specific data set can be displayed.<\/p>\n\n\n\n
In the example above, this data set pertains to access to product groups (object M_MATE_MAT, field: BEGRU). The CDS view checks what access the user has to the object and displays data only for those product groups (BEGRU) where the user has the activity values 03 (display) and F4 (display in value help).<\/p>\n\n\n\n
Therefore, unlike the classic approach, the system does not check every activity field value (ACTVT) value for the data product groups from the BEGRU field in the ABAP script. Instead, it “fetches” the user’s accesses (activities) to the values in the BEGRU field and, at the database script level, checks if these values are among those specified in the CDS view query. If they are, the data is displayed. A beneficial tool for verifying what data a specific user can access in a view is the CDS Access Control Runtime Simulator (SACM):<\/strong><\/p>\n\n\n\n
<\/a>Fig. 19 Access Control Management \u2013 tool selection screen<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 20 CDS Access Control Runtime Simulator \u2013 Access Simulation Selection screen for a selected user<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 21 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with full access<\/figcaption><\/figure>\n\n\n\n <\/a>Fig. 22 ACM Runtime Simulator \u2013 results of Access Simulation to CDS view for a user with limited access<\/figcaption><\/figure>\n\n\n\n In Fig. 20, it is clear that my user can access all data in this view. However, in Fig. 21, a user with different roles can only access one product group marked as XYZ. Only data for this product group will be displayed to them in the application using this CDS view.<\/p>\n\n\n\n
This is very useful when a user cannot see some data and receives no authorization error, nor does it appear in SU53. In such cases, combining STAUTHTRACE and SACM tools significantly eases the problem analysis.<\/p>\n\n\n\n
Error analysis tools + most commonly detected errors<\/strong><\/h2>\n\n\n\n
SU53<\/strong><\/h3>\n\n\n\n
This is a tool that hardly needs an introduction; it is an absolute classic for analyzing authorization issues in both ABAP and FIORI systems \ud83d\ude0a<\/strong><\/p>\n\n\n\n
In the context of FIORI application functionality, the most common problem is the lack of user authorization for the relevant services (e.g., ODATA) defined in the authorization object S_SERVICE. This will cause issues with opening applications or even result in a lack of access to specific data or options.<\/p>\n\n\n\n
Below is an example of such logs in transaction SU53:<\/p>\n\n\n\n
<\/a>Fig. 23 Example errors related to lack of access to oData Services in authorization Object S_SERVICE<\/figcaption><\/figure>\n\n\n\n To resolve this, you need to either find a role that already contains the object with that value (e.g., using transaction SUIM) or add this value to the S_SERVICE object in an existing role using transaction PFCG:<\/p>\n\n\n\n
<\/a>Fig. 24 Transaction PFCG \u2013 adding oData Services as values to the authorization Object S_SERVICE in a role<\/figcaption><\/figure>\n\n\n\n A limitation of SU53 is that it does not provide logs for all types of authorization errors; for example, it does not include logs for errors related to CDS view authorizations defined at the CDS view code level. <\/p>\n\n\n\n
TIP!<\/strong> As soon as you know that a FIORI application has been affected and check the logs in SU53, it is advisable to save them immediately, as they are only visible for a limited time. This way, you avoid asking the user to “regenerate” the error \ud83d\ude0a Alternatively, you can ask the user to download and send us the logs.<\/p>\n\n\n\n
App Support<\/strong><\/h3>\n\n\n\n
Simplified, this is the equivalent of SU53 but available directly from the SAP FIORI Launchpad. However, this application is not available by default; it must be activated, and the FIORI catalog must be added to the roles we select in SAP. The application appears as follows:<\/p>\n\n\n\n
<\/a>Fig. 25 Main screen of the App Support Application (Source: SAP Fiori for SAP S\/4HANA \u2013 10 health checks for the SAP Fiori launchpad<\/strong><\/a>]<\/figcaption><\/figure>\n\n\n\n SAP documentation on how to activate the application for users: Setting Up App Support<\/a>.<\/p>\n\n\n\n
STAUTHTRACE<\/strong><\/h3>\n\n\n\n
This tool allows you to track which authorization objects are checked during specific user operations. This helps identify which authorizations are required and which are causing problems. You can select the range of users for whom you want to enable tracing and specify the operations you want to track:<\/p>\n\n\n\n
<\/a>Fig. 26 System Trace for Authorization Checks \u2013 STAUTHTRACE<\/figcaption><\/figure>\n\n\n\n This tool will also indicate errors related to permissions for CDS views.<\/p>\n\n\n\n
\/n\/IWFND\/ERROR_LOG<\/strong><\/h3>\n\n\n\n
This diagnostic tool allows verification of error logs during the processing of oData service requests \u2013 errors related to communication between SAP Gateway and the backend system, including data processing issues:<\/p>\n\n\n\n
<\/a>Fig. 27 SAP Gateway Error Log \u2013 Frontend<\/figcaption><\/figure>\n\n\n\n \/n\/IWBEP\/ERROR_LOG<\/strong><\/h3>\n\n\n\n
Similar to the previous tool, it allows verification of error logs during oData request processing, but on the backend side. It also helps analyze errors related to the RFC authorization object – S_RFCACL mentioned earlier:<\/p>\n\n\n\n
<\/a>Fig. 28 SAP Backend Error Log<\/figcaption><\/figure>\n\n\n\n ST22<\/strong><\/h3>\n\n\n\n
A transaction used for analyzing ABAP errors. It is included here because sometimes what initially appears to be an authorization error may not be one \ud83d\ude0a For example, if a user receives an unclear error message that suggests a lack of access. There are no error logs in transaction SU53; it is worth checking logs in transaction ST22 to determine if it is an ABAP\/developer error:<\/p>\n\n\n\n
<\/a>Fig. 29 ABAP Runtime Errors \u2013 ST22<\/figcaption><\/figure>\n\n\n\n Browser Developer Tools (Chrome, Firefox, Edge, Opera, etc.)<\/strong><\/h3>\n\n\n\n
Many things in SAP FIORI occur at the browser level, so using built-in developer tools and their consoles can help pinpoint the source of potential problems \u2013 verify what request was made and which service\/function caused the error. Below is a screenshot of an example error and the information that can be read from the developer tool:<\/p>\n\n\n\n
<\/a>Fig. 30 DevTools in Google Chrome \u2013 Highlighted Segment Indicating a Problem with a Specific oData Service<\/figcaption><\/figure>\n\n\n\n Additional useful tools<\/strong><\/h3>\n\n\n\n
- \n
- \/UI5\/APP_INDEX_CALCULATE<\/strong> \u2013 this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems\u2014especially if changes have been made.<\/li>\n\n\n\n
- \/n\/IWFND\/CACHE_CLEANUP<\/strong> \u2013 in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.<\/li>\n\n\n\n
- SM20 (Security Audit Log)<\/strong> \u2013 used to review user logs, such as their transactions.<\/li>\n\n\n\n
- SLG1 \u2013 Used to review system logs triggered by the user, such as in a specific transaction or program.<\/li>\n\n\n\n
- HTTP Trace Tools \u2013 various tools for monitoring HTTP or oData requests in the context of SAP FIORI applications. You can review detailed information about each request, such as the <\/strong>method (GET, POST, PUT, DELETE), headers, body, response status, response time, and more.<\/li>\n<\/ul>\n\n\n
\n\n \n \n <\/picture>\n \n\nSii x SAP<\/h2>\n <\/div>\n
\n As an SAP Silver Partner, we have many years of experience in implementing ERP solutions in companies of various scales and process complexities.\n <\/p>\n \n SAP offering<\/span>\n <\/a>\n <\/div>\n<\/div>\n\n\n\n
Other errors<\/strong><\/h2>\n\n\n\n
- \n
- Incorrectly assigned or missing system alias during the creation\/configuration of a new FIORI application, specifically for the services supporting it. This results in the application not being visible in the FIORI environment. For more information and examples, refer to: SAP Community – No System Alias found for Service ” and user,”<\/strong><\/a> and SAP Note 3245402 – OData Service throws an error: System alias ‘ ‘ does not exist<\/a><\/li>\n\n\n\n
- Users hide applications themselves \u2013 if users can personalize groups in the FIORI system, users often experiment with the system or accidentally hide tiles from the FIORI application view. This can be done using the Edit Home Page option by clicking on their avatar in SAP FIORI:<\/li>\n<\/ul>\n\n\n\n
<\/a>Fig. 31 Edit Home Page \u2013 accessing the application<\/figcaption><\/figure>\n\n\n\n - Users hide applications themselves \u2013 if users can personalize groups in the FIORI system, users often experiment with the system or accidentally hide tiles from the FIORI application view. This can be done using the Edit Home Page option by clicking on their avatar in SAP FIORI:<\/li>\n<\/ul>\n\n\n\n
- \/n\/IWFND\/CACHE_CLEANUP<\/strong> \u2013 in case of issues with oData services or Fiori applications, such as malfunctioning applications or missing or outdated data, this transaction can help restore proper functioning by clearing the cache, forcing the system to reload current data from the backend.<\/li>\n\n\n\n
- \/UI5\/APP_INDEX_CALCULATE<\/strong> \u2013 this transaction generates or recreates the SAPUI5 application index, which is crucial after deploying new Fiori applications, system updates, or changes in application configuration. Using this transaction is often recommended when facing issues with displaying Fiori applications, such as missing applications or availability problems\u2014especially if changes have been made.<\/li>\n\n\n\n
- for oData V4: Publish\/Activate an oData V4 Service Group in SAP<\/a> and OData V4 Service Catalog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- for oData V2: SAP Note 2525224 \u2013 Missing OData Service when Attempting to Add Service in \/IWFND\/MAINT_SERVICES<\/a> and Activate OData Services for Sana SAP Fiori Apps<\/a><\/li>\n\n\n\n
- go to the \/n\/IWFND\/MAINT_SERVICE<\/strong> transaction and search for the inactive OData service in the External Service Name<\/strong> column. It has not been implemented in your system if you cannot find it. How can you implement it? Refer to the following articles:\n
- go to the transaction \/n\/IWFND\/MAINT_SERVICE<\/strong>, find the inactive OData service in the External Service Name<\/strong> column, select it, and activate it in the ICF Services window at the bottom left by choosing ICF Node -> Activate<\/strong>:<\/li>\n<\/ul>\n\n\n\n
- For both standard and custom SAP FIORI applications, open the transaction \/n\/UI2\/FLPCM_CUST<\/strong> in SAP GUI, go to the “Tiles\/Target Mappings” tab, and enter the exact name of your FIORI tile (case sensitivity and spaces matter!). Select it and choose the “Show usage in Roles”<\/strong> option. Then, in the SU01 or PFCG transaction, verify if the user already has this role assigned.<\/li>\n<\/ul>\n\n\n\n