quarta-feira, 25 de janeiro de 2023

SAP Fiori for SAP S/4HANA –How to restrict filter values in SAP Fiori apps

 TL;DR: Explicit authorizations are your best bet for limiting the values in filters of SAP Fiori apps. You can identify which AuthObjects to set from the authorization proposals of the related OData Services, i.e. the OData Services are listed against the SAP Fiori app in the SAP Fiori apps library. Where authorizations are not applied, you can use public or role-specific views to preset correct filter values. Avoid deleting SAP standard configuration codes.   

A few days ago one of my SAP S/4HANA customers came to me with a problem:

“We have configured our own values for various dropdown fields.

Now in our SAP Fiori apps both our own values and the original SAP values are showing.

We don’t want to lose the standard SAP values in case we need them for troubleshooting or comparison.

How do we hide the standard SAP values so that our users only select our values?”

Example%20of%20what%20the%20customer%20wanted%20to%20achieve%20-%20keep%20the%20custom%20values%2C%20hide%20the%20filter%20values%20in%20the%20Notification%20Type%20filter%20of%20F2071%20Find%20Maintenance%20Notifications

Example of what the customer wanted to achieve – keep the custom values, hide the filter values in the Notification Type filter of F2071 Find Maintenance Notifications

The customer’s primary concern was to avoid confusion for business users. They didn’t want maintenance techs learning to use the app to be presented with a lot of irrelevant values.

After a few discussions with some functional experts – and a little experimentation – it was clear this was a reasonably common request.  Given that hundreds of SAP Fiori apps contain a filter bar, we thought it was worth sharing how we resolved it.

In brief, after evaluating the options it was clear that:

  1. Authorizations were the best approach to restrict filter values
  2. When authorizations are not available for a filter value, a public or role-specific view is an acceptable alternative

But the real trick is how to find which authorizations you need to set! You will learn how you can find this in the explanation below.

If you want to know more about creating public and role-specific views, refer to blog post SAP Fiori for SAP S/4HANA – New options for managing Views for filters tables and charts

Note: All screenshots in this blog post are from the author’s SAP S/4HANA 2022 trial system, however the approach described works much the same in previous SAP S/4HANA releases (with some minor differences e.g. in the look and feel of Adapt Filters).  The customer in question was using SAP S/4HANA 2021.

The example use case

The customer was using some of the SAP Fiori apps for enterprise asset management (EAM), such as:

  • F2071 Find Maintenance Notifications
  • F2175 Find Maintenance Orders
  • F2173 Find Maintenance Orders and Operations

These apps all use the Fiori elements list report floorplan which includes a smart filter bar and a table showing the results found.

The customer had configured their own values for the fields:

  • Notification Type,
  • Order Type,
  • Maintenance Activity Type, and
  • Priority

When they used the apps, for these fields the filters showed their custom values and the SAP standard values.

For example: In F2071 Find Maintenance Notification, the filter on Notification Type brings:

  • SAP standard values M1, M2, M3
  • Custom values MA, MF, MR

By%20default%20app%20F2071%20Maintenance%20Notifications%20showed%20both%20SAP%20values%20and%20custom%20values%20in%20the%20Notification%20Type%20filter

By default app F2071 Maintenance Notifications showed both SAP values and custom values in the Notification Type filter

The customer was concerned – rightly – that this would be confusing for their business users. They only wanted their business users to see their custom values.

But how what was the best way to remove the unwanted SAP values?

The%20aim%20of%20the%20customer%20-%20hide%20the%20default%20SAP%20values%20in%20the%20Notification%20Type%20filter

The aim of the customer – hide the default SAP values in the Notification Type filter

Options for restricting filter dropdown values

After a few discussions, these were the options considered for hiding the default SAP values:

  1. Delete the standard SAP values
  2. Do a complex extension to hide the values programmatically
  3. Restrict filter values with authorizations
  4. Create a public or role-specific view in the app

Option 1: Delete the standard SAP values

This is possible but risky.

While some of our functional consultants confirmed this was something they had seen done at some customers it’s not ideal. Whenever you delete standard SAP values you risk removing dependent configuration entries that your own custom values may depend on.

Plus, if you discover something is not working as you want, it’s very useful to have the standard SAP values to review.

Decision: Risky. Avoid this approach. 

Option 2: Do a complex extension to hide the values programmatically

This is possible but high effort.

It requires a developer to do a detailed evaluation of the app, most likely create a copy of the app, and then adjust the copy using the Business Application Studio or VSCode.

Depending on how the app was written (freestyle vs. Fiori elements), and depending on the experience of the developer, this can be quite complex and time-consuming.

Creating a copy of the app is an additional TCO (total cost of ownership) burden as the support of the app is then the customer’s responsibility.  Any improvements or corrections made to the original app must also be applied manually to the copy. Even where an adaptation project is possible, that’s another piece of code you and your customer must support. For example, if the business needs to add another custom value, they may need to call a developer back in to change the app.

Also, SAP Fiori developer skills are at a premium and this seemed a very expensive and effortful way of making what should be a relatively simple change.

Decision: Expensive. Effortful. Avoid this approach.

Option 3: Restrict filter values with authorizations

This sounded like a possible answer but needed some a little experimentation to confirm.

Like many sandbox and development systems, many of the business roles were authorized with AuthObject set to “*” i.e. all values.  So, what would happen if users were only authorized to use the custom values and not the standard SAP values? Success!

This took care of most of the fields that the customer needed to restrict as most of them could be controlled through authorizations.

Decision: Relatively easy. Effective. Preferred approach.

How to restrict filter values with authorizations

To restrict filter values, you need to:

  1. Identify which AuthObjects to set
  2. Identify which Business Roles need to be changed
  3. Adjust the AuthObjects in the role and regenerate the authorization profile

Finding the AuthObjects of a SAP Fiori app

So perhaps the trickiest part of this approach is working out how to find the AuthObjects. AuthObjects are the lowest level of the security role. AuthObjects control which activities and objects users are allowed to perform.

Hint: This is the time to start getting your security administrator involved.  They will have access to the right tools to find and adjust authorizations.  They are also responsible for updating the related business roles with the authorizations you find.

There are several ways to find AuthObjects – some are easy than others:

  1. AuthObjects may be listed in the app documentation or a SAP Note for that app.
  2. Authorization trace (transaction STAUTHTRACE) you could run an authorization trace across the user. It might still be quite tricky to find which AuthObject relates to which field of the app.
  3. Authorization proposals as explained in Getting back to Standard Proposals with SU24 Authorisation Variants

Hint: What about using the SAP Fiori launchpad App Support? App Support captures failed authorizations, in this use case there are no failed authorizations because the user can see all values, i.e. all authorizations have been passed successfully.

Authorization proposals turned out to be the easiest way to find the AuthObjects with a simple 3 step process:

  1. Find the OData Service(s) of the SAP Fiori app. This was easily found in the SAP Fiori apps library

Example%20of%20finding%20the%20OData%20Service%20of%20the%20SAP%20Fiori%20app%20in%20the%20SAP%20Fiori%20apps%20library

Example of finding the OData Service of the SAP Fiori app on the tab Implementation Information section Configuration in the SAP Fiori apps library

  1. Find the authorization proposals for the OData Service. This was easily found in transaction SU24. By searching on the for the gateway service and using the OData Service id, you can find all the AuthObjects evaluated by the app.

Example%20of%20selecting%20the%20gateway%20service%20and%20the%20OData%20Service%20in%20GUI%20transactionSU24

Example of selecting the gateway service and the OData Service in GUI transaction SU24

Example%20of%20the%20list%20of%20AuthObjects%20evaluated%20by%20the%20OData%20Service%20as%20shown%20in%20transaction%20SU24

Example of the list of AuthObjects evaluated by the OData Service as shown in transaction SU24

  1. Find the AuthObject for the field. While some apps can apply several authorizations (this service applied 45) this was still a relatively simple process to scroll through the list and identify the correct AuthObject.

Example%20of%20finding%20the%20AuthObject%20for%20Notification%20Types%20by%20reading%20the%20titles%20of%20the%20listed%20AuthObjects%20in%20SU24

Example of finding the AuthObject for Notification Types by reading the short text of the listed AuthObjects in SU24

For example, for notification types, you can see the AuthObject is called I_QMEL which has the short text “PM/QM Notification Types”. The Check Indicator value “Check” confirms that this authorization is checked by the OData Service.

IMPORTANT: When using transaction SU24, you will need to use a different value for the Type of Application parameter depending on whether your SAP Fiori app uses and ODatav2 or an ODatav4 service.  Most older apps use ODatav2 – the matching parameter value is “SAP Gateway Business Suite Enablement – Service”.  Increasingly new apps use ODatav4 – the matching parameter value is “SAP Gateway OData V4 Service Group & Assignments”.

Identifying which business roles need to be changed

So the second challenge is to know which business roles need to be changed.

Here the easiest tool to help find this was the Launchpad Content Manager (Client-specific). You can reach this from the Fiori launchpad if you have the Fiori Administrator role (by default called Z_FIORI_FOUNDATION_ADMIN) or by calling GUI transaction /UI2/FLPCM_CUST.

Hint: The Fiori Administrator role is generated by your technical team using task list SAP_FIORI_FOUNDATION_S4. It grants all the launchpad content and layout tools to people assigned this role.

The%20launchpad%20of%20the%20Fiori%20Administrator%20role%20highlighting%20the%20tile%20Launchpad%20Content%20Manager%20Client-Specific

The launchpad of the Fiori Administrator role highlighting the tile Launchpad Content Manager Client-Specific

By going to the Tiles/Target Mapping tab it is an easy matter to search for the app by its id. By default this shows the business catalogs that hold the app. You can even use the Show Usage in Roles feature to find the roles.

Example%20of%20Launchpad%20Content%20Manager%20Tiles%20and%20Target%20Mappings%20tab%20showing%20the%20result%20of%20searching%20for%20app%20F2071%20and%20highlighting%20the%20Show%20Usage%20in%20Roles%20button

Example of Launchpad Content Manager Tiles and Target Mappings tab showing the resulting catalogs found when searching for app F2071 and highlighting the Show Usage in Roles button

You can see in this example that both standard SAP business roles and custom business roles in which the app is assigned are listed.

Example%20in%20Launchpad%20Content%20Manager%20showing%20the%20SAP%20and%20custom%20business%20roles%20to%20which%20app%20F2071%20is%20assigned

Example in Launchpad Content Manager showing the SAP and custom business roles to which app F2071 is assigned

Obviously, the customer only needed to change their custom business roles. You can even select a role and launch straight into the role maintenance transaction using the button Open in PFCG. You can even export the list of roles to a spreadsheet in case you need to discuss the change with the role owners first.

Example%20in%20Launchpad%20Content%20Manager%20highlighting%20the%20Export%20button%20and%20the%20Open%20in%20PFCG%20button%20in%20the%20Roles%20containing%20tile/target%20mapping%20pane

Example in Launchpad Content Manager highlighting the Export button and the Open in PFCG button in the Roles containing tile/target mapping pane

Process to adjust the Authorizations

  1. Edit the role’s authorization data to set explicit values for the relevant AuthObject. You can use tools such as GUI transaction PFCG which provides both individual role maintenance and Mass Maintenance of Authorization Values options.
  2. Once the AuthObjects have been changed, you then need to regenerate the role’s authorization profile to update the role and apply it to users.

For example, for individual maintenance you adjust the AuthObjects in the Authorization Data maintenance area which is reached from the Authorization tab of transaction PFCG. In the example below, you can see the 3 values to be kept are maintained against the AuthObject I_QMEL. The other values are unchanged.  The generate button is highlighted.

Example%20of%20adjusting%20the%20authorizations%20for%20AuthObject%20I_QMEL%20in%20the%20Change%20Role%20Authorizations%20dialog

Example of adjusting the authorizations for AuthObject I_QMEL in the Change Role Authorizations dialog

The resulting impact on the SAP Fiori app is that only the authorized filter values are available.

Now%20that%20authorizations%20have%20been%20adjusted%20the%20SAP%20Fiori%20app%20F2071%20only%20displays%20the%20custom%20values%20for%20the%20Notification%20Type%20filter

Now that authorizations have been adjusted the SAP Fiori app F2071 only displays the custom values for the Notification Type filter

Option 4: Create a public or role-specific view in the app

For most of the filter values the customer needed to control we could find authorization objects for the fields.  However, some filter fields were not controlled by authorizations, such as Priority.

This was a different challenge as the same priority code could mean something different depending on the priority type that was relevant. In the example below you can see that priority 1 is very high for some most priority types; high for SL and SR; low for priority type SR; and so on.

Now%20that%20authorizations%20have%20been%20adjusted%20the%20SAP%20Fiori%20app%20F2071%20only%20displays%20the%20custom%20values%20for%20the%20Notification%20Type%20filter

Example of the default values for the Priority filter showing priorities for many different priority types

Priority Type was obviously important in restricting which priorities were relevant.  Time to check Adapt Filters! You can see the button immediately after the Go button.

Example%20of%20the%20filter%20bar%20highlighting%20the%20standard%20Adapt%20Filters%20button%20in%20the%20filter%20area%20ofSAP%20Fiori%20app%20F2071%20Find%20Maintenance%20Notifications

Example of the filter bar highlighting the standard Adapt Filters button in the filter area ofSAP Fiori app F2071 Find Maintenance Notifications

Sure enough Priority Type was an optional available filter.

Example%20of%20finding%20the%20Priority%20Type%20filter%20in%20the%20Adapt%20Filters%20dialog%20of%20SAP%20Fiori%20app%20F2071

Example of finding the Priority Type filter in the Adapt Filters dialog of SAP Fiori app F2071

By selecting the Priority Type it is added as a filter, and you can use the up/down arrow heads to adjust the sequence of filters in the filter bar.

Example%20showing%20Priority%20Type%20selected%20as%20an%20additional%20filter%20and%20the%20up/down%20arrowhead%20icons%20have%20been%20used%20to%20position%20the%20filter%20within%20the%20filter%20bar

Example showing Priority Type selected as an additional filter and the up/down arrowhead icons have been used to position the filter within the filter bar

You can then select which priority types are relevant for the user.

Example%20of%20restricting%20the%20available%20priority%20types%20using%20the%20Priority%20Type%20filter

Example of restricting the available priority types using the Priority Type filter

This restricted the Priorities to only those relevant for selection.

Example%20showing%20the%20impact%20on%20the%20Priorities%20filter%20once%20Priority%20Types%20have%20been%20restricted

Example showing the impact on the Priorities filter once Priority Types have been restricted

To save those settings so they were defaulted for our maintenance technicians, you can simply create a role-specific or public view.

Example%20showing%20where%20the%20user%20selects%20the%20custom%20public%20view%20for%20Plant%20Maintenance%20and%20Service%20Notifications

Example showing the top of the filter bar where the user selects the custom public view for Plant Maintenance and Service Notifications

Decision: Easy. Effective. Reasonable alternative where fields are not covered by authorizations.

Becoming a SAP Fiori for SAP S/4HANA guru

You’ll find much more on the community topic page for SAP Fiori for SAP S/4HANA

Other helpful links in the SAP Community:

Brought to you by the SAP S/4HANA Customer Care and RIG.


Source: https://blogs.sap.com/2023/01/25/sap-fiori-for-sap-s-4hana-how-to-restrict-filter-values-in-sap-fiori-apps/

segunda-feira, 23 de janeiro de 2023

Review and Validate Tools for SAP Script Forms

 After completing a few cycles of form remediation which includes hundreds of SAP script forms, I keep trying to prepare some tools for self-check and quick validation of SAP script forms. In this article, I wrap up various programs for such purposes.

 

<1> Script Form Break-Down Tools by Michael Keller

  • 1. It can provide different colors for Element, Command, and Comment lines which will much easier to check syntax;
  • 2. Also this tool has Indentation for IF/ELSE/ENDIF/CASE/WHEN statements can help quick identity fundamental flaws;
  • 3. Fold and Unfold pairs of IF/ENDIF, etc.

Please check more details about this program at this.

 

<2> Script Form Scanner post by Sabrina Pinto

  • It will help find where used list of any text string for all SAP scripts in one shot.
  • It can check all included standard texts related to addresses or Logos easier and determine how many forms and which windows are actually sharing the same SO10 text now.

Please check more details about this program at this.

<3> Standard Text SO10 Scanner

May need to update hundreds of standard text especially related to address with conditions, I create this tiny program to check the specific text inside the standard text.

  1. This could be used to check where used list for any specific address and find which could be shared or updated together;
  2. Can be used to validate new standard text maintenance and related remediation.

REPORT z_so10_search.
TABLES: stxh.

*-----------------------------------------------------------------------
* Types& Data Definition
*-----------------------------------------------------------------------
TYPES: BEGIN OF ty_out,
         tdobject TYPE stxl-tdobject,
         tdname   TYPE stxl-tdname,
         tdid     TYPE stxl-tdid,
         tdspras  TYPE stxl-tdspras,
         tdformat TYPE tdformat,
         flag     TYPE flag,
         tdline   TYPE tdline,
       END OF ty_out.
DATA: gt_out TYPE TABLE OF ty_out,
      gs_out TYPE ty_out.

TYPES: BEGIN OF ty_stxh,
        tdobject TYPE stxl-tdobject,
        tdname LIKE stxh-tdname,
        tdspras LIKE stxh-tdspras,
      END OF ty_stxh.
DATA: gt_stxh TYPE TABLE OF ty_stxh,
      gs_stxh TYPE ty_stxh,
      gt_lines LIKE TABLE OF tline,
      gs_lines LIKE LINE OF gt_lines.

*-----------------------------------------------------------------------
* Selection Parameters
*-----------------------------------------------------------------------

SELECTION-SCREEN: BEGIN OF BLOCK a2 WITH FRAME TITLE text-002.
PARAMETERS p_search(80) OBLIGATORY.
PARAMETERS: P_match AS CHECKBOX. "display only specific line
SELECTION-SCREEN: END   OF BLOCK a2.

SELECTION-SCREEN SKIP.
SELECTION-SCREEN: BEGIN OF BLOCK a1 WITH FRAME TITLE text-001.
SELECT-OPTIONS: s_tdname FOR stxh-tdname.
PARAMETERS p_obj   TYPE stxh-tdobject OBLIGATORY DEFAULT 'TEXT'.
PARAMETERS p_id    TYPE stxh-tdid DEFAULT 'ST'.
PARAMETERS p_langu LIKE stxh-tdspras DEFAULT 'EN'.
SELECTION-SCREEN: END   OF BLOCK a1.

*-----------------------------------------------------------------------
* START-OF-SELECTION
*-----------------------------------------------------------------------
START-OF-SELECTION.
  PERFORM get_data.

*-----------------------------------------------------------------------
* FORM GET_DATA
*-----------------------------------------------------------------------
FORM get_data.
  DATA: l_tab_tadir     TYPE TABLE OF tadir,
        l_str_tadir     TYPE tadir,
        l_tabix_str(10) TYPE c,
        l_percentage    TYPE p,
        l_cnt           TYPE i,
        l_text          TYPE itex132,
        l_cnt_str(10)   TYPE c.

  REFRESH gt_stxh.
  SELECT tdobject tdname tdspras
    FROM stxh
    INTO TABLE gt_stxh
    WHERE tdname IN s_tdname
    AND tdobject = p_obj
    AND tdid = p_id
    AND tdspras = p_langu.

* Write count of programs into list
  DESCRIBE TABLE gt_stxh LINES l_cnt.
  IF l_cnt = 0.
    EXIT.
  ENDIF.

  l_cnt_str = l_cnt.
  CONDENSE l_cnt_str.

  REFRESH: gt_out.
  LOOP AT gt_stxh INTO gs_stxh.

    l_tabix_str = sy-tabix.
    CONDENSE l_tabix_str.
    IF l_cnt IS NOT INITIAL.
*   Display progress indicator
      l_percentage = 100 * ( sy-tabix / l_cnt ).

      CONCATENATE '(' 'Processing'(009) l_tabix_str 'of'(010) l_cnt_str ')'
                   'Searching Text object'(008) gs_stxh-tdname
                  INTO l_text SEPARATED BY space.
      CALL FUNCTION 'SAPGUI_PROGRESS_INDICATOR'
        EXPORTING
          percentage = l_percentage
          text       = l_text.
    ENDIF.

    REFRESH gt_lines.
    CALL FUNCTION 'READ_TEXT'
      EXPORTING
*       CLIENT                  = SY-MANDT
        id                      = p_id
        language                = gs_stxh-tdspras
        name                    = gs_stxh-tdname
        object                  = p_obj
      TABLES
        lines                   = gt_lines
      EXCEPTIONS
        id                      = 0
        language                = 0
        name                    = 0
        not_found               = 0
        object                  = 0
        reference_check         = 0
        wrong_access_to_archive = 0
        OTHERS                  = 0.

    FIND ALL OCCURRENCES OF REGEX p_search IN TABLE gt_lines
* RESPECTING CASE
    RESULTS DATA(results).

    SEARCH gt_lines FOR p_search.
    IF sy-subrc EQ 0.
      CONDENSE gs_stxh-tdname.
      CLEAR gs_out.
      MOVE-CORRESPONDING gs_stxh TO gs_out.
      LOOP AT gt_lines INTO gs_lines.
        gs_out-tdformat = gs_lines-tdformat.
        gs_out-tdline   = gs_lines-tdline.
        SEARCH gs_lines FOR p_search.
        IF sy-subrc EQ 0.
          gs_out-flag = 'X'.
        ELSE.
          CLEAR gs_out-flag.
          if P_match = 'X'.
            CONTINUE.
          endif.
        ENDIF.

        APPEND gs_out TO gt_out.
      ENDLOOP.
    ENDIF.
  ENDLOOP.

  IF gt_out[] IS NOT INITIAL.
    cl_demo_output=>display_data( gt_out ).
  ELSE.
    WRITE: / 'String not found!'.
  ENDIF.

ENDFORM.

Hope those tools could help during the work of SAP script forms remediation and new address-related maintenance.


Source: https://blogs.sap.com/2023/01/12/review-and-validate-tools-for-sap-script-forms/