Users, roles and authorization objects
Certain authorization objects are required on the Backend and Frontend servers in addition to the application roles required for the specific FAB app. IQX has documented these for your reference. The authorizations may be implemented as recommended below or to your own role and naming convention using PFCG.
Implementing App-Specific FAB Authorisation /IQX/FAB
App-specific authorization can be invoked by the selection of the Authorization Checkbox on the Properties screen and providing a value in the Auth. Group field in the FAB Workbench.
...
from the workbench (TCODE /IQX/FAB). This is implemented in the role /IQX/CONFIG (Section
4.3.3)
FAB Generic User Roles
Assign to who: All users that will use the applications generated by FAB
Where to assign: All systems installed with FAB
Backend
Role Name: /IQX/END_USER
Authorization Objects defined for the role are:
...
Role template: IQX_END_USER.txt
Frontend
Role Name: /IQX/END_USER_GW
...
Role template/upload file: IQX_END_USER_GW.txt
FAB Developer / Cutover Roles (Install on GW and Backend)
Assign to who: Developers and consultants who will perform the configuration
...
Role template/upload file: IQX_CONFIG.txt
FAB Support Roles (Install on GW and Backend)
Assign to who: Users, usually developers/consultants, that will provide support in the Production environment
...
Role template/upload file: IQX_SUPPORT.txt
OneList Admin role
Assign to who: Developer in Dev/UAT environment, Support users, Administrative users that support in Production environment
...
Role template file: IQX_OL_ADMIN.txt
Trust relationship, set up and testing using SM59.
For a Hub deployment, a trust relationship is required between the BE and FE servers. This enables communication between the two servers. The trust relationship is achieved by setting up the same user in both the BE and FE servers and then testing the connection using SM59. Refer to section 4.3.2.1 for details on the authorization/role implementation related to trusted RFC.
...