7.0 Module 7: Customization, Security, and Operations
7.1 The Importance of a Secure and Customized Fiori Environment
A successful SAP Fiori implementation does not end with configuration. Its long-term value depends on ensuring the environment is secure, adaptable, and operationally sound. Security is paramount to protect sensitive business information and processes from unauthorized access. Customization is crucial for adapting the system to meet specific business needs and evolving requirements, such as applying corporate branding. Finally, a clear understanding of data flow and workflow integration is essential for troubleshooting and managing the system effectively.
7.2 Extending and Theming SAP Fiori
SAP provides powerful tools for tailoring the Fiori experience to an organization’s specific needs.
- UI Theme Designer: The UI Theme Designer is a browser-based, What-You-See-Is-What-You-Get (WYSIWYG) tool for applying corporate branding to Fiori applications. It allows designers to modify existing theme templates without writing code. Key features include live previews, different levels of theming (Quick for basic changes, Expert for detailed control), and cross-technology capabilities, enabling a single custom theme to be applied to SAPUI5 apps, Web Dynpro ABAP, and other technologies for a consistent look across the entire SAP landscape.
- Fiori App Extensibility: Standard Fiori apps can be extended to add custom functionality. This can be done at two different layers:
  - ABAP Back-End Layer: Business Add-Ins (BAdIs) can be implemented to modify or enhance the standard business logic of the application.
  - UI Layer: Developers can create custom UI applications that extend the standard SAP-delivered apps. This allows for changes to the user interface, such as adding new fields or modifying layouts, without altering the original application code.
7.3 A Framework for SAP Fiori Security
Securing a Fiori landscape requires a multi-layered approach. User management is required on both the ABAP front-end server (NetWeaver Gateway) and the ABAP back-end server to ensure proper access control.
Authentication Methods
When a user launches a Fiori app, the front-end server must first authenticate their identity. SAP NetWeaver supports several robust authentication mechanisms, and it’s important to understand the primary use case for each:
- SPNEGO/Kerberos: This is ideal for seamless authentication in a corporate LAN environment. It allows users already logged into a Windows domain to access Fiori without re-entering credentials, providing a true single sign-on experience.
- SAP Logon Tickets: After an initial authentication, the system can issue a logon ticket. This acts as a trusted credential that allows the user to access multiple SAP applications and services across the landscape without repeatedly providing their password.
- X.509 Certificates: These are digital certificates that provide strong, cryptography-based authentication. This method is often used for high-security scenarios, verifying the identity of the user or client machine.
Once a user is authenticated on the front-end, communication to the back-end system is handled via a trusted RFC connection, which establishes a secure session without requiring the user to authenticate again.
Secure Network Communication (SNC)
SNC provides an additional layer of security for protecting data in transit between different SAP system components. It integrates external security products to apply strong cryptographic algorithms to the data communication paths. SNC offers three distinct levels of protection:
- Authentication only: Verifies the identity of the communication partners. This is the minimum level of protection.
- Integrity protection: Detects any changes or manipulation of the data during transmission.
- Privacy protection: Encrypts the messages, making the data unreadable to eavesdroppers. This is the maximum level of protection and also includes integrity protection.
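The three levels map to values 1, 2 and 3 of the SNC quality-of-protection profile parameters. The following is an added example, not part of the original course material: a small auditor that reads an instance profile and reports settings that let traffic drop below privacy protection. The `snc/...` names are SAP profile parameters that this page does not show, both profiles are constructed sample input, and treating an unset `snc/accept_insecure_*` as `0` is an assumption.

```python
# Added example; the snc/* parameter names are SAP profile parameters not shown on the page.
LEVELS = {1: "authentication only", 2: "integrity protection", 3: "privacy protection"}

WEAK_PROFILE = """
# constructed: SNC on, but level 1 is tolerated and non-SNC RFC is accepted
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
"""

HARDENED_PROFILE = """
# constructed: privacy protection enforced, no non-SNC fallback
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(params, required=3):
    """List the settings that let traffic fall below the `required` SNC level."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, so no protection level applies"]
    findings = []
    for key in ("snc/data_protection/min", "snc/data_protection/max"):
        raw = params.get(key)
        if raw is None:
            findings.append(f"{key} is not set in this profile: check the effective value")
        elif not raw.isdigit() or int(raw) < required:
            label = LEVELS.get(int(raw), "unknown") if raw.isdigit() else "invalid"
            findings.append(f"{key}={raw} ({label}) is below '{LEVELS[required]}'")
    for key in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc", "snc/accept_insecure_cpic"):
        if params.get(key, "0") != "0":  # assumption: unset is treated as 0
            findings.append(f"{key}={params[key]}: connections without SNC are still accepted")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_snc(parse_profile(text)) or "OK")
```

An empty result means the profile enforces the required level; pass `required=2` to accept integrity protection as the floor.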
7.4 Analyzing Data Flow and Workflow Integration
- Data Flow: The data flow in a Fiori system follows a standard request-response architecture over HTTP/HTTPS. The Front-End Server acts as both a web server (hosting UI objects and the Launchpad) and an OData proxy. When a Fiori app needs data, it sends an OData request to the front-end server. The server, using a system alias and a trusted RFC connection, forwards this request to the Back-End Server, which contains the business logic and application data. The back-end processes the request, retrieves the data, and sends it back along the same path.
- SAP Business Workflow: SAP Business Workflow is a powerful engine for automating business processes. It captures events (such as the creation of a document) and routes work items to the appropriate users for action. Fiori can be configured to integrate directly with this engine. This allows users to receive, view, and act on their workflow items, such as approval requests, directly from their Fiori Launchpad, turning it into a centralized inbox for all their tasks.
This exploration of operational aspects naturally leads to the foundational development concepts of SAPUI5, which are necessary for building and extending the Fiori applications themselves.