We’re experiencing a persistent authorization error in our SAP PLM Fiori requirements management app after assigning a custom catalog to users. The error appears immediately when users try to access the Requirements Overview tile from the Fiori Launchpad.
The issue started after we created a custom catalog (Z_REQ_MGMT_CAT) to control access to requirements functionality. We’ve assigned the catalog to the relevant user roles, but users still get “Authorization missing for service /UI2/FLP” when clicking the tile. The Fiori catalog mapping seems correct in transaction /UI2/FLPCM_CONF, and the target mapping points to the right semantic object.
We’ve checked the authorization object S_START assignment in PFCG, and it appears to be included in the roles. The app log shows entries related to authorization checks, but we’re struggling to interpret which specific authorization object is failing. Has anyone encountered similar issues with custom Fiori catalogs blocking requirements app access in SAP PLM 2022?
Update: ST01 trace revealed the issue! The authorization check was failing on object S_SERVICE with a specific service key that wasn’t in our role.
Have you checked the app log with transaction SLG1? Filter by object /UI2/FLP and look for entries around the time of the error. The log usually contains detailed information about which authorization check failed and what values were being checked. In my experience with PLM Fiori apps, sometimes the issue is not the catalog itself but missing authorization for the underlying OData service metadata access.
One thing to verify - did you transport the catalog assignment or just create it in the development system? I had a case where the catalog existed but the business role assignment wasn’t transported correctly to QA. Run transaction /UI2/FLPD_CONF and check if your Z_REQ_MGMT_CAT shows up with the correct target mappings in all systems.
Perfect timing on this question - I just resolved an identical issue last week. Here’s the complete solution addressing all three aspects:
Fiori Catalog Mapping:
The catalog assignment itself is usually correct, but you need to verify the complete chain. In /UI2/FLPCM_CONF, confirm that Z_REQ_MGMT_CAT contains the tile, the tile has the correct target mapping, and that target mapping points to semantic object REQ_MGMT with action display (or manage). Most importantly, check that the catalog is assigned to a business role that your users actually have.
Authorization Object Assignment:
This is where the real problem lies. You need THREE authorization objects working together:
- S_START - Grant access to semantic object REQ_MGMT with appropriate actions
- S_SERVICE - This is the one that usually gets missed. Add service key ZREQUIREMENTS_SRV (or your specific service name)
- S_RFC - For backend function module calls, grant access to RFC ZREQ_* or specific function groups
In PFCG, edit your role, go to the Authorization tab, and manually add these objects if they’re missing. For S_SERVICE specifically, you may need to use transaction SU24 to check which services are associated with the requirements transaction and add them to your authorization profile.
App Log Analysis:
Use SLG1 with these filters to diagnose authorization issues:
- Object: /UI2/FLP
- Sub-object: NAVIGATION
- Date/Time: When error occurred
The log entries will show you the exact authorization check that failed, including the object name and field values being checked. Look for entries with message type ‘E’ (Error). Cross-reference the failed object with your role in PFCG.
One additional tip: After making authorization changes, users must log out completely from Fiori Launchpad and log back in. Simply refreshing the browser won’t pick up the new authorizations. Also run transaction SU53 immediately after the error occurs - it shows the last failed authorization check with complete details.
The combination of proper catalog mapping, complete authorization object assignment, and systematic log analysis should resolve your issue. Test with a single user first before rolling out to the broader team.
I’ve seen this before. The problem is usually in the authorization default values for S_START. You need to explicitly grant access to the semantic object. Go to PFCG, edit your role, navigate to the Authorization tab, find S_START, and check if the semantic object REQ_MGMT (or whatever your app uses) is listed. If it’s showing a wildcard or generic value, you need to add the specific semantic object and action. Also double-check that you’ve run the authorization trace (ST01) while reproducing the error - that will show you exactly which object is failing the check.