Technical Articles
Configuring Roles – SAP Fiori Launchpad Cloudfoundry
Hi All,
Today, I would like to show how to configure the roles in Fiori launchpad Cloud foundry. In detail,
We can control the apps that will be displayed in the launchpad, based on the authorization check.
For instance, there are two apps in the FIORI launchpad.
We have two roles in the Application.
1. USER
2. ADMIN.
Fiori Launchpad should show strictly user-related apps if USER Login to the Application.
How to achieve the above scenario?.
Please follow the steps to do that.
Step1: Declare the scopes in xs-app.json
Step 2: Declare the Same scopes in xs-security.json in below formate.
Step 3. Create Roles in xs-security.json inside role-templates sections.
Please note that created roles will display in the Role Collection under your cloud account.
Step 4: Configure Authorization in the manifest.json in your HTML5 Module.
Add below code in the manifest.json: $XSAPPNAME.user was defined in scopes early in step 2
Step 5: Just repeat the above step for another app which is for Admin.
Step 6: Build and Deploy in your cloud foundry account
Step 7: Create Two Roles in Role Collection under the Security section
Step 8: Click on POC_Open_user Role and add Role Templates which you have created already in xs-security.json Please refer Step-3
Select the user role from the template section.
Step 9: Assign roles to the account Id in Trust Configurations.
Step 10: Please open your launchpad approuter URL. You can only see the USER related apps.
Fiori Launchpad Before applying Roles & Authorization
Fiori Launchpad After applying Roles & Authorization ( Assigned User role )
Conclusion: We can filter the apps in the Fiori launchpad Cloud Foundry based on the Roles.
I hope this blog post helps you during your development.
Thanks & Regards
Charan
Thanks Charan for the informative blog.
This information is hard to find inside the SAP documentation. And also there are not a lot of people that have done this with XSA so thanks for sharing Charan ;-)!
Nice. Thanks for sharing
Nice post!
One question, is your application and launchpad in the same MTA or in diferent MTA?
Both are in same application.
Great post!!!!
Great post, thanks for sharing ☺️ One question, is there a possibility to show all assigned users with the associated roles in the ID Service?
Cheers, Markus
Hi Markus,
Its not possible . You have to search with their Email Ids in Trust SAP ID service. There you can see their roles ( You should have Administrators rights )
Thanks
Charan
Great article Lot’s of information to Read…Great work Keep Posting and update to People. Thanks.
Thanks, this is very helpful information.
Out of curiosity: How did you find out about the "sap.platform.cf" entry in the manifest.json? Is it described in some "official" documentation?
Yes, It is available in sap help documentation. However, it is hard to find in the documntation untill we read properly.
Hi Charanraj,
thank you for the info, I have one requirement where I need to pass more than one Scope- "sap.platform.cf" . For example
Hi Abdul Musavir,
It's possible. we have implemented successfully in our project.
Please check xs security.json file and Roles Template properly.
Thanks
Charan
We have following requirement:
same fiori app : javascript.app1, but we configured two tiles with following
{
"id": "app1",
"appId": "com.sap.test.app1",
"vizId": "app1-Manage"
}, {
"id": "app1",
"appId": "com.sap.test.app1",
"vizId": "app1-Others"
},
Now how can we configure two different oAuthScopes (app1Manage, app1Others) for same project javascript.app1.
Now in Launchpad:
For oAuthScope app1Manage we need to show first tile.
For OAuthScope app1Others we need to show second tile.
Regards,
Rama
Hello,
Did you manage to find how to do so ?
We are actually wondering the same for a business scenario on our project.
Thanks,
Jérémy
Hi Jérémy,
Got any Solution ?
Hi Rama ,
Any Luck with this scenario
Hello,
I have seen that on Launchpad service, you are now able to make local copy of an application.
This done, you should be able to assign each app to a group, a catalog and a role.
This said, I haven't try this approach yet. I've just seen recently that the feature was available.
I'm interested on the return of experience if you try this.
Best regards,
jérémy.
Hi Jeremy ,
Same Approach but instead of complete copy . Created new application with different Semantic object and action . Component level extended actual application component instead of SAP Component
Very helpful. Thanks for Sharing!!
Hello charan,
Could you please let me know how to differentiate the User and Admin Assigned roles in Launchpad service in Cloud foundry. I have configured two apps in Launchpad I want assign two different roles in two apps.
I followed all the steps mentioned in blog but I am unable to filter the apps based on Assigned roles.
Thanks in Advance.
Regards,
Mamatha M
Hi Mamatha,
First Step: You have to create two scopes in xs.security.json
Second Step: Assign the above scopes to Role Templates
Third step: In your cloud foundry account create two role collections and assign these role templates each respectively
Fourth Step: Assign this role collection two roles
Fifth step: In Manifest JSON of each app assign each scope
User APP:
"sap.platform.cf": {
"OAuth scopes": ["$XSAPPNAME.user"]
},
Admin APP :
"sap.platform.cf": {
"OAuth scopes": ["$XSAPPNAME.Admin"]
},
build and deploy to your space after you can see your launchpad
Thanks
Charan
Hello charan,
After clearing small issues finally I am done with Role configuration.
Your blog helped me lot, Thank you so much.
Regards,
Mamatha
Nice! Good Luck
thank u
Hi Chetan,
Thanks for the detailed blog, we are having strange error.
we have 3 tiles in one of our application and our requirement is to disable a tile for one type of user.
So we have created 2 scopes and 2 role templates, each role template contains one scope which we defined in xs-security.json file.
we have added in manifest.json files of both modules(tiles) of respective scope at the end of the file.
we also adjusted the xs-app.json file of both the modules(tiles) and done the build and deployed the application cloud.
and we have done correct role and role collection mapping in BTP.
Still we can see both the tiles for the users.is there any other file we need to make any changes? or in our usecase we have attributes in our xs-security.json file along with scopes, is there any additional changes we need to do if we have role templates with attributes.
Note : we have code in visual code.
could you help us if anything need to be done additionally.
were you able to fix it?
we are having the same issue at the moment.
Hi CHARANRAJ THARIGONDA
Is Group -level role access setup in a similar way using the MTA, or handled via the Portal site?
Regards
Adam