Skip to Content
Technical Articles
Author's profile photo CHARANRAJ THARIGONDA

Configuring Roles – SAP Fiori Launchpad Cloudfoundry

Hi All,

Today, I would like to show how to configure the roles in Fiori launchpad Cloud foundry. In detail,

We can control the apps that will be displayed in the launchpad, based on the authorization check.


For instance, there are two apps in the  FIORI launchpad.

We have two roles in the Application.



Fiori Launchpad should show strictly user-related apps if USER Login to the Application.

How to achieve the above scenario?.

Please follow the steps to do that.

Step1: Declare the scopes in xs-app.json



Step 2: Declare the Same scopes in xs-security.json in below formate.


Step 3. Create Roles in xs-security.json inside role-templates sections.

Please note that created roles will display in the Role Collection under your cloud account.



Step 4:  Configure Authorization in the manifest.json in your HTML5 Module.


Add below code in the manifest.json: $XSAPPNAME.user was defined in scopes early in step 2


Step 5: Just repeat the above step for another app which is for Admin.


Step 6: Build and Deploy in your cloud foundry account


Step 7: Create Two Roles in Role Collection under the Security section



Step 8:  Click on POC_Open_user Role and add Role Templates which you have created already in xs-security.json Please refer Step-3



Select the user role from the template section.


Step 9: Assign roles to the account Id in Trust Configurations.



Step 10: Please open your launchpad approuter URL. You can only see the USER related apps.

Fiori Launchpad Before applying Roles & Authorization

Fiori Launchpad After applying  Roles & Authorization ( Assigned User role )


Conclusion: We can filter the apps in the Fiori launchpad Cloud Foundry based on the Roles.

I hope this blog post helps you during your development.


Thanks & Regards


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Yatin Parab
      Yatin Parab

      Thanks Charan for the informative blog.


      Author's profile photo shervin soleymanpoor
      shervin soleymanpoor

      This information is hard to find inside the SAP documentation. And also there are not a lot of people that have done this with XSA so thanks for sharing Charan ;-)!

      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Nice. Thanks for sharing

      Author's profile photo Enric Castella Gonzalez
      Enric Castella Gonzalez

      Nice post!


      One question, is your application and launchpad in the same MTA or in diferent MTA?

      Author's profile photo CHARANRAJ THARIGONDA
      Blog Post Author

      Both are in same application. 


      Author's profile photo Bruno Amaral
      Bruno Amaral

      Great post!!!!

      Author's profile photo Markus Bechler
      Markus Bechler

      Great post, thanks for sharing ☺️ One question, is there a possibility to show all assigned users with the associated roles in the ID Service?

      Cheers, Markus

      Author's profile photo CHARANRAJ THARIGONDA
      Blog Post Author

      Hi Markus,

      Its not possible . You have to search with their Email Ids in Trust SAP ID service. There you can see their roles ( You should have Administrators rights )



      Author's profile photo Anaya Z
      Anaya Z

      Great article Lot’s of information to Read…Great work Keep Posting and update to People. Thanks.

      Author's profile photo Daniel Gent
      Daniel Gent

      Thanks, this is very helpful information.

      Out of curiosity: How did you find out about the "" entry in the manifest.json? Is it described in some "official" documentation?

      Author's profile photo CHARANRAJ THARIGONDA
      Blog Post Author

      Yes, It is available in sap help documentation. However, it is hard to find in the documntation untill we read properly.

      Author's profile photo Abdul Musavir
      Abdul Musavir

      Hi Charanraj,

      thank you for the info, I have one requirement where I need to pass more than one Scope-  "" . For example

      "": {
      "oAuthScopes": [
      Is this possible ? I tried but seems like the above configuration is not working, it does not support 2 different scopes to be passed via the
      Your help is highly appreciated
      Author's profile photo CHARANRAJ THARIGONDA
      Blog Post Author

      Hi Abdul Musavir,

      It's possible. we have implemented successfully in our project.



      Please check xs security.json file and Roles Template properly.




      Author's profile photo Rama Dasu Puli Venkata
      Rama Dasu Puli Venkata

      We have following requirement:

      same fiori app : javascript.app1, but we configured two tiles with following

      "id": "app1",
      "appId": "",
      "vizId": "app1-Manage"
      }, {
      "id": "app1",
      "appId": "",
      "vizId": "app1-Others"

      Now how can we configure two different oAuthScopes (app1Manage, app1Others) for  same project javascript.app1.

      Now in Launchpad:

      For oAuthScope app1Manage we need to show first tile.

      For OAuthScope app1Others we need to show second tile.




      Author's profile photo Jeremy CHABERT
      Jeremy CHABERT


      Did you manage to find how to do so ?

      We are actually wondering the same for a business scenario on our project.



      Author's profile photo Jibin Joy
      Jibin Joy

      Hi Jérémy,

      Got any Solution ?

      Author's profile photo Jibin Joy
      Jibin Joy

      Hi Rama ,

      Any Luck with this scenario

      Author's profile photo Jeremy CHABERT
      Jeremy CHABERT


      I have seen that on Launchpad service, you are now able to make local copy of an application.
      This done, you should be able to assign each app to a group, a catalog and a role.

      This said, I haven't try this approach yet. I've just seen recently that the feature was available.
      I'm interested on the return of experience if you try this.

      Best regards,



      Author's profile photo Jibin Joy
      Jibin Joy

      Hi Jeremy ,


      Same Approach but instead of complete copy . Created new application with different Semantic object and action . Component level extended actual application component instead of SAP Component

      Author's profile photo Sai Shivani Gunda
      Sai Shivani Gunda

      Very helpful. Thanks for Sharing!!

      Author's profile photo Mamatha Majji
      Mamatha Majji

      Hello charan,

      Could you please let me know how to differentiate the User and Admin Assigned roles in Launchpad service in Cloud foundry. I have configured two apps in Launchpad I want assign two different roles in two apps.

      I followed all the steps mentioned in blog but I am unable to filter the apps based on Assigned roles.


      Thanks in Advance.


      Mamatha M

      Author's profile photo Charanraj Tharigonda
      Charanraj Tharigonda

      Hi Mamatha,


      First Step: You have to create two scopes in

      Second Step: Assign the above scopes to Role Templates

      Third step: In your cloud foundry account create two role collections and assign these role templates each respectively

      Fourth Step: Assign this role collection two roles

      Fifth step: In Manifest JSON of each app assign each scope

      User APP:

      "": {
      "OAuth scopes": ["$XSAPPNAME.user"]


      Admin APP :

      "": {
      "OAuth scopes": ["$XSAPPNAME.Admin"]


      build and deploy to your space after you can see your launchpad




      Author's profile photo Mamatha Majji
      Mamatha Majji

      Hello charan,

      After clearing small issues finally I am done with Role configuration.

      Your blog helped me lot, Thank you so much.




      Author's profile photo Charanraj Tharigonda
      Charanraj Tharigonda

      Nice! Good Luck

      Author's profile photo Ramesh Reddy
      Ramesh Reddy

      thank u


      Author's profile photo Zameer Ahamad
      Zameer Ahamad

      Hi Chetan,

      Thanks for the detailed blog, we are having strange error.

      we have 3 tiles in one of our application and our requirement is to disable a tile for one type of user.

      So we have created 2 scopes and 2 role templates, each role template contains one scope which we defined in xs-security.json file.

      we have added in manifest.json files of both modules(tiles) of respective scope at the end of the file.

      we also adjusted the xs-app.json file of both the modules(tiles) and done the build and deployed the application cloud.

      and we have done correct role and role collection mapping in BTP.

      Still we can see both the tiles for the there any other file we need to make any changes? or in our usecase we have attributes in our xs-security.json file along with scopes, is there any additional changes we need to do if we have role templates with attributes.

      Note : we have code in visual code.

      could you help us if anything need to be done additionally.

      Author's profile photo Amin Almarsafy
      Amin Almarsafy

      were you able to fix it?

      we are having the same issue at the moment.

      Author's profile photo Adam Harkus
      Adam Harkus



      Is Group -level role access setup in a similar way using the MTA, or handled via the Portal site?