Role-Based Tile Group Visibility in XSA Fiori Launchpad On-Premise

SAP HANA Developer Guide for SAP HANA XS Advanced Model provides very clear instructions on how to implement an access/visibility restriction to a Fiori launchpad app tile by using scopes/UAA. However, I’ve come across a situation when all the tiles in a particular tile group are no longer visible due to missing authorizations and the now-empty group is still being displayed in the launchpad. Which of course is not critical but still noticeably glitchy and undesirable. I have had zero luck finding any material or examples on-line on how to control the tile group visibility via UAA/XSA platform.

The thing that hinted at this control being possible was the structure of site-content.json file itself. The way you have to have a role Everyone defined with all the groups and catalogs included in it. And luckily all the components involved are written in Node.js and so the ultimate source of truth – the source code – is right there open for someone determined enough.

To cut to the chase. Tile group visibility is not controlled via scopes unlike the tiles themselves. It is controlled via role attribute specifically named siteGroupRoles. So, here are the things to be done  to achieve this.

Development side

Security descriptor xs-security.json:

{ ... "attributes": [ { "name": "siteGroupRoles", "description": "Fiori Launchpad tile group", "valueType": "string" }, ... ], "role-templates": [ { "name": "flpGroup", "description": "Fiori Launchpad tile group visibility", "scope-references": [], "attribute-references": [ "siteGroupRoles" ] }, ...

We are defining siteGroupRoles attribute and referencing it in flpGroup role-template


{ ... "roles": { "Everyone": { ... }, "RestrictedGroup_FLP": { "_version": "1.0", "identification": { "id": "RestrictedGroup_FLP", "entityType": "role" }, "payload": { "catalogs": [], "groups": [ { "id": "restricred-group-1" }, { "id": "restricred-group-2" } ] } }, ...

We are creating a launchpad role RestrictedGroup_FLP that contains restricted tile groups.

Administration side

Now we move on to the administration side – so the project must first be built and deployed to XSA. The deployment process takes care of the role-templates in xs-security.json that do not reference any attributes. It automatically creates the corresponding roles in the XSA platform. However this is not our case – the roles based on our flpGroup role-template have to be created manually as it references siteGroupRoles attribute.

This manual task may be done in XSA Cockpit, Security > Roles menu of your deployed launchpad site app.


The role name is arbitrary, but the value of the siteGroupRoles attribute must exactly match the launchpad role name: RestrictedGroup_FLP (the name is too long for the input field in the screen shot)

So finally, the role can added to a role collection, making the restricted groups in the launchpad visible to anyone with that role collection.