cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

XSA Fiori launchpad not displaying application tile - xsuaa issue

Go to solution
anandmuthu
Participant

on ‎05-15-2020 9:02 AM

Hi Experts,

I am having trouble to expose my application tile to the XSA Fiori launchpad in XSA. The fiori launchpad and the application is both separate application MTA's.

The application already has site-content.json configured so the Fiori can display the said application in a tile format. This all works when the role provided in the application is 'Everyone'. However when changed to a specific role, the tile goes missing and I suspect its that the role access is not correctly passed from the user access to the application. I have tried various trial and error methods generate and redeploy and I am still stuck.

Hope anybody can help. Following are the details and can provide further information.

System: HANA XSA On Premise SP04

1. The following is the xs-security.json that is used in the template

{
	"xsappname": "dcmhub_td1",
	"scopes": [{
		"name": "$XSAPPNAME.Display",
		"description": "display"
	}, {
		"name": "$XSAPPNAME.Create",
		"description": "create"
	}, {
		"name": "$XSAPPNAME.Edit",
		"description": "edit"
	}, {
		"name": "$XSAPPNAME.Delete",
		"description": "delete"
	}, {
		"name": "$XSAPPNAME.DataGenerator",
		"description": "data generator"
	}, {
		"name": "xs_authorization.read",
		"description": "Read authorization information from UAA"
	}, {
		"name": "xs_authorization.write",
		"description": "Write authorization information to UAA"
	}, {
		"name": "$XSAPPNAME.ODATASERVICEUSER",
		"description": "Enter"
	}, {
		"name": "$XSAPPNAME.ODATASERVICEADMIN",
		"description": "Enter"
	}],
	"role-templates": [{
		"name": "DecHubViewer",
		"description": "View Decommissioning Hub data",
		"scope-references": [
			"$XSAPPNAME.Display",
			"$XSAPPNAME.Create",
			"$XSAPPNAME.Edit",
			"$XSAPPNAME.Delete",
			"$XSAPPNAME.DataGenerator",
			"xs_authorization.read",
			"xs_authorization.write",
			"$XSAPPNAME.ODATASERVICEUSER",
			"$XSAPPNAME.ODATASERVICEADMIN"]
	}]
}

2.Following is the site-content.json. I put in the two significant points of changes. The role and the authorization scope.

	"roles": {
		"DecHubViewer": {
			"_version": "1.0",
			"identification": {
				"id": "DecHubViewer",
				"namespace": "",
				"entityType": "role"
			},
			"payload": {
				"catalogs": [],
				"groups": [{
					"id": "tool_GroupId"
				}]
			}
		}
........

			},
			"sap.platform.runtime": {
				"componentProperties": {
					"url": "/",
					 "oAuthScopes": ["$XSAPPNAME.Display"]
				}
			}
		}

3. The xs-app.json. I have tried to add and remove the authorization scope at the route as well.

{
	"welcomeFile": "index.html",
	"authenticationMethod": "route",
	"routes": [{
		"source": "(.*)(.xsjs)",
		"destination": "xsjs_api",
		"csrfProtection": false,
		"authenticationType": "xsuaa"


	}, {
		"source": "(.*)(.xsodata)",
		"destination": "xsjs_api",
		"authenticationType": "xsuaa"
	},{
		"source": "^/(.*)$",
		"localDir": "resources/tool"


	}]
}

4.mtayaml.txt - Attached is the mta.yaml

5. Following is the authrorization scope added to the manifest.

	},
  "sap.platform.cf": {
      "uri": "/resources/tool",
      "oAuthScopes": ["$XSAPPNAME.Display"]	
		}	
}

6. All the above are the ones done on the applications. I have deployed this many times with various changes. Manually creating the uaa service causes the deployment fail. I delete the uaa instance and redeploy and its usually successful.

7. After deployment, the roles are assigned, following are the roles setup. The role collection already have the relevant roles created from the template.

8. The role collection already applied to my user ID.

9. When I launch the fiori launchpad, I am unable to see the application tile.

Hope anybody can help or give some hints on how i may troubleshoot further where could be the cause of the problem.

Thanks.

Anand Muthu

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

brad_smith5
Active Participant
‎05-20-2020 11:05 PM
0 Kudos

Hi Anand,

I believe your problem lies in the site-content.json and manifest.json files. From the code provided you have placed the scope in the sap.platform.runtime object. This needs to be placed in the sap.platform.cf object similar to the manifest.json.

Try this in your site-content.json:

"sap.platform.cf": {
      "oAuthScopes": ["$XSAPPNAME.Display"]	
},
"sap.platform.runtime": {
	"componentProperties": {
		"url": "/"
	}
}

Try this in your manifest.json:

"sap.platform.cf": {
      "oAuthScopes": ["$XSAPPNAME.Display"]	
},
"sap.platform.runtime": {
	"componentProperties": {
		"url": "/resources/tool"
	}
}

To be clear, I have the sap.platform.cf section in both the site-content.json and manifest.json files. oAuthScopes does not belong in sap.platform.runtime, url does not belong in sap.platform.cf.

A link to the incomplete official documentation:

https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.04/en-US/a36a58c53b664215ba63dc599a...

Further to this, I have setup foreign scope references in my launchpad xs-security.json. At this point I am unsure whether this is necessary for the tiles to behave, but I required it for other reasons so it is present in my working copy and worth a mention.

This can be done by adding the following to the root node:

"foreign-scope-references":["$ACCEPT_GRANTED_SCOPES"],
"authorities":["$ACCEPT_GRANTED_AUTHORITIES"],

I have then referenced the launchpad in the application scopes xs-security.json

{
	"name": "$XSAPPNAME.Display",
	"description": "display",
	"granted-apps": ["launchpad_xsappname","launchpad_xsappname!i2"],
	"grant-as-authority-to-apps": ["launchpad_xsappname","launchpad_xsappname!i2"],
}

"launchpad_xsappname" is the xsappname defined in the launchpad xs-security.json

Here is some supporting documentation for this setup. It provides some guidance and additional reading, but is still quite average:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/517895a9612241259d6941dbf9a...

Also note that the $XSAPPNAME(application,business-partner) function in the link does not appear work on XSA.

Also make sure to log out and back in to the launchpad when you change the role collection contents.

I hope this helps,

Brad.

Show replies
Show replies
anandmuthu
Participant
‎05-21-2020 4:55 AM

Hi Bradley,

Thank you for your guidance and explanation. You are amazing. I have solved the fiori launchpad issues with your help. I raised the same questions to SAP 1 week+ ago and they still haven't get back to me. The solution is now working as expected and I am able to control the tile display from the role management. Just a few confirmation from my findings.

The foreign scope references are needed for a cross MTA solution to work. I tried without it and it didn't work. Based on my limited understanding is that the launchpad has its own UAA instance and generate a security token when we login and the application tile has a different UAA instance. The foreign scope grants will allow the fiori launchpad uaa access to the same scopes of the application it is trying to display and launch.

Thank you again.

Anand

Answers (0)

Ask a Question