Role based authorization for views in SAPUI5

Nov 07, 2017 at 07:01 AM


I have created a simple CRUD application having 3 views using SAPUI5 with Java as backend. I am not maintaining any user details in the backend.

I am trying to protect a few pages with admin permission. I have defined the roles in the cockpit and also mapped the admin permission to the created role.

I have added the securityConstraints attribute in neo-app.json as follows:

    "securityConstraints": [
        {
            "permission": "admin",
            "description": "Access User Data",
            "protectedPaths": [ "/" ],
            "excludedPaths": [ "/home" ]
        }
    ]

This is protecting the entire application for other users who don't have admin permission, including the home view, even though it is mentioned in excludedPaths.

Is there a way to protect particular views (like folder-wise, protect the admin folder ("/admin") instead of "/")?

Note: I tried giving "/admin/**" (where admin is a folder under view) and "/viewOne" (URL pattern); it didn't work.


3 Answers

Tudor Riscutia Nov 07, 2017 at 08:28 AM

Hi Abirami,

Is your UI part of the static resources of the Java backend? Or do you deploy it separately? For the first, you can secure the individual paths on the backend side.




Thanks Tudor for the reply. I am deploying it separately as an HTML5 application in the cockpit using SAP WebIDE.

I have referred the following link: ""

Andreas Mazzola
Nov 27, 2017 at 10:14 AM

Hi colleagues,

I've got the same problem and tried to secure all kinds of subpaths, but nothing works.

Did you find a solution Abirami?

Best Regards,



I could not find any solution for securing subpaths. I have deployed 2 different applications, 1 for admin (securing all paths - protectedpath: '/') and 1 for others. I know this is not a solution, but I was left with no choice.

Ivan Mirisola
Dec 22, 2017 at 06:39 PM

I am confused.

The following is a configuration example that restricts a complete application to the accessUserData permission, with the exception of all paths starting with "/logout":

    "securityConstraints": [
        {
            "permission": "accessUserData",
            "description": "Access User Data",
            "protectedPaths": [ "/" ],
            "excludedPaths": [ "/logout/**" ]
        }
    ]

Have you added this permission to your admin users via cockpit?

Wildcards should work. So if you have "/admin/**" as protected paths it should block everything underneath the admin folder for your app.

I believe what you need to do is reverse the logic. Make the folder "admin" protected and exclude the "home" from the permission so every user will be able to access it.
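
As an added example (not part of the original posts and not SAP's code), the script below checks which request paths a securityConstraints block would cover, so a configuration like the ones in this thread can be reviewed before deployment. The matching rules, the `/view/admin/` file layout and the request URLs are assumptions made for illustration; the platform's actual matcher may behave differently.

```javascript
// Added example: a simplified model of neo-app.json securityConstraints.
// ASSUMED matching rules (the platform's real matcher may differ):
//   "/"      covers the whole application
//   "/x/**"  covers /x and everything beneath it
//   other    must equal the request path exactly
function matches(pattern, path) {
  if (pattern === "/") return true;
  if (pattern.endsWith("/**")) {
    const base = pattern.slice(0, -3); // "/admin/**" -> "/admin"
    return path === base || path.startsWith(base + "/");
  }
  return path === pattern;
}

// Permissions the server would demand for one request URL.
function requiredPermissions(constraints, url) {
  // Only the path is sent to the server; a "#/route" fragment never is.
  const path = new URL(url, "https://app.invalid").pathname;
  return constraints
    .filter((c) => (c.protectedPaths || []).some((p) => matches(p, path)))
    .filter((c) => !(c.excludedPaths || []).some((p) => matches(p, path)))
    .map((c) => c.permission);
}

// Constraint as posted in the question.
const asPosted = [
  { permission: "admin", protectedPaths: ["/"], excludedPaths: ["/home"] },
];
// Reversed logic from the last answer; "/view/admin" is a hypothetical layout.
const reversed = [{ permission: "admin", protectedPaths: ["/view/admin/**"] }];

// Constructed request URLs (hypothetical file names, hash-based routes assumed).
const requests = [
  "/index.html#/home",
  "/view/Home.view.xml",
  "/view/admin/Users.view.xml",
];

function audit(constraints) {
  return requests.map((u) => [u, requiredPermissions(constraints, u)]);
}

for (const [name, cfg] of [["as posted", asPosted], ["reversed", reversed]]) {
  console.log(name);
  for (const [u, perms] of audit(cfg)) {
    console.log("  " + u.padEnd(30) + (perms.join(",") || "(public)"));
  }
}
```

Under these assumptions the excluded "/home" entry matches none of the sample requests, because a hash route such as `#/home` is resolved in the browser and the server only sees requests for `index.html` and the view files.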

