Hi, I have implemented authentication for SAPUI5 apps with Cloud Identity in order to use single sing on and other features.

I need to assing roles to end users to restrict access to certain apps and actions inside the app. I have only seen the security option with roles and groups inside the SCP, but since the users via CloudIdentity are not created inside the SCP, how can I assign roles to them? The app is SAPUI5 and deployed as HTML5 app not inside a launchpad.

Two scenarios:

1.- I have 100 users that can login (via cloud identity) to app A, and I need only 50 of those users to access to this app

2.- From the users that can use the app, I need to have for example, 'administrator' ( who will be able to use 100% of the app), 'sales' ( that will be able to edit information ), 'assessor' ( that will not be able to edit information)