Fiori launchpad: authorization/role question
I am new to SCN and am amazed by the wealth of information that is available here! We are currently doing a small project within our company for HCM Fiori apps, based on this experience we plan on implementing Fiori in other areas of our organization. I have a question about the Fiori launchpad authorizations.
P.S. - I have tried to reach through all the blogs and the content here, I feel like I am missing something very basic. If there is something I have missed
Our system set up(trusted RFC etc.) is complete, our gateway and ECC systems are on different servers. We installed all add-ons, actualy things worked quite seamlessly as we were following all the documents step by step. We created the following roles:
Z_GW_USER - /IWFND/RT_GW_USER and S_SERVICE(users + admin)
Z_GW_ADM - /IWFND/RT_ADMIN, S_DEVELOP, /UI2/CHIP, S_CTC_ADM(admin)
Z_UI_ADM - Copy SAP_UI2_ADMIN_700 and add IWSG. Auths. for ZINTEROP*, ZPAGE_BUILDER_CONF*, ZPAGE_BUILDER_CUST*,
ZPAGE_BUILDER_PERS*, ZTRANSPORT* (admin)
Z_UI_USER - Copy SAP_UI2_USER_700 and add IWSG auths for: ZINTEROP* and • ZPAGE_BUILDER_PERS* (user)
Z_TIMESHEET_BUS - Copy SAP_HR_BCR_EMPLOYEE_T and add. Auth for ZHCM_TIMESHEET_MAN_SRV(user)
Z_TIMESHEET_TECH - Copy SAP_HR_TCR_T and add auths. for timesheet service -> document said that this role is in the backend, but we actually could not find it in the backend(user)
Z_HCM_FIORI - role with Z catalog and Z group added(see below)
Z_RFC_USER - S_RFC and S_RFCACL(user)
Z_HR_START - start auths. for HCM_TIMESHEET_MAN oData service(IWSV auths.) (user)
The problem is, when we assign these roles to an end user, the Fiori launchpad is blank. We have another generic role that we assign to end users, when we assign this role, all HCM apps show up and the custom catalog also shows up -> I don't think this issue is related to technical config. as the apps are working when they show up.
Our requirement is - users should only see 2 apps "My Timesheet" and "Leave request" I created another catalog and group with only these apps and created a new role on gateway with the relevant catalog and group added(Z_HCM_FIORI), but it did not help.
So we either see ALL HCM apps, or nothing. See screenshots below. How can I reach a point where users only see these 2 apps, and I as launchpad admin can add apps later to the catalog and group and they automatically start showing up.
All apps show,custom catalog also shows:
Is there something we are doing wrong here?