You must perform this step and the following authorization- and role-related tasks on the front-end server to equip the user with the UI access to apps and the start authorizations for the activated OData services used by the apps.
Open transaction Role Maintenance (PFCG).
Create a new single role and assign the following in the role menu:
Catalog Provider Fiori Launchpad Catalogs
Catalog ID, for example, SAP_HCM_BC_EMPLOYEE_X1
Optional (if the users should see the tiles in a group already on the SAP Fiori launchpad start page): Type Group, Group ID, for example, SAP_HCM_BC_EMPLOYEE_X1
Alternatively, you can copy the template business role delivered by SAP, which already contains the catalog and group, as sample content to your customer namespace.
Add the following in the (new or copied) role menu for each of the OData services:
Type Authorization Default
Authorization Default TADIR Service
Object Type IWSG – Gateway: Service Groups Metadata
Select TADIR Service using value help for the object name with <name of activated service>.
Save the role menu, and go to the role authorization, change the authorization data, and adopt the generated authorizations accordingly.
Generate the authorization profile and save it.