Accessing cf roles and attributes at runtime of an SAPUI5 app

WFlats
Participant
0 Kudos

Hi,

I'm struggling to find a way to access the roles and attributes of the user.

My users work in projects. So I thought it would be a nice way to define a ProjectUser role with an attribute that holds the static project code. If I can access both the role and the attribute of the user, I could programmatically provide the user with the data of his project.

But I encounter one dead end after the other.

First, I cannot enter a static attribute in the Cockpit. Roles with attribute references are not displayed. This contradicts the documentation at https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/4827f0bbe27d459fad8342896d4...

Second, I cannot access the roles assigned to a user at runtime. With sap.ushell.Container.getService("UserInfo") I can read the ID, email, etc. if the app is launched from FLP. But the roles are not accessible.
I found an interesting blog from last year's TechEd describing how to use the node.js package @sap/approuter at https://blogs.sap.com/2019/05/23/how-to-get-the-email-of-the-logged-in-user-in-cloud-foundry/. But this is for XS advanced and also seems to retrieve the email only.

In an answer from Gregor Wolf to this question, https://answers.sap.com/questions/653476/fiori--ui5-authorization-using-backend-role.html, he gave a hint to encapsulate the authorisation check in an OData entity. How should this be done? Should I create an entity for each role and restrict the read access to this role so that when I try reading the entity it would return an authorisation error? So by trial and error I would find out the assigned roles?

This still would leave me with the problem of accessing the attributes. I could resolve this by assigning users to projects. But that would mean double work for the admin.

Isn't there a more elegant way as described by passing country or cost center as an attribute to restrict data access (by using another identity provider)?

vicenteveiga
Participant
0 Kudos

Hi Wolfgang Flatscher,


Did you manage to get this working?

Any idea on how to achieve this?

WFlats
Participant
0 Kudos

Hi Vicente,

yes.

I create an entry in a log entity each time a user opens an app.

In the callback function you then receive his ID/email address.

But there are options on the backend side. You have access to roles, attributes, etc. if you are using CAP.

Check out cap.cloud.sap.
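
The backend-side approach discussed in this thread, as an added example that is not part of any post and is not CAP or SAP library code: a plain Node.js sketch that derives the caller's scopes and attributes from an already verified XSUAA token payload and filters data by project, so the decision is enforced on the server rather than in the UI5 app. The application name `projectapp!t1`, the scope `ProjectUser`, the attribute `ProjectCode` and all sample data are constructed assumptions.

```javascript
// Added example: backend-side authorization from an XSUAA token payload.
// Assumption: signature, issuer and audience were already verified upstream
// (for example by @sap/xssec); this code never parses or trusts a raw token.

const XSAPPNAME = "projectapp!t1"; // constructed placeholder

// Constructed sample of a verified token payload.
const samplePayload = {
  user_name: "jane.doe@example.com",
  scope: ["openid", "projectapp!t1.ProjectUser"],
  "xs.user.attributes": { ProjectCode: ["P-100"] },
};

// Constructed sample data held by the backend.
const records = [
  { id: 1, project: "P-100", title: "Kickoff" },
  { id: 2, project: "P-200", title: "Budget" },
];

// Scopes that belong to this application, with the xsappname prefix removed.
function localScopes(payload, xsappname = XSAPPNAME) {
  const prefix = xsappname + ".";
  const scopes = Array.isArray(payload.scope) ? payload.scope : [];
  return scopes
    .filter((s) => typeof s === "string" && s.startsWith(prefix))
    .map((s) => s.slice(prefix.length));
}

// Values of one user attribute; a missing or malformed claim means none.
function attributeValues(payload, name) {
  const attrs = payload["xs.user.attributes"];
  const own = attrs && Object.prototype.hasOwnProperty.call(attrs, name);
  const values = own ? attrs[name] : [];
  return Array.isArray(values) ? values.filter((v) => typeof v === "string") : [];
}

// Deny by default: no scope or no attribute value yields an empty result.
function recordsFor(payload, data = records) {
  if (!localScopes(payload).includes("ProjectUser")) return [];
  const allowed = new Set(attributeValues(payload, "ProjectCode"));
  return data.filter((r) => allowed.has(r.project));
}

// What a "who am I" endpoint could return to the UI5 app, for display only.
function userContext(payload) {
  return {
    user: payload.user_name,
    scopes: localScopes(payload),
    projects: attributeValues(payload, "ProjectCode"),
  };
}
```

The UI5 app can use the `userContext` result to show or hide controls, but every data request still has to pass through a check like `recordsFor` on the server.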

vicenteveiga
Participant
0 Kudos

Hi Wolfgang,

I'm not using SAP, I'm actually migrating apps from Neo to CF and some of the apps used "sap.ushell.cpv2.services.cloudServices.SiteService" which no longer works.

Anyway, thanks for your response

miqueias_maia
Participant
0 Kudos

vveiga, did u solve it?