Exploring SAP BTP Account Model Setup

This lesson contains the following topics:

• SAP BTP Account Model First Look
• SAP BTP Cockpit
• Setting Up Your SAP BTP Account Model
• SAP BTP Account Model Deep Dive
• Putting It All Together

The Global Account is the highest level in the hierarchy. It represents an organizations commercial relationship and contract with SAP.

• Analogy: The company headquarters or the master contract
• Purpose:
  • Billing: It is the single point of billing for all BTP consumption within an organization.
  • Entitlement Management: This is where SAP delivers all the services and resources they have purchased or subscribed to (e.g., SAP HANA Cloud, SAP Integration Suite, etc.).
  • High-Level Administration: Organizations can manage global account members (administrators) who are responsible for distributing the entitlements across the organization.
• Key Characteristics:
  • One Global Account per contract (e.g., CPEA, PAYG, or Subscription).
  • It does not host applications directly. It is purely a management and administrative entity.
  • It's the root from which organizations can manage and organize all their BTP activities.

Directories are an organizational layer that exists between the Global Account and Subaccounts. They help large organizations group and manage subaccounts more effectively.

• Analogy: The drawers in the filing cabinet, used to organize folders (i.e., subaccounts) by department (HR, Finance), region (EMEA, Americas), or project stage (Development, Production).
• Purpose:
  • Organization & Governance: Group subaccounts that share a common purpose. This simplifies management, especially when organizations have hundreds of subaccounts.
  • Delegated Administration: Organizations can assign directory administrators who can manage the subaccounts and entitlements only within that specific directory, without needing access to the entire Global Account.
  • Entitlement Distribution: Organizations can assign a portion of the global entitlements to a directory. The directory administrator can then further distribute those entitlements to the subaccounts within it.
• Key Characteristics:
  • Directories are optional; Subaccounts can be created directly under a Global Account.
  • They can be nested to create a deeper hierarchy (e.g., EMEA -> Germany -> Project X).
  • They are a powerful tool for implementing a clear governance structure.

The Subaccount is where the actual work happens. It is the technical and deployment environment where you run applications, enable services, and manage developer access.

• Analogy: The individual folders within a drawer, each containing a specific project's documents.
• Purpose:
  • Deployment Environment: This is where you create instances of services and deploy your applications and extensions.
  • Isolation: Subaccounts provide a clear boundary for security, resources, and users. A user in Subaccount A has no access to Subaccount B unless explicitly granted.
  • Technical Configuration: Each subaccount is configured for a specific Region (e.g., US East, Europe-Frankfurt) and Cloud Provider (e.g., AWS, Azure, GCP). This is critical for data residency and latency requirements.
• Key Characteristics:
  • It receives a specific set of entitlements and quotas assigned from its parent (either the Global Account or a Directory).
  • It is where you enable BTP Environments like Cloud Foundry, Kyma (Kubernetes), or the ABAP Environment. These environments are the actual runtimes for your code.
  • It has its own user and role management, separate from the Global Account.
  • Developers and administrators spend most of their time working within subaccounts.

A region represents a geographical location (for example, Europe (Frankfurt), US East (VA), Australia (Sydney)) where resources such as applications, data, or services are located. Regions are provided either by SAP or by their Infrastructure-as-a-Service (IaaS) partners Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and Alibaba Cloud. The partners operate the infrastructure layer in the regions, whereas SAP operates the platform layer (discussed in the previous lesson) and the Cloud Foundry runtime environment (to be discussed in a later lesson). Some things to note about a region:

• This choice is made at the subaccount level.
• This means you can have a "Production" subaccount in a Frankfurt (EU) region on Azure for GDPR compliance, while having a "Development" subaccount in a US region on AWS for your US-based developers.

It would be okay at this point if the interaction of the different components in the SAP BTP model is a little bit "fuzzy" on the part of the learner. The following few bullet points may help in understanding how they all work together:

• Gateways (not regions) matter to global accounts (see the list of gateways in the previous paragraph). The choice of gateway is made based on maximizing performance of the SAP BTP Cockpit. Irregardless of the gateway chosen the administrator can perform admin functions on any subaccount located in any region.
• Regions (not gateways) matter to subaccounts. Each subaccount must be assigned to exactly one region.
• Neither gateways nor regions matter to directories. Directories exist to manage subaccounts and optionally manage entitlements to subaccounts (if the administrator prefers not to allocate entitlements to subaccounts directly).

Imagine you're a general contractor building a custom house. You don't do everything yourself; you hire specialized subcontractors:

• Services: The types of work available (Plumbing, Electrical, HVAC).
• Service Plans: The different levels they offer (e.g., Plumber offers "Basic Copper Piping" vs. "Premium PEX Piping").
• Entitlement/Quota: Your contract with the hardware store gives you the right to buy up to a certain amount of materials (e.g., you're entitled to buy plumbing supplies, with a quota of 1000 feet of pipe).
• Subscription: You and your family have a shared "family plan" with one plumberwhere for one price each of you can utilize his or her services.
• Service Instance: Instead of a shared family plan with one plumber, you have an agreement with a plumbing service (who employs many plumbers) and you can choose which specific plumber you would like to come and do work in your house.
• Application: The final house itself, which uses the plumbing and electricity to function.

Let's now go a little bit deeper:

• Core Concept: A specific software capability or technology offered by SAP on BTP. It's the "product" in the BTP catalog that you can use.
• Detailed Explanation: Services are the fundamental building blocks of BTP. They are reusable, multi-tenant software modules that provide a distinct business or technical function. You don't manage the underlying software updates or hardware; SAP does. You just consume the functionality.
• Examples:
  • SAP HANA Cloud:: A database-as-a-service.
  • SAP Integration Suite: A service for application and data integration.
  • SAP Build Apps: A low-code/no-code application development service.
  • SAP AI Core: A service to run and manage artificial intelligence workloads.
• Analogy: The type of work, like "Plumbing" or "Electrical." It's a general capability you can procure.

• Core Concept: A specific variant or "tier" of a Service, defining its features, capacity, and cost.
• Detailed Explanation: A single Service can have multiple plans. These plans dictate the resources, performance levels, APIs available, and pricing model. This allows you to choose the version that best fits your needs, from a free trial/community version to a large, productive enterprise version.
• Examples:
  • The SAP Build Apps service has a free plan (for trial and small-scale use) and a standard plan (for productive use with more capacity).
  • The SAP HANA Cloud service has plans like hana-free and hana (the paid version), which differ in memory, storage, and features.
• Analogy: The plumber offers different plans: a "Basic Plan" with standard copper pipes and a "Premium Plan" with high-end PEX piping and extended warranties.

• Entitlement: The right to use a service or plan (e.g., you are entitled to use the "standard" plan of the SAP Integration Suite).
• Quota: The quantity of that service you can use (e.g., 4 GB of SAP HANA Cloud memory, 1000 SAP API Management calls per month).
• The Flow: SAP assigns entitlements to the Global Account. The Global Account Administrator assigns entitlements and quotas to Directories or Subaccounts. The Subaccount Administrator then uses this quota to create service instances.

These are the actual runtimes that live inside a subaccount. You must enable an environment within a subaccount before you can deploy applications to it.

We’ve mentioned several times that SAP BTP services eventually will be provisioned and consumed. So how exactly does this happen? Depending on the service in question this will happen via a "Subscription" or a "Service Instance". Both lead to the same result (provisioning and / or consuming) but get there in slightly different ways. SAP BTP Services that operate on more of a "shared" model (where multiple users access the same service) tend to use a subscription based approach. Using the SAP BTP Cockpit the administrator will subscribe to the service once (and once only). Every user then who needs access to the service will use the same method of access which is almost always a shared URL. SAP BTP services that use this approach are sometimes referred to as "subscription based services". While technically speaking SAP BTP operates at the PaaS layer, subscription based services operate similarly to their counterparts at the SaaS layer (e.g., SAP S/4HANA Cloud, SAP Ariba, etc.).

With other SAP BTP services on the other hand the provisioning and consumption is based on instances of the service being created (similar to a cookie cutter being used to make cookies). As an example let’s say an application is being developed and the data for the application is to be stored in SAP HANA Cloud ("Database as a Service"). Multiple SAP HANA Cloud service instances based off of the SAP HANA Cloud service will need to be created. Subsequently a "service key" containing all the necessary information including credentials to access the instance will be created. Through a binding the application can access these credentials (and thus the service instance) and in doing so consume the service.

• Core Concept: The custom code or solution that you build and deploy on BTP.
• Detailed Explanation: An application is the end-product that delivers business value. It consumes one or more service instances to perform its functions. For example, your custom-built Fiori app might run on the Application Runtimeservice and connect to a HANA Cloud service instance (for data) and an Integration Suite service instance (to fetch data from another system).
• Examples:
  • A CAP (Cloud Application Programming Model) application.
  • A Fiori app deployed to the BTP Launchpad.
  • An application created with SAP Build Apps.
• Analogy: The finished house. It uses the plumbing (HANA instance) and electrical work (Integration Suite instance) to be a functional, livable home for its residents.

Applications are created by using tools and programming models and deployed to environments. As mentioned through bindings they can access service instances and thus consume SAP BTP services. In addition they can be administered and if necessary connect to both cloud and on-premise systems.