Note
This lesson is geared mainly towards administrators, but any roles involved could benefit from it.SAP recommends a staged account model for handling your application on SAP BTP with DevOps. This model allows you to separate development from test runs and your production environment.
Business Scenario
As Rotating Banana's SAP BTP administrator, you still need to set your exact account model for SAP BTP. Nevertheless, having a model aligned with your existing on-premise staged environment would be beneficial.
Your SAP BTP account model for DevOps
Suppose you haven't set up an account model for your project yet (such as having a DEV, a PRE—PROD, and a PROD sub-account). In that case, the following figure outlines our general recommendation for an account model intended for the staged development of your projects on SAP BTP
Recommended SAP BTP Account Model
Create at least three sub-accounts to set up a staged development environment.
Create separate development (DEV), test, and production (PROD) sub-accounts for each functional area, using directories as the structuring element.
This recommended model also fits for projects applying DevOps:
With this model, each functional area gets its directory, comprising three sub-accounts (development, testing, and production). The functional area can use its identity provider for each directory and manage its entitlements.
In addition, you get dedicated subaccounts for centrally shared administrative services, where you could also instantiate many of the SAP BTP DevOps services. In detail, it depends on the actual service where to best run it and with how many instances. For example:
- You can run SAP Cloud Transport Management centrally, with 1-n instances:
- Even one instance allows you to handle delivery across different subaccounts (even from different regions and global accounts). Although every SAP Cloud Transport Management user does see all nodes defined in her instance, you can assign node-specific permissions, so that only authorized team members can handle transports on critical transport nodes, to ensure a segregation of duties.
- To facilitate role management and allow strict access control, we recommend running central SAP Cloud Transport Management instances on a central services subaccount and not on a development account.
- If you want to restrict visibility for easier handling of large landscapes (so that a delivery manager only sees the relevant nodes that she is authorized to handle), you can optionally set up several instances of SAP Cloud Transport Management.
- SAP Cloud ALM does allow connecting to several instances of SAP Cloud Transport Management.
- For SAP Continuous Integration and Delivery service, we recommend setting up one instance per team for security reasons, as a user with administrative permissions can use all credentials stored inside an instance.
- SAP Alert Notification service must run on space level with the application for which it shall handle alerts and notifications – so, it does not run as centrally shared service.
If you want to learn more SAP BTP Administrator's Guide provides further examples and guidance on account structuring.
Note
In addition to this information on the account model, the SAP BTP Administrator's Guide provides a detailed planning section for your governance model, security and compliance, and life-cycle management.Business Scenario
As Rotating Banana's SAP BTP administrator, you follow SAP's recommended setup and set up a staged account model for your projects on SAP BTP. Also, you set up SAP Cloud Transport Management on a dedicated shared services subaccount.
Summary
Now, you can start defining and setting up your account model on SAP BTP for DevOps based on the recommendations above and the additional best practices provided via documentation.
Further Reading
- Further guidance and examples: SAP BTP Administrator's Guide | SAP Help Portal
- Create a Subaccount | SAP Help Portal