Introducing SAP BTP Security

Objectives

After completing this lesson, you will be able to:
  • Describe SAP BTP features related to security.
  • Explain how the user and authorization management is done in SAP BTP.

SAP BTP Overview and Features

SAP Business Technology Platform is an open platform-as-a-service (PaaS) that delivers in-memory capabilities, core platform services, and unique microservices for building and extending intelligent, mobile-enabled cloud applications. SAP BTP is an integrated offering comprised of four technology portfolios:

  1. Database and data management
  2. Application development and integration
  3. Analytics
  4. Intelligent technologies

The platform is designed to accelerate digital transformation by helping developers quickly, efficiently, and economically develop the personalized application solution they need without investing in On-Premise infrastructure. Based on open standards, SAP BTP offers complete flexibility and control over customers’ choice of clouds, frameworks, and applications. Thanks to low-code/no-code solutions also offered through SAP BTP, business users can automate tasks, establish workflows, and craft their customized interfaces.

Another notable feature of SAP BTP is its capacity to support cloud-native and hybrid cloud solutions while integrating with On-Premise systems and data sources. This flexibility enables organizations to adapt to changing business needs and infrastructure requirements without compromising security or performance.

Application Development, Automation, Integration, Data and Analytics, and AI are the foundational pillars of SAP BTP. They provide organizations with the tools and capabilities to digitalize their business processes, innovate rapidly, and deliver exceptional customer experiences in the digital age.

Illustration of a Business Technology Platform featuring categories: App Dev, Automation, Integration, Data and Analytics, and AI, with associated functionalities listed under each category.

Application Development

This aspect of SAP BTP empowers developers to create, deploy, and manage applications efficiently. It offers various development tools and services supporting different programming languages and approaches. It provides developers with a collaborative and cloud-based environment with preconfigured tools and services for application development, enabling faster and more efficient development cycles. Also, SAP BTP supports low-code/no-code development, enabling business users to create applications without extensive coding knowledge. For more information, see: https://www.sap.com/products/business-technology-platform/low-code.html.

Automation

Automation within SAP BTP enables organizations to streamline repetitive tasks, improve efficiency, and reduce manual intervention in business processes. This could include SAP Build Process Automation for automating routine tasks such as data entry or invoice processing. SAP BTP also offers workflow automation capabilities, allowing organizations to easily design, execute, and monitor complex business workflows. Organizations can free up resources, minimize errors, and focus on higher-value activities that drive business growth by automating mundane tasks and workflows. For more information, see: https://www.sap.com/products/technology-platform/process-automation.html.

Integration

Integration is critical to SAP BTP, enabling seamless communication and data exchange between systems, applications, and data sources. SAP BTP offers the SAP Integration Suite to facilitate connectivity across On-Premise and cloud environments and with external partners and customers. There are also resources for API management and prebuilt business content for out-of-the-box solutions. For more information, see: https://www.sap.com/products/integration.html.

Data and Analytics

Data and analytics capabilities on SAP BTP empower organizations to derive insights from their data, make informed decisions, and drive business outcomes. This includes services for data warehousing, data modeling, and advanced analytics. For more information, see: https://www.sap.com/products/analytics.html.

Artificial Intelligence (AI)

SAP BTP offers comprehensive AI technologies and services like SAP AI Business Services and Generative AI Hub. They enable organizations to harness the power of artificial intelligence to foster innovation, enhance efficiency, and provide added value to customers. By applying these AI capabilities, organizations can stay ahead of the competition and thrive in today's digital economy. For more information, see: https://www.sap.com/products/artificial-intelligence.html.

Hyperscaler

Hyperscalers such as Google Cloud, Microsoft Azure, and Amazon Web Services offer a wide range of services and resources that can enhance the performance and capabilities of SAP BTP. Hyperscalers provide an extensive, scalable, and flexible infrastructure that can support the various services and applications offered by SAP BTP. Hyperscalers have big resilient data centers in several regions that offer high availability through cluster technology. Also, a hyperscaler can provide other benefits, such as security and cost-effectiveness. Ultimately, the decision to use a hyperscaler for SAP BTP depends on each organization's specific requirements and preferences.

Business Technology Platform diagram showcasing Database & Data Management, Analytics, Application Development & Integration, and Intelligent Technologies & Integration, highlighting services from SAP, Microsoft Azure, AWS, Google Cloud Platform, Alibaba Cloud.

Although using a hyperscaler for the SAP BTP cloud is not mandatory, it can be beneficial for enterprises that require a high level of scalability, flexibility, and security. The well-known hyperscalers are AWS, Microsoft Azure, Google Cloud Platform, and Alibaba Cloud.

SAP BTP is available in several regions with these providers. SAP supports multicloud landscapes through this. The providers themselves can differ in up-time availability, service offerings, or latency from data centers. In collaboration with the hyperscalers, SAP offers data centers in the following regions: Europe, U.S. East, U.S. West, Singapore, and many more.

SAP also operates software in its data centers without using hyperscaler capabilities. These data centers are built with a hyperscaler-like architecture to be more resilient and flexible for scaling and high availability.

If you want to know more about SAP and hyperscalers in general, see: https://support.sap.com/en/offerings-programs/ccoe/sap-hyperscalers.html.

If you want to know more about SAP BTP in general, see: https://www.sap.com/products/business-technology-platform.html.

BTP User and Authorization Management

SAP BTP includes global accounts, directories, and subaccounts as layers for managing and operating SaaS solutions and custom applications and services. This involves setting up a trust with SAP Cloud Identity Services for business users and platform users such as administrators, developers, and operators who work with SAP BTP.

Administrators in SAP BTP global accounts set up a trust with SAP Cloud Identity Services for platform users. This process uses the OIDC protocol and enables login to all tools used for SAP BTP account management with Identity Authentication.

SAP BTP distinguishes between the following:

  • Platform users are usually administrators or operators (DevOps) who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These users typically log on to the SAP BTP cockpit and work there. They can also be developers who use Cloud Foundry Spaces’ services.
  • Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.
Illustration showing different user groups: three heads with colorful hair labeled Platform Users including administrators and operators, and three heads with gray hair labeled Business Users including application users.

SAP BTP is organized into global accounts at the highest level, which are hosted by multiple cloud infrastructure providers in different regions. A global account reflects a contract with SAP and can consist of several directories and/or subaccounts that provide users with various applications and services. Furthermore, subaccounts can have multiple environments. Environments constitute the actual platform-as-a-service offering of SAP BTP that allows the development and administration of business applications. These environments are called spaces.

Hierarchical structure chart showing levels from top to bottom: Global Account, Directory, Subaccount, Org, Space. Roles listed: Global Account Administrator, Directory Member, Subaccount Administrator, Org Member, Space Member.

In Cloud Foundry, further levels are in place for better structuring and organization of work. For example, if you have too many subaccounts, you can create directories in a global account to structure them. And if you enable the Cloud Foundry environment, you automatically create a Cloud Foundry org, in which you create one or more spaces.

Diagram of BTP Global Account with three Subaccounts (A, B, C). Subaccount A includes SAP BAS, Mobile Services, Business Application. Key shows symbols for Global Account Administrator, Subaccount Administrator, Business User.

Anyone who wants to use capabilities of SAP BTP must be a user who is assigned the specific authorizations through roles. User management happens at all levels, from the global account through subaccounts and directories to the environments. On each level, you require an administrator who administers the resources and the users on that level. How you administer differs somewhat depending on the level you are on.

You must be authorized to use different functions of SAP BTP. You can configure authorizations using roles and role collections in the Cloud Foundry environment.

Diagram showing Role Collection assigned to Administrator, Role assigned to Administrator Developer, with users assigned roles through static or federated assignment methods.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You only assign role collections to users, not individual roles. Roles and their authorizations are provided automatically to users via role collection assignments.

Role collections are managed separately at each SAP BTP level. Role collections in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.
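
The model described above, as an added example that is not part of the original lesson and does not use any SAP API: it resolves which roles a user holds at one level through static and federated role collection assignments, and reports assignments that name a role collection from another level. The level keys, role names, identity provider group, users, and the "Custom App Developer" collection are constructed, and federated assignment is modelled here as an identity provider group mapped to a role collection, which is an assumption.

```python
from collections import defaultdict

# Constructed sample data. Level keys and role names are hypothetical.
COLLECTIONS = {  # (level, role collection) -> roles it bundles
    ("global:acme", "Global Account Administrator"): {"ga-admin"},
    ("sub:dev", "Subaccount Administrator"): {"sub-admin", "user-role-admin"},
    ("sub:dev", "Custom App Developer"): {"app.edit", "app.view"},
}
STATIC = [  # (user, level, role collection) assigned directly
    ("alice@example.com", "global:acme", "Global Account Administrator"),
    ("bob@example.com", "sub:dev", "Custom App Developer"),
    ("carol@example.com", "sub:dev", "Global Account Administrator"),
]
FEDERATED = [  # (IdP group, level, role collection)
    ("btp-dev-admins", "sub:dev", "Subaccount Administrator"),
]
USER_GROUPS = {"bob@example.com": {"btp-dev-admins"}}


def resolve(static, federated, user_groups, collections):
    """Return ({(user, level): {role collection: source}}, dangling list)."""
    assigned, dangling = defaultdict(dict), []

    def assign(user, level, rc, source):
        if (level, rc) not in collections:
            # The role collection does not exist at this level.
            dangling.append((user, level, rc))
        else:
            assigned[(user, level)].setdefault(rc, source)

    for user, level, rc in static:
        assign(user, level, rc, "static")
    for group, level, rc in federated:
        for user in sorted(user_groups):
            if group in user_groups[user]:
                assign(user, level, rc, f"group:{group}")
    return dict(assigned), dangling


def roles_of(user, level, assigned, collections):
    """Roles reach a user only through role collections held at that level."""
    roles = set()
    for rc in assigned.get((user, level), {}):
        roles |= collections[(level, rc)]
    return roles


if __name__ == "__main__":
    assigned, dangling = resolve(STATIC, FEDERATED, USER_GROUPS, COLLECTIONS)
    print("bob in sub:dev:", sorted(roles_of("bob@example.com", "sub:dev", assigned, COLLECTIONS)))
    print("assignments to review:", dangling)
```

Recording the source of each assignment separates access granted directly from access inherited through group membership, which is the distinction an access review needs when administrator role collections are involved.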

SAP BTP already delivers a predefined set of role collections for platform and application users. To set up administrator access for platform users in the global account, directories, subaccounts, and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed to on SAP BTP, predefined role collections become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.

Lesson Summary

After this lesson, you can describe how SAP BTP tackles security using different features. Also, you can explain how an administrator can perform user and authorization management in SAP BTP.
