Introducing the Landscape Overview

Objectives

After completing this lesson, you will be able to:

  • Understand the basics of the Landscape Overview

SAP Business Technology Platform

What is a Business Technology Platform?

In your company you want to write custom code and modify SAP solutions. Modifications of the kind you make on-premise are not possible in the cloud, so you need another way to fulfill your needs. You want to integrate SAP SaaS solutions such as SAP Concur, SAP SuccessFactors, and others into your SAP S/4HANA Cloud, to end up with a fully integrated set of software solutions and business processes. In addition, you have third-party software that you want to integrate. Your company generates and collects a lot of data. This data must be managed and analyzed to get value from it.

What is SAP Business Technology Platform?

SAP Business Technology Platform (SAP BTP) is an open platform-as-a-service (PaaS) that delivers in-memory capabilities, core platform services, and unique micro-services for building and extending intelligent, mobile-enabled cloud applications. The platform is designed to accelerate digital transformation by helping you quickly, easily, and economically develop the exact application you need – without investing in on-premise infrastructure.

The SAP BTP is the technological base of the Intelligent, Sustainable Enterprise.

Based on open standards, SAP Business Technology Platform offers complete flexibility and control over your choice of clouds, frameworks, and applications.

SAP Business Technology Platform is used for three main scenarios in scope of the Intelligent, Sustainable Enterprise:

Integration

Modern digital enterprises run complex IT landscapes that include on-premise and cloud systems, SaaS applications, and hyperscaler technology from SAP and third parties.

Integration is essential to enhance business operations across the entire value chain by connecting all systems and business processes seamlessly. As a result, good integration will be key to a good IT landscape.

Data to Value

It is essential that organizations have a consolidated view across all their data assets and are able to gain insight and make real-time decisions, especially during times of rapid change. Good data quality and data handling are very important because the increasing amount of data will be the currency of the future. Good data quality and good technologies to work with that data are the key to a flexible and scalable business of tomorrow. To get value from your data, you must analyze and interpret it, not just collect it.

Extensibility

Companies need to stay agile and adapt rapidly to new business conditions and changing customer demands. Extensibility allows companies to build on and enhance all their application investments to meet their customers' dynamic needs and provide continual value. With SAP BTP as the underlying platform, you can deliver new features in an agile and fast way.

You can use services like feature flags, continuous delivery, or cloud transport management. You have the choice of the runtime you want to use. Because of the rising number of cloud solutions in IT landscapes, you need to think in terms of extensibility rather than modifications, as in the old on-premise world.

If you want to know more about the SAP BTP in general, see https://www.sap.com/products/business-technology-platform.html.

Architecture of SAP Business Technology Platform (BTP)

SAP BTP offers Global Accounts and Subaccounts.

Global Accounts

A global account is the realization of a contract you made with SAP. A global account is used to manage subaccounts, members, entitlements, and quotas. You receive entitlements and quotas to use platform resources per global account and then distribute the entitlements and quotas to the subaccount for actual consumption.

Subaccounts

Subaccounts let you structure a global account according to your organization's and projects' requirements regarding members, authorizations, and entitlements. A global account can contain one or more subaccounts in which you deploy applications, use services, and manage your subscriptions. Subaccounts in a global account are independent of each other. This is important to consider with respect to security, member management, data management, data migration, integration, and so on, when you plan your landscape and overall architecture.

Regions and Environments

You can deploy applications in different regions. Each region represents a geographical location (for example, Europe, US East) where applications, data, or services are hosted.

Infrastructure

The infrastructure layer of a region is provided either by SAP or by one of SAP's Infrastructure-as-a-Service (IaaS) partners: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or Alibaba Cloud.

Environments

Environments constitute the actual platform-as-a-service offering of SAP BTP that allows for the development and administration of business applications. Each environment comes equipped with the tools, technologies, and runtimes that you need to build applications. The availability of different environments allows for greater flexibility in your development process.

Services

Services enable, facilitate, or accelerate the development of business applications and other platform services on SAP BTP. You find all available services in the SAP Discovery Center.

Data

Your business and application data, managed through services like the SAP HANA Cloud service or the SAP Data Warehouse Cloud service.

Applications

The business applications that you deploy in a region, building on top of, and making use of the layers underneath.

How to Connect to the BTP

Users and Roles

User and Authorization Management on SAP BTP

As IT landscapes become more and more complex, the topic of security becomes more important. Your company must manage application users (business users) and platform users (admins, operators, and so on). You want to assign roles and authorizations and build central identity provisioning with the SAP Cloud Identity Services. All APIs and interfaces that are used or integrated must be secured as well.

SAP BTP distinguishes between the following:

  • Platform users are usually administrators or operators (DevOps) who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who log on directly to the SAP BTP cockpit and work there. They can also be developers who work with and use services in Cloud Foundry spaces.
  • Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

The SAP BTP is organized in global accounts on the highest level. These are hosted by multiple cloud infrastructure providers in different regions. A global account reflects a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Furthermore, subaccounts can have multiple environments. Environments constitute the actual platform-as-a-service offering of SAP BTP that allows the development and administration of business applications. These environments are called spaces.

In Cloud Foundry, further levels are in place for a better structuring and organization of work. For example, if you have too many subaccounts in a global account, you can create directories to structure them. And if you enable the Cloud Foundry environment, you automatically create a Cloud Foundry org, in which you create one or more spaces.

Anyone who wants to use SAP BTP must be assigned as a user to it. User management happens at all levels from global account to space. On each level you require an administrator, who administers resources and the users on those levels.

When a customer signs a contract with SAP, one user is created at the global account level. On this level, entitlements are defined, assigning entities and services, including billing information. The global account administrator can initially log on to SAP BTP to manage these entitlements and create directories and subaccounts. To ensure that more than one employee can administer the global account, the administrator needs to create other users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of that subaccount. The subaccount administrator can manage entitlements and service subscriptions, create other users on the subaccount level, and assign roles to those users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users, who are consumers of applications and services that are provided on SAP BTP (for example: SAP Business Application Studio) or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP and deployed in a subaccount. These users can have access to SAP BTP, but they are not able to do any administrative tasks. If a business user only uses a single application on SAP BTP, he or she does not necessarily require access to the SAP BTP cockpit (meaning the subaccount) but to the application only. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.

Users, Roles and Role Collections

To use different functions of SAP BTP, you need to be authorized for them. In the Cloud Foundry environment, you configure authorizations using roles and role collections.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You assign only role collections to users, never individual roles. Users receive the roles and their authorizations automatically through the role collection assignment.

Role collections are managed on each SAP BTP level separately. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.

SAP BTP already delivers a predefined set of role collections for platform users and for application users. To set up administrator access for platform users in the global account, directories, subaccounts and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.

Note
All users of SAP BTP are stored in identity providers. How you assign users to their authorizations depends on the type of trust configuration with the identity provider. If you're using the default trust configuration with SAP ID service, you assign users directly to role collections. However, if you are using a custom identity provider, you can assign role collections to individual users directly, or you map role collections to user groups or other user attributes defined in the identity provider. This is called federation.

The custom identity provider hosts the business users who can belong to user groups. It is efficient to use federation by assigning role collections to one or more user groups. The role collection contains all the authorizations that are necessary for this user group. This method saves time when you add a new business user. Simply add the users to the respective user groups and the new business users automatically get all the authorizations that are included in the role collection.
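To make the role, role collection and federation concepts above concrete, here is an added toy model (not SAP's code or catalog; all role, scope and group names are invented) of one subaccount: only role collections are assignable, collections exist per subaccount only, and a user's effective authorizations are the union of directly assigned collections and collections mapped from the groups the custom IdP asserts.

```python
from dataclasses import dataclass, field

@dataclass
class Subaccount:
    """Role collections and IdP group mappings are scoped to one BTP level (here a subaccount)."""
    name: str
    roles: dict[str, set[str]]              # role -> authorizations (scopes)
    role_collections: dict[str, list[str]]  # role collection -> roles
    group_mapping: dict[str, set[str]] = field(default_factory=dict)  # IdP group -> collections
    assignments: dict[str, set[str]] = field(default_factory=dict)    # user -> collections

    def _check(self, collection: str) -> None:
        # Only role collections are assignable (never single roles), only from this subaccount.
        if collection not in self.role_collections:
            raise KeyError(f"{collection!r} does not exist in subaccount {self.name!r}")

    def assign(self, user: str, collection: str) -> None:
        """Direct assignment of a role collection to a user."""
        self._check(collection)
        self.assignments.setdefault(user, set()).add(collection)

    def map_group(self, idp_group: str, collection: str) -> None:
        """Federation: map a user group from the custom IdP to a role collection."""
        self._check(collection)
        self.group_mapping.setdefault(idp_group, set()).add(collection)

    def effective_scopes(self, user: str, idp_groups=()) -> set[str]:
        """Union of scopes from direct assignments and IdP-group-federated collections."""
        collections = set(self.assignments.get(user, set()))
        for group in idp_groups:  # groups with no mapping contribute nothing
            collections |= self.group_mapping.get(group, set())
        scopes: set[str] = set()
        for coll in collections:
            for role in self.role_collections[coll]:
                scopes |= self.roles[role]
        return scopes

def build_sample() -> Subaccount:
    """Constructed sample subaccount; role, scope and group names are invented."""
    sa = Subaccount(
        name="dev-subaccount",
        roles={"Subaccount_Admin": {"subaccount.entitlements.manage", "subaccount.users.manage"},
               "Subaccount_Viewer": {"subaccount.read"}, "Orders_User": {"orders.read"}},
        role_collections={"Subaccount Administrator": ["Subaccount_Admin", "Subaccount_Viewer"],
                          "Orders App User": ["Orders_User"]},
    )
    sa.map_group("btp-admins", "Subaccount Administrator")  # federation by IdP group
    sa.map_group("sales", "Orders App User")
    return sa
```

Adding a new business user to the `sales` group in the IdP is enough for them to receive the `Orders App User` authorizations; no assignment in the subaccount is needed.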

SAP Identity Management and Access Governance Solutions

The SAP Identity Management and Access Governance solutions portfolio spreads along multiple cloud and on-premise applications:

SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.

SAP Identity Authentication provides simple and secure access to web-based applications with a variety of authentication methods anytime, from anywhere. The service was previously known as SAP Cloud Identity service.

SAP Identity Management keeps users' data secure and consistent and supports customers in implementing integrated identity lifecycle scenarios with SAP's cloud or on-premise HR solutions: SAP SuccessFactors solutions (cloud) and SAP ERP Human Capital Management (on-premise).

Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Identity Provisioning covers a broad range of source and target systems, both in the cloud and on-premise.

SAP Cloud Identity Access Governance is a cloud solution that integrates out-of-the-box with SAP S/4HANA and can run similar SOD scenarios as SAP GRC Access Control. Additionally, it has functionalities to build business roles in the cloud, provision those to various target systems through SAP Cloud Identity Services – Identity Provisioning and integrate in complex workflows thanks to SAP BTP Workflow service.

The SAP GRC Access Control application helps streamline the process of managing and validating user access to applications. SAP Identity Management and SAP Access Control can be combined as an integrated solution for identity and access governance.

SAP Cloud Identity Services

The Identity Authentication service is mainly responsible for the Authentication and Single Sign-On, while Identity Provisioning service takes care of the Identity Lifecycle Management, which includes both users and groups.

The Identity Provisioning service allows you to do the following:

  • Manage user accounts and authorizations across Cloud and on-premise systems
  • Provision identities from user stores in the Cloud and on-premise
  • Enable business applications to quickly support single sign-on with identity authentication

As a Key Value Proposition, the Identity Provisioning service provides:

  • Fast and efficient administration of user on-boarding
  • Centralized end-to-end lifecycle management of corporate identities in the Cloud
  • Automated provisioning of existing on-premise identities to Cloud applications

Open Security Standards – Interoperable

Identity Authentication provides simple and secure access to Web based applications with a variety of authentication methods at any time and from anywhere. The service was previously known as SAP Cloud ID service.

Identity Authentication provides secure and simple access based on the following factors:

  • Identity federation based on SAML 2.0
  • Web single sign-on (SSO) and desktop SSO
  • Secure on-premise integration to reuse existing authentication systems
  • Social login and two-factor authentication
  • Risk-based authentication

Identity Authentication provides user and access management based on the following factors:

  • User administration and integration with on-premise user stores
  • User groups and application access management
  • User self-service, for example, password reset, registration, and user profile maintenance
  • System for Cross-domain Identity Management (SCIM) API

Identity Authentication provides the following enterprise features:

  • Branding of end user UIs
  • Password and privacy policies
  • Identity Authentication is interoperable with all applications supporting the SAML 2.0 standard or OpenID Connect (OIDC)

Identity Authentication has the following IdP proxy features:

  • Authentication is delegated to corporate IdP login
  • Reuse of existing SSO infrastructure
  • Easy and secure authentication for employee scenarios
  • Federation based on the SAML 2.0 standard

Identity Authentication can connect to an on-premise user store. No user replication to the cloud is required, and no internal network ports need to be exposed to the internet. Other IAS product features can be used as well, including UI configuration policies and two-factor authentication.
