Explaining Global Accounts and Subaccounts

Objective

After completing this lesson, you will be able to explore global accounts and subaccounts in SAP BTP.

SAP Business Technology Platform

Disclaimer: The SAP Business Technology Platform (SAP BTP) evolves constantly. Therefore, there might be differences between the screenshots and simulations in this course and the actual environment. Some changes follow SAP's strategy of harmonizing the user experience across platforms, while others introduce new features.

What is a Business Technology Platform?

In your company, you want to write custom code and adapt SAP solutions. Modifications of the kind you made to on-premise systems are not possible in the cloud, so you need another way to fulfill your needs. You want to integrate SAP Software-as-a-Service (SaaS) solutions such as SAP Concur and SAP SuccessFactors with your SAP S/4HANA Cloud to end up with a fully integrated set of software solutions and business processes. In addition, you have third-party software that you want to integrate. Your company generates and collects a lot of data, and this data must be managed and analyzed to get value from it.

What is SAP Business Technology Platform?

SAP Business Technology Platform (SAP BTP) is an open platform as a service (PaaS) that delivers in-memory capabilities, core platform services, and unique micro-services for building and extending intelligent, mobile-enabled cloud applications. The platform is designed to accelerate digital transformation by helping you to quickly, easily, and economically develop the exact application you need – without investing in on-premise infrastructure.

The SAP BTP is the technological base of the intelligent, sustainable enterprise.

Based on open standards, SAP Business Technology Platform offers complete flexibility and control over your choice of clouds, frameworks, and applications.

SAP Business Technology Platform is used for three main scenarios in scope of the intelligent, sustainable enterprise:

Integration

Complex IT landscapes include on-premise and cloud systems. SaaS applications and hyperscaler technology from SAP and third parties are used in the modern, digital enterprise.

Integration is essential to enhance business operations across the entire value chain by connecting all systems and business processes seamlessly. As a result, good integration will be key to a good IT landscape.

Data to Value

It is essential that organizations have a consolidated view across all their data assets and are able to achieve insight and make real-time decisions, especially during times of rapid change. Good data quality and data handling is very important because the increasing amount of data will be the currency of the future. Good data quality and good technologies to work with that data are the key for the flexible and scalable business of tomorrow. To get value from your data, you must analyze and interpret it, not just collect it.

Extensibility

Companies need to stay agile and adapt rapidly to new business conditions and changing customer demands. Extensibility allows companies to build and enhance all their application investments to meet their customers' dynamic needs and provide continual value. You can deliver new features in an agile and fast manner with SAP BTP as the underlying platform.

You can use services such as feature flags, continuous delivery, or SAP Cloud Transport Management, and you choose the runtime you want to use. Because the number of cloud solutions in IT landscapes keeps rising, you need to think in terms of extensions rather than the modifications you made in the on-premise world.

If you want to know more about the SAP BTP in general, see: https://www.sap.com/products/business-technology-platform.html.

Architecture of SAP Business Technology Platform (BTP)

The diagram shows a global account divided into regions X, Y, Z, each with subaccounts A, B, C. Each subaccount has applications, services, and subscriptions.

SAP BTP offers global accounts and subaccounts.

Global Accounts

A global account is the realization of a contract you made with SAP. A global account is used to manage subaccounts, members, entitlements, and quotas. You receive entitlements and quotas to use platform resources per global account and then distribute the entitlements and quotas to the subaccount for actual consumption.

Subaccounts

Subaccounts let you structure a global account according to your organization's and project's requirements regarding members, authorizations, and entitlements. A global account can contain one or more subaccounts in which you deploy applications, use services, and manage your subscriptions. Subaccounts in a global account are independent of each other. This is important to consider with respect to security, member management, data management, data migration, integration, and so on, when you plan your landscape and overall architecture.

Regions and Environments

The diagram shows a sample region with subsections: applications, services, data, environments, and infrastructure. Beside it, a sample environment has run time, tools, and services that connect to applications.

You can deploy applications in different regions. Each region represents a geographical location (for example, Europe, US East) where applications, data, or services are hosted.

Infrastructure

The infrastructure layer of a region is provided either by SAP or by one of SAP's infrastructure-as-a-service (IaaS) partners, for example, Amazon Web Services (AWS) or Microsoft Azure.

Environments

Environments constitute the actual platform-as-a-service offering of SAP BTP that allows for the development and administration of business applications. Each environment comes equipped with the tools, technologies, and runtimes that you need to build applications. The availability of different environments allows for greater flexibility in your development process.

Services

Services enable, facilitate, or accelerate the development of business applications and other platform services on SAP BTP.

Data

Your business and application data are managed through services like the SAP Data Warehouse Cloud service.

Applications

These are the business applications that you deploy in a region, building on top of and making use of the layers underneath.

Global Accounts and Subaccounts

Overview - SAP BTP Offering

SAP BTP offers users the ability to turn data into business value, compose end-to-end business processes, and build and extend SAP applications quickly.

The services and solutions of SAP BTP are available on multiple cloud infrastructure providers. The multi-cloud foundation supports different environments, such as Cloud Foundry, ABAP, and Kyma, as well as multiple different regions, and a broad choice of programming languages.

The central point of entry to the cloud platform is the SAP BTP cockpit, where you can access your accounts and applications and manage all activities associated with them.

The hierarchical element "directory" is essentially a grouping of subaccounts. Furthermore, subaccounts can have multiple environments.

The figure, Overview of Global Accounts, Directories, and Subaccounts, depicts the relationship between a global account, its directories, subaccounts, environments, regions, entitlements, and quotas.

The diagram shows different workflows: The global account links to entitlements, billing info, directory, regions, admins, and license type. The directory connects to entitlements, admins, and business user IdP. The subaccount links to quotas, environment, admins, region, and business user IdP.

Users and Authentication

User and Authorization Management on SAP BTP

As IT landscapes become more and more complex, the topic of security becomes more important. Your company must manage application users (business users) and platform users (admins, operators, and so on). You want to assign roles and authorizations and build a central identity provisioning with the SAP Cloud Identity Services. All APIs and interfaces that are used or integrated need to be secured as well.

There are platform users, such as administrators and operators, as well as business users, such as application users.

SAP BTP distinguishes between the following:

  • Platform users are usually administrators or operators who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who log on directly to the SAP BTP cockpit and work there. They can also be developers who deploy and use services in Cloud Foundry spaces.
  • Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

There are different types of membership for each level of the account model: global account, directory, subaccount, Cloud Foundry org, and space. Each level has corresponding roles: global account administrator, directory administrator, subaccount administrator, org member, and space member.

SAP BTP is organized in global accounts at the highest level. These are hosted by multiple cloud infrastructure providers in different regions. A global account reflects a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Furthermore, subaccounts can have multiple environments. Environments constitute the actual platform-as-a-service offering of SAP BTP that allows the development and administration of business applications. In the Cloud Foundry environment, work is further organized into an org and its spaces.

Further levels exist for structuring and organizing work. If a global account contains many subaccounts, you can create directories to group them. When you enable the Cloud Foundry environment in a subaccount, a Cloud Foundry org is created automatically, and within that org you create one or more spaces.

Anyone who wants to use SAP BTP must be assigned as a user to it. User management happens at all levels, from global accounts to spaces. On each level, you require an administrator, who administers resources and the users on those levels.

A sample global account includes three subaccounts, A, B, and C. Subaccount A includes SAP Business Application Studio (BAS), mobile services, and a business application. There are three users: a global account administrator, a subaccount administrator, and a business user.

When a customer signs a contract with SAP, one user is created at the global account level. At this level, the purchased entitlements (services and their quotas) and the billing information are defined. The global account administrator initially logs on to SAP BTP to manage these entitlements and to create directories and subaccounts. To ensure that more than one employee can administer the global account, this administrator must add further users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of the subaccount. The subaccount administrator can manage entitlements, service subscription, create other users on the subaccount level, and assign roles to the users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users, who are consumers of applications and services that are provided on SAP BTP, for example, SAP Business Application Studio, or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP and deployed in a subaccount. These users can have access to SAP BTP, but they are not able to do any administrative tasks. If a business user only uses a single application on SAP BTP, they do not necessarily require access to the SAP BTP cockpit (meaning the subaccount) but to the application only. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.

Users, Roles and Role Collections

The diagram shows the role collection model. Roles, for example, administrator and developer, are statically assigned to a role collection; the role collection is then assigned to users, either directly (static assignment) or through user groups or attributes of the identity provider (federated assignment).

To use the different functions of SAP BTP, you need to be authorized for them. In the Cloud Foundry environment, you configure authorizations using roles and role collections.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You only assign role collections to users, but not individual roles. Roles and their authorizations are provided automatically to users using role collection assignment.

Role collections are managed on each SAP BTP level separately. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.

SAP BTP already delivers a predefined set of role collections for platform users and for application users. To set up administrator access for platform users in the global account, directories, subaccounts, and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.

Note

All users of SAP BTP are stored in identity providers. How you assign users to their authorizations depends on the type of trust configuration with the identity provider. If you're using the default trust configuration with SAP ID service, you assign users directly to role collections. However, if you are using a custom identity provider, you can assign role collections to individual users directly, or you map role collections to user groups or other user attributes defined in the identity provider. This is called federation.

The custom identity provider hosts the business users who can belong to user groups. It is efficient to use federation by assigning role collections to one or more user groups. The role collection contains all the authorizations that are necessary for this user group. This method saves time when you add a new business user. Simply add the users to the respective user groups and the new business users automatically get all the authorizations that are included in the role collection.

SAP solutions for Identity Management and Governance

SAP BTP based solutions allow you to manage authentication, user management and compliance needs.

The SAP Identity Management and Access Governance solutions portfolio spreads along multiple cloud and on-premise applications:

SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.

SAP Cloud Identity Authentication service provides simple and secure access to Web-based applications with a variety of authentication methods at anytime and from anywhere. The service was previously known as SAP Cloud Identity service.

SAP Identity Management keeps the user's data secure and consistent and supports customers by implementing integrated identity lifecycle scenarios with SAP's cloud or on-premise HR solutions: SAP SuccessFactors solutions (cloud) and SAP ERP Human Capital Management (on-premise). Be aware of the EOL timeline for this product.

SAP Cloud Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Identity Provisioning covers a broad range of source and target systems, both in the cloud and on-premise.

SAP Cloud Identity Access Governance is a cloud solution that integrates out-of-the-box with SAP S/4HANA, and it can run similar SOD scenarios as SAP GRC Access Control. Additionally, it has functionalities to build business roles in the cloud, provision those to various target systems through SAP Cloud Identity Services, Identity Provisioning, and integrate in complex workflows thanks to SAP BTP Workflow service.

The SAP GRC Access Control application helps streamline the process of managing and validating user access to applications. SAP Identity Management and SAP Access Control function as an integrated solution for identity and access governance.

SAP Cloud Identity Services

The diagram shows the process where the end user uses SAP cloud identity services to access SAP cloud business applications.

The Identity Authentication service is mainly responsible for the Authentication and Single Sign-On, while the Identity Provisioning service takes care of the Identity Lifecycle Management, which includes both users and groups.

With identity provisioning, you can perform various tasks for cloud-based and on-premise systems.

The Identity Provisioning service allows you to do the following:

  • Manage user accounts and authorizations across cloud and on-premise systems
  • Provision identities from user stores in the cloud and on-premise
  • Enable business applications to quickly support single sign-on with identity authentication

As a key value proposition, the Identity Provisioning service provides:

  • Fast and efficient administration of user on-boarding
  • Centralized end-to-end lifecycle management of corporate identities in the cloud
  • Automated provisioning of existing on-premise identities to cloud applications

Open Security Standards – Interoperable

The diagram illustrates how users authenticate through identity providers using open security standards like SAML or OIDC to access cloud applications, including SAP. It shows two flows: direct identity authentication and using a corporate identity provider.

Identity Authentication provides simple and secure access to Web-based applications with a variety of authentication methods at any time and from anywhere.

Identity Authentication provides secure and simple access based on the following factors:

  • Identity federation based on SAML 2.0
  • Web Single Sign-On SSO and desktop SSO
  • Secure on-premise integration to reuse existing authentication systems
  • Social login and two-factor authentication
  • Risk-based authentication

Identity Authentication provides user and access management based on the following factors:

  • User administration and integration with on-premise user stores
  • User groups and application access management
  • User self-service, for example, password reset, registration, and user profile maintenance
  • System for Cross-domain Identity Management (SCIM) API

Identity Authentication provides the following enterprise features:

  • Branding of end user UIs
  • Password and privacy policies
  • Identity Authentication is interoperable with all application supporting SAML 2.0 standard or OpenID Connect (OIDC)

Identity Authentication has the following IdP proxy features:

  • Authentication that is delegated to corporate IdP login
  • Reuse of existing SSO infrastructure
  • Easy and secure authentication for employee scenarios
  • Federation based on the SAML 2.0 standard

Identity Authentication can connect to an on-premise user store. There is no user replication required to the cloud and no internal network ports need to be exposed to the internet. Other Identity Authentication service product features can be used, including UI configuration policies and two-factor authentication.

Accounts, User and Member Management

Best Practices for Managing Cloud Accounts

The following table outlines the best practices for managing cloud accounts.

Best Practices

Object: Global Account
  • For each commercial model (license type), you get a separate global account.
  • Appoint at least one person as administrator. The administrator is responsible for adding new subaccounts, adding members to the global account, and managing the entitlements. We recommend that you also appoint at least one substitute administrator. If the main administrator leaves the company or is unavailable, it is important that someone is available to take over these tasks.
  • You purchase entitlements for each global account (according to your commercial model). The administrator of the global account distributes quotas to the individual subaccounts.

Object: Directory
  • Appoint at least one person as administrator. The administrator is responsible for adding new subaccounts, managing members, and managing entitlements. We recommend that you also appoint at least one substitute administrator. If the main administrator leaves the company or is unavailable, it is important that someone is available to take over these tasks.

Object: Subaccount
  • Each subaccount runs in exactly one region (data center). It can have one or more environments enabled, for example, Cloud Foundry, Kyma, or ABAP.
  • Appoint at least one person as administrator. The administrator is responsible for adding new members to the subaccount and assigning their business roles. We recommend that you also appoint at least one substitute administrator. If the main administrator leaves the company or is unavailable, it is important that someone is available to take over these tasks.

User and Member Management

On the cloud platform, member management happens at all levels from global account to space, while user management is done for deployed applications.

User accounts enable users to log on to SAP BTP and access subaccounts and use services according to the permissions given to them. We distinguish between two types of users.

A diagram shows how the two types of users, platform users and business users, use the subaccount. The text that follows includes more detail.
  • Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP.
  • Business users use the applications that are deployed to SAP BTP. For example, the end users of your deployed application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

Member management refers to managing permissions for platform users. A member is a user who is assigned to an SAP BTP global account or subaccount. Administrators can add users to global accounts and subaccounts and assign roles to them as needed. You can use predefined roles - for example, the administrator role for managing subaccount members.

User management refers to managing authentication and authorization for your business users. This is only done for your deployed applications.

Account Model

The SAP BTP cockpit is structured according to global accounts, directories, and subaccounts.

Global Accounts

A global account is the realization of a contract you or your company has made with SAP.

A global account is used to manage subaccounts, members, entitlements, and quotas. You receive entitlements and quotas to use platform resources per global account and then distribute the entitlements and quotas to the subaccount for actual consumption. There are two types of commercial models for global accounts: the consumption-based model and the subscription-based model.

A diagram shows a global account with three subaccounts, where each subaccount is attached to a region. Subaccount A is connected to Region X, Subaccount B to Region Y, and Subaccount C to Region Z.

Directories

Directories allow you to organize and manage your subaccounts according to your technical and business needs.

A directory can contain directories and subaccounts to create a hierarchy. Using directories to group other directories and subaccounts is optional - you can still create subaccounts directly under your global account.

You can create a hierarchical structure that is 7 levels deep. The highest level of a given path is always the global account and the lowest is a subaccount, which means that you can have up to 5 levels of directories.

A hierarchical tree diagram shows the global account at the top, branching into a subaccount and directory, further expanding into additional subaccounts and directories at multiple levels.

Directories allow you to monitor usage and costs for contracts that use the consumption-based commercial model. In addition, you can also add the following features to your directories (optional):

  • Manage Entitlements: This enables the assignment of a quota for services and applications to the directory from the global account quota for distribution to the directory's subaccounts. When you assign entitlements to a directory, you express the entitlements and maximum quota that can be distributed across its child subaccounts. You also have the option to choose the auto-assignment of a set amount of quota to all subaccounts created or moved to that directory. Subaccounts that are already in the directory when you select that option will not be auto-assigned quota.
  • Manage Authorizations: This enables authorization management for the directory. For example, it allows certain users to manage directory entitlements. You can only use this feature in combination with the Manage Entitlements feature.

Subaccount

Subaccounts let you structure a global account according to your organization's and project's requirements regarding members, authorizations, and entitlements.

A global account can contain one or more subaccounts in which you deploy applications, use services, and manage your subscriptions. In the Cloud Foundry environment, deployed applications are grouped into spaces. Subaccounts in a global account are independent of each other. This is important to consider with respect to security, member management, data management, data migration, integration, and so on, when you plan your landscape and overall architecture.

A diagram shows a global account with Subaccount A and Subaccount B. Each subaccount contains applications, services, and subscriptions.

Each subaccount is associated with a region, which is the physical location where applications, data, or services are hosted. The specific region is relevant when you deploy applications and access the SAP BTP cockpit using the corresponding cockpit URL. The region assigned to your subaccount does not have to be directly related to your location. You could be in the United States, for example, but operate your subaccount in Europe.

The entitlements and quotas that have been purchased for a global account have to be assigned to the individual subaccounts.

Technical Users

Platform Users

Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. They’re the users that you give certain permissions, for instance, at global account or subaccount level.

The screenshot of the SAP BTP cockpit shows the org members of a sample subaccount. Four members are listed with their roles, including Org Manager and Org Auditor. Org Members is highlighted on the navigation panel.

Platform users who were added as members and who have administrative permissions can view or manage the list of global accounts, subaccounts, and environments, such as Cloud Foundry orgs and spaces. Members access them using the SAP BTP Cockpit, or the SAP BTP command-line interface (btp CLI), or environment-specific CLI, such as the Cloud Foundry (CF) CLI.

A screenshot of the SAP BTP cockpit shows a subaccount’s user list with details like username, identity provider, email, and last login. A user’s role collections are displayed on the right. Users is highlighted on the navigation pane on the left.

For platform users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.

Business Users

Business users use the applications that are deployed to SAP BTP. For example, the end users of subscribed SaaS apps or services, such as SAP Workflow service or SAP Cloud Integration, and the end users of your custom applications are business users.

Application developers (platform users) create and deploy application-specific security artifacts for business users, such as scopes. Administrators use these artifacts to assign roles, build role collections, and assign these role collections to business users or user groups. In this way, they control the users' permissions in the application.
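As an added example (not from this course and not an SAP-provided sample), the following xs-security.json is the security descriptor that an application developer deploys with the XSUAA service instance to create exactly these artifacts: scopes, a user attribute, role templates, and the role collections that a subaccount administrator then assigns to business users or to federated groups. The application name orders-app, the scope and role names, the CostCenter attribute, and the eu10 redirect URI pattern are assumptions chosen for illustration.

```json
{
  "xsappname": "orders-app",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.Read",    "description": "Read orders" },
    { "name": "$XSAPPNAME.Approve", "description": "Approve orders" }
  ],
  "attributes": [
    { "name": "CostCenter", "description": "Cost centers the user may approve for", "valueType": "string" }
  ],
  "role-templates": [
    {
      "name": "OrderViewer",
      "description": "Can read orders",
      "scope-references": [ "$XSAPPNAME.Read" ]
    },
    {
      "name": "OrderApprover",
      "description": "Can read and approve orders, restricted by cost center",
      "scope-references": [ "$XSAPPNAME.Read", "$XSAPPNAME.Approve" ],
      "attribute-references": [ "CostCenter" ]
    }
  ],
  "role-collections": [
    {
      "name": "Order Viewer",
      "description": "Business users who only read orders",
      "role-template-references": [ "$XSAPPNAME.OrderViewer" ]
    },
    {
      "name": "Order Approver",
      "description": "Business users who approve orders",
      "role-template-references": [ "$XSAPPNAME.OrderApprover" ]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": [ "https://*.cfapps.eu10.hana.ondemand.com/**" ]
  }
}
```

The `$XSAPPNAME` placeholder is replaced by the application name at deployment, which keeps scope names unique per application within the subaccount. The role collections listed here are created in the subaccount when the service instance is created, so the administrator only has to assign them; the `CostCenter` attribute is what makes a federated assignment from an identity provider attribute possible for the approver role. The restricted `redirect-uris` pattern is a setting to check in every security review, because an unrestricted value lets an OAuth authorization code be sent to an arbitrary host.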

For business users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.

Member Management and User Management

Member management refers to managing permissions for platform users. You can think about it as managing the members of your team.

A screenshot of SAP BTP cockpit shows the screen for trust configuration in a sample subaccount. It shows options to establish trust, manage SAML metadata, and configure identity providers. Trust Configuration is highlighted on the navigation pane on the left.

Member management happens at global account, directory, subaccount, and environment level. Members' permissions apply to all operations that are associated with the global account, the organization, or the space, irrespective of the tool used. Depending on the scope and the cloud management tools feature set you're using, you manage members in different ways:

Managing Members

Global Accounts

You manage global account members by assigning role collections to platform users. Use the following predefined role collections:

  • Global Account Administrator
  • Global Account Viewer

Assign these role collections from the cockpit or the btp CLI.

Directories

You manage directory members by assigning role collections to platform users. Use the following predefined role collections:

  • Directory Administrator
  • Directory Viewer

Assign these role collections from the SAP BTP cockpit or the btp CLI.

Subaccounts

You manage subaccount members by assigning role collections to platform users.

Note

Neo subaccounts don’t use role collections.

Use the predefined role collections, such as:

  • Subaccount Administrator
  • Subaccount Viewer

Assign these role collections from the SAP BTP cockpit (now Cloud Identity Services UI) or the btp CLI.

Member Management in the Cloud Foundry Environment


Manage organization members on the Members page at environment level in the cockpit or with the Cloud Foundry CLI.

A platform user added as an org member can be either an Org Manager or an Org Auditor.

Manage space members on the Members page at space level in the cockpit or with the Cloud Foundry CLI.

A platform user added as a space member can be either a Space Manager, Space Developer, Space Auditor, or Space Supporter.
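The following script is an added example (not from this course, and not SAP-provided tooling) that turns the member-management rules above, together with the federation note in the role collection section, into a repeatable procedure with the btp CLI and the cf CLI: it assigns only the predefined role collections, insists on a substitute administrator at each level, maps a custom-IdP user group to a collection where federation applies, and sets Cloud Foundry org and space roles. The IdP origin keys sap.default and my-ias-tenant, the subaccount ID, the org and space names, and all user and group names are assumptions; the btp flag spellings follow the btp CLI reference and should be confirmed with `btp --help` for your CLI version. Commands are printed by default (DRY_RUN=1) so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not part of the SAP course: onboard platform administrators
# with the btp CLI and the cf CLI according to the rules on this page.
#   - assign role collections, never individual roles
#   - appoint a primary AND a substitute administrator at each level
#   - use group federation when a custom Identity Authentication tenant is the IdP
#
# Assumptions (not from the page): IdP origin keys "sap.default" (SAP ID service)
# and "my-ias-tenant", the subaccount ID, the org/space names, and the user and
# group names. `btp` and `cf` must already be logged in. With DRY_RUN=1 (default)
# every command is printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"      # show the exact command line for review
  else
    "$@"
  fi
}

# Predefined administrator role collection for each account level (see the
# "Managing Members" table). Any other level is rejected so that a typo cannot
# grant an unintended collection.
admin_collection() {
  case "$1" in
    global)     echo "Global Account Administrator" ;;
    directory)  echo "Directory Administrator" ;;
    subaccount) echo "Subaccount Administrator" ;;
    *)          echo "unknown account level: $1" >&2; return 1 ;;
  esac
}

# Directories and subaccounts are addressed by ID; the global account is the
# default target of the logged-in btp session, so it needs no scope flag.
scope_flags() {
  case "$1" in
    directory)  echo "--directory $2" ;;
    subaccount) echo "--subaccount $2" ;;
    *)          echo "" ;;
  esac
}

# assign_admin LEVEL IDP USER [ID]  -- static assignment of a single user.
assign_admin() {
  rc="$(admin_collection "$1")" || return 1
  # shellcheck disable=SC2046   (scope_flags is meant to split into words)
  run btp assign security/role-collection "$rc" --to-user "$3" --of-idp "$2" $(scope_flags "$1" "${4:-}")
}

# federate_admin LEVEL IDP GROUP [ID]  -- map a user group of a custom IdP to the
# collection. The default IdP has no groups, so it is refused here.
federate_admin() {
  if [ "$2" = "sap.default" ]; then
    echo "federation needs a custom identity provider, not sap.default" >&2
    return 1
  fi
  rc="$(admin_collection "$1")" || return 1
  run btp assign security/role-collection "$rc" --to-group "$3" --of-idp "$2" $(scope_flags "$1" "${4:-}")
}

# onboard_admins LEVEL IDP PRIMARY SUBSTITUTE [ID]  -- enforces the "at least one
# substitute administrator" recommendation before touching the account.
onboard_admins() {
  if [ -z "$4" ] || [ "$3" = "$4" ]; then
    echo "a distinct substitute administrator is required" >&2
    return 1
  fi
  assign_admin "$1" "$2" "$3" "${5:-}" && assign_admin "$1" "$2" "$4" "${5:-}"
}

# Cloud Foundry org and space membership is managed with the cf CLI, not btp.
cf_org_manager()     { run cf set-org-role "$1" "$2" OrgManager; }
cf_space_developer() { run cf set-space-role "$1" "$2" "$3" SpaceDeveloper; }

# Sample run (printed only, because DRY_RUN=1):
onboard_admins global     sap.default   alice@example.com bob@example.com
onboard_admins subaccount sap.default   carol@example.com dave@example.com 1111-2222-3333
federate_admin subaccount my-ias-tenant BTP-Subaccount-Admins 1111-2222-3333
cf_org_manager     alice@example.com dev-org
cf_space_developer erin@example.com  dev-org dev-space
```

Run the script once with DRY_RUN=1 and review the printed commands; then run it again with DRY_RUN=0 after `btp login` and `cf login`. Because federation is refused for sap.default and unknown levels are rejected, the script fails before any command is executed rather than granting a wrong collection halfway through.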

User management refers to managing authentication and authorization for your business users.

How to Explore BTP Security

This demonstration guides you through the first steps to understand the SAP BTP security approach. You start with a global account from where you can drill down into the subaccount level. Your organization might have multiple global accounts, but most likely you will find multiple subaccounts.

How to Explore Accounts

This demo introduces the security-relevant structures that you find in SAP BTP. When you sign a contract, you get a global account from where you can build subaccounts and group them in Directories. Depending on the level, you will find different security-relevant options from users and resources that you can access to external Identity Providers.

How to Explore Directories

This demonstration introduces you to the concept of directories. A directory allows you to group subaccounts and, if needed, the directory can also provide user management facilities (optional).

How to Explore Users

This demo allows you to explore the user management functions and see at which levels users can be created, from global account, to directory, and to subaccount. Typically, platform users appear at the upper levels, while business users appear at the subaccount level.
