Explaining SAP BTP Accounts

Your organization aims to develop custom code and modify SAP solutions. However, unlike on-premise systems, such modifications are not possible in the cloud, so you need alternative ways to meet your specific requirements. You also want to integrate SAP Software-as-a-Service (SaaS) solutions, such as SAP Concur, SAP SuccessFactors, and others, with SAP S/4HANA Cloud to create a fully connected ecosystem of applications and business processes. Additionally, you plan to integrate various third-party applications.

Given that your organization generates and collects vast amounts of data, effective data management and analysis are essential to derive meaningful insights. The SAP Business Technology Platform (BTP) serves this need by providing an open platform-as-a-service (PaaS) environment with in-memory processing, core platform services, and specialized microservices. It enables you to build and extend intelligent, mobile-ready cloud applications quickly, easily, and cost-effectively, without the need for on-premise infrastructure.

The SAP BTP is the technological base of the intelligent, sustainable enterprise. Based on open standards, SAP BTP offers complete flexibility and control over your choice of clouds, frameworks, and applications. It is used for three main scenarios in the scope of an intelligent and sustainable enterprise:

• Integration

  Modern enterprises operate within complex IT landscapes that combine on-premise systems and cloud platforms along with SaaS applications and hyperscaler technologies from SAP and third-party providers.

  Integration plays a critical role in connecting these diverse systems and business processes across the entire value chain. Seamless integration enhances operational efficiency, data consistency, and business agility—making it a cornerstone of an effective IT landscape in the digital era.

• Data to Value

  It is essential for organizations to maintain a consolidated view of their data assets to generate insights and enable real-time decision-making, especially in periods of rapid change. As data continues to grow exponentially and becomes the currency of the future, ensuring high data quality and adopting robust data management technologies are critical. To truly unlock the value of data, organizations must go beyond collection—analyzing, interpreting, and applying insights to drive agility, scalability, and sustainable growth.

• Extensibility

  To remain competitive, organizations must stay agile and adapt quickly to evolving business conditions and customer expectations. Extensibility empowers organizations to enhance and expand their existing application investments, ensuring they continue to meet dynamic business needs and deliver ongoing value.

  With SAP BTP as the foundation, enterprises can develop and deliver new features rapidly and efficiently, supporting continuous innovation. You can leverage services such as feature flags, continuous delivery, and cloud transport management to enable agile and controlled innovation. With the flexibility to choose your preferred runtime environment, SAP BTP allows you to extend applications efficiently and securely. As the number of cloud solutions in IT landscapes continues to grow, organizations must embrace extensibility rather than traditional system modifications—marking a fundamental shift from the on-premise approach to modern cloud development.

Learn more about SAP BTP here: https://www.sap.com/products/business-technology-platform.html.

The figure shows a global account divided into regions.

SAP BTP offers global accounts and subaccounts.

• Global Accounts

  A global account is the realization of a contract that you made with SAP. It is used to manage subaccounts, members, entitlements, and quotas. You receive entitlements and quotas to use platform resources as per the global account which can then be distributed to the subaccounts for actual consumption.

• Subaccounts

  Subaccounts allow you to structure a global account based on your organization’s and project’s specific needs for members, authorizations, and entitlements. A global account can contain one or more subaccounts, where you can deploy applications, consume services, and manage subscriptions. Each subaccount within a global account operates independently, which is an important consideration for security, member management, data management, data migration, and integration when planning your overall landscape and architecture.

You can deploy applications in different regions. Each region represents a geographical location (for example, Europe, U.S. East) where applications, data, or services are hosted.

• Infrastructure

  The infrastructure layer of a region is either provided by SAP or by one of its Infrastructure-as-a-Service (IaaS) partners, such as Amazon Web Services (AWS) or Microsoft Azure.

• Environments

  Environments represent the Platform-as-a-Service (PaaS) layer of SAP BTP, enabling the development, deployment, and administration of business applications. Each environment provides the necessary tools, technologies, and runtime required to build applications efficiently. The availability of multiple environments offers flexibility and choice, allowing organizations to tailor their development processes based on their specific technical and business needs.

• Services

  Services enable, facilitate, or accelerate the development of business applications and other platform services on SAP BTP.

• Data

  Your business and application data are managed through services like the SAP Data Warehouse Cloud service.

• Applications

  These are the business applications that you deploy in a region, building on top of and using the layers underneath.

SAP BTP offers users the ability to turn data into business value, compose end-to-end business processes, and build and extend SAP applications quickly.

The services and solutions of SAP BTP are available on multiple cloud infrastructure providers. The multi-cloud foundation supports different environments, such as Cloud Foundry, ABAP, and Kyma, as well as multiple different regions, and a broad choice of programming languages.

The central point of entry to the cloud platform is the SAP BTP cockpit, where you can access your accounts and applications and manage all activities associated with them.

The hierarchical element, 'directory is essentially a grouping of subaccounts. Furthermore, subaccounts can have multiple environments.

The figure depicts the relationship between a global account, its directories, subaccounts, environments, regions, entitlements, and quotas.

As IT landscapes become more and more complex, the topic of security becomes more important. Your company must manage application users (business users) and platform users (admins, operators, and so on). You want to assign roles and authorizations and build a central identity provisioning with the SAP Cloud Identity Services. All APIs and interfaces that are used or integrated must be secured as well.

The figure shows the SAP BTP users.

SAP BTP distinguishes between the following:

• Platform users are usually administrators or operators who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who directly log on to SAP BTP cockpit and work there.
• Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

The figure shows the SAP accounts and memberships.

The SAP BTP is organized in global accounts on the highest level. These are hosted by multiple cloud infrastructure providers in different regions. A global account reflects a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Furthermore, subaccounts can have multiple environments. Environments constitute the actual platform-as-a-service offering of SAP BTP that allows the development and administration of business applications. These environments are called spaces.

In Cloud Foundry, further levels are in place for a better structuring and organization of work. For example, if you have too many subaccounts in a global account, you can create directories to structure them. And if you enable the Cloud Foundry environment, you automatically create a Cloud Foundry org., in which you create one or more spaces.

Anyone who wants to use SAP BTP must be assigned as a user to it. User management happens at all levels, from global accounts to spaces. On each level, you require an administrator, who administers resources and the users on those levels.

The figure shows the SAP BTP subaccounts.

When a customer signs a contract with SAP, one user is created at the global account level. On this level, entitlements are defined, assigning entities and services, including billing information. The global account administrator can initially log on to SAP BTP to manage these entitlements and create directories and subaccounts. To ensure that more than one employee can administer the global account, the administrator must create other users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of the subaccount. The subaccount administrator can manage entitlements, service subscription, create other users on the subaccount level, and assign roles to the users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users, who are consumers of applications and services that are provided on SAP BTP. For example, SAP Business Application Studio, or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP and deployed in a subaccount. These users can have access to SAP BTP, but they are not able to do any administrative tasks. If a business user only uses a single application on SAP BTP, they do not necessarily require access to the SAP BTP cockpit (meaning the subaccount) but to the application only. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.

To use different functions of SAP BTP, you must be authorized for it. In the Cloud Foundry environment, you can configure authorizations using roles and role collections.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You only assign role collections to users, but not individual roles. Roles and their authorizations are provided automatically to users using role collection assignment.

Role collections are managed on each SAP BTP level separately. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.

SAP BTP already delivers a predefined set of role collections for platform users and for application users. To set up administrator access for platform users in the global account, directories, subaccounts, and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.

The figure shows a role collection workflow.

The figure shows the SAP solutions for identity management and governance.

The SAP Identity Management and Access Governance solutions portfolio spreads along multiple cloud and on-premise applications:

• SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.
• SAP Cloud Identity Authentication Service provides simple and secure access to Web-based applications with a variety of authentication methods at anytime and from anywhere. The service was previously known as SAP Cloud Identity service.
• SAP Identity Management keeps the user's data secure and consistent and supports customers by implementing integrated identity lifecycle scenarios with SAP's cloud or on-premise HR solutions: SAP SuccessFactors solutions (cloud) and SAP ERP Human Capital Management (on-premise). Be aware of the EOL timeline for this product.
• SAP Cloud Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Identity Provisioning covers a broad range of source and target systems, both in the cloud and on-premise.
• SAP Cloud Identity Access Governance is a cloud solution that integrates out-of-the-box with SAP S/4HANA, and it can run similar SOD scenarios as SAP GRC Access Control. Additionally, it has functionalities to build business roles in the cloud, provision those to various target systems through SAP Cloud Identity Services, Identity Provisioning, and integrate in complex workflows thanks to SAP BTP Workflow service.
• The SAP GRC Access Control application helps streamline the process of managing and validating user access to applications. SAP Identity Management and SAP Access Control function as an integrated solution for identity and access governance.

The figure shows the SAP Cloud Identity Services.

The Identity Authentication service is mainly responsible for the Authentication and Single Sign-On, while the Identity Provisioning service takes care of the Identity Lifecycle Management, which includes both users and groups.

The figure shows the SAP identity provisioning.

The Identity Provisioning service allows you to do the following:

• Manage user accounts and authorizations across cloud and on-premise systems
• Provision identities from user stores in the cloud and on-premise
• Enable business applications to quickly support single sign-on with identity authentication

As a key value proposition, the Identity Provisioning service provides:

• Fast and efficient administration of user on-boarding
• Centralized end-to-end lifecycle management of corporate identities in the cloud
• Automated provisioning of existing on-premise identities to cloud applications

The figure shows the open security standards like SAML and OIDC.

Identity Authentication provides simple and secure access to Web-based applications with various authentication methods at any time and from anywhere.

Identity Authentication provides secure and simple access based on the following factors:

• Identity federation based on SAML 2.0
• Web Single Sign-On SSO and desktop SSO
• Secure on-premise integration to reuse existing authentication systems
• Social login and two-factor authentication
• Risk-based authentication

Identity Authentication provides user and access management based on the following factors:

• User administration and integration with on-premise user stores
• User groups and application access management
• User self-service, for example, password reset, registration, and user profile maintenance
• System for cross-domain Identity Management (SCIM) API

Identity Authentication provides the following enterprise features:

• Branding of end user UIs
• Password and privacy policies
• Identity Authentication is interoperable with all application supporting SAML 2.0 standard or OpenID Connect (OIDC)

Identity Authentication has the following IdP proxy features:

• Authentication that is delegated to corporate IdP login
• Reuse of existing SSO infrastructure
• Easy and secure authentication for employee scenarios
• Federation based on the SAML 2.0 standard

Identity Authentication can connect to an on-premise user store. There is no user replication required to the cloud and no internal network ports must be exposed to the internet. Other Identity Authentication service product features can be used, including UI configuration policies and two-factor authentication.

The following table outlines the best practices for managing cloud accounts.

On the SAP BTP, member management happens at all levels from global account to space, while user management is done for deployed applications.

User accounts enable users to log on to SAP BTP and access subaccounts and use services according to the permissions given to them. We distinguish between two types of users.

The figure shows the user management for subaccounts.

• Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP.
• Business users use the applications that are deployed to SAP BTP. For example, the end users of your deployed application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

Member management refers to managing permissions for platform users. A member is a user who is assigned to an SAP BTP global account or subaccount. Administrators can add users to global accounts and subaccounts and assign roles to them as needed. You can use predefined roles - for example, the administrator role for managing subaccount members.

User management refers to managing authentication and authorization for your business users. This is only done for your deployed applications.

The SAP BTP is structured according to global accounts, directories (optional), and subaccounts.

A global account is the realization of a contract you or your company has made with SAP.

A global account is used to manage subaccounts, members, entitlements, and quotas. You receive entitlements and quotas to use platform resources per global account and then distribute the entitlements and quotas to the subaccount for actual consumption. There are two types of commercial models for global accounts: the consumption-based model and the subscription-based model.

The figure shows the global account organization.

Directories allow you to organize and manage your subaccounts according to your technical and business needs.

A directory can contain directories and subaccounts to create a hierarchy. Using directories to group other directories and subaccounts is optional - you can still create subaccounts directly under your global account.

You can create a hierarchical structure that is seven levels deep. The highest level of a given path is always the global account and the lowest is a subaccount, which means that you can have up to five levels of directories.

The figure shows the organizing subaccounts with directories.

Directories allow you to monitor usage and costs for contracts that use the consumption-based commercial model. In addition, you can also add the following features to your directories (optional):

• Manage Entitlements: This enables the assignment of a quota for services and applications to the directory from the global account quota for distribution to the directory's subaccounts. When you assign entitlements to a directory, you express the entitlements and maximum quota that can be distributed across its child subaccounts. You also have the option to choose the auto-assignment of a set amount of quota to all subaccounts created or moved to that directory. Subaccounts that are already in the directory when you select that option will not be auto-assigned quota.
• Manage Authorizations: This enables authorization management for the directory. For example, it allows certain users to manage directory entitlements. You can only use this feature in combination with the Manage Entitlements feature.

Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. They’re the users that you give certain permissions, for instance, at the global account or subaccount level.

Platform users who were added as members and who have administrative permissions can view or manage the list of global accounts, subaccounts, and environments, such as Cloud Foundry orgs and spaces. Members access them using the SAP BTP Cockpit, or the SAP BTP command line interface (CLI), or environment-specific CLI, such as the Cloud Foundry (CF) CLI.

For platform users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.

Business users use the applications that are deployed to SAP BTP. For example, these are the end users of SaaS apps or services, such as SAP Workflow service or SAP Cloud Integration, and the end users of your custom applications are business users.

Application developers (platform users) create and deploy application-specific security artifacts for business users, such as scopes. Administrators use these artifacts to assign roles, build role collections, and assign these role collections to business users or user groups. In this way, they control the users' permissions in the application.

For business users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.

Member management refers to managing permissions for platform users. You can think about it as managing the members of your team.

Member management happens at global account, directory, subaccount, and environment level. Members' permissions apply to all operations that are associated with the global account, the organization, or the space, irrespective of the tool used. Depending on the scope and the cloud management tools feature set you're using, you can manage members in different ways:

User management refers to managing authentication and authorization for your business users.