SAP BTP Best Practices
Related Skills
- sap-btp-cloud-platform: Use for technical implementation details, CLI commands, and runtime configurations
- sap-btp-connectivity: Use for connectivity patterns, destination configuration, and Cloud Connector setup
- sap-btp-service-manager: Use for service lifecycle management and programmatic service operations
- sap-btp-developer-guide: Use for development workflows, CAP integration, and application patterns
- sap-cap-capire: Use when designing CAP applications on BTP or implementing multitenancy
- sap-fiori-tools: Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
Table of Contents
- Platform Fundamentals
- Account Model Setup
- Security and Authentication
- Connectivity
- Governance and Teams
- Development
- AI Development
- Deployment and Delivery
- High Availability and Failover
- Operations and Monitoring
- Cost Management
- Bundled Resources
Platform Fundamentals
Account Hierarchy
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount
Key Points:
- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)
Environments
| Environment | Use Case | Key Features |
|---|---|---|
| Cloud Foundry | Polyglot apps | Multiple buildpacks, spaces |
| Kyma | Cloud-native K8s | Open-source, namespaces |
| ABAP | ABAP extensions | RAP, cloud-ready ABAP |
| Neo | Legacy | Migrate away - HTML5, Java, HANA XS |
Commercial Models
- Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
- Subscription-Based: Fixed-cost for known service needs
Best Practice: Start with consumption-based, move to subscription for stable workloads.
Account Model Setup
Simple Model (3 subaccounts)
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
Best for: Initial implementations, single team, <3 projects
Directory Model (scalable)
Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services
Best for: Multiple teams, cost allocation, complex governance
Naming Conventions
| Entity | Convention | Example |
|---|---|---|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | hr-dev-acme |
| CF Org | Company prefix | acme-hr-dev |
| CF Space | Consistent across stages | hr-recruiting |
Tip: Derive CF org/Kyma names from subaccount names for consistency.
Security and Authentication
Identity Provider Setup
Always use SAP Cloud Identity Services - Identity Authentication
Corporate IdP → Identity Authentication (proxy) → SAP BTP
Critical Steps:
- Add multiple administrators (different time zones)
- Enable MFA for all admins
- Configure security alerts
- Set up backup admins in SAP ID Service
Authorization Methods
| Method | Best For | Notes |
|---|---|---|
| Provisioning | Production, many users | Centralized roles, automated offboarding |
| Federation | Simple scenarios | Real-time sync, but doesn't scale well |
| Manual | Testing only | Quick setup, not production-ready |
Destination Authentication
Recommended:
- PrincipalPropagation - SAP on-premise systems
- OAuth2SAMLBearerAssertion - Third-party systems
- OAuth2JWTBearer - User token exchange
Avoid in Production:
- BasicAuthentication
- OAuth2Password
See: references/security-and-authentication.md for complete guidance
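Added example (not part of this skill's bundled references or any SAP tooling): a small audit that grades destination definitions against the two lists above, failing the avoided types only for a production stage. It assumes destinations are available as key=value property text with the Name, Authentication and ProxyType properties; the sample destinations, hosts and the stage labels are constructed.

```python
# Added example: grade destination definitions against the page's two lists.
RECOMMENDED = {"PrincipalPropagation", "OAuth2SAMLBearerAssertion", "OAuth2JWTBearer"}
AVOID_IN_PROD = {"BasicAuthentication", "OAuth2Password"}

def parse_destination(text):
    """Parse key=value destination properties; skip blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: URLs may contain '='
        props[key.strip()] = value.strip()
    return props

def audit(props, stage):
    """Return (severity, reason) for one destination in the given stage."""
    name = props.get("Name", "<unnamed>")
    auth = props.get("Authentication")
    if auth is None:
        return ("review", f"{name}: no Authentication property set")
    if auth in AVOID_IN_PROD:
        severity = "fail" if stage == "prod" else "warn"
        return (severity, f"{name}: {auth} is on the avoid-in-production list")
    # Assumption: principal propagation targets on-premise systems reached
    # through Cloud Connector, so any other proxy type deserves a second look.
    if auth == "PrincipalPropagation" and props.get("ProxyType") != "OnPremise":
        return ("review", f"{name}: PrincipalPropagation without ProxyType=OnPremise")
    if auth in RECOMMENDED:
        return ("ok", f"{name}: {auth}")
    return ("review", f"{name}: {auth} is on neither list")

def audit_all(exports, stage):
    return [audit(parse_destination(text), stage) for text in exports]

# Constructed sample destinations (hypothetical names and hosts).
SAMPLES = [
    "Name=hr-backend\nType=HTTP\nURL=http://hr.internal.example:8000\n"
    "ProxyType=OnPremise\nAuthentication=PrincipalPropagation\n",
    "Name=legacy-crm\nType=HTTP\nURL=https://crm.example.com\n"
    "ProxyType=Internet\nAuthentication=BasicAuthentication\nUser=svc_crm\n",
    "Name=partner-api\nType=HTTP\nURL=https://api.partner.example\n"
    "ProxyType=Internet\nAuthentication=OAuth2ClientCredentials\n",
]

if __name__ == "__main__":
    for severity, reason in audit_all(SAMPLES, "prod"):
        print(f"{severity:6} {reason}")
```

Types on neither list come back as "review" rather than "ok", so the result stays conservative about anything the page does not classify.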
Connectivity
Remote System Access
- Internet Services: Destinations with authentication
- On-Premise Systems: Destinations + Cloud Connector
Cloud Connector
- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation
Note: Each subaccount needs separate Cloud Connector config.
Governance and Teams
Required Teams
Platform Engineering Team (Center of Excellence):
- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- Does NOT manage individual application lifecycles
Cloud Development Teams:
- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)
Essential Documentation
- Onboarding Doc: Organization, app IDs, timeline, tech stack
- Security Doc: Data sensitivity, policies, auth framework
- Services Catalog: Templates for destinations, builds, schemas
Development
Programming Models
SAP CAP (Cloud Application Programming Model):
- Framework with languages, libraries, tools
- Supports Java, JavaScript, TypeScript
- Enterprise-grade services and data models
ABAP Cloud:
- Modern ABAP for cloud-ready apps
- RAP (RESTful ABAP Programming Model)
- Extensions for ABAP-based products
Development Lifecycle
- Explore: Business opportunity, team roles
- Discover: Use cases, technology options
- Design: UX design, domain-driven design
- Deliver: Landscape setup, development
- Run and Scale: Feedback, optimization
AI Development
SAP BTP provides AI capabilities through SAP AI Core for:
- Generative AI (LLMs, RAG)
- Narrow AI (classical ML)
Best Practices:
- Use service keys for secure authentication
- Implement PII data masking
- Build RAG with SAP HANA Cloud Vector Engine
- Configure content filtering
- Monitor model drift
Use Cases: 20+ samples including chatbots, PDF extraction, procurement.
See: references/ai-development-best-practices.md for patterns and examples
Deployment and Delivery
Deployment Methods
Cloud Foundry/Neo:
- Package as MTA archive
- Deploy via: BTP Cockpit, CF CLI, Business Application Studio
Kyma:
- Docker images (Dockerfile or Cloud Native Buildpacks)
- Helm charts for production
- Deploy via SAP Continuous Integration and Delivery
CI/CD Approaches
SAP Continuous Integration and Delivery:
- Low expertise required
- Ready-to-use infrastructure
- Direct SAP support
Project "Piper":
- High expertise required
- Jenkins-based
- Open-source community support
Best Practice: Combine CI/CD with SAP Cloud Transport Management for governance + agility.
See: references/deployment-and-delivery.md for detailed configs
High Availability and Failover
Multi-Region Architecture
Custom Domain URL
│
Load Balancer
├── Region 1 (active)
└── Region 2 (passive/active)
Failover Implementation
Four Core Principles:
- Deploy in Two Regions: Near users and backend systems
- Keep Synced: CI/CD pipeline or Cloud Transport Management
- Define Detection: Monitor 5xx errors, timeouts
- Plan Failback: Visual differentiation, user-driven
Legal: Check cross-region data processing restrictions.
See: references/failover-and-resilience.md for implementation details
Operations and Monitoring
Go-Live Checklist
- Deploy to production
- Set go-live timeframe (avoid quarter-end)
- Embed in SAP Fiori Launchpad
- Provision business users
- Configure role collections
Monitoring Tools
SAP Cloud ALM (Enterprise Support):
- Real User Monitoring
- Health Monitoring
- Integration and Exception Monitoring
- Job Automation Monitoring
SAP Cloud Logging:
- Observability across CF, Kyma, Kubernetes
SAP Alert Notification:
- Multi-channel notifications (email, chat, ticketing)
Cost Management
Best Practices
- Check Costs and Usage monthly
- Provide minimal required entitlements
- Use labels for cost allocation
- Set up automated alerts (Usage Data Management + Alert Notification)
Contract Strategies
- Consolidate subscriptions in one global account
- Use hybrid accounts for mixed workloads
- Note: Consumption credits non-transferable between global accounts
Bundled Resources
This skill provides comprehensive reference documentation:
Account & Governance
Security & Connectivity
references/security-and-authentication.md (13K lines)
- Complete auth methods comparison
- Destination configuration
- Kyma RBAC manifests
- Identity lifecycle management
Deployment & Operations
High Availability
references/failover-and-resilience.md (12K lines)
- Multi-region architecture
- Load balancer configurations
- Failover automation scripts
Templates & Examples
references/templates-and-examples.md (18K lines)
- Complete code templates
- Kubernetes RBAC manifests
- MTA descriptors
- Helm charts
- CI/CD configs
AI Development
references/ai-development-best-practices.md (6K lines)
- Generative AI patterns
- RAG implementation
- 20+ use cases catalog
Progress Tracking
- Implementation status
- Coverage details
- Validation checklists
Administration Tools
| Tool | Use Case |
|---|---|
| SAP BTP Cockpit | GUI for all admin tasks |
| btp CLI | Terminal/automation scripting |
| REST APIs | Programmatic administration |
| Terraform Provider | Infrastructure as Code |
| SAP Automation Pilot | Low-code/no-code automation |
Shared Responsibility Model
SAP Manages:
- Platform software updates/patches
- Infrastructure and OS monitoring
- BTP service monitoring
- Capacity management and incidents
- Global account provisioning
- HANA database operations
- Kyma kyma-system namespace
You Manage:
- Global account strategy and subaccount config
- Application development, deployment, security
- Role assignments and integrations
- Application monitoring and health checks
- Open source vulnerability scanning
- Triggering HANA revision updates
Last Updated: 2025-11-27
Review Progress: See SAP_SKILLS_REVIEW_PROGRESS.md
Next Review: 2026-02-27 (quarterly)