zhongwei/gh-secondsky-sap-skills-skills-sap-btp-best-practices
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:54:47 +08:00
commit bd301d195d
12 changed files with 3935 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

447
SKILL.md Normal file
View File

@@ -0,0 +1,447 @@
---
name: sap-btp-best-practices
description: |
Production-ready SAP BTP best practices for enterprise architecture, account management, security, and operations. Use when planning BTP implementations, setting up account hierarchies, configuring environments, implementing authentication, designing CI/CD pipelines, establishing governance, building Platform Engineering teams, implementing failover strategies, or managing application lifecycle on SAP BTP.
Keywords: SAP BTP, account hierarchy, global account, directory, subaccount, Cloud Foundry, Kyma, ABAP, SAP Identity Authentication, CI/CD, governance, Platform Engineering, failover, multi-region, SAP BTP best practices
license: GPL-3.0
metadata:
version: "1.3.0"
last_verified: "2025-11-27"
---
# SAP BTP Best Practices
## Related Skills
- **sap-btp-cloud-platform**: Use for technical implementation details, CLI commands, and runtime configurations
- **sap-btp-connectivity**: Use for connectivity patterns, destination configuration, and Cloud Connector setup
- **sap-btp-service-manager**: Use for service lifecycle management and programmatic service operations
- **sap-btp-developer-guide**: Use for development workflows, CAP integration, and application patterns
- **sap-cap-capire**: Use when designing CAP applications on BTP or implementing multitenancy
- **sap-fiori-tools**: Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
**Quick Links**:
- **Official Guide**: [https://github.com/SAP-docs/btp-best-practices-guide](https://github.com/SAP-docs/btp-best-practices-guide)
- **SAP Help Portal**: [https://help.sap.com/docs/btp/btp-administrators-guide](https://help.sap.com/docs/btp/btp-administrators-guide)
---
## Table of Contents
1. [Platform Fundamentals](#platform-fundamentals)
2. [Account Model Setup](#account-model-setup)
3. [Security and Authentication](#security-and-authentication)
4. [Connectivity](#connectivity)
5. [Governance and Teams](#governance-and-teams)
6. [Development](#development)
7. [AI Development](#ai-development)
8. [Deployment and Delivery](#deployment-and-delivery)
9. [High Availability and Failover](#high-availability-and-failover)
10. [Operations and Monitoring](#operations-and-monitoring)
11. [Cost Management](#cost-management)
12. [Bundled Resources](#bundled-resources)
---
## Platform Fundamentals
### Account Hierarchy
```
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│ └── Subaccount (region-specific, apps run here)
│ ├── Cloud Foundry Org → Spaces
│ └── Kyma Cluster → Namespaces
└── Subaccount
```
**Key Points**:
- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)
### Environments
| Environment | Use Case | Key Features |
|-------------|----------|--------------|
| **Cloud Foundry** | Polyglot apps | Multiple buildpacks, spaces |
| **Kyma** | Cloud-native K8s | Open-source, namespaces |
| **ABAP** | ABAP extensions | RAP, cloud-ready ABAP |
| **Neo** | Legacy | **Migrate away** - HTML5, Java, HANA XS |
### Commercial Models
- **Consumption-Based** (BTPEA/CPEA): Flexible access, best for pilots
- **Subscription-Based**: Fixed-cost for known service needs
**Best Practice**: Start with consumption-based, move to subscription for stable workloads.
---
## Account Model Setup
### Simple Model (3 subaccounts)
```
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
```
Best for: Initial implementations, single team, <3 projects
### Directory Model (scalable)
```
Global Account
├── Directory: HR
│ ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│ ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
├── api-management
└── shared-services
```
Best for: Multiple teams, cost allocation, complex governance
### Naming Conventions
| Entity | Convention | Example |
|--------|------------|---------|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | `hr-dev-acme` |
| CF Org | Company prefix | `acme-hr-dev` |
| CF Space | Consistent across stages | `hr-recruiting` |
**Tip**: Derive CF org/Kyma names from subaccount names for consistency.
---
## Security and Authentication
### Identity Provider Setup
**Always use SAP Cloud Identity Services - Identity Authentication**
```
Corporate IdP → Identity Authentication (proxy) → SAP BTP
```
**Critical Steps**:
1. Add multiple administrators (different time zones)
2. Enable MFA for all admins
3. Configure security alerts
4. Set up backup admins in SAP ID Service
### Authorization Methods
| Method | Best For | Notes |
|--------|----------|-------|
| **Provisioning** | Production, many users | Centralized roles, automated offboarding |
| **Federation** | Simple scenarios | Real-time sync, but doesn't scale well |
| **Manual** | Testing only | Quick setup, not production-ready |
### Destination Authentication
**Recommended**:
- `PrincipalPropagation` - SAP on-premise systems
- `OAuth2SAMLBearerAssertion` - Third-party systems
- `OAuth2JWTBearer` - User token exchange
**Avoid in Production**:
- `BasicAuthentication`
- `OAuth2Password`
**See**: `references/security-and-authentication.md` for complete guidance
---
## Connectivity
### Remote System Access
- **Internet Services**: Destinations with authentication
- **On-Premise Systems**: Destinations + Cloud Connector
### Cloud Connector
- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation
**Note**: Each subaccount needs separate Cloud Connector config.
---
## Governance and Teams
### Required Teams
**Platform Engineering Team (Center of Excellence)**:
- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- **Does NOT** manage individual application lifecycles
**Cloud Development Teams**:
- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)
### Essential Documentation
1. **Onboarding Doc**: Organization, app IDs, timeline, tech stack
2. **Security Doc**: Data sensitivity, policies, auth framework
3. **Services Catalog**: Templates for destinations, builds, schemas
---
## Development
### Programming Models
**SAP CAP (Cloud Application Programming Model)**:
- Framework with languages, libraries, tools
- Supports Java, JavaScript, TypeScript
- Enterprise-grade services and data models
**ABAP Cloud**:
- Modern ABAP for cloud-ready apps
- RAP (RESTful ABAP Programming Model)
- Extensions for ABAP-based products
### Development Lifecycle
1. **Explore**: Business opportunity, team roles
2. **Discover**: Use cases, technology options
3. **Design**: UX design, domain-driven design
4. **Deliver**: Landscape setup, development
5. **Run and Scale**: Feedback, optimization
---
## AI Development
SAP BTP provides AI capabilities through **SAP AI Core** for:
- **Generative AI** (LLMs, RAG)
- **Narrow AI** (classical ML)
**Key Resources**:
- Repository: [SAP-samples/sap-btp-ai-best-practices](https://github.com/SAP-samples/sap-btp-ai-best-practices)
- Documentation: [https://btp-ai-bp.docs.sap/](https://btp-ai-bp.docs.sap/)
**Best Practices**:
- Use service keys for secure authentication
- Implement PII data masking
- Build RAG with SAP HANA Cloud Vector Engine
- Configure content filtering
- Monitor model drift
**Use Cases**: 20+ samples including chatbots, PDF extraction, procurement.
**See**: `references/ai-development-best-practices.md` for patterns and examples
---
## Deployment and Delivery
### Deployment Methods
**Cloud Foundry/Neo**:
- Package as MTA archive
- Deploy via: BTP Cockpit, CF CLI, Business Application Studio
**Kyma**:
- Docker images (Dockerfile or Cloud Native Buildpacks)
- Helm charts for production
- Deploy via SAP Continuous Integration and Delivery
### CI/CD Approaches
**SAP Continuous Integration and Delivery**:
- Low expertise required
- Ready-to-use infrastructure
- Direct SAP support
**Project "Piper"**:
- High expertise required
- Jenkins-based
- Open-source community support
**Best Practice**: Combine CI/CD with SAP Cloud Transport Management for governance + agility.
**See**: `references/deployment-and-delivery.md` for detailed configs
---
## High Availability and Failover
### Multi-Region Architecture
```
Custom Domain URL
Load Balancer
├── Region 1 (active)
└── Region 2 (passive/active)
```
### Failover Implementation
**Four Core Principles**:
1. **Deploy in Two Regions**: Near users and backend systems
2. **Keep Synced**: CI/CD pipeline or Cloud Transport Management
3. **Define Detection**: Monitor 5xx errors, timeouts
4. **Plan Failback**: Visual differentiation, user-driven
**Legal**: Check cross-region data processing restrictions.
**See**: `references/failover-and-resilience.md` for implementation details
---
## Operations and Monitoring
### Go-Live Checklist
1. Deploy to production
2. Set go-live timeframe (avoid quarter-end)
3. Embed in SAP Fiori Launchpad
4. Provision business users
5. Configure role collections
### Monitoring Tools
**SAP Cloud ALM** (Enterprise Support):
- Real User Monitoring
- Health Monitoring
- Integration and Exception Monitoring
- Job Automation Monitoring
**SAP Cloud Logging**:
- Observability across CF, Kyma, Kubernetes
**SAP Alert Notification**:
- Multi-channel notifications (email, chat, ticketing)
---
## Cost Management
### Best Practices
1. Check *Costs and Usage* monthly
2. Provide minimal required entitlements
3. Use labels for cost allocation
4. Set up automated alerts (Usage Data Management + Alert Notification)
### Contract Strategies
- Consolidate subscriptions in one global account
- Use hybrid accounts for mixed workloads
- Note: Consumption credits non-transferable between global accounts
---
## Bundled Resources
This skill provides comprehensive reference documentation:
### Account & Governance
- **`references/account-models.md`** (11K lines)
- Detailed account structure patterns
- Naming conventions and examples
- Cost allocation strategies
- **`references/governance-and-teams.md`** (13K lines)
- Platform Engineering team structure
- Onboarding processes
- Documentation templates
### Security & Connectivity
- **`references/security-and-authentication.md`** (13K lines)
- Complete auth methods comparison
- Destination configuration
- Kyma RBAC manifests
- Identity lifecycle management
### Deployment & Operations
- **`references/deployment-and-delivery.md`** (10K lines)
- MTA descriptor templates
- CI/CD pipeline configs
- Transport management setup
- **`references/operations-and-monitoring.md`** (11K lines)
- Go-live procedures
- Monitoring setup guides
- Troubleshooting checklists
### High Availability
- **`references/failover-and-resilience.md`** (12K lines)
- Multi-region architecture
- Load balancer configurations
- Failover automation scripts
### Templates & Examples
- **`references/templates-and-examples.md`** (18K lines)
- Complete code templates
- Kubernetes RBAC manifests
- MTA descriptors
- Helm charts
- CI/CD configs
### AI Development
- **`references/ai-development-best-practices.md`** (6K lines)
- Generative AI patterns
- RAG implementation
- 20+ use cases catalog
### Progress Tracking
- Implementation status
- Coverage details
- Validation checklists
---
## Administration Tools
| Tool | Use Case |
|------|----------|
| **SAP BTP Cockpit** | GUI for all admin tasks |
| **btp CLI** | Terminal/automation scripting |
| **REST APIs** | Programmatic administration |
| **Terraform Provider** | Infrastructure as Code |
| **SAP Automation Pilot** | Low-code/no-code automation |
---
## Shared Responsibility Model
**SAP Manages**:
- Platform software updates/patches
- Infrastructure and OS monitoring
- BTP service monitoring
- Capacity management and incidents
- Global account provisioning
- HANA database operations
- Kyma `kyma-system` namespace
**You Manage**:
- Global account strategy and subaccount config
- Application development, deployment, security
- Role assignments and integrations
- Application monitoring and health checks
- Open source vulnerability scanning
- Triggering HANA revision updates
---
**Last Updated**: 2025-11-27
**Review Progress**: See SAP_SKILLS_REVIEW_PROGRESS.md
**Next Review**: 2026-02-27 (quarterly)