---
name: sap-btp-best-practices
description: |
  Production-ready SAP BTP best practices for enterprise architecture, account management, security, and operations.
  Use when planning BTP implementations, setting up account hierarchies, configuring environments, implementing authentication, designing CI/CD pipelines, establishing governance, building Platform Engineering teams, implementing failover strategies, or managing application lifecycle on SAP BTP.
  Keywords: SAP BTP, account hierarchy, global account, directory, subaccount, Cloud Foundry, Kyma, ABAP, SAP Identity Authentication, CI/CD, governance, Platform Engineering, failover, multi-region, SAP BTP best practices
license: GPL-3.0
metadata:
  version: "1.3.0"
  last_verified: "2025-11-27"
---

# SAP BTP Best Practices

## Related Skills

- **sap-btp-cloud-platform**: Use for technical implementation details, CLI commands, and runtime configurations
- **sap-btp-connectivity**: Use for connectivity patterns, destination configuration, and Cloud Connector setup
- **sap-btp-service-manager**: Use for service lifecycle management and programmatic service operations
- **sap-btp-developer-guide**: Use for development workflows, CAP integration, and application patterns
- **sap-cap-capire**: Use when designing CAP applications on BTP or implementing multitenancy
- **sap-fiori-tools**: Use for UI deployment strategies and frontend application guidelines

Production-ready SAP BTP implementation guidance based on official SAP documentation.

**Quick Links**:

- **Official Guide**: [https://github.com/SAP-docs/btp-best-practices-guide](https://github.com/SAP-docs/btp-best-practices-guide)
- **SAP Help Portal**: [https://help.sap.com/docs/btp/btp-administrators-guide](https://help.sap.com/docs/btp/btp-administrators-guide)

---

## Table of Contents

1. [Platform Fundamentals](#platform-fundamentals)
2. [Account Model Setup](#account-model-setup)
3. [Security and Authentication](#security-and-authentication)
4. [Connectivity](#connectivity)
5. [Governance and Teams](#governance-and-teams)
6. [Development](#development)
7. [AI Development](#ai-development)
8. [Deployment and Delivery](#deployment-and-delivery)
9. [High Availability and Failover](#high-availability-and-failover)
10. [Operations and Monitoring](#operations-and-monitoring)
11. [Cost Management](#cost-management)
12. [Bundled Resources](#bundled-resources)

---

## Platform Fundamentals

### Account Hierarchy

```
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount
```

**Key Points**:

- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)

### Environments

| Environment | Use Case | Key Features |
|-------------|----------|--------------|
| **Cloud Foundry** | Polyglot apps | Multiple buildpacks, spaces |
| **Kyma** | Cloud-native K8s | Open-source, namespaces |
| **ABAP** | ABAP extensions | RAP, cloud-ready ABAP |
| **Neo** | Legacy | **Migrate away** - HTML5, Java, HANA XS |

### Commercial Models

- **Consumption-Based** (BTPEA/CPEA): Flexible access, best for pilots
- **Subscription-Based**: Fixed-cost for known service needs

**Best Practice**: Start with consumption-based, move to subscription for stable workloads.

---

## Account Model Setup

### Simple Model (3 subaccounts)

```
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
```

Best for: Initial implementations, single team, <3 projects

### Directory Model (scalable)

```
Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services
```

Best for: Multiple teams, cost allocation, complex governance

### Naming Conventions

| Entity | Convention | Example |
|--------|------------|---------|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | `hr-dev-acme` |
| CF Org | Company prefix | `acme-hr-dev` |
| CF Space | Consistent across stages | `hr-recruiting` |

**Tip**: Derive CF org/Kyma names from subaccount names for consistency.

---

## Security and Authentication

### Identity Provider Setup

**Always use SAP Cloud Identity Services - Identity Authentication**

```
Corporate IdP → Identity Authentication (proxy) → SAP BTP
```

**Critical Steps**:

1. Add multiple administrators (different time zones)
2. Enable MFA for all admins
3. Configure security alerts
4. Set up backup admins in SAP ID Service

### Authorization Methods

| Method | Best For | Notes |
|--------|----------|-------|
| **Provisioning** | Production, many users | Centralized roles, automated offboarding |
| **Federation** | Simple scenarios | Real-time sync, but doesn't scale well |
| **Manual** | Testing only | Quick setup, not production-ready |

### Destination Authentication

**Recommended**:

- `PrincipalPropagation` - SAP on-premise systems
- `OAuth2SAMLBearerAssertion` - Third-party systems
- `OAuth2JWTBearer` - User token exchange

**Avoid in Production**:

- `BasicAuthentication`
- `OAuth2Password`

**See**: `references/security-and-authentication.md` for complete guidance

---

## Connectivity

### Remote System Access

- **Internet Services**: Destinations with authentication
- **On-Premise Systems**: Destinations + Cloud Connector

### Cloud Connector

- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation

**Note**: Each subaccount needs separate Cloud Connector config.

---

## Governance and Teams

### Required Teams

**Platform Engineering Team (Center of Excellence)**:

- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- **Does NOT** manage individual application lifecycles

**Cloud Development Teams**:

- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)

### Essential Documentation

1. **Onboarding Doc**: Organization, app IDs, timeline, tech stack
2. **Security Doc**: Data sensitivity, policies, auth framework
3. **Services Catalog**: Templates for destinations, builds, schemas

---

## Development

### Programming Models

**SAP CAP (Cloud Application Programming Model)**:

- Framework with languages, libraries, tools
- Supports Java, JavaScript, TypeScript
- Enterprise-grade services and data models

**ABAP Cloud**:

- Modern ABAP for cloud-ready apps
- RAP (RESTful ABAP Programming Model)
- Extensions for ABAP-based products

### Development Lifecycle

1. **Explore**: Business opportunity, team roles
2. **Discover**: Use cases, technology options
3. **Design**: UX design, domain-driven design
4. **Deliver**: Landscape setup, development
5. **Run and Scale**: Feedback, optimization

---

## AI Development

SAP BTP provides AI capabilities through **SAP AI Core** for:

- **Generative AI** (LLMs, RAG)
- **Narrow AI** (classical ML)

**Key Resources**:

- Repository: [SAP-samples/sap-btp-ai-best-practices](https://github.com/SAP-samples/sap-btp-ai-best-practices)
- Documentation: [https://btp-ai-bp.docs.sap/](https://btp-ai-bp.docs.sap/)

**Best Practices**:

- Use service keys for secure authentication
- Implement PII data masking
- Build RAG with SAP HANA Cloud Vector Engine
- Configure content filtering
- Monitor model drift

**Use Cases**: 20+ samples including chatbots, PDF extraction, procurement.

**See**: `references/ai-development-best-practices.md` for patterns and examples

---

## Deployment and Delivery

### Deployment Methods

**Cloud Foundry/Neo**:

- Package as MTA archive
- Deploy via: BTP Cockpit, CF CLI, Business Application Studio

**Kyma**:

- Docker images (Dockerfile or Cloud Native Buildpacks)
- Helm charts for production
- Deploy via SAP Continuous Integration and Delivery

### CI/CD Approaches

**SAP Continuous Integration and Delivery**:

- Low expertise required
- Ready-to-use infrastructure
- Direct SAP support

**Project "Piper"**:

- High expertise required
- Jenkins-based
- Open-source community support

**Best Practice**: Combine CI/CD with SAP Cloud Transport Management for governance + agility.

**See**: `references/deployment-and-delivery.md` for detailed configs

---

## High Availability and Failover

### Multi-Region Architecture

```
Custom Domain URL
        │
  Load Balancer
  ├── Region 1 (active)
  └── Region 2 (passive/active)
```

### Failover Implementation

**Four Core Principles**:

1. **Deploy in Two Regions**: Near users and backend systems
2. **Keep Synced**: CI/CD pipeline or Cloud Transport Management
3. **Define Detection**: Monitor 5xx errors, timeouts
4. **Plan Failback**: Visual differentiation, user-driven

**Legal**: Check cross-region data processing restrictions.

**See**: `references/failover-and-resilience.md` for implementation details

---

## Operations and Monitoring

### Go-Live Checklist

1. Deploy to production
2. Set go-live timeframe (avoid quarter-end)
3. Embed in SAP Fiori Launchpad
4. Provision business users
5. Configure role collections

### Monitoring Tools

**SAP Cloud ALM** (Enterprise Support):

- Real User Monitoring
- Health Monitoring
- Integration and Exception Monitoring
- Job Automation Monitoring

**SAP Cloud Logging**:

- Observability across CF, Kyma, Kubernetes

**SAP Alert Notification**:

- Multi-channel notifications (email, chat, ticketing)

---

## Cost Management

### Best Practices

1. Check *Costs and Usage* monthly
2. Provide minimal required entitlements
3. Use labels for cost allocation
4. Set up automated alerts (Usage Data Management + Alert Notification)

### Contract Strategies

- Consolidate subscriptions in one global account
- Use hybrid accounts for mixed workloads
- Note: Consumption credits non-transferable between global accounts

---

## Bundled Resources

This skill provides comprehensive reference documentation:

### Account & Governance

- **`references/account-models.md`** (11K lines)
  - Detailed account structure patterns
  - Naming conventions and examples
  - Cost allocation strategies
- **`references/governance-and-teams.md`** (13K lines)
  - Platform Engineering team structure
  - Onboarding processes
  - Documentation templates

### Security & Connectivity

- **`references/security-and-authentication.md`** (13K lines)
  - Complete auth methods comparison
  - Destination configuration
  - Kyma RBAC manifests
  - Identity lifecycle management

### Deployment & Operations

- **`references/deployment-and-delivery.md`** (10K lines)
  - MTA descriptor templates
  - CI/CD pipeline configs
  - Transport management setup
- **`references/operations-and-monitoring.md`** (11K lines)
  - Go-live procedures
  - Monitoring setup guides
  - Troubleshooting checklists

### High Availability

- **`references/failover-and-resilience.md`** (12K lines)
  - Multi-region architecture
  - Load balancer configurations
  - Failover automation scripts

### Templates & Examples

- **`references/templates-and-examples.md`** (18K lines)
  - Complete code templates
  - Kubernetes RBAC manifests
  - MTA descriptors
  - Helm charts
  - CI/CD configs

### AI Development

- **`references/ai-development-best-practices.md`** (6K lines)
  - Generative AI patterns
  - RAG implementation
  - 20+ use cases catalog

### Progress Tracking

- Implementation status
- Coverage details
- Validation checklists

---

## Administration Tools

| Tool | Use Case |
|------|----------|
| **SAP BTP Cockpit** | GUI for all admin tasks |
| **btp CLI** | Terminal/automation scripting |
| **REST APIs** | Programmatic administration |
| **Terraform Provider** | Infrastructure as Code |
| **SAP Automation Pilot** | Low-code/no-code automation |

---

## Shared Responsibility Model

**SAP Manages**:

- Platform software updates/patches
- Infrastructure and OS monitoring
- BTP service monitoring
- Capacity management and incidents
- Global account provisioning
- HANA database operations
- Kyma `kyma-system` namespace

**You Manage**:

- Global account strategy and subaccount config
- Application development, deployment, security
- Role assignments and integrations
- Application monitoring and health checks
- Open source vulnerability scanning
- Triggering HANA revision updates

---

**Last Updated**: 2025-11-27

**Review Progress**: See SAP_SKILLS_REVIEW_PROGRESS.md

**Next Review**: 2026-02-27 (quarterly)
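
The recommended and avoid-in-production lists under "Destination Authentication" can be enforced as a pipeline gate. The following is an added example, not part of the bundled references or of SAP's tooling: it assumes destinations are exported as a JSON array carrying the `Name`, `Authentication` and `ProxyType` properties, and the `stage` label, the severity names and the sample destinations are hypothetical.

```python
import json

# Classification taken from the "Destination Authentication" lists on this page.
RECOMMENDED = {"PrincipalPropagation", "OAuth2SAMLBearerAssertion", "OAuth2JWTBearer"}
AVOID_IN_PROD = {"BasicAuthentication", "OAuth2Password"}

# Constructed sample export; names are placeholders, not real systems.
SAMPLE_EXPORT = json.dumps([
    {"Name": "s4-onprem", "Authentication": "PrincipalPropagation", "ProxyType": "OnPremise"},
    {"Name": "hr-odata", "Authentication": "OAuth2SAMLBearerAssertion", "ProxyType": "Internet"},
    {"Name": "legacy-crm", "Authentication": "BasicAuthentication", "ProxyType": "Internet"},
    {"Name": "partner-api", "Authentication": "OAuth2Password", "ProxyType": "Internet"},
    {"Name": "misrouted", "Authentication": "PrincipalPropagation", "ProxyType": "Internet"},
    {"Name": "ops-feed", "Authentication": "NoAuthentication", "ProxyType": "Internet"},
    {"Name": "broken"},  # Authentication property missing entirely
])


def audit_destinations(export_json, stage="prod"):
    """Return (name, severity, reason) tuples for destinations that need attention."""
    findings = []
    for dest in json.loads(export_json):
        name = dest.get("Name", "<unnamed>")
        auth = dest.get("Authentication")
        if auth is None:
            findings.append((name, "ERROR", "no Authentication property"))
        elif auth in AVOID_IN_PROD:
            # The page rules these out for production; other stages only warn.
            severity = "FAIL" if stage == "prod" else "WARN"
            findings.append((name, severity, f"{auth} is on the avoid-in-production list"))
        elif auth == "PrincipalPropagation" and dest.get("ProxyType") != "OnPremise":
            # The page pairs PrincipalPropagation with on-premise systems.
            findings.append((name, "FAIL", "PrincipalPropagation without ProxyType=OnPremise"))
        elif auth not in RECOMMENDED:
            findings.append((name, "REVIEW", f"{auth} is not on the recommended list"))
    return findings


def gate(findings):
    """Exit code for a CI step: 1 if anything is FAIL or ERROR, else 0."""
    return 1 if any(sev in ("FAIL", "ERROR") for _, sev, _ in findings) else 0


if __name__ == "__main__":
    results = audit_destinations(SAMPLE_EXPORT, stage="prod")
    for name, severity, reason in results:
        print(f"{severity:6} {name}: {reason}")
    raise SystemExit(gate(results))
```

Types that appear on neither list are reported as `REVIEW` rather than failed, since the page does not classify them.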