zhongwei/gh-secondsky-sap-skills-skills-sap-btp-cloud-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:54:56 +08:00
commit 4b44ecffd4
17 changed files with 5701 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

427
references/administration.md Normal file
View File

@@ -0,0 +1,427 @@
# Administration Reference
Complete guidance for SAP BTP account administration and operations.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
---
## Table of Contents
1. [Account Administration](#account-administration)
2. [Entitlement Management](#entitlement-management)
3. [User and Role Management](#user-and-role-management)
4. [Default Role Collections](#default-role-collections)
5. [Environment Management](#environment-management)
6. [Service Management](#service-management)
7. [Monitoring and Logging](#monitoring-and-logging)
8. [Backup and Recovery](#backup-and-recovery)
---
## Account Administration
### Global Account Operations
```bash
# List subaccounts
btp list accounts/subaccount
# Get global account details
btp get accounts/global-account
# Update global account
btp update accounts/global-account --display-name "New Name"
```
### Subaccount Operations
```bash
# Create subaccount
btp create accounts/subaccount \
--display-name "Development" \
--subdomain dev-acme \
--region eu10 \
--subaccount-admins admin@example.com
# Update subaccount
btp update accounts/subaccount <id> \
--display-name "New Name" \
--description "Updated description"
# Delete subaccount
btp delete accounts/subaccount <id>
# Move subaccount to directory
btp move accounts/subaccount <id> --to-directory <dir-id>
```
### Directory Operations
```bash
# Create directory
btp create accounts/directory \
--display-name "Business Unit A" \
--directory-features ENTITLEMENTS,AUTHORIZATIONS
# List directories
btp list accounts/directory
# Delete directory
btp delete accounts/directory <id>
```
### Labels
```bash
# Add label to subaccount
btp add accounts/label --subaccount <id> \
--name "Environment" --value "Development"
# List labels
btp list accounts/label --subaccount <id>
# Remove label
btp remove accounts/label --subaccount <id> --name "Environment"
```
---
## Entitlement Management
### View Entitlements
```bash
# Global account entitlements
btp list accounts/entitlement
# Subaccount assignments
btp list accounts/entitlement --subaccount <id>
```
### Assign Entitlements
```bash
# Assign to subaccount
btp assign accounts/entitlement \
--to-subaccount <id> \
--for-service hana-cloud \
--plan hana \
--amount 1
# Assign to directory
btp assign accounts/entitlement \
--to-directory <id> \
--for-service xsuaa \
--plan application \
--amount 10
```
### Common Services to Assign
| Service | Plan | Description | Availability |
|---------|------|-------------|--------------|
| `cloudfoundry` | `standard` | CF runtime | All CF regions |
| `kymaruntime` | `aws` / `azure` / `gcp` | Kyma runtime | Selected regions only |
| `abap` | `standard` | ABAP environment | Selected regions only |
| `hana-cloud` | `hana` | HANA Cloud database | All regions |
| `xsuaa` | `application` | Authorization service | All regions |
| `destination` | `lite` | Destination service | All regions |
| `connectivity` | `lite` | Connectivity service | All regions |
| `application-logs` | `lite` | Application logging | All regions |
> **Note**: Services marked "Selected regions only" require checking regional availability in BTP Cockpit
> or SAP Discovery Center before assignment. Kyma/ABAP availability varies by IaaS provider and region.
---
## User and Role Management
### User Operations
```bash
# Assign user to role collection
btp assign security/role-collection "Subaccount Administrator" \
--to-user user@example.com \
--of-idp sap.ids
# Remove user from role collection
btp unassign security/role-collection "Subaccount Administrator" \
--from-user user@example.com \
--of-idp sap.ids
# List role collection assignments
btp list security/role-collection
```
### Group Mapping
```bash
# Map IdP group to role collection
btp assign security/role-collection "Developers" \
--to-group "BTP_Developers" \
--of-idp my-corporate-idp
# Remove group mapping
btp unassign security/role-collection "Developers" \
--from-group "BTP_Developers" \
--of-idp my-corporate-idp
```
### Trust Configuration
```bash
# List trust configurations
btp list security/trust
# Get trust details
btp get security/trust <idp-origin>
```
---
## Default Role Collections
### Global Account Level
| Role Collection | Description |
|-----------------|-------------|
| **Global Account Administrator** | Full access to global account, entitlements, subaccounts |
| **Global Account Viewer** | Read-only access to global account |
### Directory Level
| Role Collection | Description |
|-----------------|-------------|
| **Directory Administrator** | Manage directory, entitlements, subaccounts |
| **Directory Viewer** | Read-only access to directory |
### Subaccount Level
| Role Collection | Description |
|-----------------|-------------|
| **Subaccount Administrator** | Full access to subaccount |
| **Subaccount Viewer** | Read-only access to subaccount |
| **Subaccount Service Administrator** | Manage service brokers |
| **Cloud Connector Administrator** | Manage Cloud Connector |
| **Destination Administrator** | Manage destinations and trust |
| **Connectivity and Destination Administrator** | Combined CC + destinations |
### Cloud Foundry Roles
| Role | Description |
|------|-------------|
| **Org Manager** | Manage org settings, spaces, quotas |
| **Org Auditor** | View-only access to org |
| **Space Manager** | Manage space settings, members |
| **Space Developer** | Deploy apps, manage services |
| **Space Auditor** | View-only access to space |
---
## Environment Management
### Cloud Foundry
```bash
# Create CF environment
btp create accounts/environment-instance \
--subaccount <id> \
--environment cloudfoundry \
--plan standard \
--landscape eu10-004
# List environments
btp list accounts/environment-instance --subaccount <id>
# Delete environment
btp delete accounts/environment-instance <env-id> --subaccount <id>
```
### Kyma
```bash
# Create Kyma environment
btp create accounts/environment-instance \
--subaccount <id> \
--environment kyma \
--plan aws \
--parameters '{"name":"my-kyma"}'
# Get Kyma kubeconfig
# Download from BTP Cockpit or use Kyma Dashboard
```
---
## Service Management
### Service Instances
```bash
# Discover available services and plans
cf marketplace
# CF CLI - Create service instance
cf create-service <service> <plan> <name> -c '<parameters>'
# CF CLI - List services
cf services
# CF CLI - Update service
cf update-service <name> -p <new-plan> -c '<parameters>'
# CF CLI - Delete service
cf delete-service <name>
```
### Service Bindings
```bash
# Bind to app
cf bind-service <app> <service> -c '<parameters>'
# Create service key (for external access)
cf create-service-key <service> <key-name>
# View service key
cf service-key <service> <key-name>
```
### Service Broker Management
```bash
# Register service broker
cf create-service-broker <name> <user> <password> <url>
# List brokers
cf service-brokers
# Delete broker
cf delete-service-broker <name>
```
---
## Monitoring and Logging
### SAP Cloud ALM
Integration for:
- Real User Monitoring
- Health Monitoring
- Integration Monitoring
- Exception Monitoring
- Job Automation Monitoring
### Application Logging
```bash
# CF - View logs
cf logs <app> --recent
cf logs <app> # tail
# Subscribe to Application Logging service
cf create-service application-logs lite my-logs
cf bind-service my-app my-logs
```
### Audit Logging
Access via:
- SAP Audit Log Viewer Service (subscription)
- Audit Log Retrieval API
```bash
# API access
curl -X GET "[https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords"](https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords") \
-H "Authorization: Bearer <token>"
```
### Alert Notification
Configure alerts for:
- Application events
- Service events
- Platform events
Channels:
- Email
- Slack
- ServiceNow
- SAP Cloud ALM
---
## Backup and Recovery
### SAP-Managed Backups
| Service | Backup | Recovery |
|---------|--------|----------|
| SAP HANA Cloud | Continuous | Point-in-time restore |
| PostgreSQL (Hyperscaler) | 14-day retention | Point-in-time restore |
| Redis | No persistence | N/A |
| Object Store | Versioning available | Manual |
### Customer Responsibilities
You must backup:
- Service configurations
- Destination settings
- Trust configurations
- Application configurations
- Custom code (Git repositories)
### Kyma Backup
- Managed Kubernetes snapshots
- Excludes persistent volumes
- Use Velero for volume backups
### Cloud Foundry Apps
- No built-in backup
- Keep code in external Git
- Export service configurations
- Document environment variables
---
## Automation
### Terraform Provider
```hcl
provider "btp" {
globalaccount = "my-global-account"
}
resource "btp_subaccount" "dev" {
name = "Development"
subdomain = "dev-acme"
region = "eu10"
}
resource "btp_subaccount_entitlement" "cf" {
subaccount_id = btp_subaccount.dev.id
service_name = "APPLICATION_RUNTIME"
plan_name = "MEMORY"
amount = 1
}
```
### SAP Automation Pilot
Low-code automation for:
- Scheduled operations
- Event-triggered workflows
- Multi-step procedures
---
## Related Documentation
- Administration: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
- btp CLI: [https://help.sap.com/docs/btp/btp-cli-command-reference/btp-cli-command-reference](https://help.sap.com/docs/btp/btp-cli-command-reference/btp-cli-command-reference)
- Terraform: [https://registry.terraform.io/providers/SAP/btp/latest/docs](https://registry.terraform.io/providers/SAP/btp/latest/docs)