SAP BTP Best Practices
Related Skills
-
sap-btp-cloud-platform: Use for technical implementation details, CLI commands, and runtime configurations
-
sap-btp-connectivity: Use for connectivity patterns, destination configuration, and Cloud Connector setup
-
sap-btp-service-manager: Use for service lifecycle management and programmatic service operations
-
sap-btp-developer-guide: Use for development workflows, CAP integration, and application patterns
-
sap-cap-capire: Use when designing CAP applications on BTP or implementing multitenancy
-
sap-fiori-tools: Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
Quick Links:
-
Official Guide: https://github.com/SAP-docs/btp-best-practices-guide
-
SAP Help Portal: https://help.sap.com/docs/btp/btp-administrators-guide
Table of Contents
-
Platform Fundamentals
-
Account Model Setup
-
Security and Authentication
-
Connectivity
-
Governance and Teams
-
Development
-
AI Development
-
Deployment and Delivery
-
High Availability and Failover
-
Operations and Monitoring
-
Cost Management
-
Bundled Resources
Platform Fundamentals
Account Hierarchy
Global Account (SAP contract) ├── Directory (optional, up to 7 levels) │ └── Subaccount (region-specific, apps run here) │ ├── Cloud Foundry Org → Spaces │ └── Kyma Cluster → Namespaces └── Subaccount
Key Points:
-
Global account = contract with SAP (one per commercial model)
-
Directory = groups subaccounts (max 7 levels deep)
-
Subaccount = deployed in specific region, enables runtimes
-
Use labels for virtual grouping (Dev/Test/Prod, cost centers)
Environments
Environment Use Case Key Features
Cloud Foundry Polyglot apps Multiple buildpacks, spaces
Kyma Cloud-native K8s Open-source, namespaces
ABAP ABAP extensions RAP, cloud-ready ABAP
Neo Legacy Migrate away - HTML5, Java, HANA XS
Commercial Models
-
Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
-
Subscription-Based: Fixed-cost for known service needs
Best Practice: Start with consumption-based, move to subscription for stable workloads.
Account Model Setup
Simple Model (3 subaccounts)
Global Account ├── Dev Subaccount ├── Test Subaccount └── Prod Subaccount
Best for: Initial implementations, single team, <3 projects
Directory Model (scalable)
Global Account ├── Directory: HR │ ├── hr-dev / hr-test / hr-prod ├── Directory: Sales │ ├── sales-dev / sales-test / sales-prod └── Directory: Central IT ├── api-management └── shared-services
Best for: Multiple teams, cost allocation, complex governance
Naming Conventions
Entity Convention Example
Subaccount Natural language "HR Development"
Subdomain Lowercase, hyphens hr-dev-acme
CF Org Company prefix acme-hr-dev
CF Space Consistent across stages hr-recruiting
Tip: Derive CF org/Kyma names from subaccount names for consistency.
Security and Authentication
Identity Provider Setup
Always use SAP Cloud Identity Services - Identity Authentication
Corporate IdP → Identity Authentication (proxy) → SAP BTP
Critical Steps:
-
Add multiple administrators (different time zones)
-
Enable MFA for all admins
-
Configure security alerts
-
Set up backup admins in SAP ID Service
Authorization Methods
Method Best For Notes
Provisioning Production, many users Centralized roles, automated offboarding
Federation Simple scenarios Real-time sync, but doesn't scale well
Manual Testing only Quick setup, not production-ready
Destination Authentication
Recommended:
-
PrincipalPropagation
-
SAP on-premise systems
-
OAuth2SAMLBearerAssertion
-
Third-party systems
-
OAuth2JWTBearer
-
User token exchange
Avoid in Production:
-
BasicAuthentication
-
OAuth2Password
See: references/security-and-authentication.md for complete guidance
Connectivity
Remote System Access
-
Internet Services: Destinations with authentication
-
On-Premise Systems: Destinations + Cloud Connector
Cloud Connector
-
Lightweight on-premise agent
-
Secure tunnel to SAP BTP (no inbound ports)
-
Fine-grained access control
-
Supports RFC and HTTP protocols
-
Enables principal propagation
Note: Each subaccount needs separate Cloud Connector config.
Governance and Teams
Required Teams
Platform Engineering Team (Center of Excellence):
-
Manages cloud landscape infrastructure
-
Handles account operations, build infrastructure
-
Creates governance and compliance guidelines
-
Does NOT manage individual application lifecycles
Cloud Development Teams:
-
Follow DevOps (develop AND operate)
-
Responsible for application lifecycle
-
Regular maintenance (e.g., UI updates every 6 months)
Essential Documentation
-
Onboarding Doc: Organization, app IDs, timeline, tech stack
-
Security Doc: Data sensitivity, policies, auth framework
-
Services Catalog: Templates for destinations, builds, schemas
Development
Programming Models
SAP CAP (Cloud Application Programming Model):
-
Framework with languages, libraries, tools
-
Supports Java, JavaScript, TypeScript
-
Enterprise-grade services and data models
ABAP Cloud:
-
Modern ABAP for cloud-ready apps
-
RAP (RESTful ABAP Programming Model)
-
Extensions for ABAP-based products
Development Lifecycle
-
Explore: Business opportunity, team roles
-
Discover: Use cases, technology options
-
Design: UX design, domain-driven design
-
Deliver: Landscape setup, development
-
Run and Scale: Feedback, optimization
AI Development
SAP BTP provides AI capabilities through SAP AI Core for:
-
Generative AI (LLMs, RAG)
-
Narrow AI (classical ML)
Key Resources:
-
Repository: SAP-samples/sap-btp-ai-best-practices
-
Documentation: https://btp-ai-bp.docs.sap/
Best Practices:
-
Use service keys for secure authentication
-
Implement PII data masking
-
Build RAG with SAP HANA Cloud Vector Engine
-
Configure content filtering
-
Monitor model drift
Use Cases: 20+ samples including chatbots, PDF extraction, procurement.
See: references/ai-development-best-practices.md for patterns and examples
Deployment and Delivery
Deployment Methods
Cloud Foundry/Neo:
-
Package as MTA archive
-
Deploy via: BTP Cockpit, CF CLI, Business Application Studio
Kyma:
-
Docker images (Dockerfile or Cloud Native Buildpacks)
-
Helm charts for production
-
Deploy via SAP Continuous Integration and Delivery
CI/CD Approaches
SAP Continuous Integration and Delivery:
-
Low expertise required
-
Ready-to-use infrastructure
-
Direct SAP support
Project "Piper":
-
High expertise required
-
Jenkins-based
-
Open-source community support
Best Practice: Combine CI/CD with SAP Cloud Transport Management for governance + agility.
See: references/deployment-and-delivery.md for detailed configs
High Availability and Failover
Multi-Region Architecture
Custom Domain URL │ Load Balancer ├── Region 1 (active) └── Region 2 (passive/active)
Failover Implementation
Four Core Principles:
-
Deploy in Two Regions: Near users and backend systems
-
Keep Synced: CI/CD pipeline or Cloud Transport Management
-
Define Detection: Monitor 5xx errors, timeouts
-
Plan Failback: Visual differentiation, user-driven
Legal: Check cross-region data processing restrictions.
See: references/failover-and-resilience.md for implementation details
Operations and Monitoring
Go-Live Checklist
-
Deploy to production
-
Set go-live timeframe (avoid quarter-end)
-
Embed in SAP Fiori Launchpad
-
Provision business users
-
Configure role collections
Monitoring Tools
SAP Cloud ALM (Enterprise Support):
-
Real User Monitoring
-
Health Monitoring
-
Integration and Exception Monitoring
-
Job Automation Monitoring
SAP Cloud Logging:
- Observability across CF, Kyma, Kubernetes
SAP Alert Notification:
- Multi-channel notifications (email, chat, ticketing)
Cost Management
Best Practices
-
Check Costs and Usage monthly
-
Provide minimal required entitlements
-
Use labels for cost allocation
-
Set up automated alerts (Usage Data Management + Alert Notification)
Contract Strategies
-
Consolidate subscriptions in one global account
-
Use hybrid accounts for mixed workloads
-
Note: Consumption credits non-transferable between global accounts
Bundled Resources
This skill provides comprehensive reference documentation:
Account & Governance
references/account-models.md (11K lines)
-
Detailed account structure patterns
-
Naming conventions and examples
-
Cost allocation strategies
references/governance-and-teams.md (13K lines)
-
Platform Engineering team structure
-
Onboarding processes
-
Documentation templates
Security & Connectivity
-
references/security-and-authentication.md (13K lines)
-
Complete auth methods comparison
-
Destination configuration
-
Kyma RBAC manifests
-
Identity lifecycle management
Deployment & Operations
references/deployment-and-delivery.md (10K lines)
-
MTA descriptor templates
-
CI/CD pipeline configs
-
Transport management setup
references/operations-and-monitoring.md (11K lines)
-
Go-live procedures
-
Monitoring setup guides
-
Troubleshooting checklists
High Availability
-
references/failover-and-resilience.md (12K lines)
-
Multi-region architecture
-
Load balancer configurations
-
Failover automation scripts
Templates & Examples
-
references/templates-and-examples.md (18K lines)
-
Complete code templates
-
Kubernetes RBAC manifests
-
MTA descriptors
-
Helm charts
-
CI/CD configs
AI Development
-
references/ai-development-best-practices.md (6K lines)
-
Generative AI patterns
-
RAG implementation
-
20+ use cases catalog
Progress Tracking
-
Implementation status
-
Coverage details
-
Validation checklists
Administration Tools
Tool Use Case
SAP BTP Cockpit GUI for all admin tasks
btp CLI Terminal/automation scripting
REST APIs Programmatic administration
Terraform Provider Infrastructure as Code
SAP Automation Pilot Low-code/no-code automation
Shared Responsibility Model
SAP Manages:
-
Platform software updates/patches
-
Infrastructure and OS monitoring
-
BTP service monitoring
-
Capacity management and incidents
-
Global account provisioning
-
HANA database operations
-
Kyma kyma-system namespace
You Manage:
-
Global account strategy and subaccount config
-
Application development, deployment, security
-
Role assignments and integrations
-
Application monitoring and health checks
-
Open source vulnerability scanning
-
Triggering HANA revision updates
Last Updated: 2025-11-27 Review Progress: See SAP_SKILLS_REVIEW_PROGRESS.md Next Review: 2026-02-27 (quarterly)