MattHarding
Active Contributor

Ask Yourself...


Let me ask you a couple of questions to see if there's an issue:

Question for those with BTP multi-tier prod/non-prod landscape already


Do you protect your platform users with multi-factor authentication? If not - you are one username/password away from potentially great damage. If you do - you are likely a good candidate to help me here and propose recommended changes to this blog post in the comments!

Question for those without this


Do you know how your Global Accounts and Subaccounts should be set up and what a minimum landscape should look like? If not, you will likely get an opinionated design of whatever the first consulting group sets up, for better or worse.

Sorting Out the Basics


This is all simply solved, but I feel everyone is in such a rush to get value out of BTP products, that it's easy to skip over some basic questions to sort out what you truly need.

My initial thought was - Surely someone can just post about this so I posted on x.com the following:


The Request for BTP Basic Set-Up Info


But I quickly realised that either some think of this as Intellectual Property, or that more likely, people are way too busy to put their learnings down in a post.

So guided by a few responses on X and a few discussions, I decided to put down my thoughts on the steps to get a solid but basic landscape foundation in place, including pointing at the training material that should hopefully get you set up in no time. The only caveat - the first step of setting this up requires you to have Global Account access and discussions with SAP from a licensing perspective, which grinds me to a halt in actually setting this up; so fingers crossed, I get the theoretical steps below correct!

Post Publishing Updates from Comments


So I've inserted this section to draw attention to any new information that may be useful to consider:

24/11/2023 Updates

  • From Nagesh: Highlights a really good resource to start with: SAP BTP Onboarding Resource Center  plus the fact that "Every customer who purchases an SAP BTP License is entitled to a BTP Onboarding where they can discuss with BTP Onboarding Experts to understand how to get started and the best ways to get started. Cherry on the top, this is a 1:1 consulting offered to them (if Direct customer, SAP takes care, if it is a partner account Partner will be helping them with onboarding)"

  • From Jason (via X): Pointing out you can easily rename Subaccounts. And noted that while I said AWS seems to have everything, there were some things like CI/CD that only exist in Europe - but I'd still say, stay as simple as you can be while you can.

  • General statement from a number of people to not overthink this, and I agree, but please still consider below before proceeding as some things like NEO instances of IAS servers you may already have should not be used at all nowadays!

  • It appears that the current BTP Identity Services (IS) instance I'm using is likely a European NEO-based instance - I'm checking into this, but I assume these will be dedicated instances, not part of your subaccount set-up (and this is the one where you need to request the naming, as otherwise you get a random name that won't help you differentiate prod and non-prod!). Personally, I'm hoping the CF version does allow you to provision it, but I plan to watch some of the BTP Onboarding Resource Center videos to confirm.

  • This URL (with your single-factor S-Id I imagine) will let you find out the situation with all Identity Services Instances: https://iamtenants.accounts.cloud.sap/

  • Another good piece of advice from Nagesh: "To answer your question on the Hybrid license, Yes SAP has introduced this option, and it is a recommendation to avoid multiple global accounts unless required. You can go with Subscription and CPEA as the best option. While PAYG is also a possible option but expensive as you know. We address these questions during our onboarding."


25/11/2023 Update:

  • Just finished watching the Onboarding Videos and then via a link to latest updates (from mid-last year) - "You can now create an Identity Authentication and Identity Provisioning test tenant for SAP BTP, Cloud Foundry environment, in SAP BTP cockpit. Previously, only a productive tenant was created this way, while the test tenant was created by opening an incident."


9/12/2023 Update:

  • Just finished an Identity Services course from SAP and I'll update more info below shortly, but the thing I noted was - you can pretty well play with nearly all of this stuff in Trial nowadays, so I highly recommend combining a test set-up with maybe a free trial in Azure to give yourself a "company Identity Provider".

  • I'm thinking using Identity Services (to which they've added the BTP Cloud prefix so it doesn't clash with Integration Suite - which is kind of like saying ATM Machine) is best done for corporate users as just a proxy (ignoring non-internal user scenarios), so that Identity Authentication happens on your corporate IdP and IAS takes care of authentication principal propagation to everything else (even to your on-premise systems via Cloud Connector, which might be a way of managing multiple corporate SAML configurations, though it is another point of failure in authentication which is probably best to avoid).

  • Apparently there will be the ability to use your Corporate Identity Provider for Platform Users sometime in 2024 but not yet

  • A recommendation in the course for your Platform Users was to use your Cloud Identity Services users with increased MFA access as opposed to the default SAP Identity, though they did say to keep at least 1 default SAP identity with Cloud Administrator access (though begs the question of who that SAP Identity should be since SAP don't want you sharing S-Ids)

  • There is apparently no way to lock down your S-Id users from accessing me.sap.com and getting your stored user/passwords there that you send SAP - This, to me, is possibly the biggest security threat to your administrators (e.g. If you got a hold of someone's S-ID certificate)


Global Accounts


Unfortunately, Global Accounts are somewhat like Installations in the SAP world. You would think a Global Account is the single entry point for all your subaccounts, but that is not necessarily true.

So you may have purchased WebIDE in the past or another cloud platform product. It is most likely that each of these get their own Global Account.

Then there is the real BTP, AWS-usage-style account you want, which is called the CPEA Global Account.

The CPEA Global Account is the one with the power to create Subaccounts, consume your subscriptions/instances, etc.

Now apparently, there is a hybrid way of setting this up which SAP recommend nowadays, but it's not there by default, so I'd suggest looking into this, as personally, I would want a single Global Account so I can set up my Subaccounts and manage cloud admins easily (full visibility of everything). Speak to your account exec to discuss the possibilities (I'm guessing it's not trivial to do, so maybe something SAP don't push hard, but it seems like an obvious first step).

Final step here - Get access to the Global Account as otherwise, there's not much to see here.

Subaccounts


I was pointed towards the SAP HANA Academy on YouTube for this and this was awesome (please note - this link will stop working by the end of the year and you'll need to search in the SAP Learning Hub). Boosters may be useful here, but not necessary for the basics really, if you want to learn a bit more about how it all hangs together for your first few Subaccounts.

In short, it talks about Directories and Subaccounts better than I could, so let me focus on the Hyperscalers and layout that I expect is a good start point.

So SAP seem to be paying for infra on your behalf here, so unless your company has a big preference, I'd probably stick with AWS Cloud Foundry instances in your appropriate region (checking your company's data-at-rest and data-in-transit policies), since AWS seems to have all services available (though there are nuances here depending on what you need, of course).

Anyway, let's talk name and number of Subaccounts:

I'm going to go with the RISE with SAP non-production landscape set-up as a default first.

e.g. Dev, QAS and Production

Side note - We're dealing with Cloud Computing, so standing up and down additional non-prod landscapes is straightforward!

The majority of services that make sense for a landscape tier should be added. I'm thinking that these Subaccounts should be mostly identical.

But wait, there's more:

Your first Subaccount should probably be a "Services" Subaccount. This is to hold your dev tools, ALM services and, most importantly, your Identity Authentication (IAS) non-prod and prod instances (I'd reach out to SAP with your desire to set the solution up right and see what they say). You should be able to get a "free" prod and non-prod IAS available pretty easily (it is available in trial too) and provision it yourself in your fresh new Subaccount.

Note - IPS and IAS make up Identity Services, and there might be some license restrictions to get access to IPS (authentication versus provisioning). Will update when I understand it better.

BTW - I would have hoped that Business Application Studio (BAS) could sit on this Services Subaccount, but you might need to make things a little peculiar and put this on your Dev Subaccount for access to the Dev Space (see below) and to access your on-prem dev systems via Cloud Connector (see below).

Other Subaccounts you may want to consider in the future:

  • A HANA Cloud instance with multiple tenants - Basically to avoid paying for 3 depending on usage

  • A specific-usage set of tenants (for example, to handle different security aspects, e.g. external facing).


Realistically, a good start point is to set up Dev, QAS, Prod and Services as a default.

Note - Having the ability to set up a Playpen Subaccount on demand to try out new offerings could be a reasonable idea to keep your main Subaccounts clean too...

Spaces


Not really a requirement at this stage (a Dev, QAS, Prod Subaccount split means you probably only need 1 "dev" Space in each of the Dev, QAS and Prod Subaccounts initially - and note, Dev here means "your stuff"; thanks to Mustafa for getting me to clarify this in his comment below), but I will come back to this post in the future and update my thoughts around app boundaries, isolation, etc., and when you should stray away from 1 Space per landscape Subaccount.

Maybe the space should reflect your company instead?? <Company>Dev

While you can update Subaccount names easily, I'm not sure how hard it would be to change the Space name?

FYI - You will need to give tools like BAS permission to your "Dev" Subaccount's <Company>Dev Space.

BTP Identity Services with focus on I(Authentication)S


So this is the most important part to get right. This is the glue that gives people a seamless authentication experience across the landscape. Plus it helps your developers/admins manage user access across different BTP services (and, just as importantly, other SAP Cloud products) much more centrally.

There are 2 parts to get right:

  1. Setting up connectivity for Business Users using your own SAML2 solution like Microsoft Azure AD (now known as Entra ID)

  2. Locking down Platform Users (like S-IDs) with some level of MFA


For Part 1: If you have Azure AD for your corporation set up with good MFA access controls, then this set-up has been documented well in this video (it shows all aspects, since usually MS Azure access is not given to SAP Administrators). It's worth understanding how SAML2 actually works, but this video doesn't even require you to do that. Not much else to add here at this point - job done.

For Part 2: There is the ability to start adding additional requirements for platform users. It might be as simple as treating specific IP address ranges as trusted (which is at least something), but you can also set up your Authenticator app in here too, which I'd recommend as a better start point. I've set it up in the past to access the IAS instance, and unfortunately, I'm just assuming we can get this in place for all BTP-related and IAS-connected solutions. The set-up is pretty straightforward, but it is at this point that you do start to worry about locking yourself out of the system (though it seems very straightforward).

From an update mid last year - "You can now create an Identity Authentication and Identity Provisioning test tenant for SAP BTP, Cloud Foundry environment, in SAP BTP cockpit. Previously, only a productive tenant was created this way, while the test tenant was created by opening an incident."

SAP Cloud Connector


This is a fundamental piece for connecting the on-premise world to BTP. Like the rest of BTP, it's really easy to set up but in fact can be quite dangerous if not set up appropriately.

I won't go into detail about it here except to highlight the following:

  • Not a bad idea to set it up to use authentication against your AD/LDAP and AD groups (so you can use Identity Management for access)

  • Good idea to have non-prod and prod for this

  • Consider redundancy as BTP becomes more critical in your business

  • Deliberately expose only what you need

  • This application, while small and straightforward, gets patched frequently, I assume mainly for cyber security reasons, so be prepared to manage that. It's easy but will be a critical part and might be tricky if you don't have an outage window due to criticality of BTP solutions in place - e.g. Customer facing interfaces.

  • Don't forget about it or have only 1 person who knows about and has access to it!

  • A consequence of the Dev, QAS, Prod Subaccount split is that you want the Production Cloud Connector connected only to your Prod Subaccount, and not to Dev and QAS; otherwise your Dev clients would also have access to Production and yeah - we don't want that...
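
To turn the rules above (Dev, QAS and Prod plus a Services Subaccount; MFA on every platform user; separate prod and non-prod IAS tenants with no NEO-based ones; a Production Cloud Connector paired only with Prod and exposing only the paths it must) into something you can actually run against your own landscape, here is an added Python policy check. It is an example added to this post, not code from the original post or from SAP. The inventory format (the Landscape dataclass) is hypothetical, and the sample landscape, including the subaccount names, the S-user ID and the virtual host names, is constructed with deliberate mistakes so that each rule fires at least once. In practice you would fill the Landscape object from the BTP cockpit, the Cloud Connector access control list and the IAS admin console.

```python
"""Policy check for a minimal BTP landscape (Dev/QAS/Prod + Services).

Added example, not part of the original post. The inventory format is
hypothetical; populate it from the BTP cockpit, the Cloud Connector
access control list and the IAS admin console in a real landscape.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

REQUIRED_SUBACCOUNTS = ("Dev", "QAS", "Prod", "Services")
PROD = "Prod"


@dataclass
class CloudConnector:
    name: str
    tier: str                              # "prod" or "nonprod"
    subaccounts: List[str]                 # subaccounts this SCC is paired with
    exposed: List[Tuple[str, str, bool]]   # (virtual host, path, all sub-paths?)


@dataclass
class PlatformUser:
    user_id: str                           # an S-user or IAS user (constructed)
    mfa: bool


@dataclass
class IasTenant:
    name: str
    environment: str                       # "cf" or "neo"
    tier: str                              # "prod" or "nonprod"


@dataclass
class Landscape:
    subaccounts: List[str]
    cloud_connectors: List[CloudConnector] = field(default_factory=list)
    platform_users: List[PlatformUser] = field(default_factory=list)
    ias_tenants: List[IasTenant] = field(default_factory=list)


def check_landscape(lands: Landscape) -> List[str]:
    """Return one finding per violated rule; an empty list means the layout passes."""
    findings: List[str] = []

    # Rule 1: Dev, QAS, Prod and a Services subaccount all exist.
    for name in REQUIRED_SUBACCOUNTS:
        if name not in lands.subaccounts:
            findings.append(f"missing subaccount {name}")

    # Rule 2: the prod Cloud Connector pairs only with Prod; non-prod never with Prod.
    # Rule 3: expose specific paths, never the whole backend ("/" plus all sub-paths).
    for cc in lands.cloud_connectors:
        for sa in cc.subaccounts:
            if cc.tier == "prod" and sa != PROD:
                findings.append(f"{cc.name}: prod Cloud Connector paired with {sa}")
            if cc.tier != "prod" and sa == PROD:
                findings.append(f"{cc.name}: non-prod Cloud Connector paired with {PROD}")
        for host, path, all_subpaths in cc.exposed:
            if path == "/" and all_subpaths:
                findings.append(f"{cc.name}: {host} exposes every path")

    # Rule 4: every platform user has MFA.
    for user in lands.platform_users:
        if not user.mfa:
            findings.append(f"platform user {user.user_id} has no MFA")

    # Rule 5: no NEO-based IAS tenants, and both a prod and a non-prod tenant exist.
    tiers = set()
    for tenant in lands.ias_tenants:
        if tenant.environment.lower() == "neo":
            findings.append(f"IAS tenant {tenant.name} is NEO-based")
        tiers.add(tenant.tier)
    for tier in ("prod", "nonprod"):
        if tier not in tiers:
            findings.append(f"no {tier} IAS tenant")

    return findings


def sample_landscape() -> Landscape:
    """Constructed inventory with deliberate mistakes to exercise every check."""
    return Landscape(
        subaccounts=["Dev", "QAS", "Prod"],                       # Services forgotten
        cloud_connectors=[
            CloudConnector("scc-prod", "prod", ["Prod", "QAS"],   # QAS sees production
                           [("s4prod", "/sap/opu/odata", True)]),
            CloudConnector("scc-nonprod", "nonprod", ["Dev", "QAS"],
                           [("s4dev", "/", True)]),               # whole backend exposed
        ],
        platform_users=[
            PlatformUser("S0001234567", mfa=False),               # placeholder S-user
            PlatformUser("admin@example.com", mfa=True),
        ],
        ias_tenants=[
            IasTenant("example.accounts.ondemand.com", "neo", "prod"),  # no non-prod tenant
        ],
    )


if __name__ == "__main__":
    for finding in check_landscape(sample_landscape()):
        print("FINDING:", finding)
```

Run it as a script to print the six findings for the sample landscape; a landscape that satisfies every rule returns an empty list. The exposure check deliberately only catches the "everything" case (root path with all sub-paths); tighten it to your own allow-list of productive hosts and paths once you know what the apps actually call.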


Next Step Complexities to Consider


While the next steps for something like SAP Build should be straightforward with the above, I have to deal with SuccessFactors tenants not using IAS and how to convert them; or SAC on NEO and how to get principal propagation working for things like SuccessFactors Story Reports; plus general conversion from NEO to CF - but this is where your friendly consultants come into play. I just want to make sure the basics are set up to begin with, so hopefully the above is a good template for us to run with.

Agree/Disagree???


Please comment on this post with everything I've gotten wrong (or right) or any intricacies/recommendations you can detail - this is your chance to sell yourself and your company here as an experienced BTP architect/hands-on administrator, which will win you future work. The stuff above is just the basic friction that every customer should be past before you are even engaged, in my opinion - otherwise you get people like me delaying you from starting, as I want to be sure that BTP (and on-premise connected systems) are protected, structured well and will accommodate where we might end up in the future!
11 Comments
MustafaBensan
Active Contributor

Hi Matt,

Great idea to start this discussion.  Here are my initial questions and comments to get the ball rolling:

  1. Optimising SAP HANA Cloud costs through multiple tenants is a good idea.  When referring to a "tenant" here, I assume you mean HDI Container within the SAP HANA Cloud instance, is that right?  Another consideration if you have a SAP HANA Cloud instance in its own subaccount for sharing tenants is how this would work when building CAP services for an application in another subaccount.  i.e. We would need to consider how CAP handles cross-subaccount interaction with HANA Cloud and whether this works out-of-the-box or whether special handling is required.
  2. I agree with the approach of DEV, QA and PROD subaccounts, assuming they correspond 1:1 with your backend systems in an S/4 context.
  3. Regarding space naming conventions, if subaccounts are DEV, QA and PROD, then space names should be the same in each subaccount for consistency and not named "Dev", "QA" and "Prod".  You could have multiple spaces in each subaccount depending on what you decide about their purpose.
  4. I like the idea of a common Services subaccount for ALM services like Cloud Transport Management.  It would be good to get SAP's view on whether there are any implications of having both prod and non-prod instances of IAS in the same Service subaccount.
  5. I'd suggest that Integration Suite non-prod and prod should be separate subaccounts.
  6. Another important setup point to consider is a consistent approach to principal propagation across your landscape and ensuring this is applied appropriately across your BTP subaccounts.
  7. Regarding platform user security, as a minimum best practice, I would think that the Corporate Identity Provider should be integrated rather than using the SAP ID service.

Anyway, that's my two cents worth for now.  Keen to know any further thoughts you or others may have.

Regards,

Mustafa.


MattHarding
Active Contributor
Thanks Mustafa. I'll update over time, but yes to HDI, and I think an "it depends" answer definitely falls into play here, since the easy answer might not be palatable from a cost perspective.

For 2 - I've actually just gone with the SAP Rise model - You may want more subaccounts, and that's fine, but most of us should try stick to Dev, QAS and Prod, and set-up a playpen temporarily or ongoing if they need it.

for 3 - Updated the text just to say Dev in each system and explain that this means "My Stuff".

For 4 - I'm probably tossing up between a Prod and non-Prod Service instance purely because of the separation of Cloud Connector access...Probably start with 1 and add another if the risk warrants it.

For 5 - Any reason for this? I'm pushing for a Dev, QAS and Prod IS since it's really dodgy to change config per non-prod system in the one environment, and since it lines up, the only thing probably getting in your way is contractual...

For 6 - This is getting into the SAC/SF area that I want to update as soon as I know more.

For 7 - I will look into this, but sounds like a perfect solution, though I need to understand how the admin "platform" style users in SuccessFactors works with this style of set-up.  TBC.

Will credit you in the update I do...Really appreciate the feedback.

Cheers,

Matt
MustafaBensan
Active Contributor
Thanks for the feedback, Matt.  About Point 5, if you mean separate Dev, QAS and Prod Integration Suite subaccounts then I'm all for that if you have deep pockets 🙂  The only reason I suggested Prod and Non-prod subaccounts/tenants for Integration Suite is because this is the approach I have observed customers take to minimise cost, as the base subscription for an IS tenant is quite costly.

nageshcaparthy
Product and Topic Expert
Hello Matt,

A lot of details for sure 🙂 and BTP itself is a huge topic and there are a lot of help guides, discovery centers, developer tutorials, etc... I would like to add a few comments on customer engagement:

  1. Every customer who purchases an SAP BTP License is entitled to a BTP Onboarding where they can discuss with BTP Onboarding Experts to understand how to get started and the best ways to get started. Cherry on the top, this is a 1:1 consulting offered to them (if Direct customer, SAP takes care, if it is a partner account Partner will be helping them with onboarding)

  2.  In case you looking for self-education, we have a monthly webinar that talks about the same topics and anyone can join this webinar

  3. You can find all this information at the SAP BTP Onboarding Resource Center 

  4. We have many blogs on getting started to help our customers (can be found in the above link)

  5. Customers also receive multiple other support options based on the contracts to have a successful Go-live helping on each of the topics


I am happy to hear your feedback and see what can be improved.

Hope this helps 🙂

Regards,

Nagesh

MattHarding
Active Contributor
Thanks for the detail Nagesh.  I guess I've been involved in the evolution of SCP/NEO where there has been a lot of changes over time and was at a loss to find something that helps set up the customer the first time. e.g. The first time I saw engagement with SAP where I am, it was for a solution, and it had a lot of questionable set-up that warranted discussion (and I was not involved architecturally as people understandably like to see SAP BTP as quick wins which it should be after initial set-up).

If all customers could just sign a CPEA or PAYG agreement, get their global account and have this 1:1 consulting to get them set up; without discussing sales of other BTP products; then this might solve everything I've said (provided the 1:1 consulting gives consistent, well thought out and future proof options). e.g. I just heard about a NEO based IS instance being used for the first time this week at a customer in Europe.

BTW - Can you answer the question about hybrid models so customers can have a single Global Account (with a combo of subscription and PAYG or CPEA) - Is this okay to request (and should customers be requesting this for simplification purposes)?  e.g. I'd prefer a global account that has the subscription for Integration Suite with CPEA Account for adhoc other usage.

Anyway, I'll review the videos in the BTP Onboarding Resource Center (which looks really good) and I'll take your feedback and update the document. I still want this to be an introduction to get people to the right place and the right conversation.

Note - I'm also doing the free BTP Security course in a couple of weeks so hopefully they cover off the platform user cyber security issue which I see as a common problem many customers would have (and should not).

Cheers,

Matt
MattHarding
Active Contributor
Hi Mustafa,

Just to clarify: For the IS tenant, my assumption is that you can use the same subaccount with the Hybrid model to avoid that cost issue? Still asking around about this though.

Cheers,

Matt
nageshcaparthy
Product and Topic Expert
Hi Matt,

Yes, as the name says it's Onboarding and we recommend to reach us as soon as any customer gets the licenses active. Moreover, we inform this in the welcome emails which are sent once the contracts are signed.

To answer your question on the Hybrid license, Yes SAP has introduced this option, and it is a recommendation to avoid multiple global accounts unless required. You can go with Subscription and CPEA as the best option. While PAYG is also a possible option but expensive as you know. We address these questions during our onboarding.

If you are looking for BTP Cloud Identity Services, we have the discovery center mission on Get Started with Cloud Identity Services, please see in case it helps - https://discovery-center.cloud.sap/missiondetail/4325/4605/?tab=overview

Regards,

Nagesh
MattHarding
Active Contributor
Thanks Nagesh - I think you just pinpointed the issue - The Global Account holder is rarely the technical person so I haven't received any of this information. I'd recommend after signing the contracts, you ask who all their developers, basis and architects are so you can forward this information in the future as a potential solution to this.

Great news on the Hybrid license (though again, I need the non-technical contracts department involved to get this set up). Would be nice if it was simply the default/recommended option.

FYI - Watched the 2 videos of relevance - Especially loved the options with subaccount set-up, but I'd still say it would be good to recommend the "minimum recommended" set-up similar to what I've done above - discussing SF/SAC/Ariba Principal Propagation potentially in there too.

Thanks,
Matt
Wallace
Active Participant
Hoping this is a valid comment, looking forward to the responses to it to see if there are others like me...

"BTP" has become like "Cloud"... its a lot of things...

  • SAP's Cloud run platform, so SaaS runs there. But then inside the SaaS, at the "account" level, it depends on which SaaS - some SaaS brings a global account, other SaaS works in a subaccount.  Why it matters is where you do work... if subaccount you likely use a BTP Cockpit to setup users, destinations, assign role collections (authorizations) to users, etc...  This is typically a purchase with an entitlement to run the SaaS - a one time charge.  An example of global account SaaS I think is SAC, SAP Analytics Cloud - it is SaaS...  An example of Sub-Account SaaS is DMC, Digital Manufacturing Cloud.

  • "Services" BTP - where service instances can be created from a single service or a mix of services in a subaccount.  This is the CPEA/Paygo/Subscription world.  And the different services bring different costs, from free to a good bit more spend than free, depending on setup.


So my wish for SAP - would be to stop communicating everything as "BTP" and start making it more clear which topic.  I don't think SAP Competitors run around promoting their "run" platform...
MattHarding
Active Contributor
Hi Wallace,

Preaching to the converted here - it's like S/4HANA Public Cloud vs. Private Edition; it really hurt me when they added "Public" to the RISE version of your on-premise S/4HANA system moved to SAP's IaaS.

Also, we know how SAP always goes: it started when NetWeaver was introduced, which began as NetWeaver ABAP and NetWeaver JAVA, then NetWeaver "anything", then HANA came along and replaced NetWeaver, then Fiori was something specific and then became everything, then BTP and SAP Build, and you just know we're about to see everything "Powered by Joule".

But anything (at the moment) that runs in the cloud, is likely to say BTP!

FYI - I love it when anyone says BTP to me because it's like an alarm bell that a marketing person has sold them something but they don't understand what it is.  That said, I still struggle with the new names for IAS/IPS and CPI. They appear to say cloud cloud for BTP Cloud Identity Services, because BTP Integration Suite was taken. Naming is a bit of a mess!

So yes - Marketing has taken over the term BTP, just like they did with NetWeaver, HANA, Build, Fiori and likely Joule in the near future - and it's very annoying!

Cheers and thanks for commenting (hopefully others have opinions about this also),

Matt
Wallace
Active Participant
Thanks Matt,

Sometimes I feel I'm the only one in my company and even to SAP contacts that sees this.
Looking forward to other posts from you.

Best Regards, Wallace