MattHarding
Ask Yourself...


Let me ask you a couple of questions to see if there's an issue:

Question for those with BTP multi-tier prod/non-prod landscape already


Do you protect your platform users with multi-factor authentication? If not - you are one username/password away from potentially great damage. If you do - you are likely a good candidate to help me here and propose recommended changes to this blog post in the comments!

Question for those without this


Do you know how your Global Accounts and Subaccounts should be set-up and what a minimum landscape should look like? If not, you will likely get an opinionated design of whatever the first consulting group sets up, for better or worse.

Sorting Out the Basics


This is all simply solved, but I feel everyone is in such a rush to get value out of BTP products, that it's easy to skip over some basic questions to sort out what you truly need.

My initial thought was - Surely someone can just post about this, so I posted the following on x.com:

[Embedded x.com post: The Request for BTP Basic Set-Up Info]


But I quickly realised that either some think of this as Intellectual Property, or that more likely, people are way too busy to put their learnings down in a post.

So guided by a few responses on X and a few discussions, I decided to put down my thoughts on the steps to get a solid but basic landscape foundation in place, including pointing at the training material that should hopefully get you set up in no time. The only caveat - the first step to setting this up requires you to have Global Account access and discussions with SAP from a licensing perspective, which has ground me to a halt in actually setting this up; so fingers crossed I get the theoretical steps below correct!

Post Publishing Updates from Comments


So I've inserted this section to draw attention to any new information that may be useful to consider:

20/06/2024 Updates

So many other things I could add but here's a small sample:

  • At least today, Cloud ALM forces you to have a separate global account - see note 3152095 (sorry to those with OCD out there now needing 1 Global Account - Plus this additional one!)
  • Apparently, very new, you can now use your corporate identity for Platform Users - Not sure I'm game to try it just yet, but let us know if you've successfully done this to protect your cloud landscape fully!

24/11/2023 Updates

  • From Nagesh: Highlights a really good resource to start with: SAP BTP Onboarding Resource Center, plus the fact that "Every customer who purchases an SAP BTP License is entitled to a BTP Onboarding where they can discuss with BTP Onboarding Experts to understand how to get started and the best ways to get started. Cherry on the top, this is a 1:1 consulting offered to them (if Direct customer, SAP takes care, if it is a partner account Partner will be helping them with onboarding)"
  • From Jason (via X): Pointing out you can easily rename Subaccounts. And noted that while I said AWS seems to have everything, there were some things like CICD that only exist in Europe - but I'd still say, stay as simple as you can while you can.
  • General statement from a number of people to not overthink this, and I agree, but please still consider the below before proceeding, as some things like NEO instances of IAS servers you may already have should not be used at all nowadays!
  • It appears that the current instance of BTP IAS that I'm using is likely a European NEO based instance - I'm checking into this, but I assume these will be dedicated instances, not part of your Subaccount set-up (and this is the one where you need to request the naming for, as otherwise you get a random name that won't help you differentiate prod and non-prod!). Personally, I'm hoping the CF version does allow you to provision it, but I plan to watch some of the BTP Onboarding Resource Center videos to confirm.
  • Another good piece of advice from Nagesh: "To answer your question on the Hybrid license, Yes SAP has introduced this option, and it is a recommendation to avoid multiple global accounts unless required. You can go with Subscription and CPEA as the best option. While PAYG is also a possible option but expensive as you know. We address these questions during our onboarding."



25/11/2023 Update:

    • Just finished watching the Onboarding Videos and then via a link to latest updates (from mid-last year) - "You can now create an Identity Authentication and Identity Provisioning test tenant for SAP BTP, Cloud Foundry environment, in SAP BTP cockpit. Previously, only a productive tenant was created this way, while the test tenant was created by opening an incident."



9/12/2023 Update:

  • Just finished an Identity Services course from SAP and I'll update more info below shortly, but the thing I noted was - you can pretty well play with nearly all of this stuff in Trial nowadays - so I highly recommend combining a test set-up and maybe getting yourself a free trial in Azure to give yourself a "company Identity Provider".
  • I'm thinking Identity Services (which they've added the BTP Cloud prefix to, so as not to clash with Integration Suite - which is kind of like saying ATM Machine) is best used for corporate users purely as a proxy (ignoring non-internal user scenarios), so that authentication happens on your corporate IdP and IAS takes care of principal propagation to everything else (even to your on-premise systems via Cloud Connector, which might be a way of managing multiple corporate SAML configurations, though it is another point of failure in authentication and probably best avoided).
  • Apparently there will be the ability to use your Corporate Identity Provider for Platform Users sometime in 2024, but not yet.
  • A recommendation in the course for your Platform Users was to use your Cloud Identity Services users with increased MFA access as opposed to the default SAP Identity, though they did say to keep at least 1 default SAP identity with Cloud Administrator access (though it begs the question of who that SAP Identity should be, since SAP don't want you sharing S-IDs).
  • There is apparently no way to lock down your S-ID users from accessing me.sap.com and getting the stored user/passwords there that you send SAP - this, to me, is possibly the biggest security threat to your administrators (e.g. if someone got hold of an administrator's S-ID certificate).



Global Accounts


Unfortunately, Global Accounts are somewhat like Installations in the SAP world. You would think a Global Account is the single entry point for all your Subaccounts, but that is not necessarily true.

So you may have purchased WebIDE in the past, or another cloud platform product. It is most likely that each of these got their own Global Account.

Then there is the real consumption-based (AWS-usage-style) account you want, which is called the CPEA Global Account.

The CPEA Global Account is the one with the power to create Subaccounts, consume your subscriptions/instances, etc.

Now apparently, there is a hybrid way of setting this up which SAP recommend nowadays, but it's not there by default, so I'd suggest looking into this, as personally, I would want a single Global Account so I can set up my Subaccounts and manage cloud admins easily (full visibility of everything). Speak to your account exec to discuss the possibilities (I'm guessing it's not trivial to do, so maybe something SAP don't push hard, but it seems like an obvious first step).

Final step here - Get access to the Global Account as otherwise, there's not much to see here.

Subaccounts


I was pointed towards the SAP HANA Academy on YouTube for this and it was awesome (please note - this link will stop working by the end of the year and you'll need to search in the SAP Learning Hub). Boosters may be useful here, but not really necessary for the basics if you want to learn a bit more about how it all hangs together for your first few Subaccounts.

In short, it talks about Directories and Subaccounts better than I could, so let me focus on the Hyperscalers and the layout that I expect is a good start point.

SAP seem to be paying for infra on your behalf here, so unless your company has a big preference, I'd probably stick with AWS Cloud Foundry instances in your appropriate region (checking your company's data-at-rest and data-in-transit policies), since AWS seems to have all services available - though there are nuances here depending on what you need, of course.

Anyway, let's talk name and number of Subaccounts:

I'm going to go with the RISE with SAP non-production landscape set-up as a default first.

e.g. Dev, QAS and Production

Side note - We're dealing with Cloud Computing, so standing up and down additional non-prod landscapes is straightforward!

The majority of services that make sense in that aspect should be added. I'm thinking that these Subaccounts should mostly be identical.

But wait, there's more:

Your first Subaccount should probably be a "Services" Subaccount. This is to hold your dev tools, ALM services and, most importantly, your Identity Service (IAS) instances (non-prod and prod) (I'd reach out to SAP with your desire to set the solution up right and see what they say). You should be able to get a "free" prod and non-prod IAS pretty easily (it is also available in Trial) and provision it yourself in your fresh new Subaccount.

Note - IPS and IAS make up Identity Services, and there might be some license restrictions to get access to IPS (authentication versus provisioning). Will update when I understand it better.

BTW - I would have hoped that BAS could sit on this Services Subaccount, but you might need to make things a little peculiar and put this on your Dev Subaccount for access to the Dev Space (see below) and to access your on-prem dev systems via Cloud Connector (see below).

Other Subaccounts you may want to consider in the future:

  • A HANA Cloud instance with multiple tenants - basically to avoid paying for 3, depending on usage
  • A specific-usage set of tenants (for example, to handle different security aspects, e.g. External Facing)

Realistically, a good start point is to set up Dev, QAS, Prod and Services as a default.

Note - Having the ability to set-up a Playpen Subaccount on demand to try out new offerings, could be a reasonable idea to keep your main Subaccounts clean too...

Spaces


Not really a requirement at this stage (and a Dev, QAS, Prod Subaccount layout means you probably only need 1 "dev" space in each of the Dev, QAS and Prod Subaccounts initially - and note, Dev here means "your stuff"; thanks to Mustafa for getting me to clarify this in his comment below), but I will come back to this post in the future and update my thoughts around app boundaries, isolation, etc., and when you should stray away from 1 Space per Landscape Subaccount.

Maybe the space should reflect your company instead?? <Company>Dev

While you can update Subaccount names easily, I'm not sure how hard it would be to change the Space name?

FYI - You will need to give permission to tools like BAS to your "Dev" SubAccount <Company>"Dev" Space.

BTP Identity Services with focus on I(Authentication)S


So this is the most important part to get right. This is the glue to give people a seamless authentication experience across the landscape. Plus it helps your developers/admin manage user access across different BTP (and just as importantly, other SAP Cloud products) much more centrally.

There are 2 parts to get right:

  1. Setting up connectivity for Business Users using your own SAML2 solution like Microsoft Azure AD (now known as Entra ID)
  2. Locking down Platform Users (like S-IDs) with some level of MFA

For Part 1: If you have Azure AD for your corporation set up with good MFA access controls, then this set-up has been documented well in this video (it shows all aspects, since usually MS Azure access is not given to SAP Administrators) - it's worth understanding how SAML2 actually works, but this video doesn't even require you to do that. Not much else to add here at this point - job done.

For Part 2: There is the ability to start adding additional requirements for platform users. It might be as simple as trusting specific IP address ranges (which is at least something), but you can also set up your Authenticator app in here too, which I'd recommend as a better start point. I've set it up in the past to access the IAS instance, and unfortunately, I'm just assuming we can get this in place for all BTP related and IAS connected solutions. The set-up is pretty straightforward, but it is at this point that you do start to worry about locking yourself out of the system (though it seems very straightforward).

From an update mid last year - "You can now create an Identity Authentication and Identity Provisioning test tenant for SAP BTP, Cloud Foundry environment, in SAP BTP cockpit. Previously, only a productive tenant was created this way, while the test tenant was created by opening an incident."

SAP Cloud Connector


This is a fundamental piece for the On-Premise world connecting to BTP. Like the rest of BTP, it's really easy to set up but in fact can be quite dangerous if not set up appropriately.

I won't go into detail about it here except to highlight the following:

  • Not a bad idea to set it up to use authentication against your AD/LDAP and AD Groups (so you can use Identity Management for access)
  • Good idea to have non-prod and prod instances of this
  • Consider redundancy as BTP becomes more critical in your business
  • Deliberately expose only what you need
  • This application, while small and straightforward, gets patched frequently, I assume mainly for cyber security reasons, so be prepared to manage that. It's easy, but it will be a critical component and might be tricky to patch if you don't have an outage window due to the criticality of the BTP solutions in place - e.g. customer facing interfaces.
  • Don't forget about it, or have only 1 person who knows about and has access to it!
  • A feature of the Dev, QAS, Prod Subaccount layout is that you want to have the Production Cloud Connector connected to your Prod Subaccount only, and not Dev and QAS; as otherwise your Dev clients would also have access to Production and yeah - we don't want that...
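The layout rules from the Subaccounts section (Dev, QAS, Prod and Services as the default) and the Cloud Connector points just above (production connector paired with Prod only, more than one administrator per connector, platform users behind MFA) are easy to state and easy to drift away from as subaccounts get added. The script below is an added example, not code from this post or from SAP: it runs consistency checks over a hand-maintained inventory. The `Landscape`, `CloudConnector` and `PlatformUser` structures are an assumption of this example (not an SAP API), the sample inventory is constructed, and the check for a non-prod connector paired with Prod is the symmetric case of the rule stated above, added here for completeness.

```python
"""Consistency checks for a BTP subaccount / Cloud Connector inventory.

Added example, not code from the original post or from SAP. The inventory
format (the dataclasses below) is an assumption for this example, and the
sample inventory at the bottom is constructed so that each rule except the
subaccount layout has one violation to report.
"""
from dataclasses import dataclass
from typing import List, Set

# Default landscape layout recommended above.
REQUIRED_SUBACCOUNTS = {"Dev", "QAS", "Prod", "Services"}
PROD_SUBACCOUNTS = {"Prod"}


@dataclass
class CloudConnector:
    name: str
    environment: str                 # "prod" or "non-prod" (assumed labelling)
    connected_subaccounts: Set[str]  # subaccounts configured on this connector
    admins: Set[str]                 # people with access to its admin UI


@dataclass
class PlatformUser:
    user: str                        # e.g. an S-user id (constructed values below)
    subaccounts: Set[str]            # subaccounts where they hold admin roles
    mfa: bool                        # second factor enforced for this user?


@dataclass
class Landscape:
    subaccounts: Set[str]
    connectors: List[CloudConnector]
    platform_users: List[PlatformUser]


def check_landscape(ls: Landscape) -> List[str]:
    """Return one human-readable finding per rule violation (empty = clean)."""
    findings: List[str] = []

    missing = REQUIRED_SUBACCOUNTS - ls.subaccounts
    if missing:
        findings.append(f"missing default subaccounts: {sorted(missing)}")

    for cc in ls.connectors:
        non_prod_links = cc.connected_subaccounts - PROD_SUBACCOUNTS
        prod_links = cc.connected_subaccounts & PROD_SUBACCOUNTS
        if cc.environment == "prod" and non_prod_links:
            # Dev/QAS clients would gain a path into production backends.
            findings.append(
                f"prod connector {cc.name} is paired with non-prod subaccounts "
                f"{sorted(non_prod_links)}")
        if cc.environment != "prod" and prod_links:
            # Symmetric case: a non-prod connector feeding the Prod subaccount.
            findings.append(f"non-prod connector {cc.name} is paired with Prod")
        if len(cc.admins) < 2:
            # Single point of knowledge and access, as warned against above.
            findings.append(f"connector {cc.name} has a single administrator")

    for pu in ls.platform_users:
        if not pu.mfa:
            findings.append(
                f"platform user {pu.user} has no MFA on {sorted(pu.subaccounts)}")
    return findings


# Constructed sample inventory (names and ids are made up for this example).
SAMPLE = Landscape(
    subaccounts={"Dev", "QAS", "Prod", "Services"},
    connectors=[
        CloudConnector("cc-prod", "prod", {"Prod", "Dev"}, {"alice", "bob"}),
        CloudConnector("cc-nonprod", "non-prod", {"Dev", "QAS"}, {"carol"}),
    ],
    platform_users=[
        PlatformUser("P000001", {"Prod", "Services"}, mfa=True),
        PlatformUser("P000002", {"Dev", "QAS"}, mfa=False),
    ],
)

if __name__ == "__main__":
    for finding in check_landscape(SAMPLE):
        print("FINDING:", finding)
```

Run it as-is and it reports three findings against the constructed sample: the prod connector reachable from Dev, the non-prod connector with a single administrator, and the platform user without MFA. Keeping such an inventory next to the landscape and re-running the checks whenever a subaccount or connector is added is a cheap way to notice the Dev-to-Production path before someone else does.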



Next Step Complexities to Consider


While the next steps for something like SAP Build should be straightforward with the above - I have to deal with SuccessFactors tenants not using IAS and how to convert them; or SAC on NEO and how to get principal propagation working for things like SuccessFactor Story Reports; plus general conversion from NEO to CF - but this is where your friendly consultants come into play. I just want to make sure the basics are set-up to begin with, so hopefully the above is a good template for us to run with.

Agree/Disagree???


Please comment on this post with everything I've gotten wrong (or right), or any intricacies/recommendations you can detail - this is your chance to sell yourself and your company as an experienced BTP architect/hands-on administrator, which will win you future work. The stuff above is just the basic friction that every customer should be past before you are even engaged, in my opinion - otherwise you get people like me delaying you from starting, as I want to be sure that BTP (and the on-premise connected systems) are protected, structured well and will accommodate where we might end up in the future!
