Let's ask you a questions to see if there's an issue:
Do you protect your platform users with multi-factor authentication? If not - you are one username/password away from potentially great damage. If you do - you are likely a good candidate to help me here and propose recommended changes to this blog post in the comments!
Do you know how your Global Accounts and Subaccounts should be set-up and what a minimum landscape should look like? If not, you will likely get an opinionated design of whatever the first consulting group sets up, for better or worse.
This is all simply solved, but I feel everyone is in such a rush to get value out of BTP products, that it's easy to skip over some basic questions to sort out what you truly need.
My initial thought was - Surely someone can just post about this so I posted on x.com the following:
The Request for BTP Basic Set-Up Info
But I quickly realised that either some think of this as Intellectual Property, or that more likely, people are way too busy to put their learnings down in a post.
So guided by a few responses on X, and a few discussions; I decided to put down my thoughts on the steps to get a solid but basic landscape foundation in place, including pointing at the training material that should hopefully get you set-up in no time. The only caveat - The first step to setting up this requires you to have Global Account access and discussions with SAP from a licensing perspective which grinds me to a halt in actually setting this up; so fingers crossed, I get the theoretical steps below correct!
So I've inserted this section to draw attention to any new information that may be useful to consider:
20/06/2024 Updates
So many other things I could add but here's a small sample:
25/11/2023 Update:
9/12/2023 Update:
Unfortunately, Global Accounts are somewhat like Installations in the SAP world. You would think a Global Account is the single entry point for all your sub accounts but that is not necessarily true.
So you may have purchased WebIDE in the past or another cloud platform product. It is most likely that each of these get their own Global Account.
Then there is the real BTP AWS Usage style account you want which is called the CPEA Global Account.
The CPEA Global Account is the one with the power to create Subaccounts, consume your subscriptions//instances, etc.
Now apparently, there is a hybrid way of setting this up which SAP recommend now days but it's not there by default, so I'd suggest looking into this, as personally, I would want a single Global Account so I can set up my Subaccounts and manage cloud admins easily (full visibility of everything). Speak to your account exec to discuss the possibilities (I'm guessing it's not trivial to do so maybe something SAP don't push hard, but it seems like an obvious first step).
Final step here - Get access to the Global Account as otherwise, there's not much to see here.
I was pointed towards the SAP HANA Academy on Youtube for this and this was awesome (Please note - this link will stop working by the end of the year and you'll need to search in the SAP Learning hub). Boosters may be useful here, but not necessary for the basics really if you want to learn a bit more how it all hangs together for your first few Subaccounts.
In short, it talks about Directories and Subaccounts better than I could, so let me focus on the Hyperscalers and layout that I expect is a good start point.
So SAP seem to be paying for infra on your behalf here, so unless your company has a big preference, I'd probably stick with AWS Cloud Foundry instances in your appropriate region (checking your company's data at rest and transit policies) since AWS seems to have all services available - though are nuances here depending on what you need of course).
Anyway, let's talk name and number of Subaccounts:
I'm going to go with the RISE with SAP non-production landscape set-up as a default first.
e.g. Dev, QAS and Production
Side note - We're dealing with Cloud Computing, so standing up and down additional non-prod landscapes is straightforward!
The majority of services that make sense in that aspect should be added. I'm thinking that these Subaccounts should mostly be identical.
But wait, there's more:
Your first Subaccount should probably be a "Services" Subaccount. This is to hold your dev tools, ALM services and most importantly, Identity Service (IAS) (non-prod and prod) instances (I'd reach out to SAP with your desire to set the solution up right and see what they say). You should be able to get a "free" prod and non-prod IAS available pretty easily (also it is available to trial also) and provision it yourself in your fresh new Subaccount.
Note - IPS and IAS make up Identity Services, and there might be some license restrictions to get access to IPS (authentication versus provisioning). Will update when I understand it better.
BTW - I would have hoped that BAS could sit on this Services Subaccount, but you might need to make things a little peculiar and put this on your Dev Subaccount for access to the Dev Space (see below) and to access your on-prem dev systems via Cloud Connector (see below).
Other Subaccounts you may want to consider in the future:
Realistically, a good start point is to set up Dev, QAS, Prod and Services as a default.
Note - Having the ability to set-up a Playpen Subaccount on demand to try out new offerings, could be a reasonable idea to keep your main Subaccounts clean too...
Not really a requirement at this stage (and a Dev, QAS, Prod Subaccount means you probably only need 1 "dev" space in Dev, QS and Prod Subaccounts initially and note - Dev here means - "your stuff" - thanks to Mustafa for getting me to clarify this in his comment below), but I will come back to this post in the future and update my thoughts around app boundaries, isolation, etc; and when you should stray away from 1 Space per Landscape Subaccount.
Maybe the space should reflect your company instead?? <Company>Dev
While you can update Subaccount names easily, I'm not sure how hard it would be to change the Space name?
FYI - You will need to give permission to tools like BAS to your "Dev" SubAccount <Company>"Dev" Space.
So this is the most important part to get right. This is the glue to give people a seamless authentication experience across the landscape. Plus it helps your developers/admin manage user access across different BTP (and just as importantly, other SAP Cloud products) much more centrally.
There are 2 parts to get right:
For Part 1: If you have Azure AD for your corporation set-up with good MFA access controls, then this set-up has been documented well in this video (shows all aspects since usually MS Azure access is not give to SAP Administrators) - It's worth understanding how SAML2 actually works, but this video doesn't even require you to do that. Not much else to add here at this point - Job done
For Part 2: There is the ability to start adding additional requirements for platform users. It might be as simple as using specific IP address ranges as trusted (which is at least something), but you can also set-up your Authenticator app in here too which I'd recommend as a better start point. I've set it up in the past to access the IAS instance, and unfortunately, I'm just assuming we can get this in place for all BTP related and IAS connected solutions. The set-up is pretty straightforward, but it is at this point, you do start to worry about locking yourself out of the system (though seems very straightforward).
From an update mid last year - "You can now create an Identity Authentication and Identity Provisioning test tenant for SAP BTP, Cloud Foundry environment, in SAP BTP cockpit. Previously, only a productive tenant was created this way, while the test tenant was created by opening an incident."
This is a fundamental piece for the On-Premise world connecting to BTP. Like the rest of BTP, it's really easy to set-up but in fact, can be quite dangerous if not set-up appropriately.
I won't go into detail about it here except to highlight the following:
While the next steps for something like SAP Build should be straightforward with the above - I have to deal with SuccessFactors tenants not using IAS and how to convert them; or SAC on NEO and how to get principal propagation working for things like SuccessFactor Story Reports; plus general conversion from NEO to CF - but this is where your friendly consultants come into play. I just want to make sure the basics are set-up to begin with, so hopefully the above is a good template for us to run with.
Please comment in this post everything I've gotten wrong (or right) or any intricacies/recommendations you can detail - This is your chance to sell yourself and your company here as an experienced BTP architect/hands on administrator which will win you future work - The stuff above - It's just the basic friction that every customer should be past before you are even engaged in my opinion - otherwise you get people like me delaying you from starting as I want to be sure that BTP (and on-premise connected systems are protected, structured well and will accommodate where we might end up in the future!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
11 | |
7 | |
7 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 |