SAP Business Technology Platform Security

This is a community for learning, sharing, and getting help with the security services and features in SAP Business Technology Platform (SAP BTP) and their functional capabilities. Share your stories, connect with experts, and stay up to date on the latest developments.

Featured Content

SAP Business Technology Platform Services in GxP Environments

This new security white paper covers application and compliance management for good practices in the life sciences industry. Find out how SAP Business Technology Platform and its built-in services can help you create 21st-century applications.

Read the paper

Security Aspects of SAP Cloud Application Programming Model

Learn about security tips and techniques when building applications with CAP, such as adding XSUAA and roles, configuring Helmet for content security policies, and how to deal with CORS (Cross-Origin Resource Sharing).

Watch the Devtoberfest session replay

SAP BTP Extension Generators: Authentication and Authorization Tutorials

Check out our new video tutorial series about SAP BTP extension generators. In this tutorial, we zoom in on the security aspects of authentication and authorization for business applications.

Watch the hands-on tutorials

SAP BTP: New Cockpit Screens for User Management in the Global Account

As a global account administrator [Feature Set B], you can now see all users of your global accounts in the cockpit, related identity provider information, and manage the users.

Check out the details

Expert Content

SAP Authorization and Trust Management Service

The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. User authorizations are managed using technical roles on application level, which can be aggregated into business-level groups and role collections for large-scale cloud scenarios.

Guide for User Authentication and Authorization in SAP BTPSAP Authorization and Trust Management Service in SAP Discovery CenterDocumentation: SAP Authorization and Trust Management ServiceDeveloping Secure Applications on the SAP BTP Cloud Foundry Runtime (Tutorial)Implement Instance-Based Access ControlCreating Role Collections in SAP BTPSecure a Node.js Application and Make it Available to Other SubaccountsTroubleshooting the SAP Authorization and Trust Management Service

SAP Cloud Application Programming Model (CAP)

The SAP Cloud Application Programming Model (CAP) offers automatic authorization enforcement in the CAP-supported runtimes Node.js and Java. No manual coding of permission checks are required because it is automatically enforced during runtime. Developers can still implement individual permission checks.

Overview VideoSAP Cloud Application Programming Model (CAP)Cookbook: Authorization and Access ControlSecurity Aspects of SAP Cloud Application Programming Model (Webinar replay)

SAP Credential Store

SAP Credential Store service provides a secure repository for passwords and keys for applications that are running on SAP BTP. It enables applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and transport layer security (TLS) communication.

SAP Credential Store in SAP Discovery CenterSAPinsider: Introducing SAP Credential StoreDocumentation: SAP Credential Store

SAP Custom Domain Service

SAP Custom Domain service allows you to make your SAP BTP applications accessible via an individual domain, which is different from the default one ( It also provides a self-service for managing the related certificates and trust. You can also integrate your own PKI solutions, so it is not limited to a specific trust center. Furthermore, you have full control over the private key and certificate lifecycle.

SAP Custom Domain Service in SAP Discovery CenterDocumentation: SAP Custom Domain ServiceGuided Answers: SAP Custom Domain Service

SAP Connectivity and Destination Service

SAP BTP connectivity provides two services, the SAP Connectivity service and the SAP Destination service. The SAP Connectivity service contains a connectivity proxy, which is used to access on-premise resources. The SAP Destination service can be used to retrieve and store the technical information about the target resource.

Documentation: Connectivity in the Cloud Foundry Environment

Cloud Connector

The Cloud Connector provides a secure tunnel between SAP BTP applications and on-premise systems to access relevant data. Existing on-premise data can be reused without exposing the entire internal landscape. The Cloud Connector itself will be installed on-premise, so you have full control over what happens in your on-premise SAP systems. Furthermore, the connection will be established from on-premise to SAP BTP. This offers the advantage that you do not have to open an additional incoming port. The Cloud Connector also offers principal propagation. It manages the authentication process of an identity between systems.

Overview BlogDocumentation: Cloud Connector