SAP Business Technology Platform Security
This is a community for learning, sharing, and getting help with the security services and features in SAP Business Technology Platform (SAP BTP) and their functional capabilities. Share your stories, connect with experts, and stay up to date on the latest developments.
In a large landscape, changing the root certificates that are the anchor of trust of TLS-protected communication requires some preparation, to ensure that everybody can communicate securely and without disruption. With the new BTP Trust Store, we want to help you avoid outages by providing information about changes in the trust anchors of SAP BTP early.
With the new Authorization Management service, administrators can assign access based on policies centrally within SAP Cloud Identity Services. An access policy allows a user to perform certain actions on a resource, subject to restricting rules. These rules can be adapted by administrators so that policies fit company requirements before being assigned to users.
Developers can define and deploy applications that support authorization policies, including functional checks, instance-based authorizations, and user attributes. The authorization policies are available in the SAP Cloud Identity Services administration console, where administrators can assign them to users and thus manage user access to resources.
Check out our new security recommendations for SAP BTP services, helping you to secure the configuration and operation of these services in your landscape. A new hands-on guide is now available where you will learn more about the security recommendations and how to implement them.
SAP BTP account administrators can now configure trust to multiple custom Identity Authentication tenants for login of platform users. Custom domains offer a streamlined user experience. And with the improved federation support you can dynamically assign platform authorizations based on user attributes such as groups.
With the SAP Malware Scanning service you can scan business documents uploaded by your custom-developed apps for malware. This will help you to stay secure and meet internal and external compliance requirements.
In SAP Business Technology Platform, Feature Set B, you can now control platform users and their account access via a custom identity provider as an alternative to using the default SAP ID service. This increases security by applying your own user management processes and improves compliance with internal and external company standards.
This new security white paper covers application and compliance management for good practices in the life sciences industry. Find out how SAP Business Technology Platform and its built-in services can help you create 21st-century applications.
SAP Authorization and Trust Management Service
The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. User authorizations are managed using technical roles on application level, which can be aggregated into business-level groups and role collections for large-scale cloud scenarios.
Guide for User Authentication and Authorization in SAP BTP
SAP Authorization and Trust Management Service in SAP Discovery Center
Documentation: SAP Authorization and Trust Management Service
Developing Secure Applications on the SAP BTP Cloud Foundry Runtime (Tutorial)
Implement Instance-Based Access Control
Creating Role Collections in SAP BTP
Secure a Node.js Application and Make it Available to Other Subaccounts
Troubleshooting the SAP Authorization and Trust Management Service
SAP Cloud Application Programming Model (CAP)
The SAP Cloud Application Programming Model (CAP) offers automatic authorization enforcement in the CAP-supported runtimes Node.js and Java. No manual coding of permission checks is required because authorization is enforced automatically at runtime. Developers can still implement individual permission checks.
SAP Cloud Application Programming Model (CAP)
Cookbook: Authorization and Access Control
Security Aspects of SAP Cloud Application Programming Model (Webinar replay)
SAP Credential Store
The SAP Credential Store service provides a secure repository for passwords and keys for applications that are running on SAP BTP. It enables applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and transport layer security (TLS) communication.
SAP Credential Store in SAP Discovery Center
SAP Malware Scanning Service
With the SAP Malware Scanning service you can scan business documents uploaded by your custom-developed apps for malware. This will help you to stay secure and meet internal and external compliance requirements.
SAP Custom Domain Service
SAP Custom Domain service allows you to make your SAP BTP applications accessible via an individual domain, which is different from the default one (hana.ondemand.com). It also provides a self-service for managing the related certificates and trust. You can also integrate your own PKI solutions, so it is not limited to a specific trust center. Furthermore, you have full control over the private key and certificate lifecycle.
SAP Custom Domain Service in SAP Discovery Center
SAP Connectivity and Destination Service
SAP BTP connectivity provides two services, the SAP Connectivity service and the SAP Destination service. The SAP Connectivity service contains a connectivity proxy, which is used to access on-premise resources. The SAP Destination service can be used to retrieve and store the technical information about the target resource.
Documentation: Connectivity in the Cloud Foundry Environment
Cloud Connector
The Cloud Connector provides a secure tunnel between SAP BTP applications and on-premise systems to access relevant data. Existing on-premise data can be reused without exposing the entire internal landscape. The Cloud Connector itself will be installed on-premise, so you have full control over what happens in your on-premise SAP systems. Furthermore, the connection will be established from on-premise to SAP BTP. This offers the advantage that you do not have to open an additional incoming port. The Cloud Connector also offers principal propagation. It manages the authentication process of an identity between systems.