Security - Secure Development Services

SAP offers secure development services that enable developers to design secure business applications for the cloud. By reusing security services, you can develop secure and compliant applications without re-inventing the wheel. Developers need a platform which is ready for enterprise-grade business applications, and SAP Cloud Platform can help you with this challenge.

Overview Video: Secure Development Services

SAP Cloud Application Programming Model (CAP)

The SAP Cloud Application Programming Model (CAP) is an open and opinionated framework of languages, libraries, and tools for building enterprise-grade services and applications.

It offers the following capabilities for security:

  • Automatic authorization enforcement in the CAP-supported runtimes Node.js and Java
  • No manual coding of permission checks required, because authorization is enforced automatically at runtime
  • Developers can still implement individual permission checks

Overview Video

SAP Cloud Application Programming Model (CAP)

Cookbook: Authorization and Access Control

SAP Cloud Platform Authorization Service (XSUAA)

The Authorization Service (XSUAA) of SAP Cloud Platform lets you manage user authorizations. It lets you restrict access rights for resources to eligible business users or system users (system-to-system communication).

OAuth 2.0 is the protocol used for authorization.

Guide for User Authentication and Authorization in SAP Cloud Platform

Documentation: Authorization and Trust Management in the Cloud Foundry Environment

Documentation: The XSUAA Programming Model

SAP Cloud Platform Security

SAP Cloud Platform Credential Store

SAP Cloud Platform Credential Store provides a secure repository for passwords and keys for applications that are running on SAP Cloud Platform. It enables applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and transport layer security (TLS) communication.

Credential Store in SAP Cloud Platform Discovery Center

SAPinsider: Introducing SAP Cloud Platform Credential Store

Documentation: SAP Cloud Platform Credential Store

SAP Cloud Platform Connectivity and Destination Service

SAP Cloud Platform Connectivity provides two services, the Connectivity Service and the Destination Service. The Connectivity Service contains a connectivity proxy, which is used to access on-premise resources. The Destination Service can be used to retrieve and store the technical information about the target resource.

Documentation: Connectivity in the Cloud Foundry Environment

Cloud Connector

The Cloud Connector provides a secure tunnel between SAP Cloud Platform applications and on-premise systems to access relevant data. Existing on-premise data can be reused without exposing the entire internal landscape. The Cloud Connector itself is installed on-premise, so you have full control over what happens in your on-premise SAP systems. Furthermore, the connection is established from on-premise to SAP Cloud Platform, which means you do not have to open an additional incoming port.

The Cloud Connector also offers principal propagation. It manages the authentication process of an identity between systems.

Documentation: Cloud Connector

SAP Cloud Platform Custom Domain

Custom Domain allows you to make your SAP Cloud Platform applications accessible via an individual domain, which is different from the default one. It also provides a self-service for managing the related certificates and trust. You can also integrate your own PKI solutions, so it is not limited to a specific trust center. Furthermore, you have full control over the private key and certificate lifecycle.

Custom Domain in SAP Cloud Platform Discovery Center

Documentation: Using Custom Domains

Guided Answers: Custom Domain