Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Almost a year ago, at SAP TechEd 2022, we launched SAP Build, our low-code/no-code portfolio on SAP Business Technology Platform. It has been very positively welcomed, and I would like to share with you my thoughts on a prominent topic for our customers: the governance of low-code/no-code projects.

Low-code is here to stay

I think that you won’t disagree with me: low-code is here to stay, and you already know why: indeed,  you have understood how great the outcomes are in terms of driving developer and business efficiency.

But we also know that there might be some downsides if low-code is unproperly adopted: With the amazing adoption of low-code during the past months, we now have a clearer view of what could possibly go wrong if low-code is not properly deployed.

According to this article from Forbes, “the major downside for low-code and no-code tools is the lack of architectural governance, which can result in downtime and performance and scalability issues”. “Low-code and no-code tools can make it easy to skip important safeguarding procedures during production, which can lead to errors and security risks”. And: “Low-code and no-code tools may lead to an overemphasis on speed at the expense of quality. While faster development is appealing, it’s crucial not to compromise on security and performance”.

As explained in this article from ZDNET, it is paramount to “mitigate the risk of the proliferation of applications in the environment that aren't developed to company standards”. “Applications that are implemented without following proper development standards risks introducing security or regulatory compliance issues to the environment”.

Many SAP customers have already started their low-code journey, and some of them are extending SAP S/4HANA with low-code applications and automations that increase their agility and efficiency, be it in finance, procurement, manufacturing etc. Of course, they do not want to make any compromise on security, performance and overall compliance that could affect the ERP, which is at the core of their operations.

That’s why governance is not an option but a must-have for low-code projects… but what kind of governance?

What is a Low-code Governance Model?

Of course, low-code tools revolutionize the experience for creating applications and automating business processes… but must also deliver faster value, avoid shadow-IT, and ensure trust between business users (citizen developers), professional developerts, and central IT.

  • on one hand, IT Organization wants to ensure security and compliance for all the components of the IT landscape, from infrastructure to lightweight apps. IT’s mission is to avoid so-called “shadow IT”, and to reduce risk of proliferation of dubious applications created by citizen developers.

  • on the other hand, citizen developers expect to work within a scalable governance framework appropriate for the use case risk level and their skill level, to have enough flexibility for development and scaling, and to benefit of enablement and support.

Finding the right balance between empowerment and control allows for successful low-code development while mitigating potential risks. That balance defines your governance model for low-code.

How robust should your low-code governance model be?

According to what we have seen and discussed with SAP customers, the robustness of the governance model varies based on your organization's risk appetite and pace of innovation:

Governance models play a crucial role in managing risk and enabling innovation within an organization. The robustness of these models depends on your unique business context.

Here we can explore customer examples that showcase the relationship between appetite for risk and the pace of innovation in the context of low-code development.

Green - Trust-Based:

  • In this case, there's a higher appetite for risk under specific conditions, while still maintaining trust and control.

  • Low-code is primarily used for personal productivity applications, such as Save Gmail to Dropbox, Notify by email for new OneDrive uploads, Email upcoming calendar events, etc.

  • Enterprise IT use cases touching key business processes are not applicable in this scenario.

Green-Yellow - Guided Development:

  • This approach emphasizes collaboration with business stakeholders rather than strict control by IT.

  • Citizen Developers undergo e-learning for low-code development without formal certification.

  • A development checklist ensures compliance and maintains quality during the development process.

Yellow - Power Users Enabled-to-Build:

  • IT recognizes the risk of proliferation but doesn't want to hinder business innovation.

  • Citizen Developers with greater technical aptitude receive "Power User" training, including learning sprints and hands-on building with experts like SAP Discovery Center Missions.

  • These trained Power Users can handle every process up until the move to production.

  • IT takes over the final checks and deployment to production, balancing innovation with risk control.

Orange - Certified Development:

  • In this stage, a more structured approach is adopted to ensure better risk management.

  • IT defines learning requirements for Citizen Developers, who must complete training and certification before starting their low-code projects.

  • Once certified, Citizen Developers can perform every process up until production, after which IT takes over for the final deployment.

  • IT implements monitoring and integrated life cycle management tooling to maintain control.

Red - Controlled:

  • This model is based on how SAP itself runs SAP Build, and places significant emphasis on empowering Citizen Developers while keeping strict control over low-code development.

  • Low-code ideas must first be approved by business process owners and corporate IT before proceeding.

  • Once initiated, Citizen Developers can build up until production, but IT takes over the production release, following a quality control process based on the 4-eyes principle.

  • Ongoing monitoring and debugging become a shared responsibility.

How is SAP facilitating low-code governance? With SAP BTP!

At SAP we have been developing enterprise software for over 50 years. Our goal is for all companies to be Intelligent Sustainable Enterprises. To reach that goal, enterprise applications are not enough. Which is why we have SAP Business Technology Platform. SAP BTP comprises multiple capabilities that support application development, automation, integration, data and analytics use cases. SAP BTP aims to empower the business and bridge the gap between business and technology. Which is why we are heavily investing in our low-code/no-code portfolio for application development… and in governance-focused capabilities.

Governance for low-code projects follows the same principles as for other projects on SAP BTP: topics like setting up an account structure, assign roles and authorizations, manage cost and monitor operations also apply to low-code projects.

Let me just share with you an example of governance best practices: SAP BTP recommends using staged development environment which allows your IT organization to carefully check the quality, compliance and performance of any low-code application or automation before easily and securely deploying it on your productive cloud tenants.

For a customer starting with his BTP journey, this is the recommended structure – 3 tier environment. Creating subaccounts for DEV/TEST/PROD allows dedicated user management between different stages – and you can then create dedicated spaces for apps or projects within these subaccounts if you do not need a dedicated user management for these apps/projects.

According to your needs, you can also create subaccounts to:

  • Separate dev scenarios and projects to allow easier config (such as with regards to access restrictions)

  • Separate work of different teams

  • Set up different trust configurations between subaccounts

  • Restrict access to apps and their admin (such as “high-security” subaccounts with restricted access)

So, as we agreed in the beginning of this blog post, low-code is here to stay and establishing a proper gownernance model around it is no rocket science.

Learn more on SAP Build governance!

If you want to discover more on SAP Build Governance, visit our brand new Governance Resource Center for SAP Build. It is a one-stop resource hub that can greatly simplify your governance-related efforts: it provides a wealth of information, assets and practical templates designed for IT administrators, such as governance guides, a toolkit for building a citizen developer center of excellence business site, and the new Use Case Evaluator for SAP Build projects. Just go there and take over everything that will be off value for your organization!

And of course if you want to start your low-code journey with no further ado, join our SAP Builders community and start learning SAP Build!






  1. IDC, InfoBrief, sponsored by SAP, Breaking the code, How Low Code Is Changing Development, #US49060722, May 2022

  2. IDC, Developers' Reasons Vary for Using Low-Code and No-Code Development Tools, # US49454122, July 2022