Understanding SAP Business Technology Platform ser...
Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
SAP Business Technology Platform (SAP BTP for short) gives you access to a wide range of services (around 90 at the time).
Your business can leverage them when extending or integrating other solutions. Very soon, you will realize that there are differences between some services and others, and you’ll wonder why is that. You will turn to the documentation: Entitlements and Quotas - SAP Help Portal, only to find that little is said about this. While we work on these docs, I wanted to share my thoughts so that you can learn about those differences.
The three offerings: environments, subscriptions and instances
These three words explain the three different services offered in SAP Business Technology Platform:
Environments
Environments constitute the actual platform-as-a-service offering of SAP BTP that allows for the development and administration of business applications. Environments are anchored in SAP BTP on subaccount level.
SAP BTP offers three environments: ABAP, Cloud Foundry and Kyma. Some existing customers still have Neo, but this is no longer offered.
Subscription based services
You will also see these ones called software as a service (SaaS), or multitenant applications. The experience here is that you subscribe to the service, and in return you receive a URL, from which you can access that service. Opening the URL brings you to a web application from which you can leverage the service. This is how other SaaS like SuccessFactors or S/4HANA Cloud work as well.
These are the purest services. They provide a specific functionality, like databases, connectivity, authentication…. You connect your application to them to leverage that functionality. These services don’t provide a UI to manage them. Instead, they rely on API to connect to applications and other services and provide their services.
Another important concept when using services in SAP Business Technology Platform are the plans. Each service is offered through one or more service plans. A service plan represents a specific functionality of the service. Plans are also used to offer free-tier versions of the services.
Two examples:
SAP HANA Cloud service offers two functionalities: the in-memory database and the data lake, these are two different service plans. On top of that, SAP HANA Cloud has a free-tier offering, so there are two additional plans available: free-tier in-memory and free-tier data lake.
Another, very usual, case is SAP Integration Suite. This service offers subscription plans (free-tier, standard and digital edition) which are different versions of the core service, and an instance plan (messages) that gives API access.
💡 You will find the same pattern in many services. The same service offers a subscription plan (for human access through a UI), and an instance plan (for machines access through API's).
Provisioning services: subaccount level and environment level
Subscription services and instance services can be provisioned in different ways: from the SAP Business Technology Platform Cockpit, using the btp cli, or using cf cli. In SAP BTP Cockpit, you can manage subscriptions and instances from the same place, although the services will live in different places.
From Instances and Subscriptions, you can see all subscriptions, services and environments (sorry for the large image)
Let’s take a look at the details.
Environments
A quick mention on environments. You enable environments at a subaccount level. Inside a subaccount, you can:
Have no environment enabled
Have one environment enabled (Cloud Foundry or Kyma)
Have more than one environment enabled (Cloud Foundry and Kyma)
They are also enabled at a subaccount level, and are independent of the environments. You don’t need to have Cloud Foundry enabled to subscribe to SAP Launchpad Service, for example.
Instances
They are provisioned inside an environment, so they are environment specific.
Each environment has its own organization (for users and applications): In Cloud Foundry, instances are created inside a space. For Kyma, instances are created inside a namespace.
Subscriptions, instances and environments coexist in a subaccount
Access and permissions: Role collections
This is a whole topic on its own. The documentation (User and Member Management - SAP Help Portal) only talks about roles and role collections regarding default roles from the platform (the ones making you a global account admin, a subaccount admin).
A nice overview on the concepts of roles and role collections was done by Philip Mugglestone in the SAP HANA Academy and is available here: BTP Onboarding: Security - YouTube (the first 5:35 minutes are the overview, then he shows how roles work deploying a small app).
Here I will focus on how each service works in terms of access.
Environments
Both Cloud Foundry and Kyma, when enabled, will have their own permissions:
Cloud Foundry will create an organization and admins can create spaces. Admins give users read or write access to the organization and the spaces, according to the job they need to do. Read more about Cloud Foundry roles at About Roles in the Cloud Foundry Environment - SAP Help Portal.
The user that enabled the environment will become an admin (org-manager in Cloud Foundry, cluster-admin for Kyma). This user can add other users and give permissions to them.
Subscriptions
Once subscribed to a service, users are given permission at a subaccount level (by subaccount admins). All subscription services expose roles in the subaccount, and some already provide role collections (if not, you have to create them). Users assigned to the role collections will then be able to access the subscription.
Instances
They exist at a space (or namespace) level in an environment. Users with access to that space (or namespace) will be able to interact with them. Service instances are accessed through API’s. Service keys are used to provide a secure connection to those API’s. Anyone with those credentials will be able to communicate with the service instance, hence using the service.
Service entitlements: quotas and shared units
There are two ways services are entitled:
quota assignments: You assign a quota number (1, 2, 3,…) to a subaccount. This determines the maximum usage or number of instances that the subaccount can use.
shared units: You allow the subaccount to use the given service.
Some services have quotas, others have shared units
Going back to our different services, we have:
Environments
They are entitled via quota assignments. Cloud Foundry is measured in GB of memory, Kyma uses compute units.
Subscriptions
They use the shared unit method. You allow subaccounts to subscribe to a service (they can only subscribe once per subaccount).
Instances
Free services like Destinations, HTML5 App Repository and Connectivity use the shared units approach. They are generally assigned automatically to every subaccount, and you don’t have to worry about these.
Paid services, like Document Information Extraction, use quota assignments to control how many instances can exist in a subaccount.
Cost management: Restricting usage and monitoring the cost
Services are measured in a different ways (number of users, transactions, messages…), making it difficult to limit usage beforehand. You don’t want users locked out from Launchpad because you only provisioned 50 users, or make integrations fail because the maximum number of messages was reached in the middle of the month.
The strategy to keep costs under control in a consumption based product is a mix of good governance (subaccount and service ownership, subaccount and service provisioning, role management), and usage monitoring (reports, automatic notifications). For all types of services, you can monitor the usage from the SAP Business Technology Platform Usage Analytics in the cockpit, and via Resource Consumption API’s.
Environments
You give environment entitlements to subaccounts using quotas, so you can establish limits on how much Cloud Foundry, ABAP or Kyma resources a subaccount or directory uses. A Cloud Foundry organization won’t be able to use more memory that it is entitled to.
Subscriptions
These services are charged by usage (users, transactions…).
You can limit the usage of certain services that are charged per users (SAP Business Application Studio), as we saw that to access them, users need to be permissioned in the first place, but those services are usually not very critical.
Instances
Same as before, these are charged by usage.
Epilogue
This has been an attempt to answer some common questions from customers using SAP Business Technology Platform. The information here might not be 100% complete, and things change fast, but hopefully, I made this topic a bit more clear.