🇺🇸English
SAP BTP Best Practices
Related Skills
- sap-btp-cloud-platform : Use for technical implementation details, CLI commands, and runtime configurations
- sap-btp-connectivity : Use for connectivity patterns, destination configuration, and Cloud Connector setup
- sap-btp-service-manager : Use for service lifecycle management and programmatic service operations
- sap-btp-developer-guide : Use for development workflows, CAP integration, and application patterns
- sap-cap-capire : Use when designing CAP applications on BTP or implementing multitenancy
- sap-fiori-tools : Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
Quick Links :
Table of Contents
- Platform Fundamentals
- Account Model Setup
- Security and Authentication
- Connectivity
- Governance and Teams
- Development
- AI Development
- Deployment and Delivery
- High Availability and Failover
- Operations and Monitoring
- Cost Management
- Bundled Resources
Platform Fundamentals
Account Hierarchy
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│ └── Subaccount (region-specific, apps run here)
│ ├── Cloud Foundry Org → Spaces
│ └── Kyma Cluster → Namespaces
└── Subaccount
Key Points :
- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)
Environments
| Environment | Use Case | Key Features |
|---|
| Cloud Foundry | Polyglot apps | Multiple buildpacks, spaces |
| Kyma | Cloud-native K8s | Open-source, namespaces |
| ABAP | ABAP extensions | RAP, cloud-ready ABAP |
| Neo | Legacy | Migrate away - HTML5, Java, HANA XS |
Commercial Models
- Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
- Subscription-Based : Fixed-cost for known service needs
Best Practice : Start with consumption-based, move to subscription for stable workloads.
Account Model Setup
Simple Model (3 subaccounts)
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
Best for: Initial implementations, single team, <3 projects
Directory Model (scalable)
Global Account
├── Directory: HR
│ ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│ ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
├── api-management
└── shared-services
Best for: Multiple teams, cost allocation, complex governance
Naming Conventions
| Entity | Convention | Example |
|---|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | hr-dev-acme |
| CF Org | Company prefix | acme-hr-dev |
| CF Space | Consistent across stages | hr-recruiting |
Tip : Derive CF org/Kyma names from subaccount names for consistency.
Security and Authentication
Identity Provider Setup
Always use SAP Cloud Identity Services - Identity Authentication
Corporate IdP → Identity Authentication (proxy) → SAP BTP
Critical Steps :
- Add multiple administrators (different time zones)
- Enable MFA for all admins
- Configure security alerts
- Set up backup admins in SAP ID Service
Authorization Methods
| Method | Best For | Notes |
|---|
| Provisioning | Production, many users | Centralized roles, automated offboarding |
| Federation | Simple scenarios | Real-time sync, but doesn't scale well |
| Manual | Testing only | Quick setup, not production-ready |
Destination Authentication
Recommended :
PrincipalPropagation - SAP on-premise systemsOAuth2SAMLBearerAssertion - Third-party systemsOAuth2JWTBearer - User token exchange
Avoid in Production :
BasicAuthenticationOAuth2Password
See : references/security-and-authentication.md for complete guidance
Connectivity
Remote System Access
- Internet Services : Destinations with authentication
- On-Premise Systems : Destinations + Cloud Connector
Cloud Connector
- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation
Note : Each subaccount needs separate Cloud Connector config.
Governance and Teams
Required Teams
Platform Engineering Team (Center of Excellence) :
- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- Does NOT manage individual application lifecycles
Cloud Development Teams :
- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)
Essential Documentation
- Onboarding Doc : Organization, app IDs, timeline, tech stack
- Security Doc : Data sensitivity, policies, auth framework
- Services Catalog : Templates for destinations, builds, schemas
Development
Programming Models
SAP CAP (Cloud Application Programming Model) :
- Framework with languages, libraries, tools
- Supports Java, JavaScript, TypeScript
- Enterprise-grade services and data models
ABAP Cloud :
- Modern ABAP for cloud-ready apps
- RAP (RESTful ABAP Programming Model)
- Extensions for ABAP-based products
Development Lifecycle
- Explore : Business opportunity, team roles
- Discover : Use cases, technology options
- Design : UX design, domain-driven design
- Deliver : Landscape setup, development
- Run and Scale : Feedback, optimization
AI Development
SAP BTP provides AI capabilities through SAP AI Core for:
- Generative AI (LLMs, RAG)
- Narrow AI (classical ML)
Key Resources :
Best Practices :
- Use service keys for secure authentication
- Implement PII data masking
- Build RAG with SAP HANA Cloud Vector Engine
- Configure content filtering
- Monitor model drift
Use Cases : 20+ samples including chatbots, PDF extraction, procurement.
See : references/ai-development-best-practices.md for patterns and examples
Deployment and Delivery
Deployment Methods
Cloud Foundry/Neo :
- Package as MTA archive
- Deploy via: BTP Cockpit, CF CLI, Business Application Studio
Kyma :
- Docker images (Dockerfile or Cloud Native Buildpacks)
- Helm charts for production
- Deploy via SAP Continuous Integration and Delivery
CI/CD Approaches
SAP Continuous Integration and Delivery :
- Low expertise required
- Ready-to-use infrastructure
- Direct SAP support
Project "Piper" :
- High expertise required
- Jenkins-based
- Open-source community support
Best Practice : Combine CI/CD with SAP Cloud Transport Management for governance + agility.
See : references/deployment-and-delivery.md for detailed configs
High Availability and Failover
Multi-Region Architecture
Custom Domain URL
│
Load Balancer
├── Region 1 (active)
└── Region 2 (passive/active)
Failover Implementation
Four Core Principles :
- Deploy in Two Regions : Near users and backend systems
- Keep Synced : CI/CD pipeline or Cloud Transport Management
- Define Detection : Monitor 5xx errors, timeouts
- Plan Failback : Visual differentiation, user-driven
Legal : Check cross-region data processing restrictions.
See : references/failover-and-resilience.md for implementation details
Operations and Monitoring
Go-Live Checklist
- Deploy to production
- Set go-live timeframe (avoid quarter-end)
- Embed in SAP Fiori Launchpad
- Provision business users
- Configure role collections
Monitoring Tools
SAP Cloud ALM (Enterprise Support):
- Real User Monitoring
- Health Monitoring
- Integration and Exception Monitoring
- Job Automation Monitoring
SAP Cloud Logging :
- Observability across CF, Kyma, Kubernetes
SAP Alert Notification :
- Multi-channel notifications (email, chat, ticketing)
Cost Management
Best Practices
- Check Costs and Usage monthly
- Provide minimal required entitlements
- Use labels for cost allocation
- Set up automated alerts (Usage Data Management + Alert Notification)
Contract Strategies
- Consolidate subscriptions in one global account
- Use hybrid accounts for mixed workloads
- Note: Consumption credits non-transferable between global accounts
Bundled Resources
This skill provides comprehensive reference documentation:
Account & Governance
-
references/account-models.md (11K lines)
- Detailed account structure patterns
- Naming conventions and examples
- Cost allocation strategies
-
references/governance-and-teams.md (13K lines)
- Platform Engineering team structure
- Onboarding processes
- Documentation templates
Security & Connectivity
references/security-and-authentication.md (13K lines)
- Complete auth methods comparison
- Destination configuration
- Kyma RBAC manifests
- Identity lifecycle management
Deployment & Operations
-
references/deployment-and-delivery.md (10K lines)
- MTA descriptor templates
- CI/CD pipeline configs
- Transport management setup
-
references/operations-and-monitoring.md (11K lines)
- Go-live procedures
- Monitoring setup guides
- Troubleshooting checklists
High Availability
references/failover-and-resilience.md (12K lines)
- Multi-region architecture
- Load balancer configurations
- Failover automation scripts
Templates & Examples
references/templates-and-examples.md (18K lines)
- Complete code templates
- Kubernetes RBAC manifests
- MTA descriptors
- Helm charts
- CI/CD configs
AI Development
references/ai-development-best-practices.md (6K lines)
- Generative AI patterns
- RAG implementation
- 20+ use cases catalog
Progress Tracking
- Implementation status
- Coverage details
- Validation checklists
Administration Tools
| Tool | Use Case |
|---|
| SAP BTP Cockpit | GUI for all admin tasks |
| btp CLI | Terminal/automation scripting |
| REST APIs | Programmatic administration |
| Terraform Provider | Infrastructure as Code |
| SAP Automation Pilot | Low-code/no-code automation |
Shared Responsibility Model
SAP Manages :
- Platform software updates/patches
- Infrastructure and OS monitoring
- BTP service monitoring
- Capacity management and incidents
- Global account provisioning
- HANA database operations
- Kyma
kyma-system namespace
You Manage :
- Global account strategy and subaccount config
- Application development, deployment, security
- Role assignments and integrations
- Application monitoring and health checks
- Open source vulnerability scanning
- Triggering HANA revision updates
Last Updated : 2025-11-27 Review Progress : See SAP_SKILLS_REVIEW_PROGRESS.md Next Review : 2026-02-27 (quarterly)
Weekly Installs
68
Repository
secondsky/sap-skills
GitHub Stars
157
First Seen
Jan 23, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykPass
Installed on
gemini-cli60
opencode60
codex59
github-copilot58
kimi-cli52
amp52
