sap-btp-best-practices

name: sap-btp-best-practices description: | SAP BTP best practices for enterprise architecture, account management, security, and operations, with verification evidence tracked in the repository ledger. Use when planning BTP implementations, setting up account hierarchies, configuring environments, implementing authentication, designing CI/CD pipelines, establishing governance, building Platform Engineering teams, implementing failover strategies, or managing application lifecycle on SAP BTP.

Keywords: SAP BTP, account hierarchy, global account, directory, subaccount, Cloud Foundry, Kyma, ABAP, SAP Identity Authentication, CI/CD, governance, Platform Engineering, failover, multi-region, SAP BTP best practices license: GPL-3.0 metadata: maintainer: "Eduard Jiglau" maintainer_email: "hello@sap-ai-skills.com" website: "https://sap-ai-skills.com" version: "2.3.2" last_verified: "2025-11-27"

SAP BTP Best Practices

Related Skills

sap-btp-cloud-platform: Use for technical implementation details, CLI commands, and runtime configurations
sap-btp-connectivity: Use for connectivity patterns, destination configuration, and Cloud Connector setup
sap-btp-service-manager: Use for service lifecycle management and programmatic service operations
sap-btp-developer-guide: Use for development workflows, CAP integration, and application patterns
sap-cap-capire: Use when designing CAP applications on BTP or implementing multitenancy
sap-ai-core: Use for AI Core platform setup, model deployment, and orchestration configuration
sap-cloud-sdk-ai: Use for SDK-level AI integration in CAP or standalone BTP applications
sap-fiori-tools: Use for UI deployment strategies and frontend application guidelines

When to Use This Skill

Use this skill when designing a BTP account model, setting up governance, choosing commercial/environment patterns, establishing security and authentication defaults, designing CI/CD and operations practices, or reviewing a BTP landscape before implementation.

Quick Start

Identify the target account model: global account, directories, subaccounts, environments, and regions.
Choose the runtime path: Cloud Foundry, Kyma, ABAP Environment, or a hybrid portfolio.
Apply security defaults from Security and Authentication.
Use the relevant implementation skill for detailed execution: sap-btp-cloud-platform, sap-btp-connectivity, sap-btp-service-manager, sap-cap-capire, or sap-fiori-tools.
Record production-specific gaps in the project plan before changing last_verified.

Documentation-audited SAP BTP implementation guidance based on official SAP documentation. The last_verified date remains stale until the source refresh and any live account checks are completed.

Quick Links:

Official Guide: https://github.com/SAP-docs/btp-best-practices-guide
SAP Help Portal: https://help.sap.com/docs/btp/btp-administrators-guide

Platform Fundamentals
Account Model Setup
Security and Authentication
Connectivity
Governance and Teams
Development
AI Development
Deployment and Delivery
High Availability and Failover
Operations and Monitoring
Cost Management
Bundled Resources

Platform Fundamentals

Account Hierarchy

Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount

Key Points:

Global account = contract with SAP (one per commercial model)
Directory = groups subaccounts (max 7 levels deep)
Subaccount = deployed in specific region, enables runtimes
Use labels for virtual grouping (Dev/Test/Prod, cost centers)

Environments

Environment	Use Case	Key Features
Cloud Foundry	Polyglot apps	Multiple buildpacks, spaces
Kyma	Cloud-native K8s	Open-source, namespaces
ABAP	ABAP extensions	RAP, cloud-ready ABAP
Neo	Legacy	Migrate away - HTML5, Java, HANA XS

Commercial Models

Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
Subscription-Based: Fixed-cost for known service needs

Best Practice: Start with consumption-based, move to subscription for stable workloads.

Account Model Setup

Simple Model (3 subaccounts)

Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount

Best for: Initial implementations, single team, <3 projects

Directory Model (scalable)

Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services

Best for: Multiple teams, cost allocation, complex governance

Naming Conventions

Entity	Convention	Example
Subaccount	Natural language	"HR Development"
Subdomain	Lowercase, hyphens	`hr-dev-acme`
CF Org	Company prefix	`acme-hr-dev`
CF Space	Consistent across stages	`hr-recruiting`

Tip: Derive CF org/Kyma names from subaccount names for consistency.

Security and Authentication

Identity Provider Setup

Always use SAP Cloud Identity Services - Identity Authentication

Corporate IdP → Identity Authentication (proxy) → SAP BTP

Critical Steps:

Add multiple administrators (different time zones)
Enable MFA for all admins
Configure security alerts
Set up backup admins in SAP ID Service

Authorization Methods

Method	Best For	Notes
Provisioning	Production, many users	Centralized roles, automated offboarding
Federation	Simple scenarios	Real-time sync, but doesn't scale well
Manual	Testing only	Quick setup, not production-ready

Destination Authentication

Recommended:

PrincipalPropagation - SAP on-premise systems
OAuth2SAMLBearerAssertion - Third-party systems
OAuth2JWTBearer - User token exchange

Avoid in Production:

BasicAuthentication
OAuth2Password

See: references/security-and-authentication.md for complete guidance

Connectivity

Remote System Access

Internet Services: Destinations with authentication
On-Premise Systems: Destinations + Cloud Connector

Cloud Connector

Lightweight on-premise agent
Secure tunnel to SAP BTP (no inbound ports)
Fine-grained access control
Supports RFC and HTTP protocols
Enables principal propagation

Note: Each subaccount needs separate Cloud Connector config.

Governance and Teams

Required Teams

Platform Engineering Team (Center of Excellence):

Manages cloud landscape infrastructure
Handles account operations, build infrastructure
Creates governance and compliance guidelines
Does NOT manage individual application lifecycles

Cloud Development Teams:

Follow DevOps (develop AND operate)
Responsible for application lifecycle
Regular maintenance (e.g., UI updates every 6 months)

Essential Documentation

Onboarding Doc: Organization, app IDs, timeline, tech stack
Security Doc: Data sensitivity, policies, auth framework
Services Catalog: Templates for destinations, builds, schemas

Development

Programming Models

SAP CAP (Cloud Application Programming Model):

Framework with languages, libraries, tools
Supports Java, JavaScript, TypeScript
Enterprise-grade services and data models

ABAP Cloud:

Modern ABAP for cloud-ready apps
RAP (RESTful ABAP Programming Model)
Extensions for ABAP-based products

Development Lifecycle

Explore: Business opportunity, team roles
Discover: Use cases, technology options
Design: UX design, domain-driven design
Deliver: Landscape setup, development
Run and Scale: Feedback, optimization

AI Development

SAP BTP provides AI capabilities through SAP AI Core for:

Generative AI (LLMs, RAG)
Narrow AI (classical ML)

Key Resources:

Repository: SAP-samples/sap-btp-ai-best-practices
Documentation: https://btp-ai-bp.docs.sap/

Best Practices:

Use service keys for secure authentication
Implement PII data masking
Build RAG with SAP HANA Cloud Vector Engine
Configure content filtering
Monitor model drift

Use Cases: 20+ samples including chatbots, PDF extraction, procurement.

CAP + AI Integration Patterns:

Use SAP Cloud SDK for AI (@sap-ai-sdk/orchestration) inside CAP event handlers — never raw HTTP calls to LLM providers
Bind AI Core service instance to CAP app via MTA (plan: extended) — credentials are managed by BTP, not in code
Always process LLM calls asynchronously in production: return 202 Accepted, process in background via cds.spawn. LLM responses can take 30-60 seconds, exceeding BTP load balancer timeouts
Externalize prompts into JSON files or CDS entities so they can be updated without redeployment
Use HANA Cloud Vector(1536) type in CDS entities for RAG scenarios with the HANA Vector Engine
Allocate at least 512MB memory for Node.js containers processing large text payloads with the AI SDK
Implement resilience: validate LLM outputs before writing to the database (prevent injection attacks), cache frequent responses for cost control

See: references/ai-development-best-practices.md for patterns and examples. For CAP-specific code patterns, see sap-cap-capire skill. For SDK integration, see sap-cloud-sdk-ai skill.

Deployment and Delivery

Deployment Methods

Cloud Foundry/Neo:

Package as MTA archive
Deploy via: BTP Cockpit, CF CLI, Business Application Studio

Kyma:

Docker images (Dockerfile or Cloud Native Buildpacks)
Helm charts for production
Deploy via SAP Continuous Integration and Delivery

CI/CD Approaches

SAP Continuous Integration and Delivery:

Low expertise required
Ready-to-use infrastructure
Direct SAP support

Project "Piper":

High expertise required
Jenkins-based
Open-source community support

Best Practice: Combine CI/CD with SAP Cloud Transport Management for governance + agility.

See: references/deployment-and-delivery.md for detailed configs

High Availability and Failover

Multi-Region Architecture

Custom Domain URL
       │
    Load Balancer
       ├── Region 1 (active)
       └── Region 2 (passive/active)

Failover Implementation

Four Core Principles:

Deploy in Two Regions: Near users and backend systems
Keep Synced: CI/CD pipeline or Cloud Transport Management
Define Detection: Monitor 5xx errors, timeouts
Plan Failback: Visual differentiation, user-driven

Legal: Check cross-region data processing restrictions.

See: references/failover-and-resilience.md for implementation details

Operations and Monitoring

Go-Live Checklist

Deploy to production
Set go-live timeframe (avoid quarter-end)
Embed in SAP Fiori Launchpad
Provision business users
Configure role collections

Monitoring Tools

SAP Cloud ALM (Enterprise Support):

Real User Monitoring
Health Monitoring
Integration and Exception Monitoring
Job Automation Monitoring

SAP Cloud Logging:

Observability across CF, Kyma, Kubernetes

SAP Alert Notification:

Multi-channel notifications (email, chat, ticketing)

Cost Management

Best Practices

Check Costs and Usage monthly
Provide minimal required entitlements
Use labels for cost allocation
Set up automated alerts (Usage Data Management + Alert Notification)

Contract Strategies

Consolidate subscriptions in one global account
Use hybrid accounts for mixed workloads
Note: Consumption credits non-transferable between global accounts

Bundled Resources

This skill provides comprehensive reference documentation:

Account & Governance

references/account-models.md (11K lines)
- Detailed account structure patterns
- Naming conventions and examples
- Cost allocation strategies
references/governance-and-teams.md (13K lines)
- Platform Engineering team structure
- Onboarding processes
- Documentation templates

Security & Connectivity

references/security-and-authentication.md (13K lines)
- Complete auth methods comparison
- Destination configuration
- Kyma RBAC manifests
- Identity lifecycle management

Deployment & Operations

references/deployment-and-delivery.md (10K lines)
- MTA descriptor templates
- CI/CD pipeline configs
- Transport management setup
references/operations-and-monitoring.md (11K lines)
- Go-live procedures
- Monitoring setup guides
- Troubleshooting checklists

High Availability

references/failover-and-resilience.md (12K lines)
- Multi-region architecture
- Load balancer configurations
- Failover automation scripts

Templates & Examples

references/templates-and-examples.md (18K lines)
- Complete code templates
- Kubernetes RBAC manifests
- MTA descriptors
- Helm charts
- CI/CD configs

AI Development

references/ai-development-best-practices.md (6K lines)
- Generative AI patterns
- RAG implementation
- 20+ use cases catalog

Progress Tracking

Implementation status
Coverage details
Validation checklists

Administration Tools

Tool	Use Case
SAP BTP Cockpit	GUI for all admin tasks
btp CLI	Terminal/automation scripting
REST APIs	Programmatic administration
Terraform Provider	Infrastructure as Code
SAP Automation Pilot	Low-code/no-code automation

Shared Responsibility Model

SAP Manages:

Platform software updates/patches
Infrastructure and OS monitoring
BTP service monitoring
Capacity management and incidents
Global account provisioning
HANA database operations
Kyma kyma-system namespace

You Manage:

Global account strategy and subaccount config
Application development, deployment, security
Role assignments and integrations
Application monitoring and health checks
Open source vulnerability scanning
Triggering HANA revision updates

Last Updated: 2026-06-16 Review Progress: See SAP_SKILLS_REVIEW_PROGRESS.md Next Review: Source refresh pending; do not advance last_verified without primary-source evidence.