BTP Security

The document outlines the features and architecture of SAP Business Technology Platform (BTP), detailing services for application development, business process automation, integration, data analytics, and AI. It explains the components of Identity and Access Management (IAM) within SAP BTP, including user and system identities, authentication, and authorization processes. Additionally, it describes the integration of SAP BTP with on-premise systems through Cloud Connector and the setup of security measures for application development and deployment.

Uploaded by tandelankit

SAP BTP

It offers different services for different categories of users, and it runs on the cloud:
- Application development
  o Build apps
  o BAS (Business Application Studio)
- Business process automation tools
- Integration (SAP Integration Suite)
- Data and analytics (SAP Analytics Cloud, SAP HANA Cloud)
- SAP AI (SAP AI Business Services)

SAP BTP Architecture Components

- Global Account
  o It is the contract between SAP and the client.
  o All the services the customer or partner has subscribed to are provided in the Global Account by SAP, along with some free services.
- Sub-Account
  o It is the heart of BTP.
  o It is the logical connection between the customer and the backend hardware where the services are subscribed.
  o It must be created by us; services subscribed in a subaccount can be used in that subaccount only.
- Directory
  o It acts as an instance of the Global Account.
  o It helps in dividing the workload of distributing services.
IAM (Identity & Access Management)

- IAM is a framework that controls the identities in an IT infrastructure and how they access the systems (in a cloud infrastructure / landscape).
- Types of identities:
  o User identities
    * Quantifiable factors that can be verified by the application system; these are also called "authentication factors".
    * Authentication factors are:
      - Knowledge: something the user knows, such as user ID / password
      - Possession: something the user has to reach out with (browser, app)
      - Intrinsic qualities: something that makes the user unique (fingerprint / retina scan)
  o System identities
    * A digital system / application identity is associated with a client ID that can be verified by other application systems.
- IAM mechanisms make sure the right person is accessing the information.
- Components of IAM
  o Authentication (tells WHO IS THIS?)
    * Allows users to log in to the application; with this, the system validates the credentials of the principal trying to get access to that system.
  o Authorization (tells WHAT YOU CAN DO)
    * Allows the user to perform relevant tasks within the application; with this, the system grants privileges to the principal once they are authenticated, so that they can use the system resources.
  o Identity lifecycle (manages multi-system access)
    * Replicates identities from one application to other applications; it helps IDM and IAG provision identities to proxy cloud applications.

- Traditional way of IAM:
  o Each system has its own user account.
  o The user has different credentials for each system.
- Modern IAM with an Identity Provider:
  o One system acts as the authentication point for all systems; it is known as the Identity Provider (IdP).
  o Trust is created between the IdP and each connected system for authentication.
  o One user ID for all connected systems.

- SAP Cloud Landscape: (figure not reproduced)
- SAP Cloud IAM tools:
  o SAP IAS (Identity Authentication Service): provides authentication functionality
  o SAP IDS (Identity Directory Service): provides user store capabilities
  o SAP IPS (Identity Provisioning Service): identity lifecycle management
  o Authorization Management: stores / manages security policies
  SAP Cloud IAM is known as SAP CIS (Cloud Identity Services).
  Only one user ID / password is needed for all systems.

- SAP CIS technical services:
  IAS acts as the user interface or frontend for CIS.
  As shown in the figure above (not reproduced), SAP IDS is the backend of SAP IAS and IPS.
  IPS is the lifecycle management service.

- IAS
  o IAS as main Identity Provider
    * Stores all users
    * Performs the authentication
  o IAS as proxy
    * May or may not store user data
    * The corporate IdP always performs the authentication (3rd-party authentication)

  o IAS as main Identity Provider (figure not reproduced)
    * Trust is created with each application.

  o SAP Launchpad / Build Work Zone (centralized launchpad):
    * A launchpad called BTP Build Work Zone is created; in it you can create a site and Fiori tiles for each trusted application.
    * Each tile has roles that need to be assigned to users.

  o IAS as proxy mode
    * SAP recommends using IAS in proxy mode even if the customer has an existing IdP solution such as Azure AD / Okta / Google IAM.
    * In proxy mode SAP IAS does not store user data.
    * SAP IAS creates trust with the existing IdP and with BTP.
    * Authentication happens with the client's IdP (Azure AD).

  o Risk-Based Authentication (RBA):
    * Access is provided depending on the user type.
    * Multiple applications in the landscape carry different types of risk based on user access; e.g. external users may need additional authentication, or they should not have any access to the Payroll system.
    * With RBA you can implement authentication behaviour based on department / group / user type.
  o Different identity providers can be used to authenticate different systems.
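To make the risk-based authentication idea concrete, here is an added example (not from the original notes and not SAP's implementation) that models an ordered rule list evaluated against a user's type, department and groups, with first match wins and a default of "allow". The user types, application names and rule set are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List

@dataclass
class Principal:
    user_id: str
    user_type: str                      # "employee" or "external" (constructed values)
    department: str = ""
    groups: FrozenSet[str] = frozenset()

@dataclass
class Rule:
    # A rule matches only if every non-None condition holds; first match wins.
    action: str                         # "allow", "mfa" (step-up) or "deny"
    application: Optional[str] = None
    user_type: Optional[str] = None
    department: Optional[str] = None
    group: Optional[str] = None

    def matches(self, p: Principal, application: str) -> bool:
        return (self.application in (None, application)
                and self.user_type in (None, p.user_type)
                and self.department in (None, p.department)
                and (self.group is None or self.group in p.groups))

# Constructed policy: the page's example (external users get step-up
# authentication and no Payroll access), plus MFA for everyone on Payroll.
RULES: List[Rule] = [
    Rule("deny", application="Payroll", user_type="external"),
    Rule("mfa", user_type="external"),
    Rule("mfa", application="Payroll"),
]

def decide(p: Principal, application: str, rules: List[Rule] = RULES,
           default: str = "allow") -> str:
    """Return the action of the first matching rule, or the default action."""
    for rule in rules:
        if rule.matches(p, application):
            return rule.action
    return default

if __name__ == "__main__":
    ext = Principal("vendor01", "external")
    emp = Principal("jdoe", "employee", department="Finance",
                    groups=frozenset({"Payroll-Admins"}))
    for who, app in [(ext, "Payroll"), (ext, "Launchpad"),
                     (emp, "Payroll"), (emp, "Launchpad")]:
        print(who.user_id, app, "->", decide(who, app))
```

Because rules are evaluated in order, a more specific rule placed earlier (for example an allow for one department) overrides the broader ones that follow it.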

- IPS
  o IPS reads the data from the source system and writes it into the target system.
  o If you want to replicate users from one system to another, you can use IPS.
  o Field labels may differ in each system; IPS helps transform them and convert them to the target format.
  o You need to maintain the field mapping between source and target when configuring it.

Terminology Mapping (figure not reproduced)

- SAP IAG
  Integration scenarios in IAG:
  o Direct integration
    * Its own integration capability
    * A connector within IAG allows you to connect directly with the target without any Cloud Connector.
  o Via IPS proxy
    * IPS works as a proxy system and helps integrate any SAP cloud system with IAG.
  o Cloud Connector
    * The Cloud Connector is used to integrate any on-premise application with IAG (GRC application, S/4 ERP or any ECC application).

- Cloud Connector
  o Serves as the link between on-demand applications in SAP BTP and existing on-premise systems (IAG running on BTP, SAP Data Intelligence connecting to S/4 or GRC).
  o It runs as an on-premise agent in the secure network and acts as a reverse-invoke proxy between the on-premise network and BTP.
  o It can be installed on Windows, Linux and macOS.
  o It creates a secure tunnel for the connections and exposes only the limited, required resources to the cloud.

SAP IAG Integration with GRC:

Steps:
1. Add the BTP subaccount in the Cloud Connector. This creates the connection between the subaccount and the Cloud Connector.
2. Add the ABAP (GRC backend) system in the Cloud Connector using RFC or any other available option. This creates a connection between the backend and the Cloud Connector.
3. Add the ABAP system resources that need to be used (OData services) in IAG.
4. Create an RFC user (system user); IAG will use this user to access the backend.
5. Create a destination in the BTP subaccount.
Then you can add the application in IAG (ABAP systems).
Below is the screenshot of the destination configuration in IAG (not reproduced).
Path and steps:
Prerequisites for the BTP IAG to GRC connection.
1. Access the subaccount where IAG is subscribed:
Navigate to Connectivity >> Cloud Connector
Add Subaccount

[Screenshot: Add Subaccount form. Fields: Region (same as the subaccount region), Subaccount (copy from the subaccount), Display Name (name of the connector), Email ID of a user with proper authorization, Location ID.]

Once saved, we can see the Cloud Connector created in IAG.

2. Add the ABAP system in the connection we have created.

Log in to the backend ABAP system.
Execute transaction code SMICM and get the system details such as the host name.
Navigate to the IAG Integration with GRC on BTP and select the Cloud to On-Premise option, as our target system is an on-premise system, and click on Add System.
Select the protocol; we can choose either HTTPS or RFC.
Give the port number and host; you can also use a virtual host to mask or hide the actual details.
Check in the Cloud Connector if you can see the ABAP system added.

3. Add resources to the system

Under the Cloud to On-Premise option where we have added the ABAP system, add resources.

[Screenshot: Add Resources dialog. Click to add resources, give the path of the OData directory on the ABAP system, and save.]

Check in BTP if the resources are visible; the status should be green.

4. Create an RFC user in the ABAP system with user type System

The user must be assigned the required authorizations in the ABAP system to communicate with BTP.
5. Add a destination in BTP
Under the subaccount we have the option to create a destination.
Click on Add New Destination.
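As an added example (not part of the original notes, and not an SAP tool), the following check ties steps 1 to 5 together: it takes a constructed Cloud Connector state (Location ID, the virtual host of the ABAP system, the exposed OData resource paths) and a constructed destination definition, and reports any mismatch before the destination is used from IAG. The property names follow the fields seen in the BTP destination editor; all host names, IDs and users are made up.

```python
from urllib.parse import urlparse
from typing import Dict, List

# Constructed Cloud Connector state, mirroring steps 1 to 3: the subaccount's
# Location ID, one ABAP system reachable only via a virtual host, and the
# resource paths (OData directory) exposed for it. All values are made up.
CLOUD_CONNECTOR = {
    "location_id": "CC-GRC-PRD",
    "systems": {
        ("grcvirtual", 44300): {"protocol": "HTTPS", "resources": ["/sap/opu/odata/"]},
    },
}

# Constructed destination, mirroring step 5. Property names follow the BTP
# destination editor; the values are made up.
DESTINATION = {
    "Name": "GRC_ODATA",
    "Type": "HTTP",
    "URL": "https://grcvirtual:44300/sap/opu/odata/",
    "ProxyType": "OnPremise",
    "Authentication": "BasicAuthentication",
    "User": "IAG_RFC",            # the system user from step 4
    "CloudConnectorLocationId": "CC-GRC-PRD",
}

def check_destination(dest: Dict[str, str], cc: dict) -> List[str]:
    """Return a list of findings; an empty list means the destination is consistent."""
    findings = []
    if dest.get("ProxyType") != "OnPremise":
        findings.append("ProxyType must be OnPremise to route via the Cloud Connector")
    if dest.get("CloudConnectorLocationId", "") != cc["location_id"]:
        findings.append("CloudConnectorLocationId does not match the connector's Location ID")
    url = urlparse(dest.get("URL", ""))
    port = url.port or (443 if url.scheme == "https" else 80)
    system = cc["systems"].get((url.hostname, port))
    if system is None:
        # Only virtual hosts mapped in the Cloud Connector are reachable from BTP.
        findings.append(f"{url.hostname}:{port} is not a virtual host mapped in the Cloud Connector")
    elif not any(url.path.startswith(prefix) for prefix in system["resources"]):
        findings.append(f"path {url.path} is not an exposed resource")
    if dest.get("Authentication") in (None, "NoAuthentication"):
        findings.append("destination carries no credentials for the backend")
    return findings

if __name__ == "__main__":
    print(check_destination(DESTINATION, CLOUD_CONNECTOR))
```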

Responsibility of the IAG Consultant

Use case to explain this:
The client is new on BTP and wants an app to be developed on BTP. The client wants to secure the BTP landscape using Cloud Identity Services. They also have SAP IAG in scope for access control for the different solutions running on BTP.
- Design the BTP account landscape for developing an application.
- Set up the security aspects (SSO, MFA) for developers.
- Deploy the developed app in BTP Cloud Foundry.
- Design the account model for business applications on BTP and subscribe to them.
- Design the account model for SAP IAG and understand the end-to-end configuration so that IAG can perform access control for the application subscribed in the last step.
Security work in this:
- Set up trust between the Identity Provider and the subaccount.
- Onboard users in the IdP.
- Set up MFA.
- Set up further things as per requirements.

How to subscribe to services as per the requirements:

SAP offers various free as well as paid services to be deployed in a BTP account.

Make sure to choose the deployment model as per the client's requirements.

In the above case, separate subaccounts for DEV, QAS and Production is the best-suited approach.

We create separate subaccounts for DEV/QAS/PROD:

  Subaccount DEV | Subaccount QAS | Subaccount PROD

Add services as per need from the Service Marketplace:

In this case we have:
- Subscribed to SAP Build Work Zone for app development
- Created an instance of the runtime for the Connectivity service and the Destination service
- Created a Cloud Foundry environment

1. Subscriptions: These are service plans that you subscribe to, which define the costs and benefits for a given service. Subscriptions are typically managed at the global account level and distributed to directories and subaccounts. Examples include services like SAP Web IDE or SAP Business Application Studio.
2. Instances: These are specific service instances that you create within your environment. An instance represents a particular deployment of a service, such as a database or a connectivity service. Instances provide specific functionalities and are managed through APIs rather than a UI.
3. Environments: These are the platforms where you develop and run your applications. SAP BTP offers different environments like Cloud Foundry, ABAP, Kyma, and Neo (though Neo is being phased out). Each environment supports different runtimes, programming languages, and services.

In summary:
- Subscriptions are service plans you subscribe to.
- Instances are specific deployments of services.
- Environments are the platforms where you develop and run your applications.

SAP CPI

Cloud Platform Integration. It is the iPaaS solution from SAP.

iPaaS stands for Integration Platform as a Service.
It offers robust integration, is highly scalable, and works with all businesses.

SAP Intelligent Cloud


Learning Resources:
1. SAP BTP Services YouTube Playlist: SAP BTP Services | SAP BTP Training |...
2. BTP Admin YouTube Playlist: SAP BTP Admin Training | SAP BTP Admi...
3. BTP Security YouTube Playlist (IAS, IPS, IAG): SAP BTP Security Training | SAP IAS |...
4. SAP IAG YouTube Playlist: SAP IAG Integration with GRC Training...
5. BTP Development YouTube Playlist (CAP, RAP, Extension): SAP BTP Development Training | BTP De...
6. BTP Integration YouTube Playlist (CPI, API-M and Event Mesh): SAP Integration Suite Training | SAP ...
7. BTP Build Suite YouTube Playlist (BPA, BW and BA): SAP BTP Build Suite | BTP BPA | BTP B...
8. BTP DevOps YouTube Playlist: BTP DevOps | BTP CI/CD | SAP Cloud Tr...
9. BTP Data & Analytics (SAC BI, Planning, Datasphere): SAP Analytics Cloud Training (SAC) | ...
10. SAP Digital Manufacturing Cloud: SAP Digital Manufacturing Cloud Train...
11. SAP Cloud Learning Bytes for 32 Topics: https://www.linkedin.com/posts/avinas...
