Often times there are lot of questions like whether SAP Cloud Platform trial account can be used for SuccessFactors extension development or should we always use extension account paired with SuccessFactors instance or any standalone account without any pairing can be used for development of SuccessFactors extensions on SAP Cloud Platform . This blog will help you to understand the difference between various account types, pros and cons of using one account type over the other and mostly the concepts of accounts in context of SAP Cloud Platform and SuccessFactors extensions development.
So let’s try to understand basics of an account and various terminologies used in the context of SAP SuccessFactors extension on SAP Cloud Platform. Mostly importantly the concepts of Global account , sub-accounts and how they are linked will help you to design system landscape model that fits your business needs. For example, if you want to set up different environments for development, testing, and productive usage, you can create a subaccount for each of these scenarios in your global account.
It is very important to consider landscape design which ultimately decides on how you manage security (authentication and authorization), member management, data management, data migration and lifecycle management, integration, and so on, when you plan your landscape and overall architecture before even you start with any development.
SAP Cloud Platform account is the container of your artifacts in the cloud and accounts are completely isolated.You can choose between two types of global accounts, enterprise and trial, that determine pricing, conditions of use, resources, services available, and hosts.
An enterprise account is usually associated with one SAP customer or partner and is typically subject to charges. It groups together different subaccounts that an administrator makes available to users for deploying applications.
A trial account allows you to try out SAP Cloud Platform without incurring a fee, but its usage is restricted with regard to available resources and services.
It depends on your use case whether you choose a free trial account or a paid enterprise account. You may want to start out with an SAP Cloud Platform trial account that also gives you access to our community, including free technical resources such as tutorials and blogs. If you plan to use your global account in productive mode, you must purchase a paid enterprise account. It is important that you are aware of these differences when you are planning and setting up your account model.
Each account holds
* Resources that can be consumed by apps
* Users allowed to work in the account
* Applications deployed and running in the account
* Data written by apps running in the account
* Configuration for apps running in the account
* Each account is assigned to a data center.
Global Accounts and Subaccounts
Global account is like a logical shell account that you will receive when you sign-up for productive SAP Cloud Platform account. All metrics like quota and resources, or amount of Java Compute Units, even billing, is done at the global account level. You can’t really run any applications , trust connection directly at the global account level. Global account is an enterprise account which is usually associated with one SAP customer or partner and is typically subject to charges.
Global accounts can contain one or more subaccounts that allow you to deploy applications, use services, and manage subscriptions on SAP Cloud Platform. Subaccount is where you will be deploying application, do configuration , enable required services , manage subscriptions and enable security settings. Administrators can assign the available quotas to the different subaccounts and move it between subaccounts that belong to the same global account.
Each subaccount is associated with a particular region, which is the physical location where applications, data, or services are hosted. The region assigned to your subaccount doesn’t have to be directly related to your location. You could be located in the United States, for example, but operate your subaccount in Europe. For more information, see Regions and Hosts.
Now extension account is also a subaccount but in the context of SuccessFactors extensions this subaccount is actually the account that gets created as result of technical on-boarding which pairs both SAP Cloud extension account with SuccessFactors instance.
Through the configuration of the extension package for SuccessFactors, a new SAP Cloud Platform extension account is created and linked to the corresponding SAP SuccessFactors company instance. Existing SAP Cloud Platform accounts are not touched, instead this new dedicated Extension Account is created. The above picture depicts how an extension account is paired with SAP SuccessFactors instance.
To initiate the automated configuration of the SAP Cloud Platform extension package for SAP SuccessFactors, the SAP SuccessFactors administrators with Provisioning access need an integration token. The integration token determines the SAP Cloud Platform users who will be initially authorized to deploy and administer the extension applications in the SAP Cloud Platform extension subaccount created during the automated configuration. The token also determines the SAP Cloud Platform region and the global account from which the respective resources will be consumed.
For more information, see Installing and Configuring Extension Applications Automatically.
After the automated configuration has finished, following configuration steps are enabled:
- An SAP Cloud Platform subaccount “extension account” with portal service name and SAP Web IDE subscriptions created.
You have the SAP SuccessFactors connectivity configured.
You have the security settings for the extension package configured. During the automated configuration the system generates a key pair and a service provider certificate identifying SAP Cloud Platform as a service provider and configures the SAP Cloud Platform trust settings.
You have the Extensions Administrators group and the Extensions Admin permission role created in SAP SuccessFactors.
Changes the role provider for the portal service to the SAP SuccessFactors role provider
You have the extension management page configured in SAP SuccessFactors.
- extension service is subscribed to extension account
However, keep in mind that the newly created SAP Cloud Platform account has no resources assigned. Once you have performed the automated configuration, you assign the quota to the newly created account depending on the purchased and available in your customer Cloud Platform environment.
After you have performed the configuration, you can continue with the installation and configuration of your extension applications.
What is difference between extension account and a regular subaccount ?
Extension account is also a type of subaccount but gets created as result of technical onboarding triggered by SFSF provisioning. Subaccounts are totally isolated from each other and at least automatic onboarding process never copies any enabled service from other subaccounts.
Some of the characteristics of the extension account are: –
- Extension account is paired with SFSF instance
- Trust configuration is created by default with that of SucessFactors IDP
- By default, only portal service and WEB IDE is enabled. Other required services needs to be enabled manually.
- Extension service is subscribed on extension account .
- Extension account is new account created as result of technical on-boarding process.
- Visibly you can see the such accounts marked as “EXTENSION” in the cockpit under the global account.
Any sub-account which is not created as result of the automated configuration procedure of extension package for SuccessFactors can be termed as subaccount which means there is no pre-defined pairing of SAP Cloud Platform account and SuccessFactors instance.
Such subaccounts will not be able take advantage of benefits that extension package for SuccessFactors has to offer to manage adminstration , lifecyle management and security etc. More ever you have to manually do do IDP configuration and can’t take advantage of SuccessFactors RBP permissions for extension applications.
A subscription means that there is a contract between an application provider and a tenant who authorizes the tenant to use the provider’s application.
if customer wants to adopt an application developed by a Partners, then usually it follows the provider-consumer deployment model. With this model, the application is deployed and running in the Partner environment and customer account is simply subscribed.
In case of multi tenant application you will have two accounts, one acting as provider account where extension application resides, consumes resources of provider account and runs within the provider account and other is consumer account which basically subscribes to the provider application.Deployment and operation of the application are done by the provider account.
Which Account to use during development of SuccessFactors extensions ?
For quick demo’s or POC’s, you can use trial account to build some extension application. Remember you have to define destination on SAP Cloud Platform trial to consume OData API’s from SucessFactors instance. But keep in mind, you will not be able to take advantage of all features that extension package for SuccessFactors has to offer and trial account has limitation on certain resource and services. You can’t use trial account for deploying production apps or to subscribe partner apps.
Refer extension account section below to understand value add extension account brings to manage Administration & Lifecycle Management,Security & Connectivity and User Interface Integration.
Stand alone Subaccount
In the context of SuccessFactors, any sub-account which is not created as result of the automated configuration procedure of extension package for SuccessFactors can be termed as standalone subaccount which means there is no pre-defined pairing of SAP Cloud Platform account and SuccessFactors instance.You can build extension application on such stand alone subaccounts by creating destination at account level which defines connectivity to consume OData API’s from SuccessFactors.
With such subaccounts will not be able take advantage of benefits that extension package for SuccessFactors has to offer to manage adminstration , lifecyle management and security etc. which means lot of configuration, lifecycle management tasks needs to be managed manually before and after extension application development.
Since an extension account comes with predefined pairing of SAP Cloud Platform account with SuccessFactors as result of technical on-boarding configuration, You can straightway jump start with the installation and configuration of your extension applications development without going through manual steps.
Here are some of the benefits of using extension account:-
Administration & Lifecycle Management
- Automated Technical On-Boarding – connect your cloud solution to your SAP Cloud Platform instance with a click of a button
- Development services for building extensions that are tightly connected and integrated to SuccessFactors by using all the authentication and authorization capabilities of the SAP SAP SuccessFactors
- Solution Deployment, Subscription, and Monitoring
Security & Connectivity
- API Authentication Support from Line of Business to and from SAP Cloud Platform
- Principal Propagation from SAP Cloud Platform to and from Line of Business
- SAML 2.0 Single Sign On
- Delegated Authorization Checks
User Interface Integration
- Harmonized end-user experience across the standard SuccessFactors modules and the new platform extensions.
- User Interface embedding into Line of Business portal
- User Interface rebranding making an extension all look like it belongs
User access to Accounts
User accounts enable users to log on to SAP Cloud Platform and access subaccounts and use services according to the permissions given to them.
There are two types of users on SAP Cloud Platform: platform and business. Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services. Business users are those who use the applications that are deployed to SAP Cloud Platform.
A user account corresponds to a particular user in the SAP ID service and consists, for example, of a user ID and password. You can also integrate your own identity management systems to manage business users . However, managing platform users using your own SAP Cloud Platform Identity Authentication Service tenant is possible only in the Neo environment. For more information, see Platform Identity Provider.
A user account can be assigned to one or more global accounts, subaccounts. As a user, you can view a list of all global accounts, subaccounts, and access them using the cockpit. A user with administrative permissions can create subaccounts , add users to subaccounts and assign roles to users for the subaccount.
Note:- In case of extension account, IDP of extension account is configured with that of SuccessFactors.