[SAP BTP Onboarding Series] SAP BTP Subaccount Technical Overview
As a developer or an SAP Business Technology Platform consultant, most of your time will be spent on the Subaccount level in the BTP cockpit. The majority of the work you’ll be doing on application development, hosting, or service activation/access is done on the Subaccount level. In this blog, I’m going to briefly explain each of the components for beginners or anyone who would like to understand all the components in subaccounts.
Before I start, I would like to point out that this is a continuation of my previous blog in the BTP Onboarding Series, SAP BTP Cockpit – Global Account Technical Overview.
Within the SAP BTP Subaccount, we have a lot to learn and manage, so to begin, I would like to talk about the overview screen first and then detail each service available under the hamburger menu (Image 4). When you navigate to a subaccount, you should see a screen similar to the one below:
For ease of explanation, I have split the screen into 5 sections:
1. Subaccount overview – this section helps you to identify your subaccount name which is listed with – “Subaccount: XXXXXX – Overview”, the name displayed in the XXXXXX is your subaccount name (in my case the name is “DevSystem”). It also helps you to navigate between the subaccounts that your global administrator granted you access to. Simply click the down arrow button next to the subaccount name to see the list of other accessible subaccounts in your global account.
In the example above, I have created 11 subaccounts at different data center locations.
2. General Tab – the most important details related to your subaccount are listed here. To begin with, you can see the total number of Entitlements (specific services and the quantity) available, and the Instances & Subscriptions activated in this subaccount. I have explained entitlements in detail in my previous blog, so I will not go into details here. Instances relate to the runtime environments activated in your subaccount, and subscriptions are the applications that you have subscribed to. We shall look more into this at a later stage of the blog.
Some of the other details listed in Image 3 can be explained as follows:
Subdomain – The subdomain becomes part of the URL for accessing subscribed applications. This is the same name given by users or systems assigned while creating a Subaccount. Note: while it is possible to change a subaccount name, it is not possible to change the subdomain name. Take this into consideration when naming your subaccounts.
Tenant ID and Subaccount ID: these are used during some of the configurations on application routing, authorization of accounts, etc. The Subaccount ID is also used by the BTP Command Line Interface to authenticate against a specified subaccount.
Created On and Modified On: self-explanatory, these are the date and time (GMT) at which the Subaccount was created and modified.
Provider: this is who is offering the data center for your subaccount to run in. It is the infrastructure as a service (IaaS) and can be either SAP datacenters (for NEO) or one of our IaaS partners (recommended), AWS, Azure, GCP, or Alibaba Cloud. In my example above you can see I’ve selected AWS.
Region: the location of the data center for this subaccount. For a map of providers and region locations please visit the SAP Discovery Center.
Environment: The actual Platform as a Service (PaaS) offering where you complete the development and administration of applications. SAP offers a few environments for you to choose from today, and it is necessary to understand specific service availability in the SAP Discovery Center Service Catalog before making your selection. The Neo environment is an SAP development environment, and if you require this environment you must run it in a standalone subaccount. The other environments offered are Cloud Foundry, Kyma, and ABAP, which can all be run in one subaccount by selecting the Multi-Environment (recommended) option. As you can see in my example, I have created a multi-environment subaccount. For more detailed information on what you can achieve with each environment, see the SAP Help Documentation.
Used for Production: in my case, it’s flagged as No during the subaccount creation as it’s a Dev account. If the flag is yes, it helps customers and the BTP Support team during an incident to identify the accounts easily.
Beta Features: I have enabled it during creation. This allows the subaccount to list all the beta services on your SAP BTP for testing purposes.
3. Cloud Foundry Tab – before I dig more into the cloud foundry tab I would like to mention that this is one of the default environment options that will be made available to all your subaccounts and based on the quota or license type you should be able to enable the cloud foundry services to develop/host your applications.
As BTP follows the multi-cloud environment approach, we also offer the Kyma Environment and the ABAP Environment (which need to be enabled manually with the help of entitlements) along with Cloud Foundry Environment. Organizations are free to pick and choose the environments for development/hosting applications.
In short, the Cloud Foundry environment allows you to create polyglot cloud applications in Cloud Foundry. It contains the SAP BTP, Cloud Foundry runtime service, which is based on the open-source application platform managed by the Cloud Foundry Foundation; Cloud Foundry helps to develop new business applications and business services, supporting multiple runtimes, programming languages, libraries, and services. You can leverage a multitude of build-packs, including community innovations and self-developed build-packs. To help you to get started with SAP Cloud Foundry, I would recommend the following links:
- Fundamentals of the SAP BTP, Cloud Foundry environment
- Cloud Foundry Environment
- Getting Started with an Enterprise Account in the Cloud Foundry Environment
4. Labels – list of labels that were added while creating the subaccount. Labels can be used to categorize and identify entities including directories, subaccounts, instances, and subscriptions in your global account.
5. Entitlements – list of entitlements that are available to your subaccount, which are assigned from the global account level. It is important to emphasize that SAP BTP entitlements are delivered on the global account level and it is the responsibility of the customer, specifically global administrators, to assign or place those services into subaccounts where they can be used for a project. In case of any missing entitlements and services, subaccount users/administrators need to reach out to global admins and request that those services be assigned.
Now let us take a look at the options on the left-hand side. They are the most useful ones: from here you can access services, run, pause, or stop services, make security configurations, set up connectivity to other systems, etc. To make it simple, I have continued the numbering process in the image below.
6. Services –
6.1 Service Marketplace – it provides an option to access all the services that are entitled to your subaccount. Here you can find all the BTP Services, Applications, Environments, All Capabilities such as Extension Suite and Integration Suite, etc., and an option to filter by Active and Inactive services. The screen below shows a small example of the services listed.
You can also find some details here on Service Marketplace.
Note: In case you come here and do not see the service you are seeking is available, please contact your global account administrator to ensure they have assigned the entitlement to the subaccount you are in. You can check how to do this by referencing my other blog which describes the details on entitlements.
6.2 Instances and Subscriptions – as we see, BTP offers multiple services and runtime environments to plan your developments and deployments; Instances and Subscriptions help to get details and perform actions on the service instances which are created in this subaccount. The list of actions changes depending on the environment to which the instance belongs.
Image 6 shows the options to either create services or instances from this page, or you can go back to the service marketplace to pick and choose your services to be created. Documentation can be found in the marketplace for the respective services in the service marketplace and when you follow step 3 on Cloud Foundry to activate the services, they should be listed here and you may click on the three dots at the end of the row. The settings button on the right helps to add or modify the column view in case you want to add or hide the details.
7. HTML5 Applications – this is the central storage repository for HTML5 Applications on SAP BTP, Cloud Foundry. The service can be consumed via SAP BTP Cloud Foundry or by SAP BTP Kyma Runtime. The service also allows developers to manage the lifecycle of the HTML5 applications. At runtime, the service enables the consuming application, typically the application router, to access HTML5 application static content securely and efficiently. In addition, it provides features such as Zero Down-Time Enablement, Versioning and Authorization, Availability, and Performance functionalities.
8.1 Destinations – are used to define connections to your remote systems such as on-prem or in the cloud. They can define connections for outbound communication from your application to remote systems. Every destination you define has a name, a URL, authentication details, proxy type, etc., to establish a secure connection. To get started you can click on New Destination as shown in the image below.
You can also see other options, such as
- Import Destination in cases where you already have destinations created in another system, you can simply export them and try to import them. In case of errors, you would need to modify the values to get them working.
- Certificates helps to manage the Java keystores used by clients or servers for SSL authentication. All the uploaded certificates are listed here, so you can upload or delete certificates, and you can also generate new certificates (supported formats include JKS, PFX, P12, CRT, CER, and DER; please check the required formats).
- Download Trust file contains the subaccount-specific key which can be used to set up principal propagation/user propagation to other remote systems such as cloud to on-prem or cloud to cloud. More information on how to achieve this can be found here.
- Download IDP Metadata file contains the subaccount-specific IDP metadata which can be used to set up trust between systems for the SAML Bearer principal propagation flow. This could be between SAP Subaccounts or third-party applications.
- Renew Trust provides an option to renew the subaccount-specific key that is about to expire. Once renewed, you can download it from Download Trust.
To get started, you can try a small example Create a Destination in the SAP BTP Cockpit exercise.
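Because every destination carries a URL, authentication details, and a proxy type, an exported destination file can be reviewed before it is imported into another subaccount. The following is an added example, not code from the original blog or from SAP. It assumes the export is a properties-style text file with the keys `Name`, `URL`, `ProxyType`, `Authentication`, and `TrustAll` and with `\:` escapes; the destination names and hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample exports (hypothetical names and hosts), using the
# key=value layout with "\:" escapes assumed for exported destinations.
RISKY = r"""#constructed sample
Name=ERP_ORDERS
Type=HTTP
URL=http\://erp.example.com\:8000/sap/opu/odata
ProxyType=Internet
Authentication=BasicAuthentication
TrustAll=true
"""
CLEAN = r"""Name=ERP_ORDERS_V2
Type=HTTP
URL=https\://erp.example.com/sap/opu/odata
ProxyType=Internet
Authentication=OAuth2ClientCredentials
"""

def parse_destination(text):
    """Parse a properties-style destination export into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, _, value = line.partition("=")
        # Undo the properties-file escaping of ':' and '='.
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props

def audit_destination(props):
    """Return review findings for one destination (empty list = none)."""
    findings = []
    scheme = urlsplit(props.get("URL", "")).scheme
    internet = props.get("ProxyType") == "Internet"
    auth = props.get("Authentication", "")
    if scheme == "http" and internet:
        findings.append("plain-http URL on ProxyType=Internet")
        if auth == "BasicAuthentication":
            findings.append("basic credentials would travel without TLS")
    if props.get("TrustAll", "false").lower() == "true":
        findings.append("TrustAll=true: server certificate is not validated")
    if auth == "NoAuthentication":
        findings.append("NoAuthentication: confirm the target is meant to be open")
    return findings

if __name__ == "__main__":
    for name, text in (("RISKY", RISKY), ("CLEAN", CLEAN)):
        print(name, audit_destination(parse_destination(text)))
```

Plain-http URLs are only flagged for the Internet proxy type, since on-prem destinations are reached through the Cloud Connector tunnel described in the next section.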
8.2 Cloud Connectors – any on-prem destinations that are created are listed in this section. This can be achieved by using the Cloud Connector application, which can be installed on Windows, Linux, Mac OS, etc. It helps to create a secure tunnel between your SAP On-Prem systems and SAP BTP. The Cloud Connector application offers multiple options; I would recommend starting with a small blog – Cloud Connector explained in simple terms – and referring to Cloud Connector for the official documentation.
9.1 Users – lists all the people who have access to this subaccount. If you need to create new users with role collections, you can do so in this section, similar to the Global Admin activities.
9.2 Role Collections – You can manage role collections, add roles, and assign users or user groups. It’s possible to create a new role collection from scratch or use a copy of an existing one. In the next step, you can add roles and assign users or user groups. It’s also possible to delete a role collection.
9.3 Roles – Displays all the roles in this subaccount with the name of the application and the role template it is based on. You can also add a new role using an existing role template, configure its attributes, and add it to role collections. You can also edit the role description and delete the role.
9.4 Trust Configurations – in case you decide to use a custom identity provider of your choice apart from the default IDP, you can edit the default active setting to custom and make the required changes to activate the custom provider. More information can be found here.
9.5 Settings – You can make security configurations for the SAP Authorization and Trust Management service on this screen. You can only embed content in your web page if the content shares the same protocol, host, and port as your web page. If the origins don’t match, you must maintain a list of origins that allows for exceptions to the same-origin policy. The same-origin policy also applies to cookies. Trusted Domains lets you add domains that are allowed to embed the login page. Token Validity relates to the access, ID, and refresh tokens that the service issues on request for accessing protected resources. Please ensure you read the Security Considerations in case you want to add some of these functionalities.
10. Entitlements and Usage Analytics – both these options are similar to those in the global account: Entitlements helps to manage the entitlements specific to your current subaccount, and Usage Analytics shows the details of all the services used in your current subaccount.
With this, we believe you have an overall high-level understanding of the BTP Global Account and Subaccount, which can help you to get started. We look forward to your feedback and to hearing about the topics which you would like to hear from us and which are not listed in the SAP Community Blogs or another forum.
BTP Onboarding Team