Understanding SAP Business Technology Platform service offering
SAP Business Technology Platform (SAP BTP for short) gives you access to a wide range of services (around 90 at the time).
Your business can leverage them when extending or integrating other solutions. Very soon, you will realize that there are differences between some services and others, and you’ll wonder why is that. You will turn to the documentation: Entitlements and Quotas – SAP Help Portal, only to find that little is said about this. While we work on these docs, I wanted to share my thoughts so that you can learn about those differences.
The three offerings: environments, subscriptions and instances
These three words explain the three different services offered in SAP Business Technology Platform:
Environments constitute the actual platform-as-a-service offering of SAP BTP that allows for the development and administration of business applications. Environments are anchored in SAP BTP on subaccount level.
Read more in SAP BTP: Environments – SAP Help Portal
Subscription based services
You will also see these ones called software as a service (SaaS), or multitenant applications. The experience here is that you subscribe to the service, and in return you receive a URL, from which you can access that service. Opening the URL brings you to a web application from which you can leverage the service. This is how other SaaS like SuccessFactors or S/4HANA Cloud work as well.
Instance based services
These are the purest services. They provide a specific functionality, like databases, connectivity, authentication…. You connect your application to them to leverage that functionality. These services don’t provide a UI to manage them. Instead, they rely on API to connect to applications and other services and provide their services.
Another important concept when using services in SAP Business Technology Platform are the plans. Each service is offered through one or more service plans. A service plan represents a specific functionality of the service. Plans are also used to offer free-tier versions of the services.
- SAP HANA Cloud service offers two functionalities: the in-memory database and the data lake, these are two different service plans. On top of that, SAP HANA Cloud has a free-tier offering, so there are two additional plans available: free-tier in-memory and free-tier data lake.
- Another, very usual, case is SAP Integration Suite. This service offers subscription plans (free-tier, standard and digital edition) which are different versions of the core service, and an instance plan (messages) that gives API access.
💡 You will find the same pattern in many services. The same service offers a subscription plan (for human access through a UI), and an instance plan (for machines access through API’s).
Provisioning services: subaccount level and environment level
Subscription services and instance services can be provisioned in different ways: from the SAP Business Technology Platform Cockpit, using the btp cli, or using cf cli. In SAP BTP Cockpit, you can manage subscriptions and instances from the same place, although the services will live in different places.
Let’s take a look at the details.
A quick mention on environments. You enable environments at a subaccount level. Inside a subaccount, you can:
- Have no environment enabled
- Have one environment enabled (Cloud Foundry or Kyma)
- Have more than one environment enabled (Cloud Foundry and Kyma)
ABAP is special, and you enable ABAP inside Cloud Foundry.
They are also enabled at a subaccount level, and are independent of the environments. You don’t need to have Cloud Foundry enabled to subscribe to SAP Launchpad Service, for example.
They are provisioned inside an environment, so they are environment specific.
Each environment has its own organization (for users and applications): In Cloud Foundry, instances are created inside a space. For Kyma, instances are created inside a namespace.
Access and permissions: Role collections
This is a whole topic on its own. The documentation (User and Member Management – SAP Help Portal) only talks about roles and role collections regarding default roles from the platform (the ones making you a global account admin, a subaccount admin).
A nice overview on the concepts of roles and role collections was done by Philip Mugglestone in the SAP HANA Academy and is available here: BTP Onboarding: Security – YouTube (the first 5:35 minutes are the overview, then he shows how roles work deploying a small app).
Here I will focus on how each service works in terms of access.
Both Cloud Foundry and Kyma, when enabled, will have their own permissions:
- Cloud Foundry will create an organization and admins can create spaces. Admins give users read or write access to the organization and the spaces, according to the job they need to do. Read more about Cloud Foundry roles at About Roles in the Cloud Foundry Environment – SAP Help Portal.
- Kyma, in a similar way, has a cluster and admins can create namespace. Permissions work in a very similar way. See Assign Roles in the Kyma Environment – SAP Help Portal
The user that enabled the environment will become an admin (org-manager in Cloud Foundry, cluster-admin for Kyma). This user can add other users and give permissions to them.
Once subscribed to a service, users are given permission at a subaccount level (by subaccount admins). All subscription services expose roles in the subaccount, and some already provide role collections (if not, you have to create them). Users assigned to the role collections will then be able to access the subscription.
They exist at a space (or namespace) level in an environment. Users with access to that space (or namespace) will be able to interact with them. Service instances are accessed through API’s. Service keys are used to provide a secure connection to those API’s. Anyone with those credentials will be able to communicate with the service instance, hence using the service.
Service entitlements: quotas and shared units
There are two ways services are entitled:
- quota assignments: You assign a quota number (1, 2, 3,…) to a subaccount. This determines the maximum usage or number of instances that the subaccount can use.
- shared units: You allow the subaccount to use the given service.
Going back to our different services, we have:
They are entitled via quota assignments. Cloud Foundry is measured in GB of memory, Kyma uses compute units.
They use the shared unit method. You allow subaccounts to subscribe to a service (they can only subscribe once per subaccount).
Free services like Destinations, HTML5 App Repository and Connectivity use the shared units approach. They are generally assigned automatically to every subaccount, and you don’t have to worry about these.
Paid services, like Document Information Extraction, use quota assignments to control how many instances can exist in a subaccount.
Cost management: Restricting usage and monitoring the cost
Services are measured in a different ways (number of users, transactions, messages…), making it difficult to limit usage beforehand. You don’t want users locked out from Launchpad because you only provisioned 50 users, or make integrations fail because the maximum number of messages was reached in the middle of the month.
The strategy to keep costs under control in a consumption based product is a mix of good governance (subaccount and service ownership, subaccount and service provisioning, role management), and usage monitoring (reports, automatic notifications). For all types of services, you can monitor the usage from the SAP Business Technology Platform Usage Analytics in the cockpit, and via Resource Consumption API’s.
You give environment entitlements to subaccounts using quotas, so you can establish limits on how much Cloud Foundry, ABAP or Kyma resources a subaccount or directory uses. A Cloud Foundry organization won’t be able to use more memory that it is entitled to.
These services are charged by usage (users, transactions…).
You can limit the usage of certain services that are charged per users (SAP Business Application Studio), as we saw that to access them, users need to be permissioned in the first place, but those services are usually not very critical.
Same as before, these are charged by usage.
This has been an attempt to answer some common questions from customers using SAP Business Technology Platform. The information here might not be 100% complete, and things change fast, but hopefully, I made this topic a bit more clear.