How to Become an Expert in SAP BTP Security – A Complete Learning Journey
There is no doubt that security is the MOST critical topic for any organization. Nowadays organizations cannot afford to have any security issues in their solutions. Especially in the cloud world, it is extremely important to bridge the gap between development and security.
In my previous blog series Fundamentals of Security in SAP BTP, we learnt how an SAP BTP developer or administrator can onboard themselves on topics related to SAP BTP security.
In this blog, I will provide a complete learning journey to become an expert in SAP BTP security. If you are an SAP BTP developer, architect, administrator, or consultant looking for a complete guided path on how to become an expert in SAP BTP security, this blog is exactly for you.
What are the prerequisites to learn SAP BTP Security?
Before you start learning the security aspects of SAP BTP, you must gain a basic understanding of what SAP BTP is and how to build applications on SAP BTP. If you are completely new to the topic, go through the resources below to learn the basics of SAP BTP.
What is SAP Business Technology Platform (SAP BTP)?
How do I get free access to SAP Business Technology Platform?
Now that you know what SAP BTP is, the next task should be to get a system and explore further.
If you are an SAP partner or customer, you can get started with SAP BTP for free with the Pay-As-You-Go plan. A step-by-step tutorial is also available on how to create an SAP BTP account and use it.
If you are a student or learner, you can get a free SAP BTP trial account. You may also look into other SAP BTP related product trials.
Note: Don’t overload yourself trying to become an SAP BTP expert before learning the security topics. You can learn SAP BTP in parallel while gaining expertise in security.
Step 1: Get your basics right – Learn fundamentals of SAP BTP Security
If a security professional (or a security code scanner) tells you, “Make sure you stop SQL injections!”, and your immediate next thought is, “What the hell is SQL injection?”
Or if you say, “I don’t know OAuth, but I will follow the step-by-step guide to implement it.”
Then be 100% sure that your solution will not be fully secure.
Although the implementation might differ across platforms and languages, there are a few basic concepts which are always the same. Don’t be so focused on implementing security that you skip the basic concepts behind it. Before implementing security, you should learn these concepts. For example:
- What is SAML?
- How does OAuth work?
- How Does Single Sign-On (SSO) Work?
- What is XSUAA?
- Why do we need App Router in SAP BTP?
Go through the materials below to get your basics right!
- Fundamentals of Security in SAP BTP
- What is OAuth and how does it work?
- User and Member Management in SAP BTP – Platform users vs Business users
Once you finish the theory, it would be great to put it into action. Complete a few hands-on exercises to develop a secure application in SAP BTP.
If you want to quickly proceed to the next topics, at least complete the first hands-on exercise from the list below.
- Implement Authentication and Authorization in a Node.js App
- Implement Restrictions and Roles in SAP Cloud Application Programming Model
- Secure Your Java Application on SAP BTP
Step 2: Become Expert in SAP BTP Security
Once you finish the fundamental topics, it’s time to go in-depth into SAP BTP Security. Go through the materials below to become an expert.
SAP Cloud Identity Services
SAP Cloud Identity Authentication service (IAS) and SAP Cloud Identity Provisioning service (IPS) are now part of the product SAP Cloud Identity Services. SAP has combined them under one official product name, but technically they are independent services.
SAP Cloud Identity Authentication service (IAS) enables single sign-on for SAP cloud business applications. It serves in principle two fundamental usage scenarios:
- It can act as an identity provider (IdP) that validates users’ credentials and offers single sign-on for relying parties.
- It can act as a proxy for integration into an already existing single sign-on infrastructure with a corporate IdP.
To know more about it, check SAP Cloud Identity Services – Identity Authentication
SAP Cloud Identity Provisioning service (IPS) enables user data synchronization between different SAP applications. For example: if a company uses SAP SuccessFactors, they would like every new employee created in SAP SuccessFactors to automatically get a user in Identity Authentication, so that they can access SAP S/4HANA Cloud. Many SAP cloud solutions come pre-integrated with this service, and SAP continues to expand this list of applications.
To know more about it, check SAP Cloud Identity Services – Identity Provisioning
SAP Cloud Application Programming Model (CAP)
SAP Cloud Application Programming Model is:
- Not a specific product but a framework: a set of tools, languages, and libraries.
- A combination of SAP’s own technologies, such as SAP Business Application Studio, Core Data Services (CDS) and SAP HANA, with open-source technologies such as Node.js or Java.
- A way to efficiently and rapidly build enterprise services and business applications in a full-stack development approach.
CAP offers out-of-the-box support for security implementations. It does not require you to manually code authorization checks, while still giving you the flexibility to design them your way.
If you are developing a full-stack enterprise application on SAP BTP, SAP highly recommends using CAP.
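As an added illustration of what “out-of-the-box” authorization in CAP looks like (example model, not code from the blog or from the CAP project), the service definition below declares who may call it and who may read or change each entity; CAP enforces these annotations at runtime without handler code. The service, entity, role and action names (`CatalogService`, `Books`, `Viewer`, `Admin`, `recalculateStock`) are assumed for the example.

```cds
// Added example: declarative authorization in a CAP service definition.
// Names are illustrative; db.Books is assumed to include the `managed`
// aspect so that the createdBy field exists.
using { my.bookshop as db } from '../db/schema';

// Nobody reaches any endpoint of this service without a valid token.
service CatalogService @(requires: 'authenticated-user') {

  // Viewers may read; Admins may write, but only the rows they created.
  @restrict: [
    { grant: 'READ',  to: 'Viewer' },
    { grant: 'WRITE', to: 'Admin', where: 'createdBy = $user' }
  ]
  entity Books as projection on db.Books;

  // Role-gated action: only Admins can trigger it.
  @requires: 'Admin'
  action recalculateStock();
}
```

The roles referenced in `to:` and `@requires` are not defined in the model itself: on SAP BTP they map to scopes in the application’s `xs-security.json`, which XSUAA turns into role templates and role collections that an administrator assigns to users. A request whose token lacks the matching scope is rejected by CAP before any custom handler runs.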
To know more about it, check the materials below:
SAP Credential Store
SAP Credential Store service provides a repository for passwords, keys and keyrings for applications that are running on SAP BTP.
It enables the applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and TLS communication. SAP Credential Store is exposed to the applications via a REST API.
To know more about SAP Credential Store, check the materials below:
SAP Custom Domain Service
SAP Custom Domain service allows subaccount owners to make their SAP BTP applications accessible via a custom domain that is different from the default one (hana.ondemand.com) – for example www.myshop.com.
To know more about it, check the materials below:
SAP Custom Domain Service – help page
SAP Custom Domain Service – Discovery Center
Step 3: Stay Updated on SAP BTP Security
SAP BTP is an evolving technology. Once you become an expert in SAP BTP security, it is a good idea to stay updated on the latest changes and innovations. Once in a while, you may look into the resources below to stay current.
Join the community for SAP security products and solutions. Here you can also find expert content such as blogs, how-to guides and much more on SAP BTP Security topics.
Subscribe to the SAP newsletter to stay informed about the latest news on SAP’s portfolio of security products and upcoming events.
I hope this blog has helped you to design your learning journey for SAP BTP Security. If you have any questions, or if you think I have missed any important topic, please let me know in the comments.
If you have any queries, let me know in the comments or get in touch with me on LinkedIn!
If you are looking for an end-to-end guide on SAP BTP and its core capabilities, you may look into SAP’s free learning content on SAP BTP. It is made for both integration designers and extension developers at all levels of expertise and will help you stay up to date with the latest SAP BTP innovations.
Well Explained. Thank you Raja.
Tushar Maheshwari thanks! Glad it helped.
Great information. Thanks.
What about user roles?... I understand IAS can provide central Authentication and SSO. But what about Authorizations?
To use your example, a new user in SuccessFactors can SSO into BTP. But what are they going to see when they log into BTP? What tiles will be available to them in BTP's Launchpad Services?
How does BTP provide users with role-based content if the user roles are in the end-applications (like SuccessFactors, Ariba, Concur)?
Hi Ramin Shafai,
First of all, a very interesting way to put the question, using the edited image.
Thanks Raja. I have much reading to do 🙂
In addition to SAP Cloud Identity Services - Identity Provisioning service, please be aware that SAP also proposes the cloud solution SAP Cloud Identity Access Governance, which integrates with SAP on-premise and cloud applications and proposes additional features: user access request form, approval workflow and automated provisioning for application roles, access risk analysis (segregation of duties), business role management and privileged access management.
Please find here the currently supported integration scenarios.
SAP Cloud Identity Access Governance proposes a standard integration scenario with SAP SuccessFactors to be able to govern role assignment across multiple applications to users based on the employee's assignment to a position in SuccessFactors:
Thanks for the information Vincent.