sap-btp-best-practices
SAP BTP Best Practices provides production-ready implementation guidance for SAP Business Technology Platform, covering account hierarchy, security, connectivity, governance, development, deployment, and operations. Use this skill to learn recommended patterns for setting up global accounts and subaccounts, implementing authentication and authorization, managing team access, deploying applications to Cloud Foundry or Kyma, configuring high availability, monitoring systems, and optimizing costs aligned with official SAP documentation.
```
git clone --depth 1 https://github.com/secondsky/sap-skills /tmp/sap-btp-best-practices && cp -r /tmp/sap-btp-best-practices/plugins/sap-btp-best-practices/skills/sap-btp-best-practices ~/.claude/skills/sap-btp-best-practices
```
SKILL.md
# SAP BTP Best Practices
## Related Skills
- **sap-btp-cloud-platform**: Use for technical implementation details, CLI commands, and runtime configurations
- **sap-btp-connectivity**: Use for connectivity patterns, destination configuration, and Cloud Connector setup
- **sap-btp-service-manager**: Use for service lifecycle management and programmatic service operations
- **sap-btp-developer-guide**: Use for development workflows, CAP integration, and application patterns
- **sap-cap-capire**: Use when designing CAP applications on BTP or implementing multitenancy
- **sap-ai-core**: Use for AI Core platform setup, model deployment, and orchestration configuration
- **sap-cloud-sdk-ai**: Use for SDK-level AI integration in CAP or standalone BTP applications
- **sap-fiori-tools**: Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
**Quick Links**:
- **Official Guide**: [https://github.com/SAP-docs/btp-best-practices-guide](https://github.com/SAP-docs/btp-best-practices-guide)
- **SAP Help Portal**: [https://help.sap.com/docs/btp/btp-administrators-guide](https://help.sap.com/docs/btp/btp-administrators-guide)
---
## Table of Contents
1. [Platform Fundamentals](#platform-fundamentals)
2. [Account Model Setup](#account-model-setup)
3. [Security and Authentication](#security-and-authentication)
4. [Connectivity](#connectivity)
5. [Governance and Teams](#governance-and-teams)
6. [Development](#development)
7. [AI Development](#ai-development)
8. [Deployment and Delivery](#deployment-and-delivery)
9. [High Availability and Failover](#high-availability-and-failover)
10. [Operations and Monitoring](#operations-and-monitoring)
11. [Cost Management](#cost-management)
12. [Bundled Resources](#bundled-resources)
---
## Platform Fundamentals
### Account Hierarchy
```
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│ └── Subaccount (region-specific, apps run here)
│ ├── Cloud Foundry Org → Spaces
│ └── Kyma Cluster → Namespaces
└── Subaccount
```
**Key Points**:
- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)
### Environments
| Environment | Use Case | Key Features |
|-------------|----------|--------------|
| **Cloud Foundry** | Polyglot apps | Multiple buildpacks, spaces |
| **Kyma** | Cloud-native K8s | Open-source, namespaces |
| **ABAP** | ABAP extensions | RAP, cloud-ready ABAP |
| **Neo** | Legacy | **Migrate away** - HTML5, Java, HANA XS |
### Commercial Models
- **Consumption-Based** (BTPEA/CPEA): Flexible access, best for pilots
- **Subscription-Based**: Fixed-cost for known service needs
**Best Practice**: Start with consumption-based, move to subscription for stable workloads.
---
## Account Model Setup
### Simple Model (3 subaccounts)
```
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
```
Best for: Initial implementations, single team, <3 projects
### Directory Model (scalable)
```
Global Account
├── Directory: HR
│ ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│ ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
├── api-management
└── shared-services
```
Best for: Multiple teams, cost allocation, complex governance
### Naming Conventions
| Entity | Convention | Example |
|--------|------------|---------|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | `hr-dev-acme` |
| CF Org | Company prefix | `acme-hr-dev` |
| CF Space | Consistent across stages | `hr-recruiting` |
**Tip**: Derive CF org/Kyma names from subaccount names for consistency.
---
## Security and Authentication
### Identity Provider Setup
**Always use SAP Cloud Identity Services - Identity Authentication**
```
Corporate IdP → Identity Authentication (proxy) → SAP BTP
```
**Critical Steps**:
1. Add multiple administrators (different time zones)
2. Enable MFA for all admins
3. Configure security alerts
4. Set up backup admins in SAP ID Service
### Authorization Methods
| Method | Best For | Notes |
|--------|----------|-------|
| **Provisioning** | Production, many users | Centralized roles, automated offboarding |
| **Federation** | Simple scenarios | Real-time sync, but doesn't scale well |
| **Manual** | Testing only | Quick setup, not production-ready |
### Destination Authentication
**Recommended**:
- `PrincipalPropagation` - SAP on-premise systems
- `OAuth2SAMLBearerAssertion` - Third-party systems
- `OAuth2JWTBearer` - User token exchange
**Avoid in Production**:
- `BasicAuthentication`
- `OAuth2Password`
**See**: `references/security-and-authentication.md` for complete guidance
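The two lists above can be enforced as a pre-release check over a landscape's destinations. The following is an added example, not part of the skill or of SAP's tooling; the input layout (one property dict per destination) and all destination names are assumptions constructed for illustration.

```python
import json

# Authentication values copied from the page's two lists.
RECOMMENDED = {"PrincipalPropagation", "OAuth2SAMLBearerAssertion", "OAuth2JWTBearer"}
AVOID_IN_PROD = {"BasicAuthentication", "OAuth2Password"}

# Constructed sample input (names and layout are assumptions for this example).
SAMPLE_DESTINATIONS = json.loads("""
[
  {"Name": "s4-onprem", "ProxyType": "OnPremise", "Authentication": "PrincipalPropagation"},
  {"Name": "legacy-erp", "ProxyType": "OnPremise", "Authentication": "BasicAuthentication"},
  {"Name": "partner-api", "ProxyType": "Internet", "Authentication": "OAuth2SAMLBearerAssertion"},
  {"Name": "crm-token", "ProxyType": "Internet", "Authentication": "OAuth2Password"},
  {"Name": "public-feed", "ProxyType": "Internet", "Authentication": "NoAuthentication"},
  {"Name": "broken-entry", "ProxyType": "Internet"}
]
""")


def classify(dest):
    """Return (status, reason) for one destination's property dict."""
    auth = dest.get("Authentication")
    if not auth:
        return "REVIEW", "no Authentication property set"
    if auth in AVOID_IN_PROD:
        return "FAIL", f"{auth} is on the avoid-in-production list"
    if auth in RECOMMENDED:
        return "PASS", f"{auth} is on the recommended list"
    # Anything else is not covered by either list; a human decides.
    return "REVIEW", f"{auth} is on neither list"


def audit(destinations, production=True):
    """Map destination name -> (status, reason); FAIL applies to production only."""
    report = {}
    for dest in destinations:
        status, reason = classify(dest)
        if status == "FAIL" and not production:
            status = "WARN"  # the page restricts these methods in production
        report[dest.get("Name", "<unnamed>")] = (status, reason)
    return report


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_DESTINATIONS).items():
        print(f"{status:6} {name:14} {reason}")
```

Run it with `production=False` for dev and test subaccounts so the same findings surface as warnings instead of blocking.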
---
## Connectivity
### Remote System Access
- **Internet Services**: Destinations with authentication
- **On-Premise Systems**: Destinations + Cloud Connector
### Cloud Connector
- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation
**Note**: Each subaccount needs separate Cloud Connector config.
---
## Governance and Teams
### Required Teams
**Platform Engineering Team (Center of Excellence)**:
- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- **Does NOT** manage individual application lifecycles
**Cloud Development Teams**:
- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)
### Essential Documentation
1. **Onboarding Doc**: Organization, app IDs, timeline, tech stack
2. **Security Doc**: Data sensitivity, policies, auth framework
3. **Services Catalog**: Templates for destinations,