Preface

13

The Structure of This Book

14

1 Introduction to SAP Business Technology Platform

17

1.1 Positioning

18

1.1.1 SAP Extension Suite: Developing and Extending Cloud Solutions

22

1.1.2 SAP Integration Suite: Cloud Solutions and On-Premise Systems

25

1.2 Environments

27

1.2.1 SAP BTP, Neo Environment

29

1.2.2 SAP BTP, Cloud Foundry Environment

31

1.2.3 Environment Selection

34

1.3 Architecture

35

1.3.1 Global Accounts

36

1.3.2 Subaccounts

42

1.3.3 Organizations

47

1.3.4 Spaces

49

1.4 Summary

51

2 SAP Business Technology Platform Security at a Glance

53

2.1 Secure Communication

53

2.1.1 Basics of Secure Communication

54

2.1.2 SAP Destination Service

55

2.1.3 Certificate Handling in Destinations

59

2.2 Authentication

62

2.2.1 Identity Providers for SAP BTP

63

2.2.2 Lightweight Directory Access Protocol

72

2.3 Authorizations

75

2.4 SAP Cloud Identity Services

77

2.4.1 Identity Authentication

77

2.4.2 Identity Provisioning

108

2.5 SAP Cloud Identity Access Governance

115

2.6 Checklist for General Security

116

2.7 Summary

117

3 Configuring Security and Authorizations in the Neo Environment

119

3.1 Setting Up the Command Line for SAP BTP, Neo Environment

120

3.2 User Management

123

3.3 Trust Configuration

129

3.3.1 Setting Up the Local Service Provider

130

3.3.2 Setting Up the Platform Identity Provider

131

3.3.3 Setting Up the Application Identity Provider

134

3.4 Authorization Management

139

3.4.1 Creating and Managing Roles

139

3.4.2 Creating and Managing User Groups

152

3.5 Checklist for Security and Permissions in SAP BTP, Neo Environment

155

3.6 Real-World Examples of User and Authorization Management

155

3.6.1 Two-Factor Authentication of Subaccount Admins Using the Platform Identity Provider

156

3.6.2 Authenticating SAP Web IDE Users via Microsoft Azure AD

162

3.7 Summary

175

4 Configuring Security and Authorizations in the Cloud Foundry Environment

177

4.1 Setting Up the Command Line for SAP BTP, Cloud Foundry Environment

178

4.2 User Management

181

4.3 Trust Configuration

183

4.3.1 Setting Up the SAP ID Service

184

4.3.2 Setting Up a Platform Identity Provider

184

4.3.3 Setting Up Third-Party Identity Providers

185

4.4 Authorization Management

187

4.4.1 Creating and Managing Roles

187

4.4.2 Maintaining Composite Roles

191

4.4.3 Composite Role Mapping

196

4.4.4 Reporting in the Authorization Environment

198

4.5 Checklist for Security and Permissions in SAP BTP, Cloud Foundry Environment

199

4.6 Real-World Examples of User and Permission Management

201

4.6.1 Activation and Secure Configuration of the SAP Launchpad Service

201

4.6.2 Two-Factor Authentication of Users via Microsoft Azure AD

208

4.7 Summary

218

5 Secure Cloud Connector Configuration

219

5.1 Architecture

220

5.2 Installing and Configuring the Cloud Connector

223

5.2.1 Download and Installation

223

5.2.2 Initial Configuration

225

5.2.3 Connection to SAP BTP

228

5.2.4 Further Recommendations for Secure Configuration

231

5.2.5 Monitoring

232

5.3 Authentication Methods

234

5.4 Cloud-to-On-Premise Connections

236

5.4.1 Security Precautions

236

5.4.2 Setting Up the Connection

239

5.4.3 Configuring Access Control

244

5.4.4 Enabling the SAP Connectivity Service

249

5.5 Setting Up the SAP Destination Service

251

5.5.1 Creating Destinations in SAP BTP, Neo Environment

252

5.5.2 Creating Destinations in SAP BTP, Cloud Foundry Environment

254

5.6 Checklist for Cloud Connector Configuration

255

5.7 Real-World Examples of Secure Cloud Connector Configuration

256

5.7.1 Connecting an On-Premise Git Server to SAP BTP, Neo Environment

256

5.7.2 Connecting SAP BTP, Cloud Foundry Environment to an SAP S/4HANA System

262

5.7.3 LDAP Authentication Configuration

267

5.8 Summary

269

6 Administration Tools

271

6.1 Administering SAP BTP, Neo Environment via the Command Line

271

6.2 Managing Global Accounts via the Command Line

274

6.3 Administration via APIs

276

6.3.1 SAP API Business Hub

277

6.3.2 Audit Log Retrieval via APIs

279

6.3.3 User Management via APIs

286

6.3.4 Permission Management via APIs

290

6.3.5 SAP Cloud Management Service APIs

292

6.4 Checklist for Working with the Command Line and APIs

298

6.5 Real-World Examples of Using the Command Line Securely

299

6.5.1 Using the Command Line to Configure a Custom Domain in SAP BTP, Neo Environment

299

6.5.2 Using the Command Line to Manage SAP BTP

301

6.6 Summary

304

7 Securing Key Cloud Services

305

7.1 SAP Web IDE and SAP Business Application Studio

306

7.1.1 SAP Web IDE

307

7.1.2 SAP Business Application Studio

310

7.2 Cloud Integration

313

7.2.1 Cloud Integration in SAP BTP, Neo Environment

314

7.2.2 Cloud Integration in SAP BTP, Cloud Foundry Environment

318

7.2.3 Roles and Authorizations

323

7.2.4 Security Recommendations

325

7.3 SAP Integration Suite in SAP BTP, Cloud Foundry Environment

326

7.3.1 SAP API Management

326

7.3.2 Roles and Authorizations

328

7.3.3 Securing the Provided APIs and Endpoints

329

7.4 SAP Cloud Portal Service and SAP Launchpad Service

330

7.4.1 SAP Cloud Portal Service in SAP BTP, Neo Environment

330

7.4.2 SAP Launchpad Service in SAP BTP, Cloud Foundry Environment

334

7.5 SAP BTP, ABAP Environment

335

7.5.1 User Administration

337

7.5.2 Access to External Systems

338

7.6 Corporate User Stores

338

7.7 Checklist for Securing Cloud Services

342

7.8 Summary

343