sap-btp-best-practices
SAP BTP Best Practices
Related Skills
- sap-btp-cloud-platform: Use for technical implementation details, CLI commands, and runtime configurations
- sap-btp-connectivity: Use for connectivity patterns, destination configuration, and Cloud Connector setup
- sap-btp-service-manager: Use for service lifecycle management and programmatic service operations
- sap-btp-developer-guide: Use for development workflows, CAP integration, and application patterns
- sap-cap-capire: Use when designing CAP applications on BTP or implementing multitenancy
- sap-fiori-tools: Use for UI deployment strategies and frontend application guidelines
Production-ready SAP BTP implementation guidance based on official SAP documentation.
Quick Links:
- Official Guide: https://github.com/SAP-docs/btp-best-practices-guide
- SAP Help Portal: https://help.sap.com/docs/btp/btp-administrators-guide
Platform Fundamentals
Account Hierarchy
Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount
Key Points:
- Global account = contract with SAP (one per commercial model)
- Directory = groups subaccounts (max 7 levels deep)
- Subaccount = deployed in specific region, enables runtimes
- Use labels for virtual grouping (Dev/Test/Prod, cost centers)
Environments
| Environment | Use Case | Key Features |
|---|---|---|
| Cloud Foundry | Polyglot apps | Multiple buildpacks, spaces |
| Kyma | Cloud-native K8s | Open-source, namespaces |
| ABAP | ABAP extensions | RAP, cloud-ready ABAP |
| Neo | Legacy | Migrate away - HTML5, Java, HANA XS |
Commercial Models
- Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
- Subscription-Based: Fixed-cost for known service needs
Best Practice: Start with consumption-based, move to subscription for stable workloads.
Account Model Setup
Simple Model (3 subaccounts)
Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount
Best for: Initial implementations, single team, <3 projects
Directory Model (scalable)
Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services
Best for: Multiple teams, cost allocation, complex governance
Naming Conventions
| Entity | Convention | Example |
|---|---|---|
| Subaccount | Natural language | "HR Development" |
| Subdomain | Lowercase, hyphens | |
| CF Org | Company prefix | |
| CF Space | Consistent across stages | |
Tip: Derive CF org/Kyma names from subaccount names for consistency.
Security and Authentication
Identity Provider Setup
Always use SAP Cloud Identity Services - Identity Authentication
Corporate IdP → Identity Authentication (proxy) → SAP BTP
Critical Steps:
- Add multiple administrators (different time zones)
- Enable MFA for all admins
- Configure security alerts
- Set up backup admins in SAP ID Service
Authorization Methods
| Method | Best For | Notes |
|---|---|---|
| Provisioning | Production, many users | Centralized roles, automated offboarding |
| Federation | Simple scenarios | Real-time sync, but doesn't scale well |
| Manual | Testing only | Quick setup, not production-ready |
Destination Authentication
Recommended:
- PrincipalPropagation - SAP on-premise systems
- OAuth2SAMLBearerAssertion - Third-party systems
- OAuth2JWTBearer - User token exchange
Avoid in Production:
- BasicAuthentication
- OAuth2Password
See: references/security-and-authentication.md for complete guidance
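One way to check destination definitions against the recommended and avoid lists above, as an added example that is not part of the original skill or of SAP's documentation. The severity labels, the function names and the sample destinations are assumptions; Name, Authentication and ProxyType are SAP destination property names.

```python
# Added example: audit destination property maps against the guidance above.
# Severity labels and the sample data are assumptions made for illustration.

RECOMMENDED = {"PrincipalPropagation", "OAuth2SAMLBearerAssertion", "OAuth2JWTBearer"}
AVOID_IN_PROD = {"BasicAuthentication", "OAuth2Password"}
SEVERITY_ORDER = {"HIGH": 0, "REVIEW": 1, "INFO": 2}


def audit_destination(dest, production=True):
    """Return (severity, name, message) findings for one destination."""
    name = dest.get("Name", "<unnamed>")
    auth = dest.get("Authentication", "NoAuthentication")
    proxy = dest.get("ProxyType", "Internet")
    findings = []
    if auth in AVOID_IN_PROD:
        # The page scopes the "avoid" list to production, so only note it elsewhere.
        severity = "HIGH" if production else "INFO"
        findings.append((severity, name, f"{auth} is on the avoid-in-production list"))
    elif auth not in RECOMMENDED:
        findings.append(("REVIEW", name, f"{auth} is not a recommended type"))
    if auth == "PrincipalPropagation" and proxy != "OnPremise":
        # The page pairs PrincipalPropagation with on-premise systems behind Cloud Connector.
        findings.append(("HIGH", name, "PrincipalPropagation without ProxyType=OnPremise"))
    return findings


def audit(destinations, production=True):
    """Audit a list of destinations; most severe findings first, then by name."""
    findings = [f for d in destinations for f in audit_destination(d, production)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


# Constructed sample destinations (hypothetical names, no real systems).
SAMPLE = [
    {"Name": "erp-onprem", "ProxyType": "OnPremise", "Authentication": "PrincipalPropagation"},
    {"Name": "crm-legacy", "ProxyType": "Internet", "Authentication": "BasicAuthentication"},
    {"Name": "partner-api", "ProxyType": "Internet", "Authentication": "OAuth2SAMLBearerAssertion"},
    {"Name": "hr-token", "ProxyType": "Internet", "Authentication": "OAuth2Password"},
    {"Name": "misrouted", "ProxyType": "Internet", "Authentication": "PrincipalPropagation"},
    {"Name": "open-feed", "ProxyType": "Internet"},
]

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"{severity:6} {name:12} {message}")
```

Running the audit with `production=False` downgrades the two password-based destinations to INFO, which suits a Dev or Test subaccount where they may be tolerated temporarily.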
Connectivity
Remote System Access
- Internet Services: Destinations with authentication
- On-Premise Systems: Destinations + Cloud Connector
Cloud Connector
- Lightweight on-premise agent
- Secure tunnel to SAP BTP (no inbound ports)
- Fine-grained access control
- Supports RFC and HTTP protocols
- Enables principal propagation
Note: Each subaccount needs separate Cloud Connector config.
Governance and Teams
Required Teams
Platform Engineering Team (Center of Excellence):
- Manages cloud landscape infrastructure
- Handles account operations, build infrastructure
- Creates governance and compliance guidelines
- Does NOT manage individual application lifecycles
Cloud Development Teams:
- Follow DevOps (develop AND operate)
- Responsible for application lifecycle
- Regular maintenance (e.g., UI updates every 6 months)
Essential Documentation
- Onboarding Doc: Organization, app IDs, timeline, tech stack
- Security Doc: Data sensitivity, policies, auth framework
- Services Catalog: Templates for destinations, builds, schemas
Development
Programming Models
SAP CAP (Cloud Application Programming Model):
- Framework with languages, libraries, tools
- Supports Java, JavaScript, TypeScript
- Enterprise-grade services and data models
ABAP Cloud:
- Modern ABAP for cloud-ready apps
- RAP (RESTful ABAP Programming Model)
- Extensions for ABAP-based products
Development Lifecycle
- Explore: Business opportunity, team roles
- Discover: Use cases, technology options
- Design: UX design, domain-driven design
- Deliver: Landscape setup, development
- Run and Scale: Feedback, optimization
AI Development
SAP BTP provides AI capabilities through SAP AI Core for:
- Generative AI (LLMs, RAG)
- Narrow AI (classical ML)
Key Resources:
- Repository: SAP-samples/sap-btp-ai-best-practices
- Documentation: https://btp-ai-bp.docs.sap/
Best Practices:
- Use service keys for secure authentication
- Implement PII data masking
- Build RAG with SAP HANA Cloud Vector Engine
- Configure content filtering
- Monitor model drift
Use Cases: 20+ samples including chatbots, PDF extraction, procurement.
See: references/ai-development-best-practices.md for patterns and examples
Deployment and Delivery
Deployment Methods
Cloud Foundry/Neo:
- Package as MTA archive
- Deploy via: BTP Cockpit, CF CLI, Business Application Studio
Kyma:
- Docker images (Dockerfile or Cloud Native Buildpacks)
- Helm charts for production
- Deploy via SAP Continuous Integration and Delivery
CI/CD Approaches
SAP Continuous Integration and Delivery:
- Low expertise required
- Ready-to-use infrastructure
- Direct SAP support
Project "Piper":
- High expertise required
- Jenkins-based
- Open-source community support
Best Practice: Combine CI/CD with SAP Cloud Transport Management for governance + agility.
See: references/deployment-and-delivery.md for detailed configs
High Availability and Failover
Multi-Region Architecture
Custom Domain URL
│
Load Balancer
├── Region 1 (active)
└── Region 2 (passive/active)
Failover Implementation
Four Core Principles:
- Deploy in Two Regions: Near users and backend systems
- Keep Synced: CI/CD pipeline or Cloud Transport Management
- Define Detection: Monitor 5xx errors, timeouts
- Plan Failback: Visual differentiation, user-driven
Legal: Check cross-region data processing restrictions.
See: references/failover-and-resilience.md for implementation details
Operations and Monitoring
Go-Live Checklist
- Deploy to production
- Set go-live timeframe (avoid quarter-end)
- Embed in SAP Fiori Launchpad
- Provision business users
- Configure role collections
Monitoring Tools
SAP Cloud ALM (Enterprise Support):
- Real User Monitoring
- Health Monitoring
- Integration and Exception Monitoring
- Job Automation Monitoring
SAP Cloud Logging:
- Observability across CF, Kyma, Kubernetes
SAP Alert Notification:
- Multi-channel notifications (email, chat, ticketing)
Cost Management
Best Practices
- Check Costs and Usage monthly
- Provide minimal required entitlements
- Use labels for cost allocation
- Set up automated alerts (Usage Data Management + Alert Notification)
Contract Strategies
- Consolidate subscriptions in one global account
- Use hybrid accounts for mixed workloads
- Note: Consumption credits non-transferable between global accounts
Bundled Resources
This skill provides comprehensive reference documentation:
Account & Governance
- references/account-models.md (11K lines)
  - Detailed account structure patterns
  - Naming conventions and examples
  - Cost allocation strategies
- references/governance-and-teams.md (13K lines)
  - Platform Engineering team structure
  - Onboarding processes
  - Documentation templates
Security & Connectivity
- references/security-and-authentication.md (13K lines)
  - Complete auth methods comparison
  - Destination configuration
  - Kyma RBAC manifests
  - Identity lifecycle management
Deployment & Operations
- references/deployment-and-delivery.md (10K lines)
  - MTA descriptor templates
  - CI/CD pipeline configs
  - Transport management setup
- references/operations-and-monitoring.md (11K lines)
  - Go-live procedures
  - Monitoring setup guides
  - Troubleshooting checklists
High Availability
- references/failover-and-resilience.md (12K lines)
  - Multi-region architecture
  - Load balancer configurations
  - Failover automation scripts
Templates & Examples
- references/templates-and-examples.md (18K lines)
  - Complete code templates
  - Kubernetes RBAC manifests
  - MTA descriptors
  - Helm charts
  - CI/CD configs
AI Development
- references/ai-development-best-practices.md (6K lines)
  - Generative AI patterns
  - RAG implementation
  - 20+ use cases catalog
Progress Tracking
- Implementation status
- Coverage details
- Validation checklists
Administration Tools
| Tool | Use Case |
|---|---|
| SAP BTP Cockpit | GUI for all admin tasks |
| btp CLI | Terminal/automation scripting |
| REST APIs | Programmatic administration |
| Terraform Provider | Infrastructure as Code |
| SAP Automation Pilot | Low-code/no-code automation |
Shared Responsibility Model
SAP Manages:
- Platform software updates/patches
- Infrastructure and OS monitoring
- BTP service monitoring
- Capacity management and incidents
- Global account provisioning
- HANA database operations
- Kyma kyma-system namespace
You Manage:
- Global account strategy and subaccount config
- Application development, deployment, security
- Role assignments and integrations
- Application monitoring and health checks
- Open source vulnerability scanning
- Triggering HANA revision updates
Last Updated: 2025-11-27
Review Progress: See SAP_SKILLS_REVIEW_PROGRESS.md
Next Review: 2026-02-27 (quarterly)