sap-btp-best-practices

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SAP BTP Best Practices

SAP BTP 最佳实践

Related Skills

Platform Fundamentals

平台基础

Account Hierarchy

账户层级

Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount

Key Points:

Global account = contract with SAP (one per commercial model)
Directory = groups subaccounts (max 7 levels deep)
Subaccount = deployed in specific region, enables runtimes
Use labels for virtual grouping (Dev/Test/Prod, cost centers)

Global Account (SAP contract)
├── Directory (optional, up to 7 levels)
│   └── Subaccount (region-specific, apps run here)
│       ├── Cloud Foundry Org → Spaces
│       └── Kyma Cluster → Namespaces
└── Subaccount

核心要点:

全局账户 = 与SAP签订的合同（每种商业模式对应一个）
目录 = 对子账户进行分组（最多支持7级嵌套）
子账户 = 部署在特定区域，提供运行时环境
使用标签进行虚拟分组（如开发/测试/生产、成本中心）

Environments

环境

Environment	Use Case	Key Features
Cloud Foundry	Polyglot apps	Multiple buildpacks, spaces
Kyma	Cloud-native K8s	Open-source, namespaces
ABAP	ABAP extensions	RAP, cloud-ready ABAP
Neo	Legacy	Migrate away - HTML5, Java, HANA XS

环境	适用场景	核心特性
Cloud Foundry	多语言应用	多类构建包、空间隔离
Kyma	云原生K8s应用	开源、命名空间隔离
ABAP	ABAP扩展开发	RAP、云原生ABAP
Neo	遗留系统	建议迁移 - 支持HTML5、Java、HANA XS

Commercial Models

商业模式

Consumption-Based (BTPEA/CPEA): Flexible access, best for pilots
Subscription-Based: Fixed-cost for known service needs

Best Practice: Start with consumption-based, move to subscription for stable workloads.

基于用量计费（BTPEA/CPEA）：灵活访问，适合试点项目
订阅式计费：固定成本，适用于服务需求明确的场景

最佳实践：先采用基于用量计费模式，待工作负载稳定后切换为订阅式计费。

Account Model Setup

账户模型搭建

Simple Model (3 subaccounts)

简单模型（3个子账户）

Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount

Best for: Initial implementations, single team, <3 projects

Global Account
├── Dev Subaccount
├── Test Subaccount
└── Prod Subaccount

适用场景：初始实施、单一团队、项目数量<3个

Directory Model (scalable)

目录模型（可扩展）

Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services

Best for: Multiple teams, cost allocation, complex governance

Global Account
├── Directory: HR
│   ├── hr-dev / hr-test / hr-prod
├── Directory: Sales
│   ├── sales-dev / sales-test / sales-prod
└── Directory: Central IT
    ├── api-management
    └── shared-services

适用场景：多团队协作、成本分摊、复杂治理需求

Naming Conventions

命名规范

Entity	Convention	Example
Subaccount	Natural language	"HR Development"
Subdomain	Lowercase, hyphens	`hr-dev-acme`
CF Org	Company prefix	`acme-hr-dev`
CF Space	Consistent across stages	`hr-recruiting`

Tip: Derive CF org/Kyma names from subaccount names for consistency.

实体	规范	示例
子账户	自然语言	"HR开发环境"
子域名	小写字母、连字符分隔	`hr-dev-acme`
CF组织	带公司前缀	`acme-hr-dev`
CF空间	各阶段命名保持一致	`hr-recruiting`

提示：从子账户名称衍生CF组织/Kyma命名，确保一致性。

Security and Authentication

安全与身份认证

Identity Provider Setup

身份提供商设置

Always use SAP Cloud Identity Services - Identity Authentication

Corporate IdP → Identity Authentication (proxy) → SAP BTP

Critical Steps:

Add multiple administrators (different time zones)
Enable MFA for all admins
Configure security alerts
Set up backup admins in SAP ID Service

始终使用SAP Cloud Identity Services - Identity Authentication

企业IdP → Identity Authentication（代理）→ SAP BTP

关键步骤:

添加多名管理员（覆盖不同时区）
为所有管理员启用MFA（多因素认证）
配置安全告警
在SAP ID Service中设置备用管理员

Authorization Methods

授权方式

Method	Best For	Notes
Provisioning	Production, many users	Centralized roles, automated offboarding
Federation	Simple scenarios	Real-time sync, but doesn't scale well
Manual	Testing only	Quick setup, not production-ready

方式	适用场景	说明
自动配置	生产环境、用户数量多	集中式角色管理、自动化离职处理
联邦认证	简单场景	实时同步，但扩展性不佳
手动配置	仅用于测试	快速搭建，不适合生产环境

Destination Authentication

目标系统身份认证

Recommended:

```
PrincipalPropagation
```
- SAP on-premise systems
```
OAuth2SAMLBearerAssertion
```
- Third-party systems
```
OAuth2JWTBearer
```
- User token exchange

Avoid in Production:

```
BasicAuthentication
```
```
OAuth2Password
```

See:

references/security-and-authentication.md

for complete guidance

推荐方案:

```
PrincipalPropagation
```
- SAP本地系统
```
OAuth2SAMLBearerAssertion
```
- 第三方系统
```
OAuth2JWTBearer
```
- 用户令牌交换

生产环境避免使用:

```
BasicAuthentication
```
```
OAuth2Password
```

参考：完整指南请查看

references/security-and-authentication.md

Connectivity

连接性

Remote System Access

远程系统访问

Internet Services: Destinations with authentication
On-Premise Systems: Destinations + Cloud Connector

互联网服务: 带身份认证的目标配置
本地系统: 目标配置 + Cloud Connector

Cloud Connector

Lightweight on-premise agent
Secure tunnel to SAP BTP (no inbound ports)
Fine-grained access control
Supports RFC and HTTP protocols
Enables principal propagation

Note: Each subaccount needs separate Cloud Connector config.

轻量级本地代理
与SAP BTP建立安全隧道（无需开放入站端口）
细粒度访问控制
支持RFC和HTTP协议
支持主体传播

注意：每个子账户需要独立配置Cloud Connector。

Governance and Teams

治理与团队

Required Teams

必备团队

Platform Engineering Team (Center of Excellence):

Manages cloud landscape infrastructure
Handles account operations, build infrastructure
Creates governance and compliance guidelines
Does NOT manage individual application lifecycles

Cloud Development Teams:

Follow DevOps (develop AND operate)
Responsible for application lifecycle
Regular maintenance (e.g., UI updates every 6 months)

平台工程团队（卓越中心）:

管理云架构基础设施
负责账户操作、构建基础设施
制定治理与合规准则
不负责单个应用的生命周期管理

云开发团队:

遵循DevOps模式（开发+运维）
负责应用全生命周期
定期维护（如每6个月更新UI）

Essential Documentation

核心文档

Onboarding Doc: Organization, app IDs, timeline, tech stack
Security Doc: Data sensitivity, policies, auth framework
Services Catalog: Templates for destinations, builds, schemas

入职文档: 组织架构、应用ID、时间线、技术栈
安全文档: 数据敏感度、政策、认证框架
服务目录: 目标配置、构建、 schema的模板

Development

开发

Programming Models

编程模型

SAP CAP (Cloud Application Programming Model):

Framework with languages, libraries, tools
Supports Java, JavaScript, TypeScript
Enterprise-grade services and data models

ABAP Cloud:

Modern ABAP for cloud-ready apps
RAP (RESTful ABAP Programming Model)
Extensions for ABAP-based products

SAP CAP（云应用编程模型）:

包含语言、库、工具的框架
支持Java、JavaScript、TypeScript
企业级服务与数据模型

ABAP Cloud:

适用于云原生应用的现代ABAP
RAP（RESTful ABAP编程模型）
基于ABAP产品的扩展开发

Development Lifecycle

开发生命周期

Explore: Business opportunity, team roles
Discover: Use cases, technology options
Design: UX design, domain-driven design
Deliver: Landscape setup, development
Run and Scale: Feedback, optimization

探索: 业务机会、团队角色
调研: 用例、技术选型
设计: UX设计、领域驱动设计
交付: 架构搭建、开发实现
运行与扩展: 反馈收集、优化迭代

AI Development

AI开发

SAP BTP provides AI capabilities through SAP AI Core for:

Generative AI (LLMs, RAG)
Narrow AI (classical ML)

Key Resources:

Repository: SAP-samples/sap-btp-ai-best-practices
Documentation: https://btp-ai-bp.docs.sap/

Best Practices:

Use service keys for secure authentication
Implement PII data masking
Build RAG with SAP HANA Cloud Vector Engine
Configure content filtering
Monitor model drift

Use Cases: 20+ samples including chatbots, PDF extraction, procurement.

See:

references/ai-development-best-practices.md

for patterns and examples

SAP BTP通过SAP AI Core提供AI能力，支持：

生成式AI（大语言模型、RAG）
窄AI（传统机器学习）

核心资源:

代码仓库: SAP-samples/sap-btp-ai-best-practices
文档: https://btp-ai-bp.docs.sap/

最佳实践:

使用服务密钥进行安全认证
实现PII数据掩码
基于SAP HANA Cloud向量引擎构建RAG
配置内容过滤
监控模型漂移

适用场景: 20+个示例，包括聊天机器人、PDF提取、采购等。

参考：模式与示例请查看

references/ai-development-best-practices.md

Deployment and Delivery

部署与交付

Deployment Methods

部署方式

Cloud Foundry/Neo:

Package as MTA archive
Deploy via: BTP Cockpit, CF CLI, Business Application Studio

Kyma:

Docker images (Dockerfile or Cloud Native Buildpacks)
Helm charts for production
Deploy via SAP Continuous Integration and Delivery

Cloud Foundry/Neo:

打包为MTA归档文件
部署方式：BTP控制台、CF CLI、Business Application Studio

Kyma:

Docker镜像（Dockerfile或云原生构建包）
生产环境使用Helm Chart
通过SAP Continuous Integration and Delivery部署

CI/CD Approaches

CI/CD方案

SAP Continuous Integration and Delivery:

Low expertise required
Ready-to-use infrastructure
Direct SAP support

Project "Piper":

High expertise required
Jenkins-based
Open-source community support

Best Practice: Combine CI/CD with SAP Cloud Transport Management for governance + agility.

See:

references/deployment-and-delivery.md

for detailed configs

SAP Continuous Integration and Delivery:

所需专业技能门槛低
现成可用的基础设施
SAP官方直接支持

Project "Piper":

所需专业技能门槛高
基于Jenkins
开源社区支持

最佳实践：将CI/CD与SAP Cloud Transport Management结合，兼顾治理与敏捷性。

参考：详细配置请查看

references/deployment-and-delivery.md

High Availability and Failover

高可用与故障转移

Multi-Region Architecture

多区域架构

Custom Domain URL
       │
    Load Balancer
       ├── Region 1 (active)
       └── Region 2 (passive/active)

自定义域名URL
       │
    负载均衡器
       ├── 区域1（活跃）
       └── 区域2（备用/活跃）

Failover Implementation

故障转移实施

Four Core Principles:

Deploy in Two Regions: Near users and backend systems
Keep Synced: CI/CD pipeline or Cloud Transport Management
Define Detection: Monitor 5xx errors, timeouts
Plan Failback: Visual differentiation, user-driven

Legal: Check cross-region data processing restrictions.

See:

references/failover-and-resilience.md

for implementation details

四大核心原则:

部署在两个区域: 靠近用户与后端系统
保持同步: 通过CI/CD流水线或Cloud Transport Management
定义检测机制: 监控5xx错误、超时情况
规划故障回退: 可视化区分、用户驱动

合规注意：检查跨区域数据处理限制。

参考：实施细节请查看

references/failover-and-resilience.md

Operations and Monitoring

运维与监控

Go-Live Checklist

上线检查清单

Deploy to production
Set go-live timeframe (avoid quarter-end)
Embed in SAP Fiori Launchpad
Provision business users
Configure role collections

部署到生产环境
设定上线时间窗口（避免季末）
嵌入到SAP Fiori Launchpad
为业务用户分配权限
配置角色集合

Monitoring Tools

监控工具

SAP Cloud ALM (Enterprise Support):

Real User Monitoring
Health Monitoring
Integration and Exception Monitoring
Job Automation Monitoring

SAP Cloud Logging:

Observability across CF, Kyma, Kubernetes

SAP Alert Notification:

Multi-channel notifications (email, chat, ticketing)

SAP Cloud ALM（企业支持）:

真实用户监控
健康状态监控
集成与异常监控
作业自动化监控

SAP Cloud Logging:

跨CF、Kyma、Kubernetes的可观测性

SAP Alert Notification:

多渠道通知（邮件、聊天、工单系统）

Cost Management

成本管理

Best Practices

最佳实践

Check Costs and Usage monthly
Provide minimal required entitlements
Use labels for cost allocation
Set up automated alerts (Usage Data Management + Alert Notification)

每月查看成本与用量报告
仅分配最小必要的权限
使用标签进行成本分摊
设置自动化告警（用量数据管理 + 告警通知）

Contract Strategies

合同策略

Consolidate subscriptions in one global account
Use hybrid accounts for mixed workloads
Note: Consumption credits non-transferable between global accounts

将订阅集中到单个全局账户
混合工作负载使用混合账户
注意：用量额度无法在全局账户间转移

Bundled Resources

整合资源

This skill provides comprehensive reference documentation:

本技能提供全面的参考文档：

Account & Governance

账户与治理

references/account-models.md
(11K lines)
- Detailed account structure patterns
- Naming conventions and examples
- Cost allocation strategies
references/governance-and-teams.md
(13K lines)
- Platform Engineering team structure
- Onboarding processes
- Documentation templates

references/account-models.md
（11000行）
- 详细的账户结构模式
- 命名规范与示例
- 成本分摊策略
references/governance-and-teams.md
（13000行）
- 平台工程团队架构
- 入职流程
- 文档模板

Security & Connectivity

安全与连接性

references/security-and-authentication.md
(13K lines)
- Complete auth methods comparison
- Destination configuration
- Kyma RBAC manifests
- Identity lifecycle management

references/security-and-authentication.md
（13000行）
- 完整的授权方式对比
- 目标系统配置
- Kyma RBAC清单
- 身份生命周期管理

Deployment & Operations

部署与运维

references/deployment-and-delivery.md
(10K lines)
- MTA descriptor templates
- CI/CD pipeline configs
- Transport management setup
references/operations-and-monitoring.md
(11K lines)
- Go-live procedures
- Monitoring setup guides
- Troubleshooting checklists

references/deployment-and-delivery.md
（10000行）
- MTA描述符模板
- CI/CD流水线配置
- 传输管理设置
references/operations-and-monitoring.md
（11000行）
- 上线流程
- 监控设置指南
- 故障排查清单

High Availability

高可用

references/failover-and-resilience.md
(12K lines)
- Multi-region architecture
- Load balancer configurations
- Failover automation scripts

references/failover-and-resilience.md
（12000行）
- 多区域架构
- 负载均衡配置
- 故障转移自动化脚本

Templates & Examples

模板与示例

references/templates-and-examples.md
(18K lines)
- Complete code templates
- Kubernetes RBAC manifests
- MTA descriptors
- Helm charts
- CI/CD configs

references/templates-and-examples.md
（18000行）
- 完整代码模板
- Kubernetes RBAC清单
- MTA描述符
- Helm Chart
- CI/CD配置

AI Development

AI开发

references/ai-development-best-practices.md
(6K lines)
- Generative AI patterns
- RAG implementation
- 20+ use cases catalog

references/ai-development-best-practices.md
（6000行）
- 生成式AI模式
- RAG实现方案
- 20+个用例目录

Progress Tracking

进度跟踪

Implementation status
- Coverage details
- Validation checklists

实施状态
- 覆盖范围详情
- 验证检查清单

Administration Tools

管理工具

Tool	Use Case
SAP BTP Cockpit	GUI for all admin tasks
btp CLI	Terminal/automation scripting
REST APIs	Programmatic administration
Terraform Provider	Infrastructure as Code
SAP Automation Pilot	Low-code/no-code automation

工具	适用场景
SAP BTP Cockpit	所有管理任务的GUI界面
btp CLI	终端/自动化脚本
REST APIs	程序化管理
Terraform Provider	基础设施即代码
SAP Automation Pilot	低代码/无代码自动化

Shared Responsibility Model

责任共享模型

SAP Manages:

Platform software updates/patches
Infrastructure and OS monitoring
BTP service monitoring
Capacity management and incidents
Global account provisioning
HANA database operations
Kyma
```
kyma-system
```
namespace

You Manage:

Global account strategy and subaccount config
Application development, deployment, security
Role assignments and integrations
Application monitoring and health checks
Open source vulnerability scanning
Triggering HANA revision updates

Last Updated: 2025-11-27 Review Progress: See SAP_SKILLS_REVIEW_PROGRESS.md Next Review: 2026-02-27 (quarterly)

SAP负责:

平台软件更新/补丁
基础设施与操作系统监控
BTP服务监控
容量管理与事件处理
全局账户配置
HANA数据库操作
Kyma
```
kyma-system
```
命名空间

您负责:

全局账户策略与子账户配置
应用开发、部署与安全
角色分配与集成
应用监控与健康检查
开源漏洞扫描
触发HANA版本更新

最后更新: 2025-11-27 审核进度: 请查看SAP_SKILLS_REVIEW_PROGRESS.md 下一次审核: 2026-02-27（每季度一次）

sap-btp-best-practices

Original

Translation

SAP BTP Best Practices

SAP BTP 最佳实践

Related Skills

相关技能

Table of Contents

目录

Platform Fundamentals

平台基础

Account Hierarchy

账户层级

Environments

环境

Commercial Models

商业模式

Account Model Setup

账户模型搭建

Simple Model (3 subaccounts)

简单模型（3个子账户）

Directory Model (scalable)

目录模型（可扩展）

Naming Conventions

命名规范

Security and Authentication

安全与身份认证

Identity Provider Setup

身份提供商设置

Authorization Methods

授权方式

Destination Authentication

目标系统身份认证

Connectivity

连接性

Remote System Access

远程系统访问

Cloud Connector

Cloud Connector

Governance and Teams

治理与团队

Required Teams

必备团队

Essential Documentation

核心文档

Development

开发

Programming Models

编程模型

Development Lifecycle

开发生命周期

AI Development

AI开发

Deployment and Delivery

部署与交付

Deployment Methods

部署方式

CI/CD Approaches

CI/CD方案

High Availability and Failover

高可用与故障转移

Multi-Region Architecture

多区域架构

Failover Implementation

故障转移实施

Operations and Monitoring

运维与监控

Go-Live Checklist

上线检查清单

Monitoring Tools

监控工具

Cost Management

成本管理

Best Practices

最佳实践

Contract Strategies

合同策略

Bundled Resources

整合资源

Account & Governance