SAP Business Technology Platform Security
This is a community for learning, sharing, and getting help with the security services and features in SAP Business Technology Platform (SAP BTP) and their functional capabilities. Share your stories, connect with experts, and stay up to date on the latest developments.
The Authorization Management service is a pivotal component within SAP Cloud Identity Services, providing a unified platform for managing authorizations across applications based on the SAP BTP and also the administration console of SAP Cloud Identity Services itself. Administrators can configure and assign policies through a centralized console, enhancing the efficiency and consistency of policy application across different services and users.
Missed SAP TechEd 2024? Watch the recordings of our virtual sessions to find out more about the security services available with SAP Business Technology Platform and get a concise summary of the most important security features and strategies.
This new blog post series aims to provide technical guidance on how to plan and implement IAM with SAP Cloud Identity Services and Microsoft Entra. In the first part, explore the implementation of a workflow-based access management solution for SAP Business Technology Platform with Microsoft Entra ID Governance.
Explore how identity and access management (IAM) software from SAP supports building successful system integrations in cloud and hybrid environments. With SAP Cloud Identity Services and well-established IAM-related industry standards, SAP improves system integration and helps provide a seamless user experience while also improving security and compliance.
Check out our new IAM reference architectures now available in SAP Discovery Center. They describe the authentication and identity lifecycle flows for SAP applications via SAP Cloud Identity Services, and how the different authorization technologies within the SAP portfolio can be used from a central point for the identity lifecycle.
In a large landscape, changing the root certificates that are the anchor of trust for TLS-protected communication requires some preparation to ensure that everybody can continue to communicate securely and without disruption. With the new BTP Trust Store, we want to help you avoid outages by providing information about changes in the trust anchors of SAP BTP early.
With the new Authorization Management service, administrators can assign access based on policies centrally within SAP Cloud Identity Services. An access policy allows a user to perform certain actions on a resource, subject to restricting rules. These rules can be adapted by administrators so that policies fit company requirements before being assigned to users.
Check out our new security recommendations for SAP BTP services, helping you to secure the configuration and operation of these services in your landscape. A new hands-on guide is now available where you will learn more about the security recommendations and how to implement them.
USER ACCESS & PERMISSIONS
SAP Cloud Identity Services
SAP Cloud Identity Services are our central solution for managing authentication, single sign-on, and the identity lifecycle. They improve system integration, provide a seamless user experience, and enhance security and compliance.
SAP Cloud Identity Services consist of the following services:
- Identity Authentication
- Identity Provisioning
- Identity Directory
- Authorization Management
SAP Cloud Identity Services topic page
SAP Authorization and Trust Management Service
The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications. We recommend that you use an Identity Authentication tenant, an SAP on-premise system, or a custom corporate identity provider. User authorizations are managed using technical roles at the application level, which can be aggregated into business-level role collections for large-scale cloud scenarios.
Developing Secure Applications on the SAP BTP Cloud Foundry Runtime (Tutorial)
Implement Instance-Based Access Control
Creating Role Collections in SAP BTP
Secure a Node.js Application and Make it Available to Other Subaccounts
Troubleshooting the SAP Authorization and Trust Management Service
SECURE CONNECTIVITY
SAP Connectivity Service
The SAP Connectivity service lets you establish connectivity between your cloud applications and on-premise systems running in isolated networks.
Destination Service
The Destination service lets you retrieve the backend destination details you need to configure applications in the Cloud Foundry environment.
Cloud Connector
The Cloud Connector provides a secure tunnel between SAP BTP applications and on-premise systems to access relevant data:
- Serves as a link between SAP BTP applications and on-premise systems.
- Combines an easy setup with a clear configuration of the systems that are exposed to the SAP BTP.
- Lets you use existing on-premise assets without exposing the entire internal landscape.
COMMUNICATION & ENCRYPTION
SAP Credential Store
SAP Credential Store service provides a repository for passwords, keys and keyrings for applications that are running on SAP BTP. It enables the applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and TLS communication. SAP Credential Store is exposed to the applications via a REST API.
SAP Custom Domain Service
SAP BTP allows subaccount owners to make their SAP BTP applications reachable and secure via a custom domain that is different from the default domain – for example, subdomain.mydomain.com. The SAP Custom Domain service lets you configure your own custom domain to publicly expose your application, instead of using the default subdomain.
AUDITING & MONITORING
SAP Audit Log Service
The SAP Audit Log Service is a core SAP BTP service for security and compliance that provides the means to record and retrieve audit-relevant events. The default and advanced capabilities of the SAP Audit Log Service are available for SAP BTP applications and services.
Audit Logging in the Cloud Foundry Environment
SECURE DEVELOPMENT & OPERATIONS
SAP Malware Scanning Service
Use SAP Malware Scanning service to scan business documents for malware. Integrate this service with your custom-developed apps running on Cloud Foundry. When your apps upload business documents, your apps can call the SAP Malware Scanning service to check for viruses or other malware.
Secure Programming with SAP Cloud Application Programming Model (CAP)
SAP Cloud Application Programming Model (CAP) is a framework of languages, libraries, and tools for building enterprise-grade services and applications. It guides developers along a path of proven best practices and a great wealth of out-of-the-box solutions to recurring tasks.
CAP offers automatic authorization enforcement in the CAP-supported runtimes Node.js and Java. No manual coding of permission checks is required, because authorization is enforced automatically at runtime based on the declared annotations. Developers can still implement individual permission checks where needed.