SAP Business Technology Platform
SAP's unified cloud platform for application development, integration, data management, and AI. The extensibility backbone for S/4HANA and the entire SAP portfolio — available on AWS, Azure, GCP, and Alibaba Cloud across 30+ global regions.
What is SAP BTP?
SAP Business Technology Platform (BTP) is SAP's unified cloud platform that connects, extends, and innovates across the entire SAP portfolio and third-party systems. Built around four capability pillars: Application Development and Automation, Integration, Data and Analytics, and AI and Automation — all anchored on a Foundation layer providing identity, connectivity, and authorisation services.
BTP runs on hyperscaler infrastructure across 30+ data centres on AWS, Azure, GCP, and Alibaba Cloud. Region ae1 (AWS UAE / Dubai) provides UAE PDPL data residency compliance for HANA Cloud, AI Core, Generative AI Hub, and Cloud Foundry. All BTP services share the same Account Model (Global Account → Directories → Subaccounts) for consistent governance and cost management.
BTP is the mandatory extensibility platform for the Clean Core strategy: all custom developments, integrations, and AI enhancements for S/4HANA Public Cloud, RISE, and GROW with SAP are built on BTP using clean APIs — not inside the S/4HANA system.
Quick Facts
- Runtimes
- CF · Kyma · ABAP Cloud
- Services
- 80+ BTP services
- Regions
- 30+ global data centres
- Hyperscalers
- AWS · Azure · GCP · Alibaba
- UAE Region
- ae1 (AWS Dubai)
- Dev Tool
- SAP Business Application Studio
- AI Services
- AI Core · Gen AI Hub · Joule
- Commercial
- PAYG · CPEA · BTPEA · Subscription
- RISE Included
- IAS/IPS · Build Work Zone Std
- CLI Tool
- BTP CLI (btp)
SAP BTP Capability Layers
Account Model
The SAP BTP Account Model provides a hierarchical structure for organising services, users, and costs. The hierarchy has three levels: Global Account (contractual root) → Directories (optional grouping) → Subaccounts (deployment units). Entitlements define which services are available in each subaccount — without an entitlement, a service cannot be provisioned even if quota is available in the Global Account.
Account Model — Detailed Pages
Top-level contractual container. Holds all entitlements, directories, billing, and Global Account admins.
Optional organisational grouping layer. Up to 7 levels deep. Enables delegated administration and budget distribution.
Primary deployment and isolation unit. Each subaccount owns its runtimes, services, role collections, and trust config.
Quota management for BTP services. Services must be explicitly entitled before they can be provisioned in a subaccount.
Capacity and pricing tiers for each BTP service — from free trial plans to production-grade service instances.
30+ data centres on AWS, Azure, GCP, and Alibaba Cloud. Region ae1 (AWS Dubai) for UAE PDPL data residency.
BTP Runtimes
SAP BTP provides three managed runtimes, each optimised for different workloads and developer profiles. All three runtimes run within a Subaccount and share the same foundation services (identity, connectivity, destinations). A single Subaccount can enable multiple runtimes simultaneously.
| Criterion | Cloud Foundry | Kyma | ABAP Cloud |
|---|---|---|---|
| Best for | CAP Node.js and Java, MTA apps | Containerised microservices, event-driven | ABAP developer teams, RAP services |
| Programming model | CAP (CDS + Node.js / Java) | Any language (Dockerfile + Helm) | ABAP Cloud (RAP + CDS views) |
| Managed by SAP | Diego cells — yes | Kubernetes control plane — yes | Full ABAP system — yes |
| Scaling | Horizontal autoscale | Kubernetes HPA | SAP-managed |
| Dev tool | Business App Studio (BAS) | BAS or local kubectl | ABAP Development Tools (ADT) |
| Clean Core | Required (BTP-side extensions) | Required (BTP-side extensions) | Built-in (released APIs only) |
| Commercial | CPEA / BTPEA | CPEA / BTPEA | CPEA / BTPEA |
Runtimes — Detailed Pages
Managed PaaS for CAP Node.js and Java applications. MTA deployment, autoscaling, and HANA Cloud HDI integration.
Managed Kubernetes with Istio service mesh, Kyma Functions (serverless), Event Mesh integration, and Helm chart deployment.
ABAP-as-a-Service on BTP. Build RAP services and OData V4 APIs using released APIs only — fully clean core compliant.
Security and Identity
SAP BTP security is built on three layered services. The SAP Cloud Identity Services — Identity Authentication (IAS) authenticates users via OIDC and SAML 2.0, acting as a proxy in front of corporate identity providers. The Identity Provisioning Service (IPS) synchronises users and groups from Active Directory or LDAP to IAS and BTP subaccounts using SCIM 2.0. The Authorization and Trust Management Service (XSUAA) issues and validates OAuth 2.0 JWT tokens scoped to individual BTP applications.
1// xs-security.json — XSUAA security descriptor for a BTP application
2{
3 "xsappname": "my-btp-app",
4 "tenant-mode": "dedicated",
5 "description": "Security descriptor for my CAP application",
6 "scopes": [
7 {
8 "name": "$XSAPPNAME.Read",
9 "description": "Read access to application data"
10 },
11 {
12 "name": "$XSAPPNAME.Write",
13 "description": "Write and delete access to application data"
14 }
15 ],
16 "role-templates": [
17 {
18 "name": "Viewer",
19 "description": "Read-only access",
20 "scope-references": ["$XSAPPNAME.Read"]
21 },
22 {
23 "name": "Editor",
24 "description": "Full read and write access",
25 "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write"]
26 }
27 ],
28 "role-collections": [
29 {
30 "name": "MyApp Viewer",
31 "role-template-references": ["$XSAPPNAME.Viewer"]
32 },
33 {
34 "name": "MyApp Editor",
35 "role-template-references": ["$XSAPPNAME.Editor"]
36 }
37 ]
38}Security and Identity — Detailed Pages
End-to-end BTP security: identity federation, OAuth 2.0, network isolation, audit logging, and GDPR/PDPL compliance.
SAP's cloud-native Identity Provider. Proxies Azure AD, ADFS, and Okta. Supports OIDC, SAML 2.0, MFA, and risk-based authentication.
SCIM 2.0 user and group synchronisation from Active Directory or LDAP to IAS and BTP Role Collections. Automates onboarding.
OAuth 2.0 JWT authorisation server per subaccount. Manages scopes, role templates, and role collections for all BTP applications.
Connectivity
BTP connectivity covers three distinct integration patterns. The SAP Cloud Connector provides an outbound reverse-proxy tunnel from the on-premises network to BTP — no inbound firewall rules are required. The Destination Service acts as a centralised configuration registry: applications read named destinations at runtime rather than hard-coding endpoints or credentials. The SAP Private Link Service (available for AWS and Azure) provides direct private network connectivity to RISE with SAP (PCE) systems, eliminating public internet traversal entirely.
- Installed on-premises — Java agent
- Outbound TLS 1.3 tunnel only
- No inbound firewall change needed
- Supports HTTP, RFC, TCP, LDAP
- Multi-landscape support (DEV/QAS/PRD)
- Mapped virtual hosts for security
- Named connection configurations
- HTTP, RFC, LDAP, SFTP destinations
- Basic, OAuth 2.0, certificate auth
- Principal propagation support
- Subaccount and instance-level scope
- Used by all BTP runtimes uniformly
- Private hyperscaler networking
- AWS PrivateLink and Azure Private Link
- Zero public internet exposure
- Required for RISE PCE connectivity
- Lower latency than Cloud Connector
- GCP support: Roadmap
Connectivity — Detailed Pages
The SAP BTP Connectivity service umbrella — Cloud Connector, Destination Service, and Private Link unified.
Reverse-proxy agent on-premise. Outbound TLS tunnel to BTP — no inbound firewall changes. Supports HTTP, RFC, TCP, LDAP.
Centralised connection configuration registry. Applications read named destinations at runtime for all HTTP, RFC, and LDAP connections.
Private network connectivity between BTP and RISE/PCE systems on AWS and Azure. Eliminates public internet traversal.
BTP CLI — Account Management Examples
The SAP BTP CLI (btp) provides command-line access to the BTP account model. Download from SAP Tools Portal. Used in CI/CD pipelines, Terraform automation, and administrative scripts.
# Install BTP CLI — download from tools.hana.ondemand.com
# Authenticate to Global Account
btp login
# → Enter Global Account subdomain, email, and password
# List all subaccounts in the Global Account
btp list accounts/subaccount
# Create a new subaccount in the UAE region (ae1 — AWS Dubai)
btp create accounts/subaccount \
--display-name "UAE Production" \
--region ae1 \
--subdomain my-company-uae-prd
# List available service plans for a service
btp list services/plan --environment cloudfoundry
# Assign entitlement: allocate HANA Cloud quota to a subaccount
btp assign accounts/entitlement \
--to-subaccount <SUBACCOUNT-GUID> \
--for-service hana \
--plan hana \
--amount 1Licensing and Commercial Models
SAP BTP services are available under several commercial models. The Cloud Platform Enterprise Agreement (CPEA) and its successor BTP Enterprise Agreement (BTPEA) are credit-consumption models where customers purchase an annual credit pool and draw down services within that pool. Under Pay-As-You-Go (PAYG), services are metered monthly with no commitment. Many foundation services are included in RISE with SAP and GROW with SAP bundles at no additional BTP charge.
Availability status reflects the overall BTP platform and major services. Individual service availability and commercial terms vary — verify on SAP Discovery Center.
SAP BTP
SAP's unified platform for application development, integration, data management, and AI — hosting 80+ services across Cloud Foundry, Kyma, and ABAP runtimes.
Platform access is free; individual services consume CPEA/BTPEA credits or carry their own subscription.
HANA Cloud
A fully managed, cloud-native, in-memory database platform on SAP BTP — supporting relational, vector, JSON, spatial, and graph data models with integrated data lake.
Capacity-based: compute block sizes (16–512 GB RAM), storage units (1 GB increments), and optional data lake file/relational storage. Included in RISE with SAP.
Integration Suite
SAP's enterprise integration platform-as-a-service (iPaaS) — enabling cloud-to-cloud, cloud-to-on-premise, and B2B integration via 2,000+ pre-built connectors.
Subscription-based. Message volume and API call thresholds define the tier. API Management and Event Mesh may carry separate entitlements.
AI Core
SAP's MLOps service on SAP BTP — providing infrastructure for AI model training, deployment, serving, and lifecycle management including access to the Generative AI Hub.
CPEA consumption-based: Resource Units for model training/serving, Inference Units for production AI workloads. Storage charged separately.
Joule
SAP's generative AI copilot embedded across SAP applications — providing natural language interaction for navigation, transactions, insights, and code generation across the SAP portfolio.
Core Joule skills included in RISE with SAP. Joule Booster (additional skill pack) is a separate entitlement for RISE customers. Standalone access requires SAP AI Business Services licensing.
CAP
An open-source, convention-over-configuration framework for building cloud-native services and applications on SAP BTP using CDS, Node.js, and Java.
Framework is free (Apache 2.0). BTP infrastructure costs apply when deployed on Cloud Foundry, Kyma, or ABAP environment.
BTP Commercial Models — Key Services
Service / Capability | PAYGNo commitment | CPEA / BTPEACredit consumptionGenerally Available | RISE with SAPBundledGenerally Available | GROW with SAPBundledGenerally Available |
|---|---|---|---|---|
| Platform Foundation | ||||
| Cloud Foundry Runtime | Free tier (limited) | |||
| SAP Cloud Identity Services (IAS) | Free | Free | Included | Included |
| SAP Business Application Studio | Free tier | Included (limited) | Included (limited) | |
| SAP Connectivity Service | ||||
| Application Development | ||||
| SAP CAP Framework | Free (open source) | Free | Free | Free |
| SAP Kyma Runtime | Free tier | Add-on required | Add-on required | |
| SAP Build Apps | Add-on | Included | ||
| SAP Build Work Zone (Standard) | Included | Included | ||
| Data, Analytics, and AI | ||||
| SAP HANA Cloud | Free tier (trial) | Included (capacity) | ||
| SAP AI Core | Free tier | |||
| Generative AI Hub | ||||
| SAP Joule | Included (limited) | Included (limited) | ||
| Integration | ||||
| SAP Integration Suite | Add-on subscription | Add-on subscription | ||
| SAP Event Mesh | ||||
SAP Sapphire 2025 and SAP Road Map Updates
SAP Joule Custom Skills
Generally AvailablePartners and customers can now build custom Joule skills using the SAP AI SDK. Skills integrate with any OData V4 or REST backend. Custom skills appear alongside SAP pre-built skills in the Joule Skill Catalogue. Announced at SAP Sapphire 2025.
Business Data Cloud (BDC)
Generally AvailableNew BTP capability combining SAP Datasphere and SAP Analytics Cloud into an AI-ready data fabric. Natively integrates with SAP S/4HANA via Datasphere Business Content. Available as a managed BTP service with its own commercial model.
ae1 Region (AWS UAE / Dubai) Expansion
Generally AvailableAdditional BTP services enabled in region ae1 (AWS UAE, Dubai). Expands UAE PDPL data residency compliance coverage. HANA Cloud, AI Core, Generative AI Hub, Cloud Foundry, and SAP Integration Suite are available in ae1.
SAP AI Agent Framework
RoadmapMulti-agent orchestration platform announced at SAP Sapphire 2025. Enables chaining of Joule skills and custom AI agents built with the SAP AI SDK. Direction: integrated with BTP AI services. No GA date confirmed as of June 2025. Do not plan production implementations.
Kyma Modules — Serverless v2 and Istio Upgrade
PlannedKyma Functions runtime v2 with improved cold-start performance and module architecture. Istio upgrade to 1.23+. SAP-committed on road map. Target: H2 2025. Check SAP Road Map Explorer for latest delivery status.
XSUAA Convergence with IAS
RoadmapSAP is progressively unifying the XSUAA and IAS authorization models. New BTP services are already IAS-native. Existing XSUAA-based applications will have a supported migration path. Timeline: phased over 2025–2026. Check SAP Road Map Explorer.
Best Practices
Use one Subaccount per Landscape
Create separate Subaccounts for DEV, QAS, and PRD. Subaccounts are the isolation unit — shared subaccounts create entanglement between environments.
Assign Entitlements before Provisioning
Always allocate service entitlement from the Global Account to the target Subaccount before creating a service instance. Without entitlement, provisioning fails silently in some services.
Use IAS as the Single IdP
Configure all BTP Subaccounts to trust a single IAS tenant. Connect the IAS tenant to your corporate Azure AD or ADFS via SAML federation. Avoid creating BTP-local users.
Never hard-code connection endpoints
Always use the Destination Service for all backend system connections. Named destinations are environment-portable and support principal propagation without code changes.
Choose the Cloud Connector for on-premise
For S/4HANA on-premise or ECC connectivity, always use the SAP Cloud Connector. It is the only supported mechanism for on-premise RFC and HTTP from BTP applications.
Use CPEA for variable workloads
CPEA and BTPEA credit models suit workloads with variable consumption. Fixed subscription is better for predictable, steady-state usage. Combine both for mixed portfolios.
Use Directories for budget governance
Create Directories per department or business unit. Allocate quota and assign directory admins at Directory level. This prevents one team exhausting the Global Account entitlement pool.
Enable BAS in each Subaccount
SAP Business Application Studio is included in RISE/GROW. Entitle it in every development Subaccount as the standard IDE for CAP, Fiori, and ABAP development.
Common Pitfalls
Sharing a Subaccount across landscapes
Fix: Each DEV, QAS, and PRD environment must be its own Subaccount. Sharing causes service collisions, role pollution, and cost attribution failures.
Skipping Destination Service and hard-coding URLs
Fix: Hard-coded backend URLs break when systems move regions or change hostnames. Always externalise connection config into named Destinations.
Treating Directories as mandatory
Fix: Directories are optional. Small organisations do not need them. Add the Directory layer only when you genuinely need delegated administration or budget separation.
Mixing XSUAA scopes across applications
Fix: Each BTP application should define its own security descriptor (xs-security.json) with application-prefixed scopes ($XSAPPNAME). Never share XSUAA service instances between unrelated applications.
Using Cloud Connector for RISE/PCE connections
Fix: RISE with SAP (PCE) connections should use SAP Private Link, not Cloud Connector. Cloud Connector routes through the public internet; Private Link stays on the hyperscaler backbone.
Misunderstanding entitlements vs. service instances
Fix: Entitlement = the right to use a service (quantity quota). Service instance = an actual provisioned service. You must have both: entitlement allocated to the subaccount AND then create the instance.
Commercial and Updates
SAP Official References
SAP BTP Help Portal
Official documentation for all BTP services, runtimes, and account model.
SAP Discovery Center
Service catalogue, pricing, trials, and mission-based learning paths.
SAP BTP Architecture Center
Reference architectures for BTP, S/4HANA, Integration Suite, and Joule.
SAP Road Map Explorer — BTP
GA, Planned, and Roadmap features for SAP BTP. Check before planning.
SAP BTP CLI Documentation
Complete BTP CLI reference for account management automation.
SAP BTP — ae1 Region (UAE)
Region ae1 (AWS Dubai): available services and UAE PDPL data residency.
SAP Cloud Connector — Administration Guide
Installation, configuration, and monitoring of the SAP Cloud Connector.
SAP Sapphire 2025 — BTP Announcements
Official announcements from SAP Sapphire 2025 covering BTP, Joule, and AI.