
BTP Global Accounts

The top-level contractual and administrative container for all SAP BTP resources. Created once per SAP contract, it owns entitlements, manages the account hierarchy, and is the single billing point for the entire BTP landscape.

What is a Global Account?

A Global Account is the top-level entity created when you sign an SAP BTP contract. It is the contractual and billing boundary for everything on SAP BTP. All entitlements — the rights to use specific BTP services — are assigned at the Global Account level first, then distributed down through Directories and Subaccounts.

Administrators manage the Global Account via the BTP Cockpit at cockpit.btp.cloud.sap. Trust configuration, role collections, and identity provider settings are all configured at this level and cascade down to subaccounts.

The Global Account has a unique, immutable subdomain (e.g., mycompany.accounts.ondemand.com) set at creation time. SAP recommends naming it after the company's primary domain as it cannot be changed after provisioning.

Quick Facts

  • Scope: One per SAP BTP contract
  • Billing Unit: Central billing point
  • Subdomain: Immutable — set at creation
  • Admin Access: Role Collection based
  • Commercial Models: PAYG · CPEA · Subscription
  • Identity: SAP ID Service or custom IAS
  • Management UI: BTP Cockpit
  • CLI Tool: btp CLI (SAP BTP CLI)

[Diagram: BTP Account Hierarchy — Global Account to Services]

Commercial Models

PAYG (Pay-As-You-Go)
  • No upfront commitment
  • Billed per actual consumption
  • Services auto-entitle on enable
  • Good for exploratory projects
  • Can convert to CPEA later

CPEA (Cloud Platform Enterprise Agreement)
  • Pre-purchased credit blocks
  • Flexible service consumption
  • Credits expire if unused
  • Recommended for large enterprises
  • Requires explicit entitlement assignment

Subscription (Fixed Subscription)
  • Fixed monthly/annual fee
  • Specific services included
  • Predictable cost model
  • Best for single-service focus
  • No credit concept — quantity-based

Enterprise Example — DEWA

Dubai Electricity and Water Authority (DEWA) maintains a single Global Account dewa-btp-prod under a CPEA contract. This Global Account contains three top-level Directories aligned to business domains:

  • Utilities Operations (6 subaccounts): S/4 Extensions · HANA · Integration
  • Corporate Services (4 subaccounts): HR · Finance · Procurement apps
  • Smart City (4 subaccounts): IoT · Analytics · AI Services

CPEA Strategy: DEWA allocates CPEA credits per directory: 60% Utilities Operations, 25% Corporate Services, 15% Smart City — matching the relative size of each domain's BTP footprint.

Administration & Identity

Role Collections

Global Account access is controlled via role collections, not direct role assignments. The two key built-in role collections are:

  • Global Account Administrator
    Full management access — entitlements, directories, subaccounts, trust.
  • Global Account Viewer
    Read-only access — suitable for architects and auditors.

Trust Configuration

By default, BTP uses the SAP ID Service as the identity provider. For enterprise SSO, configure custom trust with SAP Identity Authentication Service (IAS).

  • Default: SAP ID Service (sap.default) — no MFA, no SCIM
  • Recommended: SAP IAS as trust anchor for SSO + MFA
  • Custom corporate IdP (AAD, Okta) federated via IAS
  • Trust configured at global account → cascades to subaccounts
  • SCIM provisioning from HR system via Identity Provisioning Service (IPS)

Managing via btp CLI

global-account-admin.sh

# Login to BTP CLI
btp login --url https://cpcli.cf.eu10.hana.ondemand.com

# List global account details
btp get accounts/global-account

# List all subaccounts
btp list accounts/subaccount

# List directories
btp list accounts/directory

# View entitlements at global account level
btp list accounts/entitlement

# Add a global account administrator
btp assign security/role-collection "Global Account Administrator" \
  --to-user admin@dewa.gov.ae \
  --of-idp sap.default

Best Practices

One Global Account per company

Centralise billing, entitlements, and governance. Multiple global accounts fragment cost visibility and complicate licence management.

Dedicated admin role collections

Create named role collections for Global Account admins — never assign the admin role directly to personal user accounts.

Enable custom IAS trust

Replace the default SAP ID Service with SAP IAS as the identity provider to enable MFA, SCIM provisioning, and corporate SSO.

Configure cost monitoring alerts

Set up budget alerts in the BTP Cockpit Cost Management section. Alert at 70% and 90% of CPEA credit consumption.

Choose the subdomain carefully

The Global Account subdomain (e.g., mycompany.accounts.ondemand.com) is immutable after creation. Use the company primary domain.

Document entitlement strategy first

Before provisioning subaccounts, define which services each department needs and pre-plan quota distribution across directories.

Common Pitfalls

Multiple Global Accounts for different departments

Creates billing fragmentation, separate entitlement pools, and duplicated administration overhead. Use Directories inside one Global Account instead.

Personal accounts as Global Account administrators

No offboarding plan exists for personal accounts. When an admin leaves, access cannot be cleanly revoked. Use shared admin accounts or IAS group-based assignments.

Immutable subdomain overlooked

The global account subdomain cannot be changed after creation. A poorly chosen name (e.g., using a project name instead of company name) becomes a permanent liability.

No entitlement quota review before QBRs

Unused entitlements expire in CPEA contracts at the end of a contract period. Quarterly reviews prevent wasted credits and enable reallocation.

Security Considerations

Global Account access is high-privilege

Global Account administrators can modify entitlements, delete subaccounts, and alter trust configuration for the entire BTP landscape. Treat this role with the same sensitivity as a cloud root account.

  • Enable MFA for all Global Account administrators via SAP IAS conditional authentication policies.
  • Restrict the Global Account Administrator role collection to a maximum of 3–5 named individuals.
  • Use SAP IAS as the trust anchor rather than the default SAP ID Service — IAS supports MFA and SCIM.
  • Audit global account access quarterly — remove stale admins and review role collection assignments.
  • Enable SAP BTP Audit Log service at the global account level to capture all administrative actions.
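
One way to run the quarterly access review described above, as an added example (not code from the original page or from SAP): it checks an exported list of role collection assignments against the limits stated here. The export format, the field names, the corp-ias origin key and the 90-day staleness window are assumptions, and the sample data is constructed.

```python
from datetime import date

ADMIN_RC = "Global Account Administrator"
DEFAULT_IDP = "sap.default"  # origin key of the default SAP ID Service
MAX_ADMINS = 5               # page guidance: at most 3-5 named individuals
STALE_DAYS = 90              # assumption: no login for one quarter = stale

# Constructed sample export. Field names and the "corp-ias" origin key are
# hypothetical; this is not the output format of the btp CLI.
ASSIGNMENTS = [
    {"user": "a.rahman@example.com", "idp": "corp-ias", "rc": ADMIN_RC, "last_login": "2025-06-20"},
    {"user": "b.khan@example.com", "idp": "corp-ias", "rc": ADMIN_RC, "last_login": "2025-06-02"},
    {"user": "c.lee@example.com", "idp": "sap.default", "rc": ADMIN_RC, "last_login": "2025-06-25"},
    {"user": "d.ortiz@example.com", "idp": "corp-ias", "rc": ADMIN_RC, "last_login": "2025-01-15"},
    {"user": "e.novak@example.com", "idp": "corp-ias", "rc": ADMIN_RC, "last_login": None},
    {"user": "f.ali@example.com", "idp": "corp-ias", "rc": ADMIN_RC, "last_login": "2025-06-11"},
    {"user": "g.auditor@example.com", "idp": "sap.default", "rc": "Global Account Viewer", "last_login": "2024-11-01"},
]


def audit_admins(assignments, today, max_admins=MAX_ADMINS, stale_days=STALE_DAYS):
    """Return sorted (finding, subject) tuples for the admin role collection."""
    admins = [a for a in assignments if a["rc"] == ADMIN_RC]
    findings = []
    for a in admins:
        if a["idp"] == DEFAULT_IDP:
            findings.append(("default-idp", a["user"]))  # no MFA on this IdP
        last = a.get("last_login")
        if last is None:
            findings.append(("never-logged-in", a["user"]))
        elif (today - date.fromisoformat(last)).days > stale_days:
            findings.append(("stale", a["user"]))
    # Count distinct identities so a duplicated row is not counted twice.
    distinct = {(a["user"].lower(), a["idp"]) for a in admins}
    if len(distinct) > max_admins:
        findings.append(("too-many-admins", str(len(distinct))))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit_admins(ASSIGNMENTS, date(2025, 6, 30)):
        print(f"{finding:16} {subject}")
```

Viewer assignments are ignored on purpose: only the high-privilege role collection is held to the head-count and IdP rules.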
