BTP Security Architecture

End-to-end security architecture for SAP BTP — covering identity federation, OAuth 2.0 authorization, network security, audit logging, and data protection across runtimes and services.

BTP Security Architecture — Layered Model (diagram not reproduced)

Executive Summary

SAP BTP security is built on a layered model: identity federation (IAS), OAuth 2.0 authorization (XSUAA), role-based access control (scopes + role collections), network security (Cloud Connector, Private Link, TLS), and audit logging. Every BTP application must implement all layers — there is no default security posture. Security is a shared responsibility between SAP (platform) and the customer (application configuration).

Identity Layer

SAP IAS: Identity Authentication Service — the central IdP proxy. Federates corporate AD/LDAP via SAML 2.0. Issues OIDC tokens to BTP apps. One IAS tenant per SAP customer (bundled).
SAP IPS: Identity Provisioning Service — SCIM-based user sync from AD → IAS → BTP subaccounts. Automates joiner/mover/leaver lifecycle management.
Corporate IdP: Azure AD, Okta, ADFS, or any SAML 2.0-compliant IdP. IAS acts as the SP (service provider) in the corporate IdP federation chain.
SAP ID Service: Default trust — acceptable for trial/sandbox only. No MFA, no SCIM, no corporate integration. Must be removed from production subaccounts.

Authorization Layer

XSUAA: OAuth 2.0 Authorization Server on BTP. Issues JWT tokens with user identity, tenant, and granted scopes. Validates tokens for every API call.
Scopes: Defined in xs-security.json. Checked in CAP via @requires/@restrict annotations, or manually via req.user.is() / @sap/xssec.
Role Collections: Aggregate multiple role templates. Assigned to users or AD groups (via IPS). The primary mechanism for granting access in BTP.
App Router: The authentication gateway (@sap/approuter). Handles login redirect to IAS, SAML→JWT exchange, session management, and token forwarding to backend services.

Network Security

TLS 1.2+: All BTP traffic is encrypted in transit. TLS 1.0/1.1 are not supported. Certificate pinning available for high-security scenarios.
Cloud Connector: Outbound-only reverse proxy installed on-premise. Opens a secure tunnel to BTP — no inbound firewall rules required. Used for on-premise S/4HANA access.
Private Link: Azure / AWS private network connectivity for BTP. Avoids public internet routing entirely. Recommended for customers with strict network security policies.
Credential Store: BTP service for secure credential management. Store OAuth client secrets, API keys, and passwords there — never in CF environment variables or K8s ConfigMaps.

xs-security.json — XSUAA Application Security Descriptor

Define scopes first, then role templates
Design scopes at the action level (viewer, editor, admin per domain), then aggregate them into role templates. Role templates map to Role Collections assigned to user groups.
xs-security.json
{
  "xsappname": "dewa-s4-extension",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.viewer",
      "description": "View extension data"
    },
    {
      "name": "$XSAPPNAME.editor",
      "description": "Edit extension data"
    },
    {
      "name": "$XSAPPNAME.admin",
      "description": "Administer extension settings"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "scope-references": ["$XSAPPNAME.viewer"]
    },
    {
      "name": "Editor",
      "scope-references": ["$XSAPPNAME.viewer", "$XSAPPNAME.editor"]
    },
    {
      "name": "Administrator",
      "scope-references": ["$XSAPPNAME.viewer", "$XSAPPNAME.editor", "$XSAPPNAME.admin"]
    }
  ],
  "oauth2-configuration": {
    "token-validity": 3600,
    "refresh-token-validity": 86400
  }
}

Audit & Compliance

Audit Log Service: Records all authentication events, BTP config changes, and sensitive data access. Required for SOC 2, ISO 27001, and UAE PDPL. Export to SIEM via Audit Log Management API.
SAP Data Custodian: Monitors data residency compliance — ensures data stays within the contracted cloud region (e.g., UAE/ae1 for DEWA).
Credential Store: Encrypted credential management service. Rotation APIs available. Integrates with CF and Kyma via service bindings.
SIEM Integration: Audit Log Management API provides a REST endpoint for streaming audit events to external SIEM tools (Sentinel, Splunk, QRadar).

Enterprise Example: DEWA Full Security Stack

DEWA Production Security Configuration
DEWA implements a complete BTP security stack: Azure AD → IAS (SAML federation) → XSUAA (OAuth JWT) → App Router → CAP Service. IPS syncs Azure AD groups to BTP Role Collections nightly. All connectivity to on-premise S/4HANA uses Cloud Connector with mutual TLS. The Audit Log Service is integrated with DEWA's SIEM (Microsoft Sentinel) via the Audit Log Management API. MFA is enforced for all BTP subaccount access via IAS Conditional Authentication rules.

Best Practices

Always use IAS as trust provider

Never use SAP ID Service in production — it lacks MFA, SCIM provisioning, and custom password policies required for enterprise compliance.

Define scopes at the most granular level

Avoid broad admin-only patterns. Fine-grained scopes enable least-privilege RBAC and make access reviews auditable.

Rotate XSUAA client credentials quarterly

Client credentials for service-to-service communication should be rotated on a defined schedule. Use BTP Credential Store to manage rotation safely.

Enable BTP Audit Log in every production subaccount

The Audit Log service records all authentication events, configuration changes, and data access. Required for SOC 2, ISO 27001, and UAE PDPL compliance.

Use Role Collections with group mapping via IPS

Assign Role Collections to AD groups (not individual users) via IPS. Individual assignments do not scale and are impossible to audit at enterprise scale.

Validate JWT tokens in every service

CAP does this automatically with XSUAA binding (@sap/xssec). For custom services, never skip token validation — even for internal service calls.

Common Pitfalls

SAP ID Service trust in production
No MFA enforcement, no SCIM provisioning, no custom password policy, and no integration with corporate IdP — a critical security gap.
Granting SubaccountAdministrator to developers
SubaccountAdministrator can modify trust configuration, billing, and entitlements. Developers need only Space Developer (CF) or specific service roles.
Not defining scopes in xs-security.json
Without explicit scopes, CAP services may allow unauthenticated access depending on the @requires annotation configuration.
Exposing CAP services without App Router
Direct exposure of CF or Kyma apps bypasses token validation and session management. App Router is the mandatory authentication gateway.
Missing audit log setup
Compliance violations discovered post-incident are significantly harder to remediate. Enable Audit Log at subaccount setup, not retroactively.

Zero Trust Security Checklist

Implement Zero Trust principles — verify every request even within BTP. Use principle of least privilege for all role assignments.

Enable MFA for all named user accounts via IAS Conditional Authentication
Set XSUAA token-validity to 3600s (1 hour) maximum for user tokens
Monitor Audit Log Service weekly and alert on anomalies
Perform quarterly access reviews on all BTP Role Collections
Remove SAP ID Service trust from all production subaccounts
Configure automatic token refresh — never extend token validity as a workaround