From XSUAA to AMS: The Practical Path to Stronger Authorization

SAP BTP security is often described in pieces—authentication, authorization, principal propagation. But in real enterprise landscapes, these are one connected flow, and the order matters. If you mix up where tokens are issued, how identities are passed, or where authorization is enforced, you can end up with inconsistent access, fragile integrations, and weak audit trails—especially in hybrid (cloud + on-prem) setups.

In this blog, I walk through two end-to-end authorization models on SAP BTP using numbered flows mapped to diagrams:

1. XSUAA-based flow — sign-in, token flow, and principal propagation to on-prem systems
2. AMS-based flow — centralized policy management with CAP CDS enforcement

Then I zoom out to the “why”: where XSUAA fits best, why it can become limiting at scale, and what AMS adds for consistent policies, clearer separation of responsibilities, and stronger auditability.

Originally published in Technology Blog Posts by SAP.
