SAP BTP — Interview Questions Booklet (50 Q&A)
Global Accounts & Subaccounts • CF/Kyma/ABAP Env • Security (XSUAA, IAS/IPS) • Connectivity & Destinations • HANA Cloud & HDI • CAP & Multitenancy • Integration Suite & Event Mesh • DevOps & Transport
1) What is SAP BTP, and in which scenarios should an enterprise choose it?
Answer: BTP is SAP’s cloud platform to build, integrate, and extend SAP/non-SAP solutions. Use it for side-by-side extensions, governed integration, event/API hubs, data & AI services, and secure exposure of business capabilities.
2) How are global accounts, directories, and subaccounts related in BTP?
Answer: The global account is the commercial/tenant root; optional directories group subaccounts; subaccounts are isolated runtime containers (region+environment) where apps/services run and entitlements are consumed.
3) What runtime environments does BTP provide, and when is each appropriate?
Answer: Cloud Foundry for buildpack apps (Node/Java/CAP), Kyma for Kubernetes/microservices/serverless, and ABAP environment for RAP-based extensions to SAP apps.
4) How do entitlements and quotas work, and who assigns them?
Answer: Entitlements grant service/plan usage; quotas define the amount. Global account admins allocate to subaccounts; subaccount admins create instances within those limits.
5) Which hyperscalers and regions are available, and how should a customer choose?
Answer: BTP runs on AWS/Azure/GCP across many regions. Choose based on latency to SAP back ends, data residency, service availability, and enterprise cloud strategy.
6) What is the Cloud Foundry environment on BTP, and how are apps deployed?
Answer: It’s a managed PaaS using buildpacks. Deploy via cf push or MTA (mbt build + cf deploy); bind service instances; consume credentials through VCAP_SERVICES.
7) When should architects prefer Kyma (Kubernetes) over Cloud Foundry?
Answer: Choose Kyma for container control, sidecars, custom runtimes, Helm, serverless functions, or when leveraging existing K8s competencies and DevOps toolchains.
8) What is the SAP BTP ABAP environment, and what problems does it solve?
Answer: A managed ABAP stack to build RAP services/UI without modifying core SAP apps. It enables modern ABAP development, OData, and secure integration with SAP systems.
9) How should teams decide between buildpacks and container images?
Answer: Buildpacks (CF) give speed and managed patches for common stacks; containers (Kyma) give full runtime control, OS libs, and sidecars—best for specialized workloads.
10) What is a Multi-Target Application (MTA), and why is it recommended on BTP?
Answer: MTA packages multiple modules/resources (app, DB, XSUAA, Destination) with one lifecycle for repeatable deploy/rollback, consistent bindings, and transportability.
11) What is XSUAA, and how does it enforce authentication and authorization?
Answer: XSUAA issues/validates OAuth2 JWTs and manages scopes/roles defined in xs-security.json. Apps verify tokens and enforce scope checks.
12) How do Identity Authentication (IAS) and Identity Provisioning (IPS) differ?
Answer: IAS handles login (SAML/OIDC, MFA, branding). IPS syncs users/groups from corporate IdPs to IAS/BTP, keeping identities aligned across landscapes.
13) What is the difference between roles, scopes, and role collections in BTP?
Answer: Scopes are technical permissions; roles group scopes per app; role collections group roles for assignment to users/groups at subaccount level.
14) How are JSON Web Tokens (JWT) validated inside BTP applications?
Answer: Middleware checks signature, issuer, audience, expiry, and scopes. CAP/SAP libs provide guards; apps deny access on invalid/insufficient claims.
15) What is principal propagation, and how do you implement it securely?
Answer: It forwards the end-user identity to downstream systems. Use OAuth2 JWT Bearer for cloud-to-cloud and OAuth2 SAML Bearer via Cloud Connector for on-prem targets.
16) What problem does the Destination service solve, and how is it consumed?
Answer: It centralizes outbound connection settings (URL/auth/proxy). Apps read destinations via the Destination service/API, avoiding hardcoded endpoints.
17) How do the Destination and Connectivity services differ, and when is each required?
Answer: Destination stores connection definitions; Connectivity provides the on-prem proxy tunnel. For on-prem calls you typically need both plus Cloud Connector.
18) What is the purpose of the Cloud Connector, and how does it enhance security?
Answer: It creates a reverse tunnel from on-prem to BTP, exposing whitelisted resources only—no inbound firewall openings—enforcing least-privilege access.
19) How can end-user identity be propagated from BTP to an on-premise SAP system?
Answer: Configure OAuth2 SAML Bearer in the destination, trust between IAS and the ABAP/Java stack, and Cloud Connector system mappings for user resolution.
20) What is contained in VCAP_SERVICES, and how should apps use it safely?
Answer: It contains bound service credentials and metadata. Read it at startup, avoid logging secrets, rotate bindings, and prefer service bindings over manual keys.
21) What is SAP HANA Cloud on BTP, and which workloads does it support well?
Answer: A managed HANA (in-memory+disk) service for transactional + analytical workloads, with elastic scaling, HDI isolation, and SQL/Calc View support.
22) What are HDI containers, and how do they isolate database artifacts?
Answer: HDI provides “schema as a service.” Artifacts are owned by the container and accessed via technical users, separating app objects and privileges cleanly.
23) How are database artifacts built and deployed to an HDI container?
Answer: Use HDI deployer in an MTA to build .hdb* artifacts (tables, views, procedures) and deploy; manage grants with grantor/consumer roles.
24) How does HANA Cloud differ from the legacy HANA service on Neo, and why does it matter?
Answer: HANA Cloud is the current, region/hyperscaler-aligned service with elastic sizing and new features; Neo is legacy—choose HANA Cloud for new implementations.
25) What options exist for cross-container access in HANA Cloud, and when should each be used?
Answer: Use container-to-container grants/aliases for tight coupling or cross-container synonyms for looser coupling; both preserve isolation and auditability.
26) What is CAP, and why should teams adopt it for BTP development?
Answer: CAP accelerates service/UI development with CDS modeling, OData/REST out-of-the-box, hooks, and security integration for Node.js and Java.
27) How does CAP map CDS models to persistence in dev and prod?
Answer: In dev it can use SQLite; in prod it targets HANA Cloud via HDI. Migrations are generated and applied during build/deploy steps.
28) How are authentication and authorization implemented in CAP apps?
Answer: Integrate XSUAA, define roles/scopes in xs-security.json, and protect services/entities with @requires annotations and request handlers.
29) How is multitenancy implemented in CAP, and what isolation model is typical?
Answer: CAP MTX provisions tenant-specific HDI containers (schema-per-tenant), wires tenant bindings, and uses tenant context from JWT for isolation.
30) When should a project choose CAP Node.js versus CAP Java?
Answer: Node.js suits rapid prototyping and JS ecosystem; Java suits JVM shops needing strong typing, enterprise libraries, and complex integrations.
31) How do SaaS subscriptions work on BTP for providers and consumers?
Answer: Providers register in the SaaS registry; consumers subscribe from their subaccounts. The provider app receives onboarding callbacks to provision tenant resources and role collections.
32) What steps are required to onboard and offboard a tenant safely?
Answer: On subscribe: create tenant DB/container, bindings, and roles; test health. On unsubscribe: revoke access, export data if agreed, and drop tenant artifacts per retention policy.
33) How is tenant data isolated and secured in multitenant solutions?
Answer: Use schema-per-tenant (HDI per tenant) or strict row-level filtering with tenant IDs; encrypt at rest, audit access, and segregate secrets per tenant.
34) How do side-by-side extensions on BTP compare with in-app key-user extensions?
Answer: Side-by-side avoids core mods and scales independently using APIs/events; in-app uses key-user tools inside SAP apps for lightweight UI/data tweaks.
35) How can a provider expose tenant-aware APIs securely to subscribers?
Answer: Use an application router, XSUAA, and tenant-aware routes; validate tenant from JWT; restrict by role collections; throttle and log usage via API Mgmt.
36) What does SAP Integration Suite include, and when should it be used?
Answer: It provides Cloud Integration, API Management, Open Connectors, Integration Advisor, etc.—use it for process orchestration, API gateways, and partner/B2B connectivity.
37) How does API Management govern and protect APIs published from BTP?
Answer: Policies enforce OAuth2, quotas, spike arrest, transformations, and caching; portals onboard developers; analytics track usage and compliance.
38) What is SAP Event Mesh, and how does it support event-driven architectures?
Answer: It’s a managed broker (queues/topics) for async pub/sub across SAP and custom apps, enabling decoupling, back-pressure handling, and resilience.
39) How can business events from S/4HANA be enabled and consumed on BTP?
Answer: Enable Enterprise Event Enablement, route events to Event Mesh, create subscriptions in apps/flows, and implement idempotent handlers.
40) When should teams expose OData services versus building custom REST APIs?
Answer: Expose OData for straightforward entity CRUD/queries; build custom REST when aggregations/orchestration or non-entity resources are required.
41) What is Cloud Transport Management (CTM), and how does it differ from classic transports?
Answer: CTM moves non-ABAP artifacts (MTAs, Integration content) across subaccounts with approvals/audit. It complements, not replaces, ABAP transports.
42) How can CI/CD be implemented for BTP applications and content?
Answer: Use Project “Piper”, GitHub Actions, or Jenkins to build/test MTAs, run unit/e2e tests, and deploy to CF/Kyma; integrate CTM for promoted releases.
43) What logging and monitoring options exist for CF and Kyma workloads?
Answer: CF: cf logs, Application Logging, Cloud Logging. Kyma: Prometheus/Grafana/Loki, Kubernetes events. Set alerts on latency, error rates, and queue depth.
44) How should secrets and credentials be managed across environments?
Answer: Prefer service bindings and platform secrets; rotate keys; avoid committing secrets; use separate service instances per space/tenant for blast-radius control.
45) How can blue-green or zero-downtime deployments be achieved on BTP?
Answer: CF uses route-based blue-green; Kyma uses rolling updates and health probes. Keep DB changes backward compatible and leverage feature toggles.
46) Why might an application fail to read a destination at runtime, and how do you fix it?
Answer: Missing instance/binding, wrong destinationName, insufficient scopes (uaa.user/destination scopes), or subaccount vs. instance confusion—correct and redeploy.
47) What checks should you perform when on-premise calls fail through Cloud Connector?
Answer: Connector status, system mapping/whitelists, principal propagation trust, destination proxy type = OnPremise, and reachable internal host/port.
48) What causes “audience” or “scope” errors in JWT validation, and how are they resolved?
Answer: Mismatched xsappname/audience, wrong XSUAA instance, or missing role collections. Align app/router XSUAA, assign roles, and redeploy.
49) How do you resolve data access issues for a newly onboarded tenant in a multitenant CAP app?
Answer: Ensure onboarding created HDI/container and bindings, verify tenant context in JWT, run health checks/migrations, and re-provision if needed.
50) How should you remediate an MTA deployment that fails due to missing entitlements or quotas?
Answer: Allocate required entitlements/quotas to the subaccount, ensure plan availability in the region, retry service instance creation, then redeploy.