SAP BTP Cockpit: A Developer's Guide

The SAP BTP Cockpit is the web-based administration interface for SAP Business Technology Platform. If you build, deploy, or operate anything on BTP — Cloud Foundry applications, Kyma workloads, ABAP Environment systems, subscribed SaaS services — the cockpit is where you manage the accounts, entitlements, security, connectivity, and applications that make it run. This guide walks through what the cockpit is, its key sections, the day-to-day tasks developers and admins perform there, how it compares to the CLI alternatives, and how AI assistants can speed up BTP administration when given the right context.

How to Log In to the SAP BTP Cockpit

To access the SAP BTP cockpit:

1. Navigate to https://cockpit.<region>.hana.ondemand.com (e.g., https://cockpit.eu10.hana.ondemand.com for EU10).
2. Sign in with your SAP ID (the same S-user or P-user account you use for other SAP portals).
3. If your organization uses a custom identity provider (IdP) configured through SAP Cloud Identity Services, you will be redirected to your corporate login page.
4. After authentication, you land on your global account overview.

If you do not have an SAP account yet, you can register for free at https://account.sap.com and then either start a BTP trial or create a Pay-As-You-Go account to access the cockpit.

What is the SAP BTP Cockpit?

BTP is structured as a hierarchy: a global account (your commercial contract and top-level container) holds directories (optional grouping layer) and subaccounts. Each subaccount can host one or more environments — Cloud Foundry (with spaces and orgs), Kyma (Kubernetes-based), or the ABAP Environment. Entitlements (the right to use a service or runtime, measured in plans and quotas) are assigned at the subaccount level.

The cockpit is the primary UI for working with that hierarchy. It authenticates against your SAP Cloud Identity Services tenant and exposes every BTP administrative action: creating subaccounts, subscribing to multitenant services, creating service instances, assigning role collections, configuring destinations, and monitoring deployed applications. Every action is also available through the btp CLI or the relevant environment CLI (cf for Cloud Foundry, kubectl for Kyma), making the cockpit the human-facing surface of an API-driven platform.

Key Sections

Once you sign in, the cockpit organizes functionality into a handful of areas that every BTP developer should know.

Account Explorer

The top-level navigation shows your global account, directories, and subaccounts in a tree. From here you create subaccounts, move them between directories, and drill into a subaccount to manage its resources. The account structure you build here determines how entitlements, costs, and access are partitioned.

Subaccount Overview

Inside a subaccount, the overview shows enabled environments, assigned entitlements, usage against quotas, and quick links to Cloud Foundry/Kyma/ABAP administration. This is where you enable an environment for the subaccount (for example, enabling Kyma with a chosen cluster plan).

Services Marketplace and Instances

The Service Marketplace lists every service available to the subaccount based on its entitlements — HANA Cloud, Destination Service, Connectivity Service, AI Core, Datasphere, and hundreds of others. From here you create service instances (a provisioned, usable instance of a service plan) and service bindings (the credentials an application uses to talk to that instance). This is the BTP equivalent of provisioning a database or queue in any cloud platform.

Applications

For Cloud Foundry subaccounts, this section lists deployed applications by space, shows their state (started, stopped, crashed), instance counts, memory, and route URLs, and lets you start, stop, restart, and scale them. Logs and recent events are accessible inline. For Kyma, the link jumps to the Kyma dashboard where you manage workloads, services, and API rules.

Security

The Security section is where BTP's authorization model comes together:

• Users — members assigned to the subaccount or space, mapped to SAML/OIDC users from your identity provider.
• Role Collections — bundles of roles assigned to users. This is the unit of authorization in BTP. Examples: CloudConnectorAdministrator, XS.AuthorizationDataViewer, or service-specific collections like AIAPIScenarioUser.
• Roles — granular permissions, typically defined by service providers via XSUAA or AMS, bundled into role collections.
• Trust Configuration — the identity provider(s) the subaccount trusts (SAP Cloud Identity Services by default; you can federate corporate IdPs).

Connectivity

This section holds Destinations — reusable connection definitions (URL, authentication, additional properties) that BTP applications and services use to reach remote systems. Destinations support Basic auth, OAuth 2.0, Client Credentials, Principal Propagation (for user-flow propagation to on-premise systems via Cloud Connector), and more. Well-configured destinations let a CAP app or SAPUI5 frontend call an S/4HANA OData service without hardcoding credentials.

Common Administration Tasks

A short list of cockpit tasks covers most day-to-day BTP work:

1. Create a subaccount for a new project or environment (region, subdomain, org).
2. Assign entitlements — move quota for a service plan (for example, hana-cloud: hana: 1) from the global account to the subaccount.
3. Subscribe to a service — multitenant SaaS apps (SAP Build, Integration Suite, Datasphere) are subscribed rather than instantiated.
4. Create service instances — provision HANA Cloud, Destination Service, XSUAA, AI Core, etc., for your applications to bind to.
5. Assign role collections to users — grant access. Without this step a user can log in but cannot do anything.
6. Configure destinations — point applications at backend systems with the right auth scheme.
7. Deploy and monitor applications — push MTA archives, view logs, scale instances.

For repeatable setups (spinning up parallel dev/test/prod subaccounts, or onboarding a new team), these steps are almost always automated with the btp CLI rather than clicked through the UI.

Cockpit vs CLI

The cockpit is excellent for exploration, one-off changes, and visual monitoring, but does not scale to repeatable or audited operations. BTP provides complementary CLI tools:

• btp CLI (SAP BTP command-line interface) — automates account-level operations: subaccounts, entitlements, subscriptions, environment enablement, role collection assignment, and service instance/binding management. Right tool for provisioning scripts and CI/CD setup steps.
• cf CLI (Cloud Foundry CLI) — operates inside a Cloud Foundry environment: cf push, cf create-service, cf bind-service, cf logs. Used for application lifecycle and CF service instances.
• kubectl — for Kyma environments, native Kubernetes operations on workloads, CRDs, and API rules.

A typical workflow mixes all three: btp to create the subaccount and assign entitlements, cf to deploy the application and bind services, and the cockpit to spot-check configuration or hand off a visual to a reviewer.

AI-Assisted BTP Administration

BTP's authorization model (role collections vs. roles vs. scopes), entitlement mechanics, and destination configuration have a lot of SAP-specific detail that generic assistants get wrong: invented role names, incorrect OAuth grant types for Principal Propagation, or confused service-instance vs. subscription flows. Skill context fixes that.

A BTP-focused skill gives an assistant:

• Correct entitlement and quota terminology (plan, quota, assigned vs. available).
• The role collection model and how XSUAA scopes map to roles.
• Destination configuration patterns including Principal Propagation, Cloud Connector, and the WebIDEUsage/HTML5.DynamicDestination properties that SAPUI5 and CAP rely on.
• CLI command shape for btp and cf so generated scripts actually run.

Install the relevant skills to give your assistant accurate BTP context:

npx skills add secondsky/sap-skills --skill sap-btp-cloud-platform
npx skills add secondsky/sap-skills --skill sap-btp-best-practices
npx skills add secondsky/sap-skills --skill sap-btp-connectivity

With these loaded, an assistant can reliably scaffold entitlement scripts, draft destination configurations for Principal Propagation, generate role collection assignments, and explain why a service binding is missing scopes — turning the cockpit from a click-heavy UI into something you can reason about and automate with confidence.