https://help.sap.com/docs/btp/best-practices/setting-up-authentication
According to slide 20 of the SAP S/4HANA Cloud 3-system landscape - Onboarding Guide, SAP recommends connecting the non-productive IAS to the non-productive S/4HANA Cloud environments and the productive IAS to the productive S/4HANA Cloud environment and CALM.
Unfortunately, we cannot find any clear recommendation for the IAS setup for BTP. Do you recommend the same setup here (non-productive IAS for non-productive subaccounts, productive IAS for productive accounts)? Even for dev or test environments, we work with ‘productive’ identities. For this reason and from our point of view, these subaccounts should be connected to a productive IAS or at least the productive Azure AD. In our experience, the non-productive AD is usually just used for internal testing purposes and never connected to any enterprise applications.
If this is SAP’s recommendation, this also means that the configuration effort for groups and group assignments doubles compared to the setup of just using the productive IAS for all subaccounts that we usually see. Or is there any transport mechanism for delta changes planned from one IAS to another that could reduce these efforts? Alternatively, the groups could be assigned in AD, but to our understanding SAP’s strategic recommendation is to assign the groups in the IAS and not in AD. Is this correct?