For applications based on SAP Cloud Platform to participate in integration scenarios of the Intelligent Enterprise, the aspect of multitenancy must be decoupled from the aspect of subaccounts. Both aspects can have different IDs. The subaccount ID still identifies the subaccount. The new zone ID identifies the tenant for data isolation and for identity and access management.
Application developers must prepare their applications for this separation by using the correct ID. For now, subaccount and zone IDs remain identical. IDs will be different for newly created subaccounts in the future.
Single-tenant applications are typically not affected, since they don’t need to isolate the data of different tenants.
Multitenant applications must adapt by using the zone ID instead of the subaccount ID as the key for data isolation between tenants. For that purpose, the security client libraries offer a new getZoneId() method, which reflects the zid claim in access tokens. Use this method instead of the getSubaccountId() method.
Commercialized multitenant applications that need metering and billing must still use the existing getSubaccountId() method as the identifier for the account to be billed. This identifier reflects the ext_attr.subaccountid claim in access tokens.
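The following added example (not code from the SAP security client libraries) shows the split described in the two paragraphs above: data is isolated by the zid claim, while usage is metered against ext_attr.subaccountid. It assumes the claims dictionary comes from a token the security library has already validated; TenantStore, ClaimError, the sample claim values and the choice to reject a token without zid rather than fall back to the subaccount ID are assumptions of this sketch.

```python
from collections import defaultdict

class ClaimError(ValueError):
    """A required claim is missing from the (already validated) token."""

def zone_id(claims: dict) -> str:
    # Tenant key for data isolation: top-level claim "zid".
    zid = claims.get("zid")
    if not isinstance(zid, str) or not zid:
        # Fail closed: never fall back to the subaccount ID as isolation key.
        raise ClaimError("token has no zid claim")
    return zid

def subaccount_id(claims: dict) -> str:
    # Account to be billed: nested claim "ext_attr.subaccountid".
    ext = claims.get("ext_attr")
    sub = ext.get("subaccountid") if isinstance(ext, dict) else None
    if not isinstance(sub, str) or not sub:
        raise ClaimError("token has no ext_attr.subaccountid claim")
    return sub

class TenantStore:
    """Hypothetical in-memory store: rows keyed by zone, usage by subaccount."""

    def __init__(self):
        self._rows = defaultdict(dict)   # zone ID -> {key: value}
        self.usage = defaultdict(int)    # subaccount ID -> metered calls

    def _scope(self, claims: dict) -> dict:
        # Resolve both IDs before touching any state, so a bad token
        # neither reads data nor gets metered.
        zone, account = zone_id(claims), subaccount_id(claims)
        self.usage[account] += 1
        return self._rows[zone]

    def put(self, claims: dict, key: str, value) -> None:
        self._scope(claims)[key] = value

    def get(self, claims: dict, key: str):
        return self._scope(claims).get(key)

# Constructed claim sets; note that zid and subaccountid differ per tenant.
TENANT_A = {"zid": "zone-a", "ext_attr": {"subaccountid": "subacct-1"}}
TENANT_B = {"zid": "zone-b", "ext_attr": {"subaccountid": "subacct-2"}}
```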
For more information about our security client libraries, see Tutorials for Authorization and Trust Management.