SAP Knowledge Base Article - Public

3714710 - Restricting public internet access to SAP Datasphere tenant URL

Symptom

You need clarification on whether the SAP Datasphere tenant URL (UI endpoint) can be restricted from being publicly reachable via the internet.

Environment

SAP Datasphere

Cause

SAP Datasphere is delivered as a cloud service product and is designed as a publicly reachable HTTPS endpoint. Access control is enforced at the authentication and authorization layer rather than by restricting network reachability of the tenant URL.

Resolution

Today, SAP Datasphere tenant URLs are public HTTPS endpoints.
By design, the SAP Datasphere UI and endpoints are publicly reachable over the internet via a standard URL (e.g., <yourTenant>.<region>.cloud.sap). There is no native SAP Datasphere feature to completely hide or block the public access endpoint at the network edge as of current releases.

SAP’s official documentation and administrative guides do not include a mechanism for removing the public internet exposure of the UI URL itself. Access control is instead enforced at the application and authentication/authorization layer (roles, SSO, identity provider).

There is currently:

  • No supported mechanism to disable public DNS resolution of the tenant URL.
  • No supported feature to make the UI endpoint private or accessible only through a customer network.
  • No configuration option to restrict the frontend endpoint to specific source IP ranges.

SAP Datasphere does not provide:

  • Native IP allow-listing for inbound UI access
  • Network-level firewall configuration for the tenant frontend
  • Tenant-specific network isolation for the UI

Inbound access protection is handled through:

  • Authentication (IAS / corporate IdP via SAML or OIDC)
  • Role-based authorization within the tenant

Customers may implement conditional access policies at the Identity Provider (e.g., Azure AD Conditional Access, Okta network zones) to restrict login attempts based on IP range, device compliance, or geographic location. This restricts authentication but does not remove public network reachability of the URL.

Tenant-level network isolation of the SAP Datasphere frontend is not available as a supported feature at this time.

The security model instead relies on:

  • Secure HTTPS access
  • Strong authentication (SSO, MFA)
  • Authorization controls
  • Audit logging

For security best practices, SAP recommends:

  • Enabling SAML SSO with corporate Identity Provider
  • Enforcing MFA at the IdP level
  • Implementing conditional access policies
  • Reviewing role assignments and least-privilege access
  • Monitoring audit logs
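
Because an IdP conditional access policy restricts authentication but the URL stays reachable, sign-in records are where a gap in that policy shows up. The following check is an added example, not SAP code or part of the original article: it flags sign-in events whose source address falls outside the ranges the policy is meant to allow. The event field names, the addresses and the sample records are constructed assumptions, not an SAP Datasphere or IdP export format.

```python
import ipaddress
from collections import defaultdict

# Assumption: corporate egress ranges the IdP conditional access policy allows.
# Documentation-range addresses, constructed for this example.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed sample sign-in events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T08:01:12Z", "user": "alice", "ip": "198.51.100.23", "result": "success"},
    {"time": "2025-01-10T08:05:40Z", "user": "bob", "ip": "203.0.113.77", "result": "failure"},
    {"time": "2025-01-10T08:05:52Z", "user": "bob", "ip": "203.0.113.77", "result": "success"},
    {"time": "2025-01-10T09:14:03Z", "user": "carol", "ip": "2001:db8:10:4::9", "result": "success"},
    {"time": "2025-01-10T09:30:00Z", "user": "dave", "ip": "not-an-ip", "result": "failure"},
]

def in_allowed_range(ip_text):
    """Return True/False for a parseable address, None if it cannot be parsed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    # Compare only against networks of the same IP version.
    return any(addr.version == net.version and addr in net for net in ALLOWED_RANGES)

def review_sign_ins(events):
    """Group sign-in events from outside the allowed ranges by user.

    A successful sign-in from outside the ranges means the conditional access
    policy did not apply to that login; unparseable addresses are reported too.
    """
    findings = defaultdict(list)
    for ev in events:
        allowed = in_allowed_range(ev["ip"])
        if allowed:
            continue
        if allowed is None:
            kind = "unparseable_ip"
        elif ev["result"] == "success":
            kind = "success_outside_allowed_ranges"
        else:
            kind = "failed_outside_allowed_ranges"
        findings[ev["user"]].append((ev["time"], ev["ip"], kind))
    return dict(findings)

if __name__ == "__main__":
    for user, items in review_sign_ins(SAMPLE_EVENTS).items():
        for when, ip, kind in items:
            print(f"{user}: {kind} from {ip} at {when}")
```

A "success_outside_allowed_ranges" finding is the one to investigate first, since it indicates a login path that the IdP policy did not cover.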

If stricter network-level isolation is required by policy, customers may submit a feature request via the SAP Influence Portal.

Keywords

KBA, DS-SEC, Security (Users, Roles), DS-SEC-AUTN, Authentication: SSO/SAML, OAuth Client, Problem

Product

SAP Datasphere 1.0