| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link |
Introduction
Purpose
The purpose of this document is to outline the application architecture of SAP Cloud Integration as deployed by SyWayScope & Objectives
This document will describe the high-level architecture of the SAP Cloud Integration application.
Out of Scope:
- Since SAP Cloud Integration is a SaaS application, network and infrastructure architecture will NOT be covered.
- Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
- Implementation details such as Integration Design or API Management Design may have different architectures.
Requirements
| Requirement Identifier | Requirement Description |
|---|---|
Application Architecture
Overview
Application Architecture Design
Application Architecture Components
| Component | Acronym | Description |
|---|---|---|
| Business Accelerator Hub | Business Accelerator is a centralized resource for developers and partners to build integrations and extensions for SAP solutions, access pre-built integration content, and accelerate digital transformation efforts. The key features of the hub is enabling the discovery of API, ability to use existing integration content provided by SAP and partners. | |
| Cloud Integration | CI, CPI | Formally known as Hana Cloud Integration (HCI), CI is the core capability enabling the integration design and execution wtih SAP and non-SAP, cloud, and on-premise applications. CI enables Integration design via web based User Interface, providing orchestration of integration processes, connectivity to SAP, non-SAP, Cloud and On-Premise systems and Data Transformation. |
| API Management | APIM | APIM provides governance, security and monitoring of API, enabling exposure, management and monetization of APIs. APIM brings together all components necessary to expose and consume APIs providing capabilities for complete lifecyle of APIs, including, discovery, security, mediation, traffic management, analytics and documentation. |
| Event Mesh ( & Advanced Event Mesh ) | EM ( & AEM ) | EM provides the core infrastructure for enterprise-grade broker for event-driven architecture. It allow asynchronous communication between SAP and non-SAP. |
| Open Connectors | A Central Hub to access configurable connectors for over 170 non-SAP applications through harmonised APIs, enabling simplification and acceleration of integrations. | |
| Integration Advisor & Trading Partner Management | IAE & TPM | IAE & TPM accelerate the development of business-oriented interfaces and mappings, generate runtime artifacts quickly, and significantly reduce efforts. Combined with AI-assisted tool for mapping and defining message interfaces, it provides industry-specific content based on standards like EDI, cXML, and assists in accelerated B2B/EDI mapping activity. A Central cockpit provides the ability centrally manage trading partner relationships. |
| Integration Assessment | Integration Assessment capability is a methodology and toolset for deciding when to use different integration techniques and patterns and provides guidance on integration strategy and helps standardize integration patterns across projects. | |
| Migration Assessment | Migration Assessment is helps organizations transition from legacy SAP Process Orchestration environments. | |
| Graph | Graph provides the ability centralise and manage APIs to provide a unified Enterprise API exposing data from multiple SAP sources |
Application Security
User Access
User Access to Integration Suite is via Web, and limited to technical user (developers, system administrators, support teams etc).
Authentication
- User Authentication to Cloud Integration is via Single Sign-on (SSO) using Syensqo EntraID federated to IdP. Username and Password logon are not permitted.
- System Authentication options include
- OAuth 2.0 - access tokens issued via XSUAA
- Basic Authentication
- Cloud Connector - for outbound traffic from Cloud Integration to On-Premise system - provides a TLS connection and authenticates via Principle Propagation
Authentication Flow
User accesses CPI tenant URL
- The request gets redirected to SAP IdP configured in SAP BTP subaccount for Cloud Integration
User is re-directed to Corporate Identity Provider (IdP) logon page - Microsoft
User authenticates to Microsoft using EntraID, if not already authenticated.
IdP validates and issues SAML 2.0 assertion back to BTP
SAP BTP maps the Role Collections assigned to the User
User accesses Cloud Integration
Authorisation
Standard Roles and Role Collections are assigned for User Access to Cloud Integration Components. Roles are assigned via SAP BTP Cockpit
| System | Administrator | Developer | General Access |
|---|---|---|---|
| Cloud Integration | PI_Administrator | PI_Integration_Developer | PI_Read_Only, PI_Business_Expert |
| API Management | APIPortal.Administrator, APIManagement.SelfService.Administrator, AuthGroup.SelfService.Admin, AuthGroup.API.Admin | APIPortal.Configurator, APIPortal.Developer, APIPortal.Tester, APIPortal.Service.CatalogIntegration | APIPortal.Guest |
Communication Security
For System-to-system communication, all data transfers are encrypted via a suitable mechanism - for example:
- HTTP Adapter which uses TLS 1.2 as the standard (HTTPS)
- FTP Adapter which uses SSH-2 (SFTP)
Data Security
SAP data centers are certified to comply with global security standards, such as ISO/IEC 27001 and SOC 2. We implement stringent security measures including encryption, 24/7 monitoring, and regular audits.Other Controls
System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services).System Landscape
Development Environment
https://syw-itg-dev-eu20.authentication.eu20.hana.ondemand.comProject Test Environment
TBA. FIGAF compositeQuality Environment
TBA FIGAF compositeProduction Environment
TBAOperation Architecture
Change and Configuration Management
Transport Management
Transporting code using the Figaf Tool for SAP Integration Suite involves a structured process that leverages its DevOps and change tracking capabilities.
1. Landscape Setup:
Configure Landscapes:
Define your system landscapes (e.g., Development, QA, Production) within Figaf's Configuration -> Landscapes page. Specify details like platform, automatic transport lookup, and landscape items.Synchronize Systems:
Synchronize your source system (e.g., your development environment) with Figaf to capture the current state of your integration objects.
- Generate Ticket: Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes.
3. Attach and Track Objects:
Attach Tracked Objects:
Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport.Include Dependencies:
Use the "Attach all dependent objects" feature to ensure all necessary related objects are included in the transport.
4. Initiate Transport:
- Start Transport: Click the "Start transport" button. Figaf will then prepare the transport package for deployment.
5. Import and Verification:
Synchronize Target System:
Synchronize your target system (e.g., your QA or production environment) with Figaf.Automated Import Check:
Figaf automatically checks the import status of the transports after synchronization. The transport status will update to "IMPORTED" once successfully processed.
6. Resolve Ticket
- Resolve Ticket: Once the transport is complete and verified, you can resolve the development ticket in Figaf.
Key Features Facilitating Transport:
Version Control:
Figaf tracks changes to integration objects, allowing you to compare versions and understand modifications.Approval Workflows:
Implement approval processes within Figaf before transports are moved to higher environments.Testing Integration:
Leverage Figaf's testing capabilities to create and execute tests on your transported code, ensuring functionality after deployment.Virtual Tenants (for CPI):
Utilize virtual tenants for environments like QA, allowing reuse of development systems while maintaining governance through prefixes/postfixes and avoiding unnecessary deployments of certain objects like value mappings.
Release Management
SAP controllledMonitoring
Standard Monitoring
FIGAF
Application Monitoring
System Monitoring
SAP System Monitoring - CALM and other common componentsSizing
SAP monitors system load and utilization, and proactively scales up capacity during release deployment.High Availability
deployed across multiple availability zones with the following SLA:
- RPO - 4h
- RTO - 24h
Disaster Recovery
SAP data centers are designed with redundancy and disaster recovery plans to help ensure business continuity. In the event of an outage, data and services are automatically rerouted to other operational centers.Backup/Restore
SAP performs full backups with the following schedule to meet SAP's recovery point objective.
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |
Maintenance Plan
Weekly Maintenance Windows for SAP Cloud Services – Standard Windows SAP weekly standard maintenance windows are scheduled as listed below for the Cloud Services in this section: Start Time in UTC per region MENA FRI 7 pm UTC APJ SAT 3 pm UTC Europe: SAT 10 pm UTC Americas SUN 4 am UTC The above-mentioned maintenance windows define the maximum scheduled downtime from which certain cloud services consume only partially
SAP Cloud Platform API Management SAP Cloud Platform Integration 2 Hours
Major Maintenance
Up to 4 times per year: APJ: FRI 2 pm – FRI 6 pm UTC Europe: FRI 10 pm – SAT 2 am UTC Americas: SAT 4 am – SAT 8 am UTC
Service Introduction
Application Category
Support Team
Skill required
SAP SCPI Developers, ArchitectsChecklist
Exceptions
See also
Change log
Workflow history
| Title | Last Updated By | Updated | Status | |
|---|---|---|---|---|
| There are no pages at the moment. | ||||