| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link |
Introduction
SyWay adopts SAP Business Technology Platform (BTP) as the foundation to integrate, extend, and operate the programme’s SAP landscape. This document establishes a concise, region-agnostic application-architecture baseline that explains how the in-scope BTP services are organised into accounts and subaccounts, aligned to environments, and governed by platform-level guardrails for connectivity, security, operations, and lifecycle management. It is intended for Technical Architects and Operations.
Purpose
The purpose of this document is to provide a single, self-contained design baseline for SyWay’s BTP application architecture. It defines the target tenancy and placement model, high-level connectivity patterns (including the use of Destinations and Cloud Connector), the operational monitoring posture, and essential platform conventions such as naming and tagging. The document sets reusable guardrails to drive consistent design and operations, while intentionally excluding product-level configuration and detailed control frameworks handled elsewhere.
Scope & Objectives
This document applies to the following BTP services: SAP Integration Suite (including API Management), Forms Service by Adobe, SAP Process Integration Runtime, SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, SAP Business Application Studio (BAS), SAP Cloud Transport Management, ActiveControl – UI, Cloud Identity (IAS and IPS), SAP Secure Login Service for SAP GUI, Identity Access Governance (IAG), SAP Datasphere, SAP Profitability and Performance Management Cloud (PaPM Cloud), Sustainability Footprint Management (SFM), Sustainability Control Tower, Green Ledger, Asset Performance Management, Group Reporting Data Collection, Advanced Financial Closing, SAP Risk and Assurance Management, SAP Business Network Global Track & Trace (GTT), Audit Log Viewer, Personal Data Manager, Authorization Apps for Freight Collaboration, Carrier Apps for Freight Collaboration, and Document Reporting Compliance (DRC). Within scope are the account/subaccount model and environment alignment, high-level connectivity and communication-security patterns, the monitoring/observability approach, and platform naming/tagging conventions required for SyWay—kept region-agnostic by design.
The objectives are to establish a consistent placement and operating baseline for the listed services, standardise platform connectivity and monitoring so delivery and run activities are predictable, and define concise guardrails that reduce ambiguity without duplicating service-specific detail. Out of scope are product-level configuration parameters, detailed identity/authorisation policy design, transport workflow specifics, business process design, and compliance framework mapping.
Key Decisions and Requirements
| Description | Rationale |
|---|---|
Identity & provisioning via region-specific IAS, federated to Microsoft Entra ID; IPS (connectivity plan) co-hosted with IAG | Ensures consistent SSO and policy enforcement per region while keeping sensitive provisioning under IAG governance and within plan limits. |
Encrypt in transit for all channels (HTTPS/TLS for web; SNC for SAP GUI/RFC) | Provides uniform confidentiality and integrity across user and system interfaces; removes weak protocol/cipher exposure. |
Standardised connectivity via SAP Cloud Connector (1× for non-prod; 2× HA for prod; Location IDs per connector; virtual hosts not publicly resolvable; secure Destinations with OAuth2/mTLS and principal propagation) | Delivers controlled, auditable access to back-ends, improves resilience for production, and avoids embedded credentials while preserving user identity end-to-end. |
Tenancy segmentation: three BTP global accounts with environment-specific subaccounts per domain | Maintains regional/environment isolation, aligns with service availability, and limits blast radius for changes. |
Monitoring baseline: SAP Cloud ALM as primary pane; Alert Notification and Audit Log Service as supporting controls | Centralises health, exceptions, and alerts while retaining product consoles for deep diagnostics; improves operational response and evidencing. |
Service placement conventions: co-host Work Zone + Task Center + BPA + Build Code + BAS per environment; co-locate Datasphere + PaPM Cloud in the analytics subaccount | Reduces cross-trust and latency, simplifies content federation and identity mappings, and streamlines connectivity and operations for analytics. |
Document Reporting Compliance (DRC) routing: DEV may connect to multiple S/4HANA back-ends; PRD connects to three production S/4HANA systems (Europe, China, US) | Supports multi-region compliance scenarios in production while retaining flexible integration/testing patterns in development. |
Application Architecture
Overview
SyWay’s SAP BTP landscape is organised into global accounts with environment-aligned subaccounts (DEV, INT, UAT, PAR, TRG, PRD), establishing clear tenancy boundaries for the in-scope services referenced in the BTP account model and enabling predictable deployment and operations without duplicating product-level detail. The design remains region-agnostic and centres on consistent placement and isolation across environments, with all services running on the SAP BTP Cloud Foundry runtime. Platform health and alerting are monitored centrally through SAP Cloud ALM, while service-specific patterns and placements are detailed in the Application Architecture Components section.
BTP Global Account & Subaccount Model
Runtime: Cloud Foundry (CF) for all subaccounts
Naming: syw-<area>-<env>-<region> (e.g., syw-itg-uat-eu20)
Environment codes: dev, int, uat, par, trg, prd
Europe — Global Account: Syensqo Main.
Account ID: 59549222-81b5-4701-afde-9a23643d0b00
Regions used: EU20 (Azure Europe – Netherlands), EU10 (AWS Europe – Frankfurt)
| Directory/Domain | Services | Region | Development Subaccount | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration (itg) | Integration Suite(API Management), Forms Service by Adobe, SAP Process Integration Runtime | EU20 | syw-itg-dev-eu20 | — | syw-itg-uat-eu20 | — | — | syw-itg-prd-eu20 |
| /SyWay/Shared Svcs / User Interface (ui) | SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, BAS | EU20 | syw-ui-dev-eu20 | syw-ui-int-eu20 | syw-ui-uat-eu20 | syw-ui-par-eu20 | syw-ui-trg-eu20 | syw-ui-prd-eu20 |
| /SyWay/Shared Svcs / Deployment Mgmt (dep) | SAP Cloud Transport Management, ActiveControl -UI | EU20 | syw-dep-dev-eu20 | — | — | — | — | syw-dep-prd-eu20 |
| /SyWay/Shared Svcs / Identity Mgmt (sec) | Cloud Identity (IAS and IPS), SAP Secure Login Service for SAP GUI | EU20 | syw-sec-dev-eu20 | — | syw-sec-uat-eu20 | — | — | syw-sec-prd-eu20 |
| /SyWay/Shared Svcs / IAG (iag) | Identity Access Governance (IAG) | EU10 | syw-iag-dev-eu10 | — | syw-iag-uat-eu10 | — | — | syw-iag-prd-eu10 |
| /SyWay/Analytics (ana) | Datasphere, PaPM Cloud | EU20 | syw-ana-dev-eu20 | — | syw-ana-uat-eu20 | — | — | syw-ana-prd-eu20 |
| /SyWay/Sustainability (sus) | Sustainability Footprint Management(SFM), Sustainability Control Tower, Green Ledger | EU20 | syw-sus-dev-eu20 | — | syw-sus-uat-eu20 | — | — | syw-sus-prd-eu20 |
| /SyWay/Asset Performance Mgmt (apm) | Asset Performance Management | EU20 | syw-apm-dev-eu20 | syw-apm-int-eu20 | syw-apm-uat-eu20 | — | — | syw-apm-prd-eu20 |
| /SyWay/Finance (fin) | Group Reporting Data Collection, Advanced Financial Closing, SAP Risk and Assurance Management | EU10 | syw-fin-dev-eu10 | — | syw-fin-uat-eu10 | — | — | syw-fin-prd-eu10 |
| /SyWay/Logistics (gtt) | SAP Business Network Global Track and Trace(GTT), Audit Log Viewer, Personal Data Manager, Authorization Apps for Freight Collaboration,Carrier Apps for Freight Collaboration | EU10 | syw-gtt-dev-eu10 | — | — | — | — | syw-gtt-prd-eu10 |
| /SyWay/Document Reporting Compliance (drc) | Document Reporting Compliance | EU10 | syw-drc-dev-eu10 | — | — | — | — | syw-drc-prd-eu10 |
China — Global Account: Syensqo China
Account ID: (To be provisioned )
Region used: CN20 (Azure China North 3 – Hebei)
| Directory/Domain | Services | Region | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration (itg) | Integration Suite, API Management, Forms Service by Adobe | CN20 | — | syw-itg-uat-cn20 | — | — | syw-itg-prd-cn20 |
| /SyWay/Shared Svcs / User Interface (ui) | SAP Build Work Zone, SAP Task Center | CN20 | syw-ui-int-cn20 | syw-ui-uat-cn20 | syw-ui-par-cn20 | syw-ui-trg-cn20 | syw-ui-prd-cn20 |
| /SyWay/Shared Svcs / Identity Mgmt (sec) | Cloud Identity (IAS and IPS) | CN20 | — | syw-sec-uat-cn20 | — | — | syw-sec-prd-cn20 |
| /SyWay/Asset Performance Mgmt (apm) | Asset Performance Management | CN20 | syw-apm-int-cn20 | syw-apm-uat-cn20 | — | — | syw-apm-prd-cn20 |
United States Sovereign — Global Account: Syensqo USA
Account ID: (To be provisioned )
Region used: USG (SAP NS2 – US Gov)
| Directory/Domain | Services | Region | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration (itg) | Integration Suite, API Management, Forms Service by Adobe | USG | — | syw-itg-uat-usg | — | — | syw-itg-prd-usg |
| /SyWay/Shared Svcs / User Interface (ui) | SAP Build Work Zone, SAP Task Center | USG | syw-ui-int-usg | syw-ui-uat-usg | syw-ui-par-usg | syw-ui-trg-usg | syw-ui-prd-usg |
| /SyWay/Shared Svcs / Identity Mgmt (sec) | Cloud Identity (IAS and IPS) | USG | — | syw-sec-uat-usg | — | — | syw-sec-prd-usg |
| /SyWay/Asset Performance Mgmt (apm) | Asset Performance Management | USG | syw-apm-int-usg | syw-apm-uat-usg | — | — | syw-apm-prd-usg |
Application Architecture Design
Application Architecture Components
Conventions (component-level)
• UI co-hosting: SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, and BAS are co-hosted within the User Interface subaccount per environment to simplify content federation and reduce cross-trust overhead.
• Analytics co-location: SAP Datasphere and PaPM Cloud are co-located in the Analytics subaccount per environment to share runtime and streamline connectivity.
Identity & Access
Cloud Identity Services – IAS / IPS
• Purpose: Single sign-on and identity provisioning for BTP services.
• Placement (subaccount codes):
• EU20: syw-sec-dev-eu20, syw-sec-uat-eu20, syw-sec-prd-eu20
• CN20: syw-sec-uat-cn20, syw-sec-prd-cn20
• USG: syw-sec-uat-usg, syw-sec-prd-usg
• Dependencies / back-ends: Microsoft Entra ID; S/4HANA provisioning via IPS connectors.
Identity Access Governance (IAG)
• Purpose: Access request workflows, SoD analysis, and provisioning governance.
• Placement: EU10: syw-iag-dev-eu10, syw-iag-uat-eu10, syw-iag-prd-eu10
• Dependencies / back-ends: S/4HANA; Cloud Identity Services (IAS/IPS).
SAP Secure Login Service (SLS) for SAP GUI
• Purpose: SNC-based secure access for SAP GUI/RFC.
• Placement: EU20: syw-sec-*-eu20 (as above)
• Dependencies / back-ends: SAP GUI/RFC endpoints on S/4HANA and related SAP systems.
Integration
SAP Integration Suite (incl. API Management)
• Purpose: Message-based integrations and governed API exposure.
• Placement:
• EU20: syw-itg-dev-eu20, syw-itg-uat-eu20, syw-itg-prd-eu20
• CN20: syw-itg-uat-cn20, syw-itg-prd-cn20
• USG: syw-itg-uat-usg, syw-itg-prd-usg
• Dependencies / back-ends: S/4HANA; partner/SaaS endpoints.
Forms Service by Adobe
• Purpose: PDF form rendering for business processes.
• Placement: co-resident with Integration (see syw-itg- subaccounts above).
• Dependencies / back-ends: Form templates; S/4HANA services.
SAP Process Integration Runtime (PIR)
• Purpose: Runtime for retained PI scenarios.
• Placement: co-resident with Integration (see syw-itg- subaccounts above).
• Dependencies / back-ends: S/4HANA; legacy SAP endpoints.
User Interface & Experience
SAP Build Work Zone; SAP Task Center; SAP Build Process Automation (BPA); SAP Build Code; SAP Business Application Studio (BAS)
• Purpose: Unified workspace, work-item aggregation, process automation, low-code development, and cloud IDE.
• Placement:
• EU20: syw-ui-dev-eu20, syw-ui-int-eu20, syw-ui-uat-eu20, syw-ui-par-eu20, syw-ui-trg-eu20, syw-ui-prd-eu20
• CN20: syw-ui-int-cn20, syw-ui-uat-cn20, syw-ui-par-cn20, syw-ui-trg-cn20, syw-ui-prd-cn20
• USG: syw-ui-int-usg, syw-ui-uat-usg, syw-ui-par-usg, syw-ui-trg-usg, syw-ui-prd-usg
• Dependencies / back-ends: BTP apps and S/4HANA (tiles/URLs); BPA connectors and repositories for Build Code/BAS.
Platform & Deployment
SAP Cloud Transport Management (cTMS); ActiveControl – UI
• Purpose: Centralised orchestration of BTP artefact promotions; change visualisation.
• Placement: EU20: syw-dep-dev-eu20, syw-dep-prd-eu20
• Dependencies / back-ends: Source/target BTP subaccounts and SAP change tooling.
Data & Analytics
SAP Datasphere; PaPM Cloud
• Purpose: Data integration/modeling and profitability/performance calculations.
• Placement: EU20: syw-ana-dev-eu20, syw-ana-uat-eu20, syw-ana-prd-eu20
• Dependencies / back-ends: S/4HANA connections; shared HANA Cloud runtime; Datasphere–PaPM integration objects.
Sustainability & Asset
Sustainability Footprint Management (SFM); Sustainability Control Tower (SCT); Green Ledger
• Purpose: Sustainability data capture, analytics, and accounting.
• Placement: EU20: syw-sus-dev-eu20, syw-sus-uat-eu20, syw-sus-prd-eu20
• Dependencies / back-ends: S/4HANA and sustainability data sources.
Asset Performance Management (APM)
• Purpose: Asset health, reliability, and performance management.
• Placement:
• EU20: syw-apm-dev-eu20, syw-apm-int-eu20, syw-apm-uat-eu20, syw-apm-prd-eu20
• CN20: syw-apm-int-cn20, syw-apm-uat-cn20, syw-apm-prd-cn20
• USG: syw-apm-int-usg, syw-apm-uat-usg, syw-apm-prd-usg
• Dependencies / back-ends: Plant/asset data sources and events.
Finance & Compliance
Group Reporting Data Collection (GRDC); Advanced Financial Closing (AFC); SAP Risk & Assurance Management
• Purpose: Group reporting data capture, closing orchestration, and risk/assurance processes.
• Placement: EU10: syw-fin-dev-eu10, syw-fin-prd-eu10
• Dependencies / back-ends: S/4HANA group reporting and finance systems.
Business Network Logistics
Global Track & Trace (GTT); Authorization Apps for Freight Collaboration; Carrier Apps for Freight Collaboration
• Purpose: Logistics event visibility and carrier collaboration.
• Placement: EU10: syw-gtt-dev-eu10, syw-gtt-prd-eu10
• Dependencies / back-ends: S/4HANA events; partner/carrier integrations.
Document Reporting Compliance
Document Reporting Compliance (DRC)
• Purpose: Country-specific e-document and statutory reporting.
• Placement: EU10: syw-drc-dev-eu10, syw-drc-prd-eu10
• Dependencies / back-ends: DEV connects to multiple S/4HANA back-ends for testing; PRD connects to three production S/4HANA systems (Europe, China, US).
Application Security
Classification
Authentication
SyWay standardises Single Sign-On on SAP BTP using region-specific SAP Identity Authentication Service (IAS) tenants federated to Microsoft Entra ID. Each BTP subaccount trusts its regional IAS tenant as the default identity provider; interactive sign-in between BTP subaccounts/services and IAS uses OIDC, while federation from IAS to Entra ID uses SAML 2.0. Conditional Access in Entra (including MFA and session controls) governs user access to BTP applications. Developer tooling (e.g., BAS/Build Code/CLI) follows the same IAS ↔ Entra flow—no separate SAP ID service identities. For service-to-service calls and Destinations, SyWay adopts standards supported by each target: OAuth 2.0 (including client credentials), OAuth2 SAML Bearer Assertion, or mutual TLS; Basic authentication is permitted only where a service does not support modern methods, and such exceptions are documented. Principal propagation is used where supported by the back-end/service pair. Identity provisioning is out of scope for this section and is addressed in the programme’s Identity Provisioning artefact. Detailed administrative posture and group/role design are governed by the programme’s Security/IAM design artefacts.
Authorisation
Authorization on SAP BTP follows a group-based RBAC model: IAS groups → BTP role collections, with no direct user assignments in subaccounts. Role collections are scoped per subaccount and environment to preserve separation across DEV/INT/UAT/PAR/TRG/PRD. Access to back-end systems via Destinations requires the appropriate OAuth scopes/authorities and alignment with corresponding S/4HANA authorizations (S/4 role design is out of scope here). User access provisioning and role assignment are executed using SAP Identity Access Governance (IAG) together with SAP Identity Provisioning Service (IPS); the provisioning workflows, mappings, and controls are documented in the Identity Access Provisioning Design document. Periodic access recertification applies to BTP role collections, with cadence and evidence requirements defined in the IAM artefacts.
Communication Security
Transport security: All endpoints expose HTTPS/TLS 1.2+ (TLS 1.3 preferred).
- SAP GUI/RFC: Access to SAP back-ends uses SNC via SAP Secure Login Service (SLS) to provide mutual authentication, encryption, and integrity.
- Connectivity pattern: Connectivity to RISE systems is exclusively via SAP Cloud Connector with minimal resource mappings and Location IDs per connector.
- Virtual hostnames: Destinations use non-resolvable virtual hosts; these are referenced only within BTP and not exposed publicly.
- Destination authentication: Use OAuth 2.0 variants (including client credentials) and mutual TLS only where required by the target; Basic authentication is permitted only when modern methods are not supported and must be documented at component level.
- IP allow-listing: Applied case-by-case where products support it.
- Certificates & PKI: Certificates (server, client/mTLS, SNC) are issued by the Syensqo enterprise CA, with 1-year validity and centrally managed rotation; subaccount trust stores include only required issuers.
- Regional specifics: Additional constraints for sovereign/regulated landscapes (e.g., CN/US Gov) will be documented when confirmed (TBC).
Data Security
SyWay’s data security posture on SAP BTP is framed by data classification and residency: datasets (e.g., Internal, Confidential, PII) are mapped to region-pinned subaccounts (EU20/EU10/CN20/USG), with cross-region movement permitted only by documented exception. Encryption at rest is provided by SAP’s platform controls for all managed services; direct database access is not in scope. Secrets are minimised and handled through approved stores, preferring OAuth2 or mutual-TLS–based Destinations; service keys have named owners and defined rotation, and are never embedded in source code or developer workspaces. Retention follows service-native policies with explicit purge procedures; where extended evidentiary storage is required, audit events are exported to the designated archive/SIEM. Outbound data paths are restricted to approved Destinations and Cloud Connector Location IDs; CN20 and US Gov (NS2) landscapes observe additional regulatory constraints. Identity, authorisation, and in-transit protections are defined separately in the Authentication, Authorization, and Communication Security sections.
Other Controls
SyWay maintains platform evidencing through the SAP BTP Audit Log Service, with identity-related events complemented by Cloud Identity audit trails; exports align with the programme’s retention policy and, where required, are forwarded to the central archive/SIEM. Configuration posture is tracked in SAP Cloud ALM – Configuration & Security Analysis, which captures baseline “config stores” for BTP services and records drift as reviewable findings. Operational notifications are routed via the Alert Notification service for SAP BTP, mapped to SyWay severity and on-call channels, and used alongside product consoles for incident context. Network and access boundaries rely on approved Destinations and Cloud Connector Location IDs, selective IP allow-listing where supported, and constrained public entry points. Certificate and key hygiene follows central rotation calendars with curated tenant trust stores; transport-layer protections are referenced in Communication Security. Data handling controls—such as use of Personal Data Manager and extended audit retention—are applied where applicable and referenced from Data Security.
System Landscape
see BTP Global Account & Subaccount Model
Operation Architecture
Transport Management
Please refer DD-TEC-170 Transport Management for Release 4
Monitoring
Application Monitoring
Service / Domain | SAP Cloud ALM – Monitor Types | In-Product Consoles (as needed) | Logs / Traces | Alerting |
|---|---|---|---|---|
Integration Suite (Cloud Integration, API Management), Forms Service by Adobe, SAP Process Integration Runtime | Integration & Exception Monitoring, Health Monitoring | Message Monitoring (Cloud Integration), API Mgmt Analytics/Policy Trace, Forms runtime dashboards | SAP Cloud Logging / Application Logging for custom adapters or extensions | Cloud ALM Alerting; optional Alert Notification for cTMS/API events |
Build Work Zone, Task Center | Real User Monitoring, Health Monitoring | Work Zone admin analytics; Task Center booster monitors | (If extended apps) forward to Cloud Logging | Cloud ALM Alerting |
Build Process Automation (BPA) | Job & Automation Monitoring, Health Monitoring | BPA Monitor (runs, queues) | Cloud Logging (optional) | Cloud ALM Alerting |
Build Code, BAS | Health Monitoring | Pipeline/CI logs; BAS workspace logs | Cloud Logging for pipeline outputs | Alert Notification webhooks (optional) + Cloud ALM (where integrated) |
Cloud Transport Management (cTMS), ActiveControl – UI | Health Monitoring (cTMS) | cTMS import/export logs; ActiveControl dashboards | — | Alert Notification subscriptions for cTMS events; Cloud ALM Alerting |
Cloud Identity (IAS, IPS), Secure Login Service (SLS) | Health Monitoring | IAS/IPS admin consoles; SLS logs | Audit Log Service (BTP) for security events | Cloud ALM Alerting |
Identity Access Governance (IAG) | Health Monitoring | IAG dashboards (access requests, SoD) | — | Cloud ALM Alerting |
Datasphere, PaPM Cloud | Health Monitoring | Datasphere space/job monitors; PaPM calculation monitors | — | Cloud ALM Alerting |
Sustainability: SFM, Sustainability Control Tower, Green Ledger | Health Monitoring | Product runtime/tenant monitors | — | Cloud ALM Alerting |
Asset Performance Management (APM) | Health Monitoring | APM analytics/diagnostics | — | Cloud ALM Alerting |
Finance: GRDC, AFC, Risk & Assurance Management | Health Monitoring | Product consoles (submission/status, closing calendars, risk dashboards) | — | Cloud ALM Alerting |
Business Network Logistics: GTT; Freight Collaboration (Authorization/Carrier Apps); Personal Data Manager; Audit Log Viewer | Health Monitoring | GTT/BN cockpits; PDM and Audit Log Viewer UIs | Audit Log Service (for audit events) | Cloud ALM Alerting |
Document Reporting Compliance (DRC) | Health Monitoring | DRC submission/queue dashboards | — | Cloud ALM Alerting |
System Monitoring
Service / Domain | SAP Cloud ALM – Health Monitoring (platform/service health) | BTP Platform Signals | Security / Compliance Signals | Notes |
|---|---|---|---|---|
Integration Suite / API Mgmt / Forms / PIR | Tenant/service availability, adapter/runtime KPIs | BTP Monitoring service (app/service metrics); Alert Notification for service events | Audit Log Service (subaccount events) | Use cTMS alerts for transport-related impacts |
Work Zone / Task Center | Availability and UX KPIs via CALM Health + RUM | Monitoring service for app instances | Audit Log Service | Task Center depends on same subaccount trust as Work Zone |
Build Process Automation | Job/queue health, runtime status | Monitoring service (runtime), Alert Notification | Audit Log Service | Map job failures to CALM alerts |
Build Code / BAS | Service health; workspace availability | Monitoring service; pipeline/webhook signals | Audit Log Service | Forward pipeline failures via Alert Notification |
Cloud Transport Management, ActiveControl – UI | cTMS tenant health | Alert Notification for import/export events | Audit Log Service | ActiveControl monitored in vendor UI; optionally feed CALM via webhooks |
IAS / IPS / SLS | Identity service health | — | IAS/IPS audit in product; BTP Audit Log for platform | Focus on auth failures, connector jobs |
IAG | Service health | — | IAG audit in product | SoD/job status as secondary signals |
Datasphere / PaPM Cloud | Tenant/space health, job statuses | Monitoring service where applicable | — | Watch connection health to S/4/Destinations |
SFM / SCT / Green Ledger | Service health | — | — | Green Ledger largely S/4—track via S/4 + CALM if applicable |
APM | Service health | — | — | — |
GRDC / AFC / Risk & Assurance | Service health | — | Product audit (where available) | Align with closing windows/SLAs |
GTT / Freight Collaboration / PDM / Audit Log Viewer | Service health | — | Audit Log Service central to PDM/ALV | Ensure retention/forwarding to SIEM if required |
DRC | Tenant health; submission pipeline status | Alert Notification for failures | Product audit (where available) | Distinguish DEV multi-backend vs PRD single backend routing |
Sizing
For SyWay, all in-scope SAP BTP services are SAP-managed SaaS; sizing focuses on selecting plans/entitlements and defining tenant counts per region/environment (EU20 shared SBX/DEV; CN20/USG start at UAT/PRD).
Capacity changes are requested via entitlement/licensing adjustments; no server-level actions are required from the customer.
No additional sizing beyond tenant/entitlement selection for IAS/IPS/SLS, IAG, cTMS, Work Zone/Task Center, GRDC/AFC/Risk, SFM/SCT, APM, GTT/DRC.
High Availability and Disaster Recovery
SAP operates HA and DR for all in-scope SAP BTP services under the Service Level Agreement for SAP Cloud Services; SyWay’s role is limited to monitoring in SAP Cloud ALM and executing runbooks when notified of incidents or maintenance. For SAP BTP specifically, SAP documents its HA/DR approach and recovery processes in the BTP resilience guidance.
Backup/Restore
Platform-managed: For SAP-managed BTP services, backups are handled by SAP; restore is service-specific and generally not customer-operated. Guidance is outlined in the BTP admin help (“Data Backups Managed by SAP”).
SAP HANA Cloud (used by services like Datasphere/PaPM): Continuous log backups enable point-in-time recovery within a configurable retention window (default 14 days; extendable up to 215 days). Restores are performed by creating a new database instance at the chosen time.
SAP Datasphere: Backup/restore follows the SAP HANA Cloud resiliency layer; recovery is handled by SAP for disasters within SAP’s control.
Audit evidence: BTP Audit Log Service stores subaccount audit data for 90 days by default; export/forward logs if longer retention is needed.
Maintenance Plan
SAP BTP follows continuous production releases. Teams should subscribe to What’s New for SAP Business Technology Platform to receive feature and fix updates. Regions are updated on a biweekly cadence (standard) with zero-downtime maintenance for most services. For more information about the biweekly updates, see Consolidated Release Schedules for SAP BTP
, Intelligent Enterprise Suite: Harmonized release calendar for SAP Cloud products. Immediate updates may occur for critical defects or security fixes and can require application restarts or brief downtime with prior notification; major upgrades are rare (up to four per year) and are announced four weeks in advance in line with the Service Level Agreement and harmonized release calendars. For the China (Shanghai) region, availability and planned maintenance are communicated via the regional status page, where subscription is available. For the US Government region, planned downtimes and outage notices are sent by e-mail to the initial administrator of the global account.
Service Introduction
Application Category
Support Team
Skill required
Checklist
Exceptions
See also
Change log
Workflow history
| Title | Last Updated By | Updated | Status | |
|---|---|---|---|---|
| There are no pages at the moment. | ||||