| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link | SAP Integration Suite |
Introduction
Purpose
The purpose of this document is to outline the application architecture of SAP Cloud Integration as deployed by SyWay.
Scope & Objectives
This document will describe the high-level architecture of the SAP Cloud Integration application.
Out of Scope:
- Since SAP Cloud Integration is a SaaS application, network and infrastructure architecture will NOT be covered.
- Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
- Implementation details such as Integration Design or API Management Design may have different architectures.
Application Architecture
Overview
Application Architecture Design
Application Architecture Components
| Component | Acronym | Description |
|---|---|---|
| Business Accelerator Hub | | Business Accelerator Hub is a centralized resource for developers and partners to build integrations and extensions for SAP solutions, access pre-built integration content, and accelerate digital transformation efforts. The key features of the hub are API discovery and the ability to use existing integration content provided by SAP and partners. |
| Cloud Integration | CI | Formerly known as HANA Cloud Integration (HCI), CI is the core capability enabling integration design and execution with SAP and non-SAP, cloud, and on-premise applications. CI enables integration design via a web-based user interface, providing orchestration of integration processes, connectivity to SAP, non-SAP, cloud and on-premise systems, and data transformation. |
| API Management | APIM | APIM provides governance, security and monitoring of APIs, enabling exposure, management and monetization of APIs. APIM brings together all components necessary to expose and consume APIs, providing capabilities for the complete lifecycle of APIs, including discovery, security, mediation, traffic management, analytics and documentation. |
| Event Mesh (& Advanced Event Mesh) | EM (& AEM) | EM provides the core infrastructure of an enterprise-grade broker for event-driven architecture. It allows asynchronous communication between SAP and non-SAP systems. |
| Open Connectors | | A central hub to access configurable connectors for over 170 non-SAP applications through harmonised APIs, enabling simplification and acceleration of integrations. |
| Integration Advisor & Trading Partner Management | IAE & TPM | IAE & TPM accelerate the development of business-oriented interfaces and mappings, generate runtime artefacts quickly, and significantly reduce effort. Combined with an AI-assisted tool for mapping and defining message interfaces, it provides industry-specific content based on standards like EDI and cXML, and assists in accelerated B2B/EDI mapping activity. A central cockpit provides the ability to centrally manage trading partner relationships. |
| Integration Assessment | | The Integration Assessment capability is a methodology and toolset for deciding when to use different integration techniques and patterns. It provides guidance on integration strategy and helps standardize integration patterns across projects. |
| Migration Assessment | | Migration Assessment assists the transition from legacy SAP Process Orchestration (SAP PO) environments to Integration Suite. |
| Graph | | Graph provides the ability to centralise and manage APIs to provide a unified Enterprise API exposing data from multiple SAP sources. |
Application Security
User Access
User access to Integration Suite is via the web and is limited to technical users (developers, system administrators, support teams, etc.).
Authentication
- User Authentication to Cloud Integration is via Single Sign-on (SSO) using Syensqo Entra ID federated to IdP. Username and Password logon are not permitted.
- System Authentication options include:
  - OAuth 2.0 - access tokens issued via XSUAA
  - Basic Authentication
  - Cloud Connector - for outbound traffic from Cloud Integration to On-Premise systems - provides a TLS connection and authenticates via Principal Propagation
Authentication Flow
1. User accesses the Cloud Integration tenant URL.
   - The request gets redirected to the SAP IdP configured in the SAP BTP subaccount for Cloud Integration.
2. User is redirected to the Corporate Identity Provider (IdP) logon page - Microsoft.
3. User authenticates to Microsoft using Entra ID, if not already authenticated.
4. IdP validates and issues a SAML 2.0 assertion back to BTP.
5. SAP BTP maps the Role Collections assigned to the User.
6. User accesses Cloud Integration.
Authorisation
Standard Roles and Role Collections are assigned for User Access to Cloud Integration Components. Roles are assigned via the SAP BTP Cockpit.
| System | Administrator | Developer | General Access |
|---|---|---|---|
| Cloud Integration | PI_Administrator | PI_Integration_Developer | PI_Read_Only, PI_Business_Expert |
| API Management | APIPortal.Administrator, APIManagement.SelfService.Administrator, AuthGroup.SelfService.Admin, AuthGroup.API.Admin | APIPortal.Configurator, APIPortal.Developer, APIPortal.Tester, APIPortal.Service.CatalogIntegration | APIPortal.Guest |
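A periodic access review can be run against the matrix above. The following is an added example, not part of the original architecture document or of any SAP tooling: it assumes a flattened export of role names per user, an `approved` record of the tier each user was signed off for, and a tier ordering of General Access < Developer < Administrator; the users and `Legacy_Role` are constructed.

```python
# Role names and tiers are copied from the authorisation table above.
ROLE_MATRIX = {
    "Cloud Integration": {
        "Administrator": {"PI_Administrator"},
        "Developer": {"PI_Integration_Developer"},
        "General Access": {"PI_Read_Only", "PI_Business_Expert"},
    },
    "API Management": {
        "Administrator": {"APIPortal.Administrator", "APIManagement.SelfService.Administrator",
                          "AuthGroup.SelfService.Admin", "AuthGroup.API.Admin"},
        "Developer": {"APIPortal.Configurator", "APIPortal.Developer", "APIPortal.Tester",
                      "APIPortal.Service.CatalogIntegration"},
        "General Access": {"APIPortal.Guest"},
    },
}
# Assumed ordering of the three tiers, lowest to highest privilege.
TIER_RANK = {"General Access": 0, "Developer": 1, "Administrator": 2}
ROLE_INDEX = {role: (system, tier) for system, tiers in ROLE_MATRIX.items()
              for tier, roles in tiers.items() for role in roles}

def audit_user(roles, approved):
    """roles: role names held; approved: {system: tier} signed off (both assumed inputs)."""
    highest, findings = {}, []
    for role in sorted(roles):
        if role not in ROLE_INDEX:
            findings.append(f"unlisted role: {role}")
            continue
        system, tier = ROLE_INDEX[role]
        if TIER_RANK[tier] > TIER_RANK.get(highest.get(system), -1):
            highest[system] = tier
    for system, tier in sorted(highest.items()):
        allowed = approved.get(system)
        if allowed is None:
            findings.append(f"{system}: {tier} held, no access approved")
        elif TIER_RANK[tier] > TIER_RANK[allowed]:
            findings.append(f"{system}: {tier} held, only {allowed} approved")
    return highest, findings

# Constructed sample assignments (hypothetical users, not taken from any tenant).
SAMPLE = {
    "dev.one": (["PI_Integration_Developer", "APIPortal.Guest"],
                {"Cloud Integration": "Developer", "API Management": "General Access"}),
    "support.two": (["PI_Read_Only", "PI_Administrator", "Legacy_Role"],
                    {"Cloud Integration": "General Access"}),
}

if __name__ == "__main__":
    for user, (roles, approved) in SAMPLE.items():
        print(user, audit_user(roles, approved))
```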
Communication Security
For System-to-system communication, all data transfers are encrypted via a suitable mechanism - for example:
- HTTP Adapter which uses TLS 1.2 as the standard ( HTTPS )
- IDoc Adapter, which also uses TLS 1.2 as the standard ( HTTPS )
- SFTP Adapter which uses SSH-2
Data Security
SAP data centers are certified to comply with global security standards, such as ISO/IEC 27001 and SOC 2. SAP implements stringent security measures including encryption, 24/7 monitoring, and regular audits.
Other Controls
System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services).
System Landscape
| Landscape Id | URL | Composite | Additional details |
|---|---|---|---|
| Development Environment | https://syw-itg-dev-eu20.authentication.eu20.hana.ondemand.com | Stand Alone | Rest of World only (EU) |
| Project Test Environment | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Quality Environment | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Production Environment | TBA | Stand Alone | China, USA, Rest of World only (EU) |
Operation Architecture
Change and Configuration Management
Transport Management
Landscape Setup
Configure Landscape - Define your system landscapes (e.g., Development, QA, Production) within Figaf's Configuration -> Landscapes page. Specify details like platform, automatic transport lookup, and landscape items.
Synchronize Systems - Synchronize your source system (e.g., your development environment) with Figaf to capture the current state of your integration objects.
Create a Development Ticket
Generate Ticket - Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes.
Attach and Track Objects
Attach Tracked Objects - Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport.
Release Management
SAP Release Management
Provides information on patch releases for hotfixes, bugfixes, and code enhancements. Patches for SAP Cloud Integration and Integration Advisor. Patch Release information covers the most recent changes made to the latest version of the software.
Monitoring
Monitoring available in SAP Cloud Integration (CI)
- Message Monitoring - This core feature of SAP Cloud Platform Integration (SCPI) is used to track, analyse, and troubleshoot the flow of integration messages between systems. It provides visibility into message processing, status, and potential errors, ensuring smooth operation of integration scenarios. Note - payloads are not captured by default; they may only be captured through explicit tracing with sufficient privilege in the system.
- Integration Content - Deployed object status with associated error on failure.
- Security Content - List displays of existing credentials (obscured passwords), certificates with expiry and custom user roles. Additional tooling is available for connectivity testing etc.
- Datastore Monitoring - List display of local storage (global variables) for use by integration developers (correlations/aggregators).
Additional capability offered by Figaf tooling - TBA
Monitoring available in API Management
Monitoring in SAP API Management provides transparency into how APIs are being consumed, their performance, and any potential errors. It allows administrators, developers, and business users to analyse API traffic, detect issues, and ensure APIs are meeting business and technical expectations.
- API Analytics and Monitoring
- Trace and Debug
Monitoring in Advanced Event Mesh
TBA
Application Monitoring
System Monitoring
SAP System Monitoring - CALM and other common components
Sizing
SAP monitors system load and utilization, and proactively scales up capacity during release deployment.
High Availability
Deployed across multiple availability zones with the following SLA:
- RPO - 4h
- RTO - 24h
Disaster Recovery
SAP data centers are designed with redundancy and disaster recovery plans to help ensure business continuity. In the event of an outage, data and services are automatically rerouted to other operational centers.
Backup/Restore
SAP performs full backups with the following schedule to meet SAP's recovery point objective.
| Tier | Frequency | Retention |
|---|---|---|
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |
Maintenance Plan
Weekly Maintenance Windows for SAP Cloud Services – Standard Windows
SAP weekly standard maintenance windows are scheduled as listed below for the Cloud Services in this section.
| Region | Start Time in UTC |
|---|---|
| MENA | FRI 7 pm UTC |
| APJ | SAT 3 pm UTC |
| Europe | SAT 10 pm UTC |
| Americas | SUN 4 am UTC |
The above-mentioned maintenance windows define the maximum scheduled downtime, of which certain cloud services consume only part:
- SAP Cloud Platform API Management, SAP Cloud Platform Integration: 2 Hours
Major Maintenance
Up to 4 times per year (times in UTC):
- Europe: FRI 10 pm – SAT 2 am UTC
- Americas: SAT 4 am – SAT 8 am UTC

