
Status

  Approved

Owner
Stakeholders
LeanIX Link

Introduction

Purpose

The purpose of this document is to outline the application architecture of the Syniti Platform for the SyWay project. It aims to provide a clear and structured view of the components, data flows, integration mechanisms, and security considerations that support the Syniti platform in its interaction with the Syensqo SAP ecosystem.

Syniti is a unified platform designed to manage, migrate, and govern enterprise data. In the SyWay project, it will remain the primary platform for managing extraction, transformation, load and validation. The diagram below shows the high-level activities that can be performed with this platform:


Scope & Objectives

This document defines the architectural scope of the Syniti solution within the SyWay project, focusing on the deployment and integration of Syniti as the central platform for data extraction, transformation, loading (ETL), and validation activities.

The scope includes:

  • The technical architecture of Syniti Platform and its supporting components.
  • Landscape overview
  • Application and components
  • Application security and access
  • Operational architecture

Out of scope:

  • The data flow architecture, covering how data is extracted from source systems, transformed according to business rules, validated, and loaded into target SAP environments.
  • The detailed functional design of migration objects, business rules, or data cleansing logic, which are addressed in separate deliverables.

  • The list of required and approved tables to be extracted from source system is out of the scope of this document. This will be defined during the Data Stream design phase.
  • It also excludes operational procedures post-migration, such as data governance or ongoing data quality monitoring, unless explicitly tied to the Syniti platform.

  • As of writing this document, there are pending architectural decisions regarding North America & China, and RISE infrastructure. These designs will be added to this document as they are finalized.
  • Security policies in Syniti SKP for application users.

Key Decisions and Requirements


| Requirement Identifier | Requirement Description |
| --- | --- |
| Single Instance | Syniti platform will have a single Production Instance serving the entire Syensqo ROW Landscape. It will connect to the different environments (Dev, QA, Prod) of source and target systems. |
| Source Systems for Data Extraction | Source Systems for data extraction will be SAP ECC Syensqo WP2 and PF2. |
| Target Systems for Data Load | The initial Target Systems for data posting will be SAP RISE S/4HANA systems. However, the database of Syniti may also be used as a source of data for other applications until S/4HANA has gone live (e.g. as a source for Ariba master data). |
| One Syniti Connector Server per region | Each region (RoW, EU, China) will have its own Connector server that will be used to connect Cloud Syniti SKP with Syensqo SAP systems. |
| Security | Syniti will have no direct access to Source SAP ECC Systems Database due to Data Protection policies. If direct access becomes necessary due to delivery requirements, it will be analyzed separately. |


Application Architecture

Architectural Decisions

Syensqo has decided to implement the Syniti Hybrid Deployment Model. The Syniti Knowledge Platform (SKP)-Hybrid consists of the cloud-native, multi-tenant application platform with customer-hosted working databases and a series of remote services. The remote services are the platform components that run outside of the Syniti Knowledge Platform application and are designed to run close to the data stores that persist and transact data management activities. The diagram below, provided by Syniti, shows an example of the Syniti Hybrid Deployment model:



Application Architecture Design

Based on the Hybrid Deployment model, the following architecture will be implemented for Syensqo:



Application Architecture Components

The Syniti architecture is designed to support scalable, secure, and efficient data migration and governance. Its components are:

  • Syniti Knowledge Platform (SKP)
    • It is a cloud-based data management solution hosted on AWS Frankfurt for EU designed to help organizations transform their data into a strategic asset. SKP provides a secure, scalable, and strategic data management environment that supports various data-related activities such as data quality reporting, profiling, metadata scanning, and data migration.
    • It enables communication with systems in an organization's landscape through components called SKP connectors, which support metadata scanning, profiling, and data quality functionalities.
    • The platform uses a connector-based architecture to securely distribute execution outside of the SKP application environment, ensuring that customer master, transactional, and operational data are not persisted within the platform itself. Instead, only metadata and metrics are sent to SKP for storage and processing.
  • Server 1 - Syniti Connector
    • The Syniti Server Connector is a secure, Linux-based software component that enables communication between Syensqo SAP systems and the Syniti Knowledge Platform (SKP) in the cloud.
    • Purpose:
      • Secure Data Transfer: It securely transmits metadata and data between your enterprise systems and Syniti’s cloud platform using encrypted channels.
      • Metadata Scanning: Enables the SKP to scan and analyze metadata from systems like SAP, Oracle, and SQL Server.
      • Data Governance & Migration: Supports Syniti’s tools for data quality, governance, and migration by providing real-time access to source systems.
  • Server 2 - Replicate Server
    • The Syniti Replication Platform runs on a Windows platform. The Replicate server is responsible for extracting data from the source system and creating source snapshots for the Migrate component to process. It also connects to the target system to extract data for post-load data verification.
  • Server 3 - SQL Server for Working and Constructor Database
    • This SQL Server instance acts as the central repository for all working data during migration or data quality projects. It serves as the primary staging and processing environment for data transformations, validations, and migrations. Its components include:
      • Working Database. The Syniti Migrate Platform will work with several different databases for processing. This database may store Source snapshots (Production copy of source data), Data Transformations (Business Conversion rules), Target Snapshots (Copy of Target for load validation).
      • Construction Database. The Syniti Migrate Platform will use SQL server for Data Construction (User input for bad data or missing data elements) and for Value Mapping Cross Reference Table Values.
    • Architecture considerations.
      • The Working Database can be built on HANA, Oracle, or SQL Server. However, if Oracle or HANA is used, the Construction Database must be hosted on a separate server, which may require an additional license (especially in the case of HANA). Therefore, the requirement from the Product Team was to use SQL Server for both the Working and Construction Databases.
  • Server 4 - Tooling Server (Administrator Jump Server)
    • It is a secure intermediary VDI server used to access and manage systems that are otherwise isolated or protected within a private network. It is used to connect securely to on-premise components such as the Syniti Connector, Replicate, or Working Databases.
    • Only Syniti administrator users will have access to this server, so that they can perform admin activities such as:
      • Connect to Syniti servers
      • System Administration and Operation Tasks
      • Troubleshooting and diagnostics
  • Syensqo VDI TPA (Third Party Access)
    • The Syniti Migrate Platform requires that Syniti developers can develop business rules in the working database. This group of people will require access and development tools, which will be installed on the Virtual Desktop Infrastructure used by Syniti staff.
    • This VDI will contain the following software required for developer activities:
      • Microsoft Office Applications
      • SAP GUI
      • Internet access
      • SQL Server Management Studio
  • Source and target systems
    • The Syniti Migrate Platform will extract data from SAP Source Systems using RFC calls. Due to Syensqo security policies, no access to the Source HANA DB will be granted.
    • Syniti requires READ ONLY access to the PRODUCTION Source systems to get the most up-to-date data for cleansing and conversion.
    • The S/4HANA RISE system is the primary target system for Syniti data replication.
      • An important remark is that the Syniti instance will be integrated with multiple environments (Dev, QA, Prod).
      • For data load into the target system, the recommended method is to use the Migration Cockpit tool connected to a Staging HANA schema in S/4HANA, as described in the following link. The target system load method must be defined as part of the Data Migration strategy and is beyond the scope of this document. Different access methods will be granted depending on the selected approach. Potential alternatives include Migration Cockpit, BAPIs, IDocs, custom objects, etc.
  • AWS S3 Bucket
    • Created for Syniti administrator users; it will be used to download the software required for installation on the Syniti servers.

Syniti Servers Details

Due to the nature of the use of the Syniti platform, it will have a single Production Instance for the whole Syensqo SAP Landscape. The table below describes the corresponding servers deployed on AWS:

| VM Name | AWS Instance Name | Instance ID | IP | Host Name | FQDN | AZ |
| --- | --- | --- | --- | --- | --- | --- |
| Connector | sco-ec2-ew1-syni-p-con-01 | i-06aae6a28c8f5ca47 | 172.18.212.4 | ASEW1PSYNICON01 | ASEW1PSYNICON01.prd.aws.cloud.syensqo.com | eu-west-1a |
| Replicate | sco-ec2-ew1-syni-p-rep-01 | i-04bd1953eaea64b3f | 172.18.212.8 | ASEW1PSYNIREP01 | ASEW1PSYNIREP01.prd.aws.cloud.syensqo.com | eu-west-1a |
| Tooling (Jump Server) | sco-ec2-ew1-syni-p-rdp-01 | i-02c65796baaa4503b | 172.18.212.14 | ASEW1PSYNIRDP01 | ASEW1PSYNIRDP01.prd.aws.cloud.syensqo.com | eu-west-1a |
| Working DB | sco-ec2-ew1-syni-p-sql-01 | i-0fc0cbe6dfe839f25 | 172.18.212.23 | ASEW1PSYNISQL01 | ASEW1PSYNISQL01.prd.aws.cloud.syensqo.com | eu-west-1a |

Network Architecture



Application Security

User Access

The table below lists the applications and systems required for the Syniti team's activities and the mechanism used to access each of them:

| Application/System | Users | Access Method |
| --- | --- | --- |
| Syniti SKP | Developers | Web |
| Syniti SKP | Business users | Web |
| Syniti SKP | Administrators | Web |
| Syniti Connector Server | Administrators | SSH (from Syniti Jump server) |
| Syniti Tooling/Jump Server | Administrators | Windows RDP (from Syniti Jump server) |
| Syniti Replicate Server | Administrators | Windows RDP (from Syniti Jump server) |
| Syniti Working DB | Administrators | Windows RDP (from Syniti Jump server) |
| Syniti Working DB | *Developers | Syensqo TPA VDI (SQLServer Management Studio) |
| SAP Syensqo Source Systems | Developers | SAP GUI |
| SAP Syensqo Source Systems | Business users | SAP GUI |
| SAP Syensqo Source Systems | Administrators | SAP GUI |
| SAP RISE Syensqo Target Systems | Developers | SAP GUI and Web |
| SAP RISE Syensqo Target Systems | Business users | Web |
| SAP RISE Syensqo Target Systems | Administrators | SAP GUI and Web |
| AWS S3 Bucket | Administrators | Web |


*Syniti developers need to execute actions on the SQL databases available on the Syniti Working DB. For that purpose, SQL Server Management Studio has been installed in the TPA VDI for the Syniti company, so that they can execute the required actions remotely.

Authentication

  • Administrator users: As part of the installation process of the Syniti servers, the Syensqo IT team created corresponding admin users for every server at application level. These users belong to Entra-ID group R99P833 and use a user/credentials mechanism to access the corresponding applications.
  • Non-administrator users: Authentication is performed using the standard SyWay approach, SSO with Microsoft Entra ID. Each user has an Entra-ID and a global user ID.

Authorization

  • User management for the Syniti developer team is handled by the Data Administration Team.
  • Administrator users are managed by the Syensqo IT team; requests must be made through Syra using the following Catalog items: "Admin Accounts Request (AD)" and "Request for Active Directory (AD) Delegations".

Data Security

Data elements inside the SAP Source applications are subject to export controls such as ITAR, EAR, or various UK or European regulations. In order to integrate the Syniti Platform with Syensqo security policies, the following approach is implemented:

  • No direct access to the SAP HANA Source Database, only to the SAP Application layer.
  • The Syniti Replication Server will access source system data through an RFC service user. This RFC service user will have restricted read-only authorization to specific SAP tables and functions; see the list of service user authorizations. (The list of required and approved tables to be extracted from the source system is out of the scope of this document; it will be decided during the design phase of the Data Stream.) See the list of tables for which read access will be granted to the Syniti RFC user.
  • The NextLabs tool is used to enable field-level encryption in S/4HANA. This will encrypt ITAR-relevant data elements, and the encrypted values will be stored in the HANA DB. Data will be decrypted on the fly when it is accessed by an authorized user. Therefore, Syniti will not be able to extract ITAR data unless the RFC service user is explicitly authorized.
  • Enable at-rest TDE encryption on the Syniti Working DB SQL Server for all generated databases.

Communication Security

All data in transit will be encrypted.

  • SSL is used for all web traffic.
  • SNC is used for all RFC and SAPGUI communications.
  • SSL is used for all Syniti Server Working DB traffic, ensuring that the database only accepts TLS-encrypted connection requests.


Operation Architecture

Roles and Responsibilities

RACI for Mobilize phase:


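Role columns are grouped under two headers: SYNITI and Syensqo.

| Tasks | Cloud Ops | Delivery Partner | Platform Architect | Tech Lead | Project Coordinator | Network | Infra | ERP | Project Lead |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Tenant | R | | | A | | | | | |
| Network Connectivity | C | | C | I | | A, R | I | | |
| Onboard Syniti Team | | C | C | | | | | | A, R |
| Infrastructure | | | C | I | | I | A, R | I | I |
| Data Access | | C | C | C | | C | I | A, R | C |
| Tech Setup | | C | A | R | | I | I | I | C |
| Project Setup | | R | C | R | | | | | A |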


<Roles and responsibilities matrix for delivery phase is under review, will be added to the document once validated>

Transport Management

The application has a single-instance landscape, so this section is considered out of scope: changes require only minor configuration, or transports are executed via manual configuration.

Backup/Restore

  • Backup policies implemented for the Syniti on-premise servers can be found in the following link. As per Syensqo policies, daily, weekly and monthly backups have been implemented on the Syniti servers. These backups are managed by the Syensqo AWS IT team.
  • Database backup. Additionally, the SyWay Data team has scheduled a nightly backup of the following databases in the ADMM Working DB:
    • CONSTRUCT
    • DASHBOARDS
    • MIGRATE
    • REPORT
    • REPORTL
    • SDRMETADATA
    • WRK% - all “working” databases (they start with WRK)
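
A check that the nightly database backups listed above actually ran, and that the backups of the TDE-encrypted databases can be restored. This T-SQL is an added example, not part of the original document; the 24-hour threshold is an assumption derived from the nightly schedule, and the queries only read backup history and certificate metadata.

```sql
-- Added example: run on the Syniti Working DB SQL Server instance.
DECLARE @max_age_hours int = 24;    -- assumed threshold for a nightly schedule

-- 1) Most recent full backup per database named in the backup list.
WITH last_full AS (
    SELECT b.database_name,
           MAX(b.backup_finish_date) AS last_full_backup
    FROM msdb.dbo.backupset AS b
    WHERE b.type = 'D'              -- 'D' = full database backup
    GROUP BY b.database_name
)
SELECT d.name AS database_name,
       lf.last_full_backup,
       DATEDIFF(HOUR, lf.last_full_backup, GETDATE()) AS age_hours,
       CASE
           WHEN lf.last_full_backup IS NULL THEN 'NO BACKUP RECORDED'
           WHEN lf.last_full_backup < DATEADD(HOUR, -@max_age_hours, GETDATE())
               THEN 'STALE'
           ELSE 'OK'
       END AS backup_status
FROM sys.databases AS d
LEFT JOIN last_full AS lf
       ON lf.database_name COLLATE DATABASE_DEFAULT
        = d.name COLLATE DATABASE_DEFAULT
WHERE d.name IN (N'CONSTRUCT', N'DASHBOARDS', N'MIGRATE',
                 N'REPORT', N'REPORTL', N'SDRMETADATA')
   OR d.name LIKE N'WRK%'           -- all working databases
ORDER BY d.name;

-- 2) A backup of a TDE-encrypted database cannot be restored without the
--    certificate (and private key) that protects its encryption key.
--    A NULL pvt_key_last_backup_date means that key was never exported.
SELECT DISTINCT
       c.name AS tde_certificate,
       c.expiry_date,
       c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates AS c
     ON c.thumbprint = k.encryptor_thumbprint;
```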

System Monitoring

The Syensqo AWS IT team will monitor from the infrastructure layer up to the technical basis layer. In the event of an issue, automatic e-mail alert notifications are sent to the support team. They use the standard AWS Console monitoring tool, which is out of the scope of this document.

Maintenance Plan

  • Syniti server updates (OS patching).
    • Will be performed by the Syensqo IT Team. For the production environment: monthly on the 3rd Sunday, 00-03 UTC.
    • The maintenance calendar can be found in the following link.
  • Syniti software updates will be performed monthly by Syniti team on demand.


Components Upgrade

As part of the deployment of Syniti product subscription, periodic upgrades and releases are scheduled for the Application Tenant.

  • With the Hybrid Model, the “Connector”, “Replicate”, & “Jump” servers will also require concurrent updates, applied by the Syniti SyWay Team together with the Syensqo AWS IT infrastructure support team.
  • To skip an upgrade (due to cutover activity concerns), you must send an email to cloud.maintenance@syniti.com at least 3 days prior to the upgrade activity. 
  • Maintenance Window 
    2nd Tuesday of the month - 11 PM through 3 AM (US Eastern time)


Service Introduction

Application Category

Support Team

Skill required

Checklist


Exceptions


See also



Change log

Version Published Changed By Comment
CURRENT (v. 15) Dec 18, 2025 03:45 WENNINGER-ext, Sascha minor update following review
v. 31 Dec 08, 2025 10:58 WENNINGER-ext, Sascha added stakeholders
v. 30 Dec 08, 2025 10:56 WENNINGER-ext, Sascha
v. 29 Dec 08, 2025 09:48 WENNINGER-ext, Sascha
v. 28 Dec 08, 2025 09:44 CABELLO MARTOS-ext, Gabino
v. 27 Dec 08, 2025 09:23 CABELLO MARTOS-ext, Gabino
v. 26 Dec 08, 2025 07:14 WENNINGER-ext, Sascha
v. 25 Nov 12, 2025 08:01 WENNINGER-ext, Sascha
v. 24 Nov 06, 2025 09:53 CABELLO MARTOS-ext, Gabino
v. 23 Oct 29, 2025 16:14 JOUHAUD-ext, Yoann
