| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link |
The purpose of this document is to describe the architecture of NextLabs application.
Out of Scope:
- NextLabs policy design and details will covered in a separate deliverable.
- Information related to product documentation and can be found online will not be documented here.
Key Decisions and Requirement
| Description | Rationale |
|---|---|
| NextLabs will be deployed in the same Azure region as S/4HANA | Since NextLabs makes real-time decisions on access, low latency network connection will be required between S/4HANA and NextLabs to prevent performance issues. |
| Shared file system between S/4HANA App server and Policy controller | Azure Files from NextLabs Azure tenant will be leveraged and this file system will be used to host NextLabs DAE binaries and logs from S/4HANA |
| Shared file system between NextLabs Policy Controller and ICENET VMs | Azure Files will be leveraged and this file system will be used to host Policy controller logs from Policy Controller. |
| Azure SQL Database (DaaS) will be leveraged for NextLabs | Azure SQL Database will be leveraged to reduce operational overhead. |
| Sensiive data will be protected using Format-Preserving Encryption (FPE). | |
| NextLabs built-in KMS will be leveraged | For ease of integration, the NextLabs built-in KMS will be used to manage encryption keys. |
| Single Sign-On (SSO) | As part of SyWay project, a common authentication mechanism (e.g., SAML) is adopted for ease of access and unified user experience. |
| Users must access NextLabs using HTTPS. | As part of SyWay standards, all data in transit must be encrypted. |
Application Architecture
Overview
The following products from NextLabs will be deployed for SyWay.
- NextLabs Data Access Enforcer (DAE) provides fine-grained, attribute-based access control (ABAC) for data, ensuring that only authorized users or applications can access sensitive data based on real-time policies and contextual information. For SyWay, it enforces authorization decisions to grant access and decrypt sensitive data.
- NextLabs Dynamic Authorization Management (DAM) extends native role-based authorization and enforces finer-grained, attribute-based controls to critical SAP applications. Its purpose is to ensure fine-grained access decisions that adapt in real-time to user, resource, and environmental contexts.
The following diagram describes the different NexLabs components.
Application Components
- Policy Controller: The NextLabs Policy Controller is a key component that evaluate data access request against the policies and makes the decisions to deny or allow (decrypt data) access to sensitive data.
- ICENET Servers: Distributes policy definitions from Management Server to Policy Controller and also clears the logs from the policy controllers by moving them to NextLabs's DB (MS SQL).
- Management Server:
Hosting Details
| Region | Cloud Provider | Disaster Recovery Region |
|---|---|---|
| Frankfurt, Germany | St. Ghislain, Belgium |
System Landscape
The BlackLine landscape consists of 2-tiers: Non-Production and Production. The non-PRD system is integrated with all non-PRD S/4HANA instances.
Following are the URLs for BlackLine instances:
- Non-Production: https://sapsyensqo.sbeu3.blackline.com
- Production: https://sapsyensqo.eu3.blackline.com
Application Security
User Access
BlackLine is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure or application is required to access BlackLine.
User must have their IDs created and assigned with the correct role before they can login to BlackLine.
Authentication
BlackLine is configured to perform SAML SSO with Syensqo Entra ID. The use of SSO is mandatorily enforced via configuration, and users cannot bypass SSO to log in with a password.
Communication Security
Data in transit is encrypted using secure TLS protocols (v.1.2 or greater) with 2048-bit keys.
Data Security
The following controls are implemented to ensure data security:
- Client files and databases at rest are protected using 256-bit AES encryption.
- To ensure system and client data availability, production data is replicated to the DR site every hour.
- Backups are encrypted and have ransomware protection enabled with audit logging.
Other Controls
Blackline is covered by standard availability SLA for SAP Cloud Services - 99.7%
Operation Architecture
Change and Configuration Management
Blackline does not have a transport tool. Users will need to replicate configurations manual from non-PRD to PRD.
Monitoring
Blackline performs the following monitoring:
- Information Security monitoring: Network intrusion detection and unauthorized access.
- Cloud and Data Center Operations: Monitoring of critical hardware, software and performance.
- Backup: Monitoring of backup processes.
Blackline system availability can be monitored via Trust Blackline.
Sizing & Capacity Management
Blackline tenants allocates 2GB of storage per users and monitors the usage for the whole instance.
High Availability & Disaster Recovery
Blackline has implemented high availability throughout its environment to prevent single points of failure.
It has the following DR targets:
- RPO - 2h
- RTO - 24h
BlackLine conducts disaster recovery tests on an annual basis.
Backup/Restore
BlackLine does backups of Production and non-Production instances daily from 9pm to 1am Pacific Standard Time. Backups are retained for 30 days and this can be increase to a maximum of 90 days by opening a support ticket.
Users can request for their Blackline instance to be restored using the daily backups for the last 30 days
Maintenance Plan
Blackline maintenance schedule can be found in Trust Blackline. Syensqo BlackLine tenants are deployed to the following regions:
- Non-PRD: sbeu3
- PRD: eu3