
Overview of Access and Interaction Model

The project follows a unified access model that ensures all users interact with SAP and enterprise solutions in a consistent and secure way, regardless of device type or location. Access methods are defined by the type of device, the data classification, and the nature of the user’s role. All corporate devices are managed through Intune, which ensures that laptops, PCs, and mobile devices remain compliant and secure before connecting to company systems.

In this document we describe access in terms of two concepts.

Access Channels

These are the devices and entry points that people use to reach our systems, for example a corporate laptop, a virtual desktop or a mobile device.

Digital Touchpoints

These are the applications and platforms where users perform their work, for example Work Zone Standard, S/4HANA Fiori, SuccessFactors, Ariba, Concur or SAP Analytics Cloud.


Layer | What it represents | Examples
Access Channels | How users physically reach SAP systems | Corporate Laptop, VDI, Mobile Device, TPA
Digital Touchpoints | Where users actually perform their work once inside | Work Zone Standard, Fiori Launchpad, SuccessFactors, Ariba, Concur, SAC


Sascha, as the document matures I can replace Example mappings with an interactive diagram that captures the full list of Access Channels and their Digital Touchpoints.

Example mappings

These examples help visualise how Access Channels lead to Digital Touchpoints.

  • Corporate Laptop → Work Zone, S/4HANA, SuccessFactors, Concur, SAC

  • Virtual Desktop (CUI) → Work Zone (CUI), S/4HANA CUI

  • Kiosk → Work Zone, S/4HANA

  • Managed Mobile → SAP Mobile Start → Work Zone, SuccessFactors
  • Industrial Mobile → S/4HANA (EAM, Warehouse apps), Neptune apps

  • TPA → Work Zone, selected S/4HANA or SaaS apps

  • External Portals → Ariba or other Supplier Portal, SDS Portal, other B2B portals


The following sections describe each Access Channel in more detail.


Access Channels

Access channels represent the devices and entry points through which users reach SAP and other enterprise systems. Each channel is defined by its level of control, security, and the type of data it can access. Together they ensure that every user, regardless of role or location, connects through a secure and consistent path that matches their work environment.

Syensqo Corporate Laptops

Corporate laptops are the standard way most employees access SAP systems. All corporate PCs and laptops are managed through Intune, Syensqo’s device management platform. This ensures that devices remain compliant and secure before connecting to company systems. The design principle is browser first, so business applications are accessed through a web browser rather than installed locally. CUI systems cannot be accessed from standard laptops, and security policies and technical controls are in place to block this.

Virtual Desktops for CUI

Virtual desktops are used only when accessing systems that hold CUI-classified data. They provide a secure and segregated environment so that sensitive information does not leave the controlled zone. This setup is required only for users at CUI sites or in roles that work with CUI data. Users still work in a browser inside the virtual desktop, so applications look and behave in a familiar way.

Kiosks

Kiosks are shared devices in plants, warehouses and other operational areas. The operating system runs under a generic account, but each person signs in when they open the browser. This allows users in shared environments to see their own view of Work Zone, Fiori and other applications. The project will refine sign-in and sign-out patterns so that frequent use remains simple and reliable.

Syensqo Managed Mobile Devices

Corporate mobile phones and tablets are managed centrally through Intune, Syensqo’s device management platform. This allows secure configuration, app deployment, and compliance control before a device connects to company systems. Applications are either pre-installed or made available through the company app catalogue. If more than half of a target population needs a specific app, such as SAP Mobile Start or SuccessFactors, the app is pushed automatically. Apps used by smaller populations, such as Concur, are available on demand. Managed mobile devices support single sign on, so users can move between approved apps without repeated logins.

Industrial Mobile Devices

Industrial mobile devices, such as rugged tablets or handheld scanners, are pre-configured for operational use. Only approved business applications are deployed on these devices. User authentication must stay simple and secure. The project will evaluate options such as badge-based login or shared-device patterns, with the goal of keeping user effort low while still enforcing access control.

Personal (Unmanaged) Mobile Devices

Personal mobile devices can be used for selected cloud applications, for example SuccessFactors or Concur, where this is allowed by security policy. Access to core S/4HANA systems and other higher-risk applications continues to require a corporate device or virtual desktop.

Third-Party Personnel without Corporate Laptops

Third-party personnel, such as contractors or consultants, access SAP systems through the Third-Party Access (TPA) environment. TPA provides a controlled workspace where selected business applications are available through a browser. This keeps external work separated from the Syensqo network while still giving a familiar browser-based experience.

External Portals

External portals support interactions with customers, suppliers and other business partners. Examples include supplier portals, B2B portals and customer access to Safety Data Sheets. These portals are separate from internal systems but follow similar principles for branding and ease of use.
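The channel rules above can be expressed as a default-deny access decision. The following is an added example, not part of the project's design or tooling: the channel keys, the `Request` type, the `decide` function and the `intune_compliant` signal are hypothetical, and the mapping is taken from the page's example mappings, so it is not exhaustive.

```python
from __future__ import annotations
from dataclasses import dataclass

# Channel -> touchpoints, from the page's example mappings (not exhaustive).
# Keys and names are hypothetical labels chosen for this example.
ALLOWED = {
    "corporate_laptop": {"Work Zone", "S/4HANA", "SuccessFactors", "Concur", "SAC"},
    "virtual_desktop_cui": {"Work Zone (CUI)", "S/4HANA CUI"},
    "kiosk": {"Work Zone", "S/4HANA"},
    "managed_mobile": {"SAP Mobile Start", "Work Zone", "SuccessFactors"},
    "personal_mobile": {"SuccessFactors", "Concur"},
    "tpa": {"Work Zone"},  # the "selected" S/4HANA and SaaS apps are not listed on the page
}
INTUNE_MANAGED = {"corporate_laptop", "managed_mobile"}  # channels the page ties to Intune
CUI_TOUCHPOINTS = {"Work Zone (CUI)", "S/4HANA CUI"}


@dataclass(frozen=True)
class Request:
    channel: str
    touchpoint: str
    intune_compliant: bool = False  # assumed compliance signal from device management


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly mapped is denied."""
    allowed = ALLOWED.get(req.channel)
    if allowed is None:
        return False, "unknown channel"
    # CUI is checked first so a standard device gets an explicit denial reason.
    if req.touchpoint in CUI_TOUCHPOINTS and req.channel != "virtual_desktop_cui":
        return False, "CUI touchpoints require the CUI virtual desktop"
    if req.channel in INTUNE_MANAGED and not req.intune_compliant:
        return False, "managed device is not compliant"
    if req.touchpoint not in allowed:
        return False, "touchpoint not mapped to this channel"
    return True, "allowed"


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("corporate_laptop", "S/4HANA", intune_compliant=True),
        Request("corporate_laptop", "S/4HANA CUI", intune_compliant=True),
        Request("managed_mobile", "SuccessFactors", intune_compliant=False),
        Request("personal_mobile", "S/4HANA"),
    ]
    for s in samples:
        print(s.channel, "->", s.touchpoint, decide(s))
```

Returning the reason alongside the decision gives the sign-in log enough detail to tell a CUI policy block apart from a compliance failure.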



Digital Touchpoints

Digital touchpoints represent the applications and platforms where users actually perform their work once they have accessed the environment through an approved Access Channel. The objective is to provide a consistent experience across SAP and related enterprise solutions, regardless of device or entry point.

Work Zone Standard

SAP Build Work Zone Standard is the central entry point for all user access. It connects directly to our S/4HANA systems to expose the role-based Fiori apps assigned to each user, and it also links to other enterprise and SaaS solutions such as SuccessFactors, Ariba, and Concur where the role requires them. This gives users one consistent environment to access everything they need for their work without having to remember system names or maintain separate logins.

Work Zone combines content from multiple systems into a single, role-based experience. For example, a procurement specialist can see both S/4HANA Fiori apps and supplier links, while an HR user can access Fiori workflows together with SuccessFactors content. This unified model is one of the core design decisions in our project, providing a consistent user experience and reducing fragmentation while keeping access governed.

How users access apps and tools in Work Zone

In Work Zone, users access applications and content through tiles or links. Tiles represent apps or actions and launch the underlying Fiori app, classic UI, or SaaS system. Each tile displays the app name, icon, and, where relevant, live data or status indicators.

The project uses Insight Tiles (KPI, Chart, Trend, and Comparison) where it makes sense to show key figures or status information directly on the tile. This gives users quick visibility of important metrics before opening the app.

Links are used where a full tile is not needed. They save space and are ideal for opening SaaS homepages, reports, or documentation that support the user’s role. This keeps pages clean and focused.

To maintain clarity as the number of tiles grows, the project follows the new Work Zone layout based on Spaces, Pages, and Sections. This structure keeps navigation consistent and reduces clutter:

  • Spaces group work by function or Line of Business, such as Finance, Procurement, or HR (maps to Signavio L3).

  • Pages organise tiles by activity or task type, such as Operational tasks or Analytics (maps to Signavio L4).

  • Sections further group tiles to make large collections more manageable and reduce visual clutter.

  • Tiles are the smallest display element and map to Signavio executables (L5).

See images below for examples of the structure and tile types used in Work Zone.


Spaces, Pages and Sections schematic


A schematic display of how Spaces, Pages, and Sections are structured in Work Zone.



Tile Examples image

Examples of different tile types including KPI, Comparison, Monitoring, and Link tiles.


How users access systems across multiple backends

The project operates three SAP Build Work Zone Standard tenants aligned with each regional S/4HANA system. This approach ensures faster access, maintains data segregation by geography, and supports compliance with local performance and regulatory requirements.

Some roles require access to applications in more than one regional instance, such as ROW, CUI, or China. From a user perspective, access across these environments is seamless. Users sign in once and can reach the Work Zone for their region without needing to manage multiple logins or credentials. Aside from the URL, there is no disruption to how users access or work with their applications.

Each Work Zone follows the same structural design so that navigation, pages, and tiles behave consistently across regions. The project is also exploring the use of regional theming to help visually distinguish each tenant, although this is still under review.

Within Work Zone, each tile indicates which backend it connects to, allowing users to identify the system before launching the app. This provides one unified entry point while keeping each region’s data and connectivity governed independently.

See KDD036 - User Access to Enterprise Systems for the technical rationale behind the multi-tenant design.

See images below for examples of how roles access multiple S/4HANA systems through Work Zone.


  • Individual tiles – used where users need to open separate apps per backend without displaying data. Each tile represents one system and is clearly labelled (for example, Manage Purchase Orders – ROW, CUI, or China).

  • UI cards – used where data or status values are meaningful at a glance, such as monitoring purchase orders or supplier confirmations across multiple systems. Cards summarise key values in one component, allowing quick comparison without opening separate apps. (Example: “Open PO counts by backend”)





SaaS Applications

  • SuccessFactors – HR and Learning
    Used for employee lifecycle processes, performance management, and learning activities.
  • Ariba / Supplier Portal – Procurement and Supplier Collaboration
    Supports sourcing, procurement, and supplier management processes with integration to S/4HANA.
  • Concur – Travel and Expense Management
    Used for travel requests, expense claims, and reimbursement workflows.
  • SAP Analytics Cloud (SAC)
    Provides analytical dashboards, business insights, and reporting for multiple process areas.
  • Salesforce – Customer Relationship Management
    CRM stuff
  • BlackLine
  • Kinaxis Maestro

Note: Bring in complete project list once validated (include additional SaaS and enterprise applications currently in scope).

Industrial Applications

Industrial systems are accessed mainly through dedicated apps deployed on rugged or shared devices. These applications support plant, maintenance, and logistics operations where mobility and simplicity are key.

Examples include:
T&T, Blueworks, and other industrial or site-specific apps that extend S/4HANA for field operations.

Note: Insert all confirmed industrial applications here once finalised.

Mobile Solutions and Apps

Mobile access complements the digital touchpoints through SAP Mobile Start and other approved apps deployed via the company app catalogue. The goal is to provide role-based access to tasks and data while maintaining a consistent experience between desktop and mobile.








