Introduction

Purpose

The purpose of this document is to outline the infrastructure and network architecture of the Syniti Platform for the SyWay project. It aims to provide a clear and structured view of the components, data flows, integration mechanisms, and security considerations that support the Syniti platform in its interaction with the Syensqo SAP ecosystem.

Syniti is an unified platform designed to manage, migrate, and govern enterprise data. In the SyWay project, it will remain as the primary platform for managing extraction, transformation, load and validation. Below diagram shows high level activities that can be performed with this platform:

Scope & Objectives

This document defines the architectural scope of the Syniti solution within the SyWay project, focusing on the deployment and integration of Syniti as the central platform for data extraction, transformation, loading (ETL), and validation activities.

The scope includes:

• The technical architecture of Syniti Platform and its supporting components.
• The integration architecture between Syniti and SAP systems.
• The security and connectivity model, including configurations, RFC destinations, and access control mechanisms.
• The deployment model for the Rest of World (RoW) Landscape.

Out of scope:

• The data flow architecture, covering how data is extracted from source systems, transformed according to business rules, validated, and loaded into target SAP environments.

• The detailed functional design of migration objects, business rules, or data cleansing logic, which are addressed in separate deliverables.

• The list of required and approved tables to be extracted from source system is out of the scope of this document. This will be defined during the Data Stream design phase.

• It also excludes operational procedures post-migration, such as data governance or ongoing data quality monitoring, unless explicitly tied to the Syniti platform.

• As of writing this document, there are pending architectural decisions regarding North America & China, and RISE infrastructure. These designs will be added to this document as they are finalized.
• Security policies in Syniti SKP for application users.

Key Decisions and Requirements

Application Architecture

Architectural Decisions

Syensqo has decide to implement the Synity Hybrid Deployment Model. The Syniti Knowledge Platform (SKP)-Hybrid consists of the cloud-native, multi-tenant application platform with customer-hosted working databases and a series of remote services. The remote services are the platform components that run outside of the Syniti Knowledge Platform application and are designed to run close to the data stores that persist and transact data management activities. Below diagram provided by Syniti company shows an example of Syniti Hybrid Deployment model:

Application Architecture Design

Based on Hybrid Deployment , following Architecture will be implemented for Syensqo:

Application Architecture Components

The Syniti architecture is designed to support scalable, secure, and efficient data migration and governance. Breakdown of components:

• Syniti Knowledge Platform (SKP)
  • It is a cloud-based data management solution hosted on AWS Frankfurt for EU designed to help organizations transform their data into a strategic asset. SKP provides a secure, scalable, and strategic data management environment that supports various data-related activities such as data quality reporting, profiling, metadata scanning, and data migration.
  • It enables communication with systems in an organization's landscape through components called SKP connectors, which support metadata scanning, profiling, and data quality functionalities.
  • The platform uses a connector-based architecture to securely distribute execution outside of the SKP application environment, ensuring that customer master, transactional, and operational data are not persisted within the platform itself. Instead, only metadata and metrics are sent to SKP for storage and processing.
• Server 1 - Syniti Connector
  • The Syniti Server Connector , is a secure, Linux-based software component that enables communication between Syensqo SAP systems and the Syniti Knowledge Platform (SKP) in the cloud.
  • Purpose:
    • Secure Data Transfer: It securely transmits metadata and data between your enterprise systems and Syniti’s cloud platform using encrypted channels
    • Metadata Scanning: Enables the SKP to scan and analyze metadata from systems like SAP, Oracle, and SQL Server.
    • Data Governance & Migration: Supports Syniti’s tools for data quality, governance, and migration by providing real-time access to source systems.
• Server 2 - Replicate Server
  • The Syniti Replication Platform runs on a Windows Platform. The Replicate server is responsible for extract data from the source system and create source snapshots for the Migrate component to process.  It also connect to the Target system to extract data for post load data verification.
• Server 3 - Working Database and SQL Server
  • A windows server which acts as the central repository for all working data during a migration or data quality project. It serves as the primary staging and processing environment for data transformations, validations, and migrations.
  • Working and Construction Database. The Syniti Migrate Platform will work with several different databases for processing. This database may store Source snapshots (Production copy of source data), Data Transformations (Business Conversion rules), Target Snapshots (Copy of Target for load validation).
• Server 4 - Tooling Server (Administrator Jump Server)
  • It is a secure intermediary VDI server used to access and manage systems that are otherwise isolated or protected within a private network. Securely connect to on-premise components like the Syniti Connector, Replicate, or Working Databases.
  • Only Syniti administrators users will have access to this server so they can perform admin activities like:
    • Connect to Syniti servers
    • System Administration and Operation Tasks
    • Troubleshooting and diagnostic
• Syensqo VDI TPA (Third Party Access)
  • The Syniti Migrate Platform will require that Syniti developers can develop business rules in the working database. This group of people will require access and development tools that will be installed on VDI TPA created for Syniti Company.
  • This VDI will contain following software required for developers activities:
    • Microsoft Office Applications
    • SAP GUI
    • Internet access
    • SQL Server Management Studio
• Source and target systems
  • The Syniti Migrate Platform will extract data from SAP Source Systems using RFC calls. Due to Syensqo security policies no access to Source HANA DB would be granted.

  • Syniti requires READ ONLY access to the PRODUCTION Source systems to get the most up to data for cleansing and conversion.

  • The Target system load method must be determined during Design and Delivery phase , different access will be granted based upon the choice. Some alternatives are Migration Cockpit, BAPIs, Idocs, SAP Data Services, Custom objects etc...
• AWS S3 Bucket
  • Created for Syniti administrators users, will be used to download the required software to be installed in Syniti Servers.

Network Architecture

Firewall Rules:

Initial Firewall Implementation as part of servers creation can be found in following document: AWS Matrix Flow Template (FW & SG) . In below table are shown the connections and firewall rules implemented specifically for Mobilize phase:

Application Security

Authentication

• Syniti SKP.  Single Sign on integrated with Azure Entra ID (formerly Azure Active Directory) was configured as per following document.
• Syniti servers: As part of the installation process of the Syniti servers Syensqo IT team created corresponding Admin users for every server at application level. The objective is to have a minimal number of Admin users ( approximately 5 users) who are fully autonomous in executing administration and operational activities across all Syniti servers.
• Authentication for other Non Syniti applications is out of the scope of this document
• User management for Syniti developers team is under review and out of the scope of this document.

Authorisation

Data elements inside the SAP Source applications are subject to export controls such as ITAR, EAR, or various UK or European Regulations. In order to integrate Syniti Platform on Syensqo Security Policies following approach is implemented:

• No direct access to the SAP HANA Source Database, only to the SAP Application layer.
• Syniti Replication Server will access to Source system data trough RFC Service user . This RFC Service user will have restricted ReadOnly authorization to specific SAP Tables and functions, see list of Service user authorization . (List of required and approved tables to be extracted from source system is out of the scope of this document, that will be decided during the design phase of Data stream.). See list of tables for which will be granted read access to Syniti RFC user.
• NextLabs tool is used to enable field level encryption in S/4HANA. This will encrypt ITAR-relevant data elements and the encrypted values will be stored in HANA DB. Data will be unencrypted on the fly when it is access by an authorized user. Therefore, Syniti will not be able to extract ITAR data unless the RFC service user is explicitly authorized.
• Enable at-rest TDE encryption in the SQL Syniti Working DB server for all generated databases.

Communication Security

All data in transit will be encrypted.

• SSL is used for all web traffic . 
• SNC is used for all RFC and SAPGUI communications. 
• SSL is used for all Syniti Server Working DB traffic, ensuring that the database only accepts TLS-encrypted connection requests. 

Other Controls

Below there is a list of required applications and systems to be used by Syniti Team activities and the mechanism to access it:

*Syniti Developers require to execute actions on SQL Databases available on Syniti Working DB, for that SQLServer Management Studio have been installed in TPA VDI Syniti Company so they can execute required actions.

System Landscape

Production Environment

Due to the nature of the use of the Syniti platform , it will have one single Production Instance for the whole Syensqo SAP Landscape. The table below describes the the corresponding servers deployed on AWS:

Servers deployment was done by Syensqo IT teams under JIRA AWSCLOUD-75 . Detailed information regarding servers infrastructure can be found in following link: Syniti Servers . Below there is an extraction of most significant information:

Operation Architecture

Roles and Responsibilities

RACI for Mobilize phase:

<Roles and responsibilities matrix for delivery phase is under review, will be added to the document once validated>

Backup/Restore

• <Place holder>To confirm BackUp requirements from Syniti Development team for Working DB

Backup Policies implemented can be found in following link . As per Syensqo policies have been implemented Daily, Weekly and Monthly Backup in Syniti Servers.

Syniti recommend following Backup Policy in its own documentation:

• Syniti Connector OS —Daily snapshot
• Syniti Replicate OS —Daily snapshot
• Syniti Working Databases—Daily OS snapshot
  • SRC / TGT Databases—Daily SIMPLE backup
  • WRK Databases—Daily FULL backup (if possible), otherwise SIMPLE
  • MIGRATE Database—Daily FULL backup
  • REPORT Database(s)—Daily SIMPLE backup
• Syniti Construction Database(s)—Daily FULL backup
• Syniti Replicate Metadata Database—Daily SIMPLE backup

Maintenance Plan

• Syniti servers updates (OS patching) will be performed by Syensqo IT Team: For production environment Monthly on 3rd Sunday 00-03 UTC.
• Syniti software updates will be performed monthly by Syniti team on demand.

Service Introduction

Application Category

Support Team

Skill required

Checklist

Exceptions

See also

Change log