Status

Owner

KUMAR-ext, Anit 

StakeholdersThe business stakeholders involved in making, reviewing, and endorsing this decision. Type @ to mention people by name
LeanIX Link 

Introduction

This section provides the background, scope, and key requirements for SyWay’s adoption of SAP Business Technology Platform (BTP) as the cornerstone of its global SAP landscape.

Purpose

The purpose of this Application Architecture document is to define a single, authoritative blueprint for how SAP BTP services will be organized, secured, integrated, and managed across all programme phases and regions. It serves as the reference for solution architects, development teams, operations, and audit stakeholders when designing or reviewing any BTP‑based workload


Scope & Objectives

The architecture covers the full BTP footprint required for the SyWay programme, including— but not limited to—Integration Suite, Build Work Zone, Datasphere, PaPM Cloud, Sustainability solutions, Asset Performance Management, Advanced Financial Closing, Global Track & Trace, Document Reporting Compliance, Cloud Identity services, Observability tooling, and SAP Cloud Transport Management.
Primary objectives are to:

  1. Provide scalable and resilient platform services that meet a 99.9 % SLA for production.

  2. Ensure end‑to‑end security and compliance with EU GDPR, US SOX, and China cybersecurity regulations.

  3. Enable efficient DevSecOps with automated transport, continuous integration, and central logging.

  4. Minimise total cost of ownership through sub‑account consolidation, quota pooling, and auto‑suspend for non‑prod runtimes.

  5. Deliver a governed naming and role model that supports audit‑ready change control and segregation of duties.


Key Decisions and Requirements

The following table lists the core requirements that the BTP architecture must satisfy.


DescriptionRationale

Configure SSO for all BTP apps via SAP IAS (region-specific) federated to Microsoft Entra ID

Ensures a unified user experience and centralised policy enforcement; SSO is enforced in trust and application configurations.

Mandate encryption-in-transit (HTTPS/TLS for all web endpoints; SNC for SAPGUI/RFC)

Aligns with SyWay’s security standard to protect confidentiality and integrity; disable/redirect HTTP and require TLS 1.2+.

Operate three BTP Global Accounts with regional/environment segregation (EU, CN, US Sovereign; shared DEV in EU20; region-specific INT/TRN/UAT/PAR/PRD)

Supports regional sovereignty and service availability.

Govern change via central Cloud Transport Management (cTMS) with gated approvals

Delivers predictable, auditable promotions across BTP artefacts and enforces separation of duties.

Use Cloud Connector with Location IDs and principal propagation; secure Destinations (OAuth2/x509)

Provides controlled, audited access to SAP RISE endpoints, avoids embedded credentials, and preserves user identity across hops for fine-grained authorisation. Outbound access is restricted to approved destinations.

Use region-appropriate service placement and tenancy (e.g., Sustainability apps in Azure EU20; Finance/IAG/DRC/GTT in AWS EU10; China in CN20; US in NS2; DRC dev for all non-prod; DRC prod for production)

Reflects SAP service availability and sovereignty constraints; simplifies compliance boundaries and lifecycle management.

Use IPS (connectivity plan) co-hosted with the IAG subaccount for S/4HANA provisioning

Meets IPS plan constraints, centralises sensitive provisioning, and aligns governance with IAG while keeping application subaccounts lightweight.


Application Architecture

Architectural Decisions

Below Table provides the details of the architectural decisions made based on the rationale.

Architectural DecisionDescriptionRationale









Application Architecture Design

Insert the Architecture design below. Architecture can be designed in either Visio or word or another format.

Application Architecture Components

Provide the details of each and every major component used in the Application Architecture. Below are some of the sample application components provided as a reference.

Web Dispatcher

Provide the details of Web dispatcher

Gateway Server

Provide the details of Gateway Server

S/4HANA

Provide the details of SAP ERP Central Component

ADFS

Provide the details of ADFS

Application Security

Classification

Security configuration or hardening depends on the classification and the associated risks. Security controls are implemented depending on the classification of the data per IT policy and risk management policy.

Authentication

Provide the details of authentication architecture used for the application

Authorisation

Provide the authorization guidelines/principles followed for the application

Communication Security

Provide the details of the communication security controls implemented based on the classification

Data Security

Provide the details of the data security controls implemented based on the classification

Other Controls

Provide the details of any other controls implemented based on the classification


System Landscape

Development Environment

Include the DEV environment details

Project Test Environment

Include the Project Test environment details. Mention Not Applicable, if the environment is not relevant for the application

Quality Environment

Include the Quality environment details. Mention Not Applicable, if the environment is not relevant for the application

Production Environment

Include the PROD environment details


Operation Architecture

Change and Configuration Management

This section will include the details related to change and configuration management of SAP and non-SAP systems.

Transport Management

Provide the details on how transport management will be handled

Release Management

Provide the details on how release management will be handled

Monitoring

This section will include the details related to monitoring enabled for the application

Application Monitoring

Provide the details of application monitoring configuration

System Monitoring

Provide the details of System monitoring configuration

Sizing

Provide the details of sizing approach and the future recommendations

High Availability

Provide the details of High Availability. You may provide a reference to other document or attach a document, if the section contains lot of content

Disaster Recovery

Provide the details of Disaster Recovery. You may provide a reference to other document or attach a document, if the section contains lot of content

Backup/Restore

Provide the details of Backup/Restore. You may provide a reference to other document or attach a document, if the section contains lot of content

Maintenance Plan

Provide the details of system and application maintenance plan. This should follow the upgrade strategy


Service Introduction

Application Category

Provide the details of application category based on application classification. Application category is defined based on RPO, RTO requirements

Support Team

Provide the details of support team that may be required to support the application

Skill required

Provide the details of skills that are required to support this application

Checklist

Provide the checklist for support organization to support the application


Exceptions

This section covers any exceptions to the reference architecture. Some Applications may have limitations and may not meet the Enterprise Architecture, Reference Architecture and IT Policy guidelines. All exceptions should be included in this section.


See also

Provide links or references to relevant documents for further context on this architecture decision and its impact. Listing related architectural decisions here can clarify dependencies.


Change log

Workflow history