| Status | |
| Owner | |
| Stakeholders | The business stakeholders involved in making, reviewing, and endorsing this decision. |
| LeanIX Link | |
This section provides the background, scope, and key requirements for SyWay’s adoption of SAP Business Technology Platform (BTP) as the cornerstone of its global SAP landscape.
The purpose of this Application Architecture document is to define a single, authoritative blueprint for how SAP BTP services will be organized, secured, integrated, and managed across all programme phases and regions. It serves as the reference for solution architects, development teams, operations, and audit stakeholders when designing or reviewing any BTP-based workload.
The architecture covers the full BTP footprint required for the SyWay programme, including, but not limited to, Integration Suite, Build Work Zone, Datasphere, PaPM Cloud, Sustainability solutions, Asset Performance Management, Advanced Financial Closing, Global Track & Trace, Document Reporting Compliance, Cloud Identity services and SAP Cloud Transport Management.
Primary objectives are to:
- Provide scalable and resilient platform services that meet a 99.9 % SLA for production.
- Ensure end-to-end security and compliance with EU GDPR, US SOX, and China cybersecurity regulations.
- Enable efficient DevSecOps with automated transport, continuous integration, and central logging.
- Minimise total cost of ownership through sub-account consolidation and quota pooling.
- Deliver a governed naming and role model that supports audit-ready change control and segregation of duties.
| Description | Rationale |
|---|---|
| Configure SSO for all BTP apps via SAP IAS (region-specific) federated to Microsoft Entra ID | Ensures a unified user experience and centralised policy enforcement; SSO is enforced in trust and application configurations. |
| Mandate encryption-in-transit (HTTPS/TLS for all web endpoints; SNC for SAP GUI/RFC) | Aligns with SyWay's security standard to protect confidentiality and integrity; disable/redirect HTTP and require TLS 1.2+. |
| Operate three BTP Global Accounts with regional/environment segregation (EU, CN, US Sovereign; shared DEV in EU20; region-specific INT/TRN/UAT/PAR/PRD) | Supports regional sovereignty and service availability. |
| Govern change via central Cloud Transport Management (cTMS) with gated approvals | Delivers predictable, auditable promotions across BTP artefacts and enforces separation of duties. |
| Use Cloud Connector with Location IDs and principal propagation; secure Destinations (OAuth2/x509) | Provides controlled, audited access to SAP RISE endpoints, avoids embedded credentials, and preserves user identity across hops for fine-grained authorisation. Outbound access is restricted to approved destinations. |
| Use region-appropriate service placement and tenancy (e.g., Sustainability apps in Azure EU20; Finance/IAG/DRC/GTT in AWS EU10; China in CN20; US in NS2; DRC dev for all non-prod; DRC prod for production) | Reflects SAP service availability and sovereignty constraints; simplifies compliance boundaries and lifecycle management. |
| Use IPS (connectivity plan) co-hosted with the IAG subaccount for S/4HANA provisioning | Meets IPS plan constraints, centralises sensitive provisioning, and aligns governance with IAG while keeping application subaccounts lightweight. |
The table below details the architectural decisions made and the rationale behind each.
| Architectural Decision | Description | Rationale |
|---|---|---|
Authentication is implemented via Single Sign-On using SAP Identity Authentication Service (IAS) federated to Microsoft Entra ID, with separate IAS tenants per region (Europe, China, US Sovereign) and trust configured at the subaccount level. Authorisation bindings use Entra groups mapped to IAS groups and BTP role collections, with a small, named platform-administrator set operating under least-privilege and controlled break-glass procedures. All web access is enforced over HTTPS/TLS, while SAP GUI/RFC channels use SNC with client certificates via SAP Secure Login Service; application calls to backend systems employ principal propagation through Cloud Connector and approved Destinations. Identity Provisioning Service (IPS), using the connectivity plan and co-hosted with the IAG subaccount, supports S/4HANA user provisioning in line with plan limits. Authentication for systems outside SAP BTP is out of scope.
Authorization on SAP BTP follows role-based access control (RBAC) with Microsoft Entra groups mapped via IAS groups to BTP role collections; direct user assignments are not permitted. Role collections are scoped by subaccount, environment, and region to enforce least privilege and clear separation of duties across platform administration, transport governance (cTMS), integration development/operations, UI/Work Zone content administration, analytics (Datasphere/PaPM), sustainability/finance services, and read-only audit. Production privileges are minimised and time-bound; emergency access (“break-glass”) is granted via pre-approved, MFA-protected role collections with full logging. Service-specific authorizations (e.g., Integration Suite/API Management, Work Zone/Task Center, BPA/BAS, Datasphere/PaPM, DRC, GTT) are granted only through mapped collections, and Destinations/principal propagation are allowed solely when required scopes are present. All grants are change-controlled, auditable, and subject to periodic recertification.
Encrypt-in-transit by default. All BTP web endpoints (applications, services, app routers) enforce HTTPS with TLS 1.2+ (TLS 1.3 preferred).
Secure SAP GUI/RFC channels. SAP GUI and RFC communications use SNC with client X.509 certificates via SAP Secure Login Service, ensuring mutual authentication and integrity for administrative and operational access.
Controlled back-end connectivity via Cloud Connector. Connectivity to RISE-hosted SAP S/4HANA is established through SAP Cloud Connector with TLS, Location IDs per connector, and minimal resource mappings. One connector serves all non-production, and two connectors in HA serve production. Virtual hostnames used in Destinations are not externally resolvable.
Hardened Destinations and principal propagation. BTP Destinations use OAuth2 SAML Bearer Assertion or mutual TLS; basic credentials are avoided. User identity is propagated end-to-end where required, and scopes/authorities are limited to least privilege.
Certificate and key management. Certificates (server and client) are lifecycle-managed with defined owners, rotation schedules, and audit trails; trust stores are curated per subaccount to avoid over-broad trust.
Egress and inbound controls. Outbound traffic from BTP is restricted to approved Destinations; inbound exposure is limited to necessary public entry points. IP allow-listing and service-level throttling are applied where available (e.g., API Management policies).
Monitoring and auditability. Transport security events (connector state, certificate expiry, failed auth, TLS errors) are monitored, alerted, and logged to the central observability stack for investigation and compliance.
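The transport-security decisions above (HTTPS only, no basic credentials in Destinations, principal propagation only through Cloud Connector with a Location ID, egress limited to approved destinations) can be checked mechanically before a destination is promoted. The lint below is an added example, not SyWay's or SAP's code: the property names (`URL`, `Authentication`, `ProxyType`, `CloudConnectorLocationId`) are standard BTP destination properties, while the hostnames, the Location ID and the two sample destinations are constructed.

```python
"""Policy lint for SAP BTP destination definitions (added example)."""
import re

# Authentication types acceptable under the 'hardened Destinations' decision
ALLOWED_AUTH = {
    "OAuth2SAMLBearerAssertion",        # OAuth2 with SAML bearer assertion
    "ClientCertificateAuthentication",  # mutual TLS
    "PrincipalPropagation",             # user identity forwarded via Cloud Connector
}
# Constructed egress allow-list: one internal virtual hostname plus one partner API
APPROVED_HOSTS = {"s4h-prd.syway.internal", "api.partner.example"}


def _host_of(url: str) -> str:
    """Extract the bare hostname (no scheme, port or path) from a destination URL."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]


def lint_destination(dest: dict, approved_hosts=APPROVED_HOSTS) -> list:
    """Return policy findings for one destination; an empty list means compliant."""
    findings = []
    name = dest.get("Name", "<unnamed>")
    url = dest.get("URL", "")
    auth = dest.get("Authentication", "NoAuthentication")
    proxy = dest.get("ProxyType", "Internet")
    if not url.lower().startswith("https://"):        # encryption in transit
        findings.append(f"{name}: URL is not HTTPS ({url or 'missing'})")
    if auth not in ALLOWED_AUTH:                       # no basic/embedded credentials
        findings.append(f"{name}: Authentication '{auth}' is not permitted")
    if auth == "PrincipalPropagation" and proxy != "OnPremise":
        findings.append(f"{name}: PrincipalPropagation requires ProxyType OnPremise")
    if proxy == "OnPremise" and not dest.get("CloudConnectorLocationId"):
        findings.append(f"{name}: OnPremise destination has no CloudConnectorLocationId")
    host = _host_of(url)
    if host and host not in approved_hosts:            # egress control
        findings.append(f"{name}: host '{host}' is not an approved destination")
    return findings


# Constructed samples: one compliant on-premise destination, one non-compliant legacy one
SAMPLE_DESTINATIONS = [
    {"Name": "S4H_PRD", "URL": "https://s4h-prd.syway.internal:443",
     "ProxyType": "OnPremise", "Authentication": "PrincipalPropagation",
     "CloudConnectorLocationId": "syw-prd-cc"},
    {"Name": "LEGACY_FEED", "URL": "http://legacy.partner.example/feed",
     "ProxyType": "Internet", "Authentication": "BasicAuthentication",
     "User": "svc_feed", "Password": "REDACTED-PLACEHOLDER"},
]


def lint_all(destinations) -> dict:
    """Map each destination name to its list of findings."""
    return {d["Name"]: lint_destination(d) for d in destinations}


if __name__ == "__main__":
    for name, issues in lint_all(SAMPLE_DESTINATIONS).items():
        print(name, "compliant" if not issues else "; ".join(issues))
```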
Account Model - Global Account: Syensqo Main.
Account ID: 59549222-81b5-4701-afde-9a23643d0b00
| Directory | Services | Region | SandBox Subaccount | Development Subaccount | Integration Test Subaccount | Training Subaccount (tbd) | UAT Subaccount | Parallel Testing Subaccount (tbd) | Production Subaccount | Remarks/Rationale |
|---|---|---|---|---|---|---|---|---|---|---|
| /SyWay/Shared Svcs / Integration | Integration Suite(API Management), Forms Service by Adobe, SAP Process Integration Runtime | Azure Europe (Netherlands) | — | syw-itg-dev-eu20 | — | — | syw-itg-uat-eu20 | — | syw-itg-prd-eu20 | - Centralized platform for integration - API Mgmt is provisioned as a capability inside Integration Suite. |
| /SyWay/Shared Svcs / User Interface | SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, BAS | Azure Europe (Netherlands) | — | syw-ui-dev-eu20 | TBD | TBD | syw-ui-uat-eu20 | TBD | syw-ui-prd-eu20 | - Task Center federation booster expects Work Zone in the same sub-account. - BPA integrates most smoothly when it shares a sub-account with Work Zone/Task Center (built-in content federation, no extra trust setup). Cross-sub-account operation is possible but adds configuration overhead. |
| /SyWay/Shared Svcs / Deployment Mgmt | SAP Cloud Transport Management, ActiveControl -UI | Azure Europe (Netherlands) | — | syw-dep-dev-eu20 | — | — | — | — | syw-dep-prd-eu20 | - cTMS is designed as a centralized service. - To facilitate role management and configure strict access control. |
| /SyWay/Shared Svcs / Identity Mgmt | Cloud Identity (IAS and IPS), SAP Secure Login Service for SAP GUI | Azure Europe (Netherlands) | — | syw-sec-dev-eu20 | TBD | — | — | — | syw-sec-prd-eu20 | - Centralized platform for identity authentication. - Restriction for IPS (20 source and 50 target systems). - If IPS is used for S/4HANA user provisioning, a different plan ("Cloud Identity Services connectivity plan") is needed, which means an additional subaccount or co-hosting with IAG. Cloud Identity Services uses the default (Application) service plan, and each service plan needs a separate subaccount. |
| /SyWay/Shared Svcs / IAG | Identity Access Governance (IAG) | AWS Europe (Frankfurt) | — | syw-iag-dev-eu10 | TBD | — | — | — | syw-iag-prd-eu10 | - Positioned in AWS due to service availability. - IAG isolated due to governance and compliance sensitivity. |
| /SyWay/Analytics | Datasphere, PaPM Cloud | Azure Europe (Netherlands) | — | syw-ana-dev-eu20 | — | — | syw-ana-uat-eu20 | — | syw-ana-prd-eu20 | - Tight Data Integration: PaPM Cloud consumes and writes Datasphere (BYOD: Subscribe to SAP Datasphere) objects via native replication/remote tables; same-sub-account placement removes cross-trust setup and latency. - One Connectivity Footprint: Both services hit the same S/4HANA APIs, so a single Cloud Connector mapping covers them, halving certificate and audit effort. - Quota & Transport Efficiency: They share the HANA Cloud runtime and can ride the same Cloud TMS track, pooling capacity and producing one audit-ready deployment log. Ian Barrow: please check the rationale above. |
| /SyWay/Sustainability | Sustainability Footprint Management(SFM), Sustainability Control Tower, Green Ledger | Azure Europe (Netherlands) | — | syw-sus-dev-eu20 | TBD | TBD | syw-sus-uat-eu20 | TBD | syw-sus-prd-eu20 | - Required Azure hosting due to SFM availability. |
| /SyWay/Asset Performance Mgmt | Asset Performance Management | Azure Europe (Netherlands) | — | syw-apm-dev-eu20 | TBD | TBD | syw-apm-uat-eu20 | TBD | syw-apm-prd-eu20 | |
| /SyWay/Finance | Group Reporting Data Collection, Advanced Financial Closing, SAP Risk and Assurance Management | AWS Europe (Frankfurt) | — | syw-fin-dev-eu10 | TBD | TBD | syw-fin-uat-eu10 (tbd) | TBD | syw-fin-prd-eu10 | - All four services are available in AWS only. - Placing SAP Risk and Assurance Management inside the existing /SyWay/Finance directory is technically compliant, cost-efficient, and keeps all finance-compliance tooling in one governed cluster. A separate GRC directory is needed only if the internal control framework demands a standalone tenancy. Satya Madasu: please check. |
| /SyWay/Logistics | SAP Business Network Global Track and Trace (GTT), Audit Log Viewer, Personal Data Manager, Authorization Apps for Freight Collaboration, Carrier Apps for Freight Collaboration | AWS Europe (Frankfurt) | — | syw-gtt-dev-eu10 | — | — | TBD | — | syw-gtt-prd-eu10 | - Available in AWS only. |
| /SyWay/Document Reporting Compliance | Document Reporting Compliance | AWS Europe (Frankfurt) | — | syw-drc-dev-eu10 | — | — | — | — | syw-drc-prd-eu10 | - Services hosted in AWS due to availability limitations. - The SAP DRC Cloud dev tenant can connect to multiple backend S/4HANA instances. |
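The governed naming model in the account table (`syw-<area>-<env>-<region>`, with the region suffix tied to the directory's hosting location) lends itself to a periodic drift check over the subaccount inventory. The audit below is an added example, not part of the SyWay document or any SAP tool: the area codes, environment codes and the hosting-to-region mapping are read off the table and the Global Account decision above, while the inventory is constructed and deliberately contains two drifted entries.

```python
"""Naming and placement audit for SyWay BTP subaccounts (added example)."""
import re
from collections import defaultdict

NAME_RE = re.compile(r"^syw-(?P<area>[a-z]+)-(?P<env>[a-z]+)-(?P<region>[a-z]{2}\d{2})$")
ENVS = {"dev", "int", "trn", "uat", "par", "prd"}          # from the Global Account decision
KNOWN_AREAS = {"itg", "ui", "dep", "sec", "iag", "ana", "sus", "apm", "fin", "gtt", "drc"}
# Hosting location -> region suffix, as used consistently in the account table
HOSTING_REGION = {"Azure Europe (Netherlands)": "eu20", "AWS Europe (Frankfurt)": "eu10"}

# Constructed inventory: (subaccount name, hosting location of its directory)
INVENTORY = [
    ("syw-itg-dev-eu20", "Azure Europe (Netherlands)"),
    ("syw-itg-prd-eu20", "Azure Europe (Netherlands)"),
    ("syw-fin-dev-eu10", "AWS Europe (Frankfurt)"),
    ("syw-fin-prd-eu20", "AWS Europe (Frankfurt)"),    # drift: wrong region suffix
    ("syw-drc-prod-eu10", "AWS Europe (Frankfurt)"),   # drift: non-standard env code
]


def audit_inventory(inventory) -> list:
    """Return naming/placement findings; an empty list means the inventory is compliant."""
    findings = []
    regions_by_area = defaultdict(set)
    for name, hosting in inventory:
        m = NAME_RE.match(name)
        if not m:
            findings.append(f"{name}: does not match syw-<area>-<env>-<region>")
            continue
        area, env, region = m.group("area", "env", "region")
        if area not in KNOWN_AREAS:
            findings.append(f"{name}: unknown area code '{area}'")
        if env not in ENVS:
            findings.append(f"{name}: unknown environment code '{env}'")
        expected = HOSTING_REGION.get(hosting)
        if expected and region != expected:
            findings.append(f"{name}: suffix {region} but hosted in {hosting} ({expected})")
        regions_by_area[area].add(region)
    # Each directory's environments form one region-specific track
    for area, regions in sorted(regions_by_area.items()):
        if len(regions) > 1:
            findings.append(f"area {area}: spread across regions {sorted(regions)}")
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print(finding)
```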
