| Status | |
| Owner | |
| Stakeholders | The business stakeholders involved in making, reviewing, and endorsing this decision. Type @ to mention people by name |
| LeanIX Link | SAP Integration Suite |
Introduction
Purpose
The purpose of this document is to outline the application architecture of SAP Cloud Integration Suite as deployed by SyWayScope & Objectives
This document will describe the high-level architecture of the SAP Cloud Integration Suite.
Out of Scope:
- Since SAP Cloud Integration Suite is a SaaS group of applications, network and infrastructure architecture will NOT be covered.
- Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
- Implementation details such as Integration Design or API Management Design may have different architectures.
Application Architecture
Overview
Application Architecture Components
| Component | Acronym | Description |
|---|---|---|
| Business Accelerator Hub | Business Accelerator is a centralized resource for developers and partners to build integrations and extensions for SAP solutions, access pre-built integration content, and accelerate digital transformation efforts. The key features of the hub is enabling the discovery of API, ability to use existing integration content provided by SAP and partners. | |
| Cloud Integration | CI | Formally known as Hana Cloud Integration (HCI) and Cloud Platform Integration (CPI), CI is the core capability enabling the integration design and execution with SAP and non-SAP, cloud, and on-premise applications. CI enables Integration design via web based User Interface, providing orchestration of integration processes, connectivity to SAP, non-SAP, Cloud and On-Premise systems and Data Transformation. |
| API Management | APIM | APIM provides governance, security and monitoring of API, enabling exposure, management and monetization of APIs. APIM brings together all components necessary to expose and consume APIs providing capabilities for complete lifecycle of APIs, including, discovery, security, mediation, traffic management, analytics and documentation. |
| Event Mesh ( & Advanced Event Mesh ) | EM ( & AEM ) | EM provides the core infrastructure for enterprise-grade broker for event-driven architecture. It allow asynchronous communication between SAP and non-SAP. |
| Open Connectors | A Central Hub to access configurable connectors for over 170 non-SAP applications through harmonised APIs, enabling simplification and acceleration of integrations. | |
| Integration Advisor & Trading Partner Management | IAE & TPM | IAE & TPM accelerate the development of business-oriented interfaces and mappings, generate runtime artefacts quickly, and significantly reduce efforts. Combined with AI-assisted tool for mapping and defining message interfaces, it provides industry-specific content based on standards like EDI, cXML, and assists in accelerated B2B/EDI mapping activity. A Central cockpit provides the ability centrally manage trading partner relationships. |
| Integration Assessment | Integration Assessment capability is a methodology and toolset for deciding when to use different integration techniques and patterns and provides guidance on integration strategy and helps standardize integration patterns across projects. | |
| Graph | Graph provides the ability centralise and manage APIs to provide a unified Enterprise API exposing data from multiple SAP sources |
Application Security
User Access
User Access to Integration Suite is via Web, and limited to technical user (developers, system administrators, support teams etc).
Authentication
- User Authentication to Cloud Integration is via SAML Single Sign-on (SSO) using Syensqo Entra ID federated to IdP. Username and Password logon are not permitted.
- System Authentication options include
- OAuth 2.0 - access tokens issued via XSUAA
- Basic Authentication
- Cloud Connector - for outbound traffic from Cloud Integration to On-Premise system - provides a TLS connection and authenticates via Principal Propagation
Authentication Flow
User accesses Cloud Integration tenant URL
- The request gets redirected to SAP IdP configured in SAP BTP subaccount for Cloud Integration
User is re-directed to Corporate Identity Provider (IdP) logon page - Microsoft
User authenticates to Microsoft using Entra ID, if not already authenticated.
IdP validates and issues SAML 2.0 assertion back to BTP
SAP BTP maps the Role Collections assigned to the User
User accesses Cloud Integration
Authorisation
Standard Roles and Role Collections are assigned for User Access to Cloud Integration Components. Roles are assigned via SAP BTP Cockpit
| System | Administrator | Developer | General Access |
|---|---|---|---|
| Cloud Integration | PI_Administrator | PI_Integration_Developer | PI_Read_Only, PI_Business_Expert |
| API Management | APIPortal.Administrator, APIManagement.SelfService.Administrator, AuthGroup.SelfService.Admin, AuthGroup.API.Admin | APIPortal.Configurator, APIPortal.Developer, APIPortal.Tester, APIPortal.Service.CatalogIntegration | APIPortal.Guest |
Communication Security
For System-to-system communication, all data transfers are encrypted via a suitable mechanism - for example:
- HTTP Adapter which uses TLS 1.2 as the standard ( HTTPS )
- IDoc Adapter, which also uses TLS 1.2 as the standard ( HTTPS )
- SFTP Adapter which uses SSH-2
Data Security
SAP data centres are certified to comply with global security standards, such as ISO/IEC 27001 and SOC 2. SAP implements stringent security measures including encryption, 24/7 monitoring, and regular audits.Other Controls
System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services ).System Landscape
| Landscape Id | URL | Composite | Additional details |
|---|---|---|---|
| Development Environment | https://syw-itg-dev-eu20.authentication.eu20.hana.ondemand.com | Stand Alone | Rest of World only (EU) |
Integration Test Environment | TBA | Test Composite | China, USA, Rest of World only (EU) |
| User Acceptance Test Environment | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Parallel run and TRG | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Production Environment | TBA | Stand Alone | China, USA, Rest of World only (EU) |
Operation Architecture
Transport Management
Landscape Setup - initial setup for transport management | |
|---|---|
| Configure Landscape | Define your system landscapes (e.g., Development, QA, Production) within Figaf's Configuration -> Landscapes page. Specify details like platform, automatic transport lookup, and landscape items. |
| Synchronize Systems | Synchronize your source system (e.g., your development environment) with Figaf to capture the current state of your integration objects. Create a Development Ticket Generate Ticket - Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes. Attach and Track Objects Attach Tracked Objects - Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport. |
End to End Transport Management | |
|---|---|
| Generate Ticket | Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes. |
| Attach Tracked Objects | Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport. |
| Include Dependencies | Use the "Attach all dependent objects" feature to ensure all necessary related objects are included in the transport. |
| Start Transport | Click the "Start transport" button. Figaf will then prepare the transport package for deployment. |
| Synchronize Target System | Synchronize your target system (e.g., your QA or production environment) with Figaf |
| Automated Import Check | Figaf automatically checks the import status of the transports after synchronization. The transport status will update to "IMPORTED" once successfully processed |
| Resolve Ticket | Once the transport is complete and verified, you can resolve the development ticket in Figaf. |
| Key Features | |
|---|---|
| Version Control | Figaf tracks changes to integration objects, allowing you to compare versions and understand modifications. |
| Approval Workflows | Implement approval processes within Figaf before transports are moved to higher environments. |
| Testing Integration | Leverage Figaf's testing capabilities to create and execute tests on your transported code, ensuring functionality after deployment. |
| Virtual Tenants (for CPI) | Utilize virtual tenants for environments like QA, allowing reuse of development systems while maintaining governance through prefixes/postfixes and avoiding unnecessary deployments of certain objects like value mappings |
Release Management
SAP Release Management
Provides information on patch releases for hotfixes, bugfixes, and code enhancements. Patches for SAP Cloud Integration and Integration Advisor . Patch Release information covers the most recent changes made to the latest version of the software.
Monitoring
Monitoring in SAP Integration Suite provides end-to-end visibility into integration processes, APIs, and event-driven messaging across hybrid and cloud landscapes. It helps administrators, developers, and business stakeholders ensure that integrations run reliably, securely, and in compliance with business SLAs.
Monitoring in SAP Cloud Integration (CI)
- Message Monitoring - This core feature of SAP Cloud Platform Integration (SCPI), used to track, analyse, and troubleshoot the flow of integration messages between systems. It provides visibility into message processing, status, and potential errors, ensuring smooth operation of integration scenarios. Note - payloads are not captured by default, these may only be captured through explicit tracing with sufficient privilege in the system.
- Integration Content - Deployed object status with associated error on failure.
- Security Content - List displays of existing credentials (obscured passwords), certificates with expiry and custom user roles. Additional tooling is available for connectivity testing etc.
- Datastore Monitoring - List display of local storage (global variables) for use by integration developers (correlations/aggregators).
Additional capability offered by FIGAF tooling - TBA
Monitoring in API Management
Monitoring in SAP API Management provides transparency into how APIs are being consumed, their performance, and any potential errors. It allows administrators, developers, and business users to analyse API traffic, detect issues, and ensure APIs are meeting business and technical expectations.
- API Analytics and Monitoring
- Provides real-time and historical insights into API traffic
- Tracks metrics such as request counts, response times, error rates, latency, and throughput.
- Allows filtering by API proxies, applications, developers, or time ranges
- Helps identify usage trends including unusual traffic patterns for capacity planning and fraud detection.
- Trace and Debug
- Captures inbound and outbound request/response details
- Shows traffic distribution across APIs and consumers
Monitoring in Advanced Event Mesh
TBA
Sizing
SAP monitors system load and utilization, and proactively scales up capacity during release deployment.
- Log size limitations exist and can be extended at additional cost.
High Availability
With a single availability zone (az)
Disaster Recovery
SAP data centers are designed with redundancy and disaster recovery plans to help ensure business continuity.Backup/Restore
SAP performs full backups with the following schedule to meet SAP's recovery point objective.
| Tier | Frequency | Rentention |
|---|---|---|
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |
Maintenance Plan
Cloud Integration Software Update
Service Introduction
Application Category
Provide the details of application category based on application classification. Application category is defined based on RPO, RTO requirementsSupport Team
Provide the details of support team that may be required to support the applicationSkill required
SAP Cloud Integration Developers, ArchitectsChecklist
Provide the checklist for support organization to support the applicationExceptions
This section covers any exceptions to the reference architecture. Some Applications may have limitations and may not meet the Enterprise Architecture, Reference Architecture and IT Policy guidelines. All exceptions should be included in this section.See also
Provide links or references to relevant documents for further context on this architecture decision and its impact. Listing related architectural decisions here can clarify dependencies.