Overview of Access and Interaction Model

The project follows a unified access model that ensures all users interact with SAP and enterprise solutions in a consistent and secure way, regardless of device type or location. Access methods are defined by the type of device, the data classification, and the nature of the user’s role. All corporate devices are managed through Intune, which ensures that laptops, PCs, and mobile devices remain compliant and secure before connecting to company systems.

In this document we describe access in terms of two concepts.

Access Channels

These are the devices and entry points that people use to reach our systems, for example a corporate laptop, a virtual desktop or a mobile device.

Digital Touchpoints

These are the applications and platforms where users perform their work, for example Work Zone Standard, S/4HANA Fiori, SuccessFactors, Ariba, Concur or SAP Analytics Cloud.


Layer | What it represents | Examples
Access Channels | How users physically reach SAP systems | Corporate Laptop, VDI, Mobile Device, TPA
Digital Touchpoints | Where users actually perform their work once inside | Work Zone Standard, Fiori Launchpad, SuccessFactors, Ariba, Concur, SAC


Sascha, as the document matures I can replace Example mappings with an interactive diagram that captures the full list of Access Channels and their Digital Touchpoints.

Example mappings

These examples help visualise how Access Channels lead to Digital Touchpoints.


The following sections describe each Access Channel in more detail.

Access Channels

Syensqo Corporate Laptops

Corporate laptops are the standard way most employees access SAP systems. All corporate PCs and laptops are managed through Intune, Syensqo’s device management platform. This ensures that devices remain compliant and secure before connecting to company systems. The design principle is browser-first, so business applications are accessed through a web browser rather than installed locally. CUI systems cannot be accessed from standard laptops, and security policies and technical controls are in place to block this.

Virtual Desktops for CUI

Virtual desktops are used only when accessing systems that hold CUI-classified data. They provide a secure and segregated environment so that sensitive information does not leave the controlled zone. This setup is required only for users at CUI sites or in roles that work with CUI data. Users still work in a browser inside the virtual desktop, so applications look and behave in a familiar way.

Kiosks

Kiosks are shared devices in plants, warehouses and other operational areas. The operating system runs under a generic account, but each person signs in when they open the browser. This allows users in shared environments to see their own view of Work Zone, Fiori and other applications. The project will refine sign-in and sign-out patterns so that frequent use remains simple and reliable.

Syensqo Managed Mobile Devices

Corporate mobile phones and tablets are managed centrally through Intune, Syensqo’s device management platform. This allows secure configuration, app deployment, and compliance control before a device connects to company systems. Applications are either pre-installed or made available through the company app catalog. If more than half of a target population needs a specific app, such as SAP Mobile Start or SuccessFactors, the app is pushed automatically. Apps used by smaller populations, such as Concur, are available on demand. Managed mobile devices support single sign-on, so users can move between approved apps without repeated logins.

Industrial Mobile Devices

Industrial mobile devices, such as rugged tablets or handheld scanners, are pre-configured for operational use. Only approved business applications are deployed on these devices. User authentication must stay simple and secure. The project will evaluate options such as badge-based login or shared-device patterns, with the goal of keeping user effort low while still enforcing access control.

Personal (Unmanaged) Mobile Devices

Sascha, I could not locate a formal policy or guideline that explicitly confirms the use of personal mobile devices. The Syensqo separation program indicated that personal phones are permitted, but no supporting security policy has been identified. Clarification is also needed on whether specific devices, such as Huawei phones, are covered by this allowance.

Personal mobile devices can be used for selected cloud applications, for example SuccessFactors or Concur, where this is allowed by security policy. Access to core S/4HANA systems and other higher-risk applications continues to require a corporate device or virtual desktop.

Third-Party Personnel without Corporate Laptops

Third-party personnel, such as contractors or consultants, access SAP systems through the Third-Party Access (TPA) environment. TPA provides a controlled workspace where selected business applications are available through a browser. This keeps external work separated from the Syensqo network while still giving a familiar browser-based experience.

External Portals

External portals support interactions with customers, suppliers and other business partners. Examples include supplier portals, B2B portals and customer access to Safety Data Sheets. These portals are separate from internal systems but follow similar principles for branding and ease of use.




Sascha, below is a draft mainly for us to confirm if this is roughly the direction you want. Once you agree on the structure, I can expand it with more details and add links to the KDD and other supporting documents.

Digital Touchpoints

Digital touchpoints represent the applications and platforms where users actually perform their work once they have accessed the environment through an approved Access Channel. The objective is to provide a consistent experience across SAP and related enterprise solutions, regardless of device or entry point.

Work Zone Standard

Work Zone Standard is the primary entry point for users. It provides a unified experience that surfaces SAP Fiori applications, tasks, notifications, and contextual links to other platforms. It is the preferred starting point for browser-based access across all regions.

SaaS Applications

Note: Bring in complete project list once validated (include additional SaaS and enterprise applications currently in scope).

Industrial Applications

Industrial systems are accessed mainly through dedicated apps deployed on rugged or shared devices. These applications support plant, maintenance, and logistics operations where mobility and simplicity are key.

Examples include T&T, Blueworks, and other industrial or site-specific apps that extend S/4HANA for field operations.

Note: Insert all confirmed industrial applications here once finalised.

Mobile Solutions and Apps

Mobile access complements the digital touchpoints through SAP Mobile Start and other approved apps deployed via the company app catalog. The goal is to provide role-based access to tasks and data while maintaining a consistent experience between desktop and mobile.