| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link |
Introduction
This section provides the background, scope, and key requirements for SyWay’s adoption of SAP Business Technology Platform (BTP) as the cornerstone of its global SAP landscape.
Purpose
The purpose of this Application Architecture document is to define a single, authoritative blueprint for how SAP BTP services will be organized, secured, integrated, and managed across all programme phases and regions. It serves as the reference for solution architects, development teams, operations, and audit stakeholders when designing or reviewing any BTP‑based workload
Scope & Objectives
This document describes the high-level architecture for the following SAP Business Technology Platform (BTP) services. It defines the target state and guiding standards, including identity and connectivity patterns, regional/environment alignment, and guardrails for change management, monitoring, and operations.
• SAP Integration Suite (including API Management), Forms Service by Adobe
• SAP Build Work Zone, SAP Task Center
• SAP Build Code, SAP Business Application Studio (BAS)
• SAP Cloud Transport Management, ActiveControl – UI
• SAP Cloud Identity Services: Identity Authentication (IAS) and Identity Provisioning (IPS)
• SAP Secure Login Service for SAP GUI
• SAP Identity Access Governance (IAG)
• SAP Datasphere
• SAP Profitability and Performance Management Cloud (PaPM Cloud)
• Sustainability Footprint Management (SFM)
• Sustainability Control Tower
• Green Ledger
• Asset Performance Management
• Group Reporting Data Collection
• Advanced Financial Closing
• SAP Risk and Assurance Management
• SAP Business Network Global Track and Trace (GTT)
• Document Reporting Compliance
Key Decisions and Requirements
| Description | Rationale |
|---|---|
Configure SSO for all BTP apps via SAP IAS (region-specific) federated to Microsoft Entra ID | Ensures a unified user experience and centralised policy enforcement; SSO is enforced in trust and application configurations. |
Mandate encryption-in-transit (HTTPS/TLS for all web endpoints; SNC for SAPGUI/RFC) | Aligns with SyWay’s security standard to protect confidentiality and integrity; disable/redirect HTTP and require TLS 1.2+. |
Operate three BTP Global Accounts with regional/environment segregation (EU, CN, US Sovereign; shared Development in Europe; region-specific INT/TRN/UAT/PAR/PRD) | Supports regional sovereignty and service availability. |
Govern change via central Cloud Transport Management (cTMS) with gated approvals | Delivers predictable, auditable promotions across BTP artefacts and enforces separation of duties. |
Use Cloud Connector with Location IDs and principal propagation; secure Destinations (OAuth2/x509) | Provides controlled, audited access to SAP RISE endpoints, avoids embedded credentials, and preserves user identity across hops for fine-grained authorisation. Outbound access is restricted to approved destinations. |
Use region-appropriate service placement and tenancy (e.g., Sustainability apps in Azure EU20; Finance/IAG/DRC/GTT in AWS EU10; China in CN20; US in NS2) | Reflects SAP service availability and sovereignty constraints; simplifies compliance boundaries and lifecycle management. |
Use IPS (connectivity plan) co-hosted with the IAG subaccount for S/4HANA provisioning | Meets IPS plan constraints, centralises sensitive provisioning, and aligns governance with IAG while keeping application subaccounts lightweight. |
Application Architecture
Overview
The SyWay SAP BTP landscape is organized into three global accounts (Europe, China, US Sovereign) with shared SBX/DEV in EU20 and region-specific INT/TRN/UAT/PAR/PRD, implemented as segregated subaccounts per domain (e.g., itg, ui, dep, sec, iag, ana, sus, apm, fin, gtt, drc). Identity is federated via region-specific SAP IAS tenants proxied to Microsoft Entra ID, and connectivity to S/4HANA RISE/on-premise endpoints is mediated by SAP Cloud Connector using approved Destinations and principal propagation. Integration and API exposure are delivered through Integration Suite (including API Management), user-facing capabilities through Work Zone/Task Center/BPA/Build Code/BAS, and data/finance/sustainability workloads through Datasphere, PaPM Cloud, GRDC/AFC/DRC, GTT, and related services; change promotion is governed by Cloud Transport Management. Operations and observability rely on SAP Cloud ALM and service-native consoles, ensuring consistent security, transport control, and run-state oversight across regions and environments.
BTP Global Account & Subaccount Model
Global Account: Syensqo Main.
Account ID: 59549222-81b5-4701-afde-9a23643d0b00
| Directory | Services | Region | Development Subaccount | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration | Integration Suite(API Management), Forms Service by Adobe, SAP Process Integration Runtime | Azure Europe (Netherlands) | syw-itg-dev-eu20 | — | syw-itg-uat-eu20 | — | — | syw-itg-prd-eu20 |
| /SyWay/Shared Svcs / User Interface | SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, BAS | Azure Europe (Netherlands) | syw-ui-dev-eu20 | syw-ui-int-eu20 | syw-ui-uat-eu20 | syw-ui-par-eu20 | syw-ui-trg-eu20 | syw-ui-prd-eu20 |
| /SyWay/Shared Svcs / Deployment Mgmt | SAP Cloud Transport Management, ActiveControl -UI | Azure Europe (Netherlands) | syw-dep-dev-eu20 | — | — | — | — | syw-dep-prd-eu20 |
| /SyWay/Shared Svcs / Identity Mgmt | Cloud Identity (IAS and IPS), SAP Secure Login Service for SAP GUI | Azure Europe (Netherlands) | syw-sec-dev-eu20 | — | syw-sec-uat-eu20 | — | — | syw-sec-prd-eu20 |
| /SyWay/Shared Svcs / IAG | Identity Access Governance (IAG) | AWS Europe (Frankfurt) | syw-iag-dev-eu10 | — | syw-iag-uat-eu10 | — | — | syw-iag-prd-eu10 |
| /SyWay/Analytics | Datasphere, PaPM Cloud | Azure Europe (Netherlands) | syw-ana-dev-eu20 | — | syw-ana-uat-eu20 | — | — | syw-ana-prd-eu20 |
| /SyWay/Sustainability | Sustainability Footprint Management(SFM), Sustainability Control Tower, Green Ledger | Azure Europe (Netherlands) | syw-sus-dev-eu20 | — | syw-sus-uat-eu20 | — | — | syw-sus-prd-eu20 |
| /SyWay/Asset Performance Mgmt | Asset Performance Management | Azure Europe (Netherlands) | syw-apm-dev-eu20 | syw-apm-int-eu20 | syw-apm-uat-eu20 | — | — | syw-apm-prd-eu20 |
| /SyWay/Finance | Group Reporting Data Collection, Advanced Financial Closing, SAP Risk and Assurance Management | AWS Europe (Frankfurt) | syw-fin-dev-eu10 | — | syw-fin-uat-eu10(tbd) | — | — | syw-fin-prd-eu10 |
| /SyWay/Logistics | SAP Business Network Global Track and Trace(GTT), Audit Log Viewer, Personal Data Manager, Authorization Apps for Freight Collaboration,Carrier Apps for Freight Collaboration | AWS Europe (Frankfurt) | syw-gtt-dev-eu10 | — | — | — | — | syw-gtt-prd-eu10 |
| /SyWay/Document Reporting Compliance | Document Reporting Compliance | AWS Europe (Frankfurt) | syw-drc-dev-eu10 | — | — | — | — | syw-drc-prd-eu10 |
Global Account: [TBC Syensqo China]
Account ID: TBC
| Directory | Services | Region | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration | Integration Suite, API Management, Forms Service by Adobe | Microsoft Azure China North 3 (Hebei) | — | syw-itg-uat-cn20 | — | — | syw-itg-prd-cn20 |
| /SyWay/Shared Svcs / User Interface | SAP Build Work Zone, SAP Task Center | Microsoft Azure China North 3 (Hebei) | syw-ui-int-cn20 | syw-ui-uat-cn20 | syw-ui-par-cn20 | syw-ui-trg-cn20 | syw-ui-prd-cn20 |
| /SyWay/Shared Svcs / Identity Mgmt | Cloud Identity (IAS and IPS) | Microsoft Azure China North 3 (Hebei) | — | — | — | — | syw-sec-prd-cn20 |
| /SyWay/Asset Performance Mgmt | Asset Performance Management | Microsoft Azure China North 3 (Hebei) | syw-apm-int-cn20 | syw-apm-uat-cn20 | — | — | syw-apm-prd-cn20 |
Global Account: [TBC Syensqo USA]
Account ID: TBC
| Directory | Services | Region | Integration Test Subaccount | UAT Subaccount | Parallel Testing Subaccount | Training Subaccount | Production Subaccount |
| /SyWay/Shared Svcs / Integration | Integration Suite, API Management, Forms Service by Adobe | SAP NS2 (US Gov) | — | syw-itg-uat-usg | — | — | syw-itg-prd-usg |
| /SyWay/Shared Svcs / User Interface | SAP Build Work Zone, SAP Task Center | SAP NS2 (US Gov) | syw-ui-int-usg | syw-ui-uat-usg | syw-ui-par-usg | syw-ui-trg-usg | syw-ui-prd-usg |
| /SyWay/Shared Svcs / Identity Mgmt | Cloud Identity (IAS and IPS) | SAP NS2 (US Gov) | — | — | — | — | syw-sec-prd-usg |
| /SyWay/Asset Performance Mgmt | Asset Performance Management | SAP NS2 (US Gov) | syw-apm-int-usg | syw-apm-uat-usg | — | — | syw-apm-prd-usg |
Application Architecture Design
Application Architecture Components
This section inventories the SAP BTP components in scope and records their essential architecture attributes. Placement references the BTP Account Model above.
Identity & Access
• Cloud Identity Services – IAS/IPS; Secure Login Service (SLS)
• Purpose: Authentication (SSO via IAS), provisioning (IPS), SAP GUI/RFC security (SLS).
• Placement: EU: syw-sec-dev-eu20, syw-sec-uat-eu20, syw-sec-prd-eu20; China syw-sec-prd-cn20; US Gov syw-sec-prd-usg.
• Identity & Access: Region-specific IAS tenants; Entra ID federation; role collections mapped to Entra groups (TBC: group mappings).
• Connectivity: Destinations for principal propagation as required (TBC: Destinations & Location IDs).
• Change & Transport: N/A for IAS; SLS configuration tracked via platform change records.
• Observability: Cloud ALM Health Monitoring; Audit Log Service for security events.
• Notes: IPS uses connectivity plan co-hosted with IAG subaccount.
• Identity Access Governance (IAG)
• Purpose: Access request workflows, SoD analysis, provisioning governance.
• Placement: EU: syw-iag-dev-eu10, syw-iag-uat-eu10, syw-iag-prd-eu10.
• Dependencies: Connectors to S/4 and IAS/IPS (TBC: connected systems & rule sets).
• Observability: Cloud ALM Health Monitoring.
Integration
• SAP Integration Suite (incl. API Management), Forms Service by Adobe, SAP Process Integration Runtime
• Purpose: Integration flows, API exposure and governance, forms rendering, legacy PI scenarios where applicable.
• Placement: EU: syw-itg-dev-eu20, syw-itg-uat-eu20, syw-itg-prd-eu20; CN: syw-itg-uat-cn20, syw-itg-prd-cn20; US Gov: syw-itg-uat-usg, syw-itg-prd-usg.
• Identity & Access: IAS trust; API Mgmt policies (TBC: baseline policies—auth, rate limits, IP allow-lists).
• Connectivity: Cloud Connector with Location IDs; Destinations for backends (TBC: Location IDs & Destination list).
• Change & Transport: Figaf Tool.
• Observability: Cloud ALM Integration/Exception Monitoring; API Analytics (in product).
UI & Experience
• SAP Build Work Zone, SAP Task Center, SAP Build Process Automation, SAP Build Code, BAS
• Purpose: Portal/launchpad, work item aggregation, automation, dev/build, IDE.
• Placement: EU: syw-ui-dev-eu20, syw-ui-uat-eu20, syw-ui-prd-eu20; CN: syw-ui-uat-cn20, syw-ui-prd-cn20; US Gov: syw-ui-uat-usg, syw-ui-prd-usg.
• Identity & Access: IAS trust; content/admin role collections (TBC: role collections).
• Connectivity: Destinations to backend apps/services (TBC).
• Change & Transport: BPA/Work Zone content via cTMS where supported; pipelines for Build Code/BAS (TBC: pipeline refs).
• Observability: Cloud ALM Real-User/Health Monitoring; BPA job monitoring.
Data & Analytics
• SAP Datasphere; PaPM Cloud
• Purpose: Data modeling/integration; profitability & performance calculations.
• Placement: syw-ana-dev-eu20, syw-ana-uat-eu20, syw-ana-prd-eu20 (co-located).
• Identity & Access: IAS trust; space-level roles (TBC).
• Connectivity: Shared HANA Cloud/runtime; single Cloud Connector mapping; Destinations to S/4 (TBC: spaces, connections, Location IDs).
• Change & Transport: Single cTMS track for co-located services.
• Observability: Cloud ALM Health Monitoring; product job/model monitors.
Sustainability & Asset
• SFM; Sustainability Control Tower; Green Ledger; Asset Performance Management
• Purpose: Sustainability data capture/analytics; asset health/performance.
• Placement: Sustainability: syw-sus-dev-eu20, syw-sus-uat-eu20, syw-sus-prd-eu20; APM: syw-apm-dev-eu20, syw-apm-uat-eu20, syw-apm-prd-eu20.
• Dependencies: S/4 and analytics endpoints (TBC: sources & volumes).
• Observability: Cloud ALM Health Monitoring.
• Note: Green Ledger primarily S/4 scope; referenced here for dependency.
Finance & Compliance
• GRDC; AFC; Risk & Assurance Management
• Purpose: Group reporting data collection; financial closing; risk/assurance processes.
• Placement: syw-fin-dev-eu10, syw-fin-uat-eu10, syw-fin-prd-eu10.
• Connectivity: Destinations to S/4 systems per environment (TBC: exact backends).
• Change & Transport: Product-native plus cTMS where applicable.
• Observability: Cloud ALM Health Monitoring; product dashboards.
Business Network Logistics & Privacy
• Global Track & Trace (GTT); Authorization/Carrier Apps for Freight Collaboration; Personal Data Manager; Audit Log Viewer
• Purpose: Logistics event visibility; freight collaboration; privacy tooling; audit visibility.
• Placement: syw-gtt-dev-eu10, syw-gtt-prd-eu10.
• Connectivity: Partner/carrier integrations via API Mgmt (TBC: onboarding approach & Destinations).
• Observability: Cloud ALM Health Monitoring; Audit Log Service integration.
Document Reporting Compliance
• DRC
• Purpose: Country-specific e-document and reporting compliance.
• Placement: syw-drc-dev-eu10, syw-drc-prd-eu10.
• Connectivity: Dev may connect to multiple S/4 backends; Prod connects to a single backend (TBC: system IDs).
• Change & Transport: Product-native plus alerting via Cloud ALM/Alert Notification.
• Observability: Cloud ALM Health Monitoring; submission/queue monitoring (product).
⸻
Common defaults (apply unless stated otherwise): IAS federated to Entra ID; Destinations secured (OAuth2/mTLS), principal propagation via Cloud Connector; 1× Cloud Connector for all non-prod and 2× (HA) for prod with Location IDs; virtual hosts not publicly resolvable; promotions via cTMS; monitoring via SAP Cloud ALM with service-native consoles as needed.
Application Security
Classification
Authentication
Authentication is implemented via Single Sign-On using SAP Identity Authentication Service (IAS) federated to Microsoft Entra ID, with separate IAS tenants per region (Europe, China, US Sovereign) and trust configured at the subaccount level. Authorisation bindings use Entra groups mapped to IAS groups and BTP role collections, with a small, named platform-administrator set operating under least-privilege and controlled break-glass procedures. All web access is enforced over HTTPS/TLS, while SAP GUI/RFC channels use SNC with client certificates via SAP Secure Login Service; application calls to backend systems employ principal propagation through Cloud Connector and approved Destinations. Identity Provisioning Service (IPS), using the connectivity plan and co-hosted with the IAG subaccount, supports S/4HANA user provisioning in line with plan limits. Authentication for systems outside SAP BTP is out of scope.
Authorisation
Authorization on SAP BTP follows role-based access control (RBAC) with Microsoft Entra groups mapped via IAS groups to BTP role collections; direct user assignments are not permitted. Role collections are scoped by subaccount, environment, and region to enforce least privilege and clear separation of duties across platform administration, transport governance (cTMS), integration development/operations, UI/Work Zone content administration, analytics (Datasphere/PaPM), sustainability/finance services, and read-only audit. Production privileges are minimised and time-bound; emergency access (“break-glass”) is granted via pre-approved, MFA-protected role collections with full logging. Service-specific authorizations (e.g., Integration Suite/API Management, Work Zone/Task Center, BPA/BAS, Datasphere/PaPM, DRC, GTT) are granted only through mapped collections, and Destinations/principal propagation are allowed solely when required scopes are present. All grants are change-controlled, auditable, and subject to periodic recertification.
Communication Security
Encrypt-in-transit by default. All BTP web endpoints (applications, services, app routers) enforce HTTPS with TLS 1.2+ (TLS 1.3 preferred).
Secure SAP GUI/RFC channels. SAP GUI and RFC communications use SNC with client X.509 certificates via SAP Secure Login Service, ensuring mutual authentication and integrity for administrative and operational access.
Controlled back-end connectivity via Cloud Connector. Connectivity to SAP S/4HANA Rise hosted is established through SAP Cloud Connector with TLS, Location IDs per connector, and minimal resource mappings. One connector serves all non-production, and two connectors in HA serve production. Virtual hostnames used in Destinations are not externally resolvable.
Hardened Destinations and principal propagation. BTP Destinations use OAuth2 SAML Bearer Assertion or mutual TLS; basic credentials are avoided. User identity is propagated end-to-end where required, and scopes/authorities are limited to least privilege.
Certificate and key management. Certificates (server and client) are lifecycle-managed with defined owners, rotation schedules, and audit trails; trust stores are curated per subaccount to avoid over-broad trust.
Egress and inbound controls. Outbound traffic from BTP is restricted to approved Destinations; inbound exposure is limited to necessary public entry points. IP allow-listing and service-level throttling are applied where available (e.g., API Management policies).
Monitoring and auditability. Transport security events (connector state, certificate expiry, failed auth, TLS errors) are monitored, alerted, and logged to the central observability stack for investigation and compliance.
Data Security
SyWay’s data security posture on SAP BTP is framed by data classification and residency: datasets (e.g., Internal, Confidential, PII) are mapped to region-pinned subaccounts (EU20/EU10/CN20/USG), with cross-region movement permitted only by documented exception. Encryption at rest is provided by SAP’s platform controls for all managed services; direct database access is not in scope. Secrets are minimised and handled through approved stores, preferring OAuth2 or mutual-TLS–based Destinations; service keys have named owners and defined rotation, and are never embedded in source code or developer workspaces. Retention follows service-native policies with explicit purge procedures; where extended evidentiary storage is required, audit events are exported to the designated archive/SIEM. Outbound data paths are restricted to approved Destinations and Cloud Connector Location IDs; CN20 and US Gov (NS2) landscapes observe additional regulatory constraints. Identity, authorisation, and in-transit protections are defined separately in the Authentication, Authorization, and Communication Security sections.
Other Controls
System Landscape
see BTP Global Account & Subaccount Model
Operation Architecture
Transport Management
Please refer DD-TEC-170 Transport Management for Release 4
Monitoring
Application Monitoring
Service / Domain | SAP Cloud ALM – Monitor Types | In-Product Consoles (as needed) | Logs / Traces | Alerting |
|---|---|---|---|---|
Integration Suite (Cloud Integration, API Management), Forms Service by Adobe, SAP Process Integration Runtime | Integration & Exception Monitoring, Health Monitoring | Message Monitoring (Cloud Integration), API Mgmt Analytics/Policy Trace, Forms runtime dashboards | SAP Cloud Logging / Application Logging for custom adapters or extensions | Cloud ALM Alerting; optional Alert Notification for cTMS/API events |
Build Work Zone, Task Center | Real User Monitoring, Health Monitoring | Work Zone admin analytics; Task Center booster monitors | (If extended apps) forward to Cloud Logging | Cloud ALM Alerting |
Build Process Automation (BPA) | Job & Automation Monitoring, Health Monitoring | BPA Monitor (runs, queues) | Cloud Logging (optional) | Cloud ALM Alerting |
Build Code, BAS | Health Monitoring | Pipeline/CI logs; BAS workspace logs | Cloud Logging for pipeline outputs | Alert Notification webhooks (optional) + Cloud ALM (where integrated) |
Cloud Transport Management (cTMS), ActiveControl – UI | Health Monitoring (cTMS) | cTMS import/export logs; ActiveControl dashboards | — | Alert Notification subscriptions for cTMS events; Cloud ALM Alerting |
Cloud Identity (IAS, IPS), Secure Login Service (SLS) | Health Monitoring | IAS/IPS admin consoles; SLS logs | Audit Log Service (BTP) for security events | Cloud ALM Alerting |
Identity Access Governance (IAG) | Health Monitoring | IAG dashboards (access requests, SoD) | — | Cloud ALM Alerting |
Datasphere, PaPM Cloud | Health Monitoring | Datasphere space/job monitors; PaPM calculation monitors | — | Cloud ALM Alerting |
Sustainability: SFM, Sustainability Control Tower, Green Ledger | Health Monitoring | Product runtime/tenant monitors | — | Cloud ALM Alerting |
Asset Performance Management (APM) | Health Monitoring | APM analytics/diagnostics | — | Cloud ALM Alerting |
Finance: GRDC, AFC, Risk & Assurance Management | Health Monitoring | Product consoles (submission/status, closing calendars, risk dashboards) | — | Cloud ALM Alerting |
Business Network Logistics: GTT; Freight Collaboration (Authorization/Carrier Apps); Personal Data Manager; Audit Log Viewer | Health Monitoring | GTT/BN cockpits; PDM and Audit Log Viewer UIs | Audit Log Service (for audit events) | Cloud ALM Alerting |
Document Reporting Compliance (DRC) | Health Monitoring | DRC submission/queue dashboards | — | Cloud ALM Alerting |
System Monitoring
Service / Domain | SAP Cloud ALM – Health Monitoring (platform/service health) | BTP Platform Signals | Security / Compliance Signals | Notes |
|---|---|---|---|---|
Integration Suite / API Mgmt / Forms / PIR | Tenant/service availability, adapter/runtime KPIs | BTP Monitoring service (app/service metrics); Alert Notification for service events | Audit Log Service (subaccount events) | Use cTMS alerts for transport-related impacts |
Work Zone / Task Center | Availability and UX KPIs via CALM Health + RUM | Monitoring service for app instances | Audit Log Service | Task Center depends on same subaccount trust as Work Zone |
Build Process Automation | Job/queue health, runtime status | Monitoring service (runtime), Alert Notification | Audit Log Service | Map job failures to CALM alerts |
Build Code / BAS | Service health; workspace availability | Monitoring service; pipeline/webhook signals | Audit Log Service | Forward pipeline failures via Alert Notification |
Cloud Transport Management, ActiveControl – UI | cTMS tenant health | Alert Notification for import/export events | Audit Log Service | ActiveControl monitored in vendor UI; optionally feed CALM via webhooks |
IAS / IPS / SLS | Identity service health | — | IAS/IPS audit in product; BTP Audit Log for platform | Focus on auth failures, connector jobs |
IAG | Service health | — | IAG audit in product | SoD/job status as secondary signals |
Datasphere / PaPM Cloud | Tenant/space health, job statuses | Monitoring service where applicable | — | Watch connection health to S/4/Destinations |
SFM / SCT / Green Ledger | Service health | — | — | Green Ledger largely S/4—track via S/4 + CALM if applicable |
APM | Service health | — | — | — |
GRDC / AFC / Risk & Assurance | Service health | — | Product audit (where available) | Align with closing windows/SLAs |
GTT / Freight Collaboration / PDM / Audit Log Viewer | Service health | — | Audit Log Service central to PDM/ALV | Ensure retention/forwarding to SIEM if required |
DRC | Tenant health; submission pipeline status | Alert Notification for failures | Product audit (where available) | Distinguish DEV multi-backend vs PRD single backend routing |
Sizing
For SyWay, all in-scope SAP BTP services are SAP-managed SaaS; sizing focuses on selecting plans/entitlements and defining tenant counts per region/environment (EU20 shared SBX/DEV; CN20/USG start at UAT/PRD).
Capacity changes are requested via entitlement/licensing adjustments; no server-level actions are required from the customer.
No additional sizing beyond tenant/entitlement selection for IAS/IPS/SLS, IAG, cTMS, Work Zone/Task Center, GRDC/AFC/Risk, SFM/SCT, APM, GTT/DRC.
High Availability and Disaster Recovery
SAP operates HA and DR for all in-scope SAP BTP services under the Service Level Agreement for SAP Cloud Services; SyWay’s role is limited to monitoring in SAP Cloud ALM and executing runbooks when notified of incidents or maintenance. For SAP BTP specifically, SAP documents its HA/DR approach and recovery processes in the BTP resilience guidance.
Backup/Restore
Platform-managed: For SAP-managed BTP services, backups are handled by SAP; restore is service-specific and generally not customer-operated. Guidance is outlined in the BTP admin help (“Data Backups Managed by SAP”).
SAP HANA Cloud (used by services like Datasphere/PaPM): Continuous log backups enable point-in-time recovery within a configurable retention window (default 14 days; extendable up to 215 days). Restores are performed by creating a new database instance at the chosen time.
SAP Datasphere: Backup/restore follows the SAP HANA Cloud resiliency layer; recovery is handled by SAP for disasters within SAP’s control.
Audit evidence: BTP Audit Log Service stores subaccount audit data for 90 days by default; export/forward logs if longer retention is needed.
Maintenance Plan
SAP BTP follows continuous production releases. Teams should subscribe to What’s New for SAP Business Technology Platform to receive feature and fix updates. Regions are updated on a biweekly cadence (standard) with zero-downtime maintenance for most services. For more information about the biweekly updates, see Consolidated Release Schedules for SAP BTP
, Intelligent Enterprise Suite: Harmonized release calendar for SAP Cloud products. Immediate updates may occur for critical defects or security fixes and can require application restarts or brief downtime with prior notification; major upgrades are rare (up to four per year) and are announced four weeks in advance in line with the Service Level Agreement and harmonized release calendars. For the China (Shanghai) region, availability and planned maintenance are communicated via the regional status page, where subscription is available. For the US Government region, planned downtimes and outage notices are sent by e-mail to the initial administrator of the global account.
Service Introduction
Application Category
Support Team
Skill required
Checklist
Exceptions
See also
Change log
Workflow history
| Title | Last Updated By | Updated | Status | |
|---|---|---|---|---|
| There are no pages at the moment. | ||||