Introduction

Purpose

The purpose of this document is to outline the application architecture of the Syniti Platform for the SyWay project. It aims to provide a clear and structured view of the components, data flows, integration mechanisms, and security considerations that support the Syniti platform in its interaction with the Syensqo SAP ecosystem.

Syniti is a unified platform designed to manage, migrate, and govern enterprise data. In the SyWay project, it will remain as the primary platform for managing extraction, transformation, load and validation. Below diagram shows high level activities that can be performed with this platform:

Scope & Objectives

This document defines the architectural scope of the Syniti solution within the SyWay project, focusing on the deployment and integration of Syniti as the central platform for data extraction, transformation, loading (ETL), and validation activities.

The scope includes:

• The technical architecture of Syniti Platform and its supporting components.
• Landscape overview
• Application and components
• Application security and access
• Operational architecture

Out of scope:

• The data flow architecture, covering how data is extracted from source systems, transformed according to business rules, validated, and loaded into target SAP environments.

• The detailed functional design of migration objects, business rules, or data cleansing logic, which are addressed in separate deliverables.

• The list of required and approved tables to be extracted from source system is out of the scope of this document. This will be defined during the Data Stream design phase.

• It also excludes operational procedures post-migration, such as data governance or ongoing data quality monitoring, unless explicitly tied to the Syniti platform.

• As of writing this document, there are pending architectural decisions regarding North America & China, and RISE infrastructure. These designs will be added to this document as they are finalized.
• Security policies in Syniti SKP for application users.

Key Decisions and Requirements

Application Architecture

Architectural Decisions

Syensqo has decided to implement the Syniti Hybrid Deployment Model. The Syniti Knowledge Platform (SKP)-Hybrid consists of the cloud-native, multi-tenant application platform with customer-hosted working databases and a series of remote services. The remote services are the platform components that run outside of the Syniti Knowledge Platform application and are designed to run close to the data stores that persist and transact data management activities. Below diagram provided by Syniti company shows an example of Syniti Hybrid Deployment model:

Application Architecture Design

Based on Hybrid Deployment, following Architecture will be implemented for Syensqo:

NOTE: Current Infrastructure is hosted in AWS, but eventually will be migrated to Azure as per Syensqo Roadmap.

Application Architecture Components

The Syniti architecture is designed to support scalable, secure, and efficient data migration and governance. Breakdown of components:

• Syniti Knowledge Platform (SKP)
  • It is a cloud-based data management solution hosted on AWS Frankfurt for EU designed to help organizations transform their data into a strategic asset. SKP provides a secure, scalable, and strategic data management environment that supports various data-related activities such as data quality reporting, profiling, metadata scanning, and data migration.
  • It enables communication with systems in an organization's landscape through components called SKP connectors, which support metadata scanning, profiling, and data quality functionalities.
  • The platform uses a connector-based architecture to securely distribute execution outside of the SKP application environment, ensuring that customer master, transactional, and operational data do not persist within the platform itself. Instead, only metadata and metrics are sent to SKP for storage and processing.
• Server 1 - Syniti Connector
  • The Syniti Server Connector is a secure Linux-based software component that enables communication between Syensqo SAP systems and the Syniti Knowledge Platform (SKP) in the cloud.
  • Purpose:
    • Secure Data Transfer: It securely transmits metadata and data between your enterprise systems and Syniti’s cloud platform using encrypted channels
    • Metadata Scanning: Enables the SKP to scan and analyze metadata from systems like SAP, Oracle, and SQL Server.
    • Data Governance & Migration: Supports Syniti’s tools for data quality, governance, and migration by providing real-time access to source systems.
• Server 2 - Replicate Server
  • The Syniti Replication Platform runs on a Windows Platform. The Replicate server is responsible for extracting data from the source system and creating source snapshots for the Migrate component to process. It also connects to the Target system to extract data for post load data verification. 
• Server 3 - SQL Server for Working and Constructor Database
  • This SQL Server instance acts as the central repository for all working data during migration or data quality projects. It serves as the primary staging and processing environment for data transformations, validations, and migrations. Its components include:
    • Working Database. The Syniti Migrate Platform will work with several different databases for processing. This database may store Source snapshots (Production copy of source data), Data Transformations (Business Conversion rules), Target Snapshots (Copy of Target for load validation).
    • Construction Database. The Syniti Migrate Platform will use SQL server for Data Construction (User input for bad data or missing data elements) and for Value Mapping Cross Reference Table Values.
  • Architecture considerations.
    • The Working Database can be built on HANA, Oracle, or SQL Server. However, if Oracle or HANA are used, the Construction Database must be hosted on a separate server, which may require an additional license (especially in the case of HANA). Therefore, the requirement from the Product Team was to use SQL Server for both the Working and Construction Databases. 
    • The Syway Data team performs activities related to data migration and data cleansing from SAP ECC environments (PF2/WP2), using snapshots from the source SAP systems. They need to run Migration and Cleansing processes  simultaneously using different snapshots and with different frequency executions, see additional information in Working in Multiple Execution Environments . For that reason, two SQL instances are required in same Working Database Server:
      • Migration SQL Instance.
      • Cleansing SQL Instance.
      • Code in both instances will be aligned using mechanism described in following link: Working DB Object Promotion
• Server 4 - Tooling Server (Administrator Jump Server)
  • It is a secure intermediary VDI server used to access and manage systems that are otherwise isolated or protected within a private network. Securely connect to on-premises components like the Syniti Connector, Replicate, or Working Databases.
  • Only Syniti administrator users will have access to this server so they can perform admin activities like:
    • Connect to Syniti servers
    • System Administration and Operation Tasks
    • Troubleshooting and diagnostic
• Syensqo VDI TPA (Third Party Access)
  • The Syniti Migrate Platform should enable Syniti developers to develop business rules in the working database. This group of people will require access and development tools that will be installed on the Virtual Desktop Infrastructure being used for Syniti staff.
  • This VDI will contain following software required for developers activities:
    • Microsoft Office Applications
    • SAP GUI
    • Internet access
    • SQL Server Management Studio
• Source and target systems
  • The Syniti Migrate Platform will extract data from SAP Source Systems using RFC calls. Due to Syensqo security policies, no access to Source HANA DB is granted.

  • Syniti requires READ ONLY access to the PRODUCTION Source systems to get the most up to date data for cleansing and conversion.

  • S/4HANA Rise system is the primary target system for Syniti data replication.
    • An important remark is that the Syniti instance will be integrated with multiple environments (Dev, QA , Prod).
    • For data load in target system the recommended method is use Migration Cockpit tool connected to a Staging HANA schema in S/4HANA as described in following link. The Target system load method must be defined as part of the Data Migration strategy and is beyond the scope of this document. Different access methods will be granted depending on the selected approach. Potential alternatives include Migration Cockpit, BAPIs, Idocs, Custom objects, etc..
• AWS S3 Bucket
  • Created for Syniti administrator users, will be used to download the required software to be installed in Syniti Servers.

Syniti Servers Details

Due to the nature of the use of the Syniti platform, it will have one single Production Instance for the whole Syensqo SAP Landscape. The table below describes the corresponding servers deployed on AWS:

Network Architecture

Application Security

User Access

Below there is a list of required applications and systems to be used by Syniti Team activities and the mechanism to access it:

*Syniti Developers require to execute actions on SQL Databases available on Syniti Working DB, for that SQLServer Management Studio has been installed in TPA VDI Syniti Company so they can execute remotely required actions.

Authentication

• Administrator users: As part of the installation process of the Syniti servers, Syensqo IT team created corresponding Admin users for every server at application level. Those users belong to Entra ID group R99P833 and use User/Credentials mechanism in order to access corresponding applications.

• Non Administrator users: Authentication is performed using the standard SyWay approach by SSO with Microsoft Entra ID. Each user has an Entra ID and a global user ID.

Authorization

• User management for Syniti developers team is managed by Data Administration Team.
• Administrator users are managed by Syensqo IT team, requests must be made trough Syra using following Catalog items: "Admin Accounts Request (AD)" and "Request for Active Directory (AD) Delegations".

Data Security

Data elements inside the SAP Source applications are subject to export controls such as ITAR, EAR, or various UK or European Regulations. In order to integrate Syniti Platform on Syensqo Security Policies following approach is implemented:

• No direct access to the SAP HANA Source Database, only to the SAP Application layer.
• Syniti Replication Server will access Source system data trough RFC Service user. This RFC Service user will have restricted ReadOnly authorization to specific SAP Tables and functions, see list of Service user authorization. (List of required and approved tables to be extracted from source system is out of the scope of this document, that will be decided during the design phase of Data stream.). See list of tables for which will be granted read access to Syniti RFC user.
• NextLabs tool is used to enable field level encryption in S/4HANA. This will encrypt ITAR-relevant data elements and the encrypted values will be stored in HANA DB. Data will be unencrypted on the fly when it is accessed by an authorized user. Therefore, Syniti will not be able to extract ITAR data unless the RFC service user is explicitly authorized.
• Enable at-rest TDE encryption in the SQL Syniti Working DB server for all generated databases.

Communication Security

All data in transit will be encrypted.

• TLS is used for all web traffic.
• SNC is used for all RFC and SAPGUI communications. 
• TLS is used for all Syniti Server Working DB traffic, ensuring that the database only accepts TLS-encrypted connection requests. 

Operation Architecture

Roles and Responsibilities

Transport Management

Application has a Single instance Production landscape, so this section is considered out of scope as they require minor configurations/changes or transports are executed via manual configurations.

Backup/Restore

• Backup Policies implemented for Syniti On Premise Servers can be found in following link. As per Syensqo policies, Backups in Syniti Servers have been implemented Daily, Weekly and Monthly. Those Backups are managed by Syensqo AWS IT team.

• ADMM Working DB. Additionally, Syway Data team have scheduled nightly in the Backup of following Databases:
  • CONSTRUCT
  • DASHBOARDS
  • MIGRATE
  • REPORT
  • REPORTL
  • SDRMETADATA
  • WRK% - all “working” databases (they start with WRK)

System Monitoring

Syensqo AWS IT team will be monitoring from the infrastructure layer to the technical basis layer. In the event of an issue, automatic mail alerts notifications are sent to support team . They use Standard AWS Console Monitoring tool which is out of the scope of this document.

Maintenance Plan

• Syniti servers updates (OS patching).
  • Will be performed by Syensqo IT Team: For production environment Monthly on 3rd Sunday 00-03 UTC.
  • Maintenance calendar can be found in following link.
• Syniti Software Components Upgrade. As part of the deployment of Syniti product subscription, periodic upgrades and releases are scheduled for the Application Software. 
  • With the Hybrid Model, the “Connector”, “Replicate”, & “Jump” servers will also require concurrent updates applied by Syniti Syway Team alongside with Syensqo AWS IT infrastructure support team. 
  • Maintenance Window: 2nd Tuesday of the month - 11 PM through 3 AM (US Eastern time). Automatic notifications are sent to Syway Syniti application owners with detailed information and impact analysis.
  • In following link can be found the scheduled Maintenance windows.

Service Introduction

Application Category

Support Team

Skill required

Checklist

See also

Syniti Product Documentation

Change log