| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link | |
Introduction
SAP Ariba is a cloud-based procurement and supply chain management solution that enables organizations to digitally transform their sourcing, procurement, contract management, and supplier collaboration processes. As part of the SAP Business Network, Ariba facilitates seamless integration between buyers and suppliers, promoting transparency, efficiency, and compliance across procurement operations.
In the context of enterprise architecture, SAP Ariba serves as a strategic component for automating and optimizing the Source-to-Pay (S2P) lifecycle. It supports integration with ERP systems (such as SAP S/4HANA or other third-party platforms) through standardized APIs and middleware, ensuring data consistency and process alignment across financial, operational, and procurement domains.
Scope & Objectives
This document defines the architectural scope of the Ariba solution within the SyWay program, focusing on the deployment and integration of Ariba as the central platform for their sourcing, procurement, contract management, and supplier collaboration processes.
The scope includes:
- The technical architecture of Ariba Platform and its supporting components.
- The integration architecture between Ariba and SAP systems.
- The security and connectivity model, including configurations and access control mechanisms.
- The deployment model for the Ariba Landscape.
Key Decisions and Requirements
| Description | Rationale |
|---|---|
| Brownfield | Ariba is a brownfield system and the landscape will be used for both Production support and SyWay Release 4 |
| Landscape | 3-tier landscape for the SyWay project: Supplemental, Test, PRD. Will coexist with the current Ariba BAU landscape |
| SSO | As part of SyWay project, a common authentication mechanism (e.g., SAML) will be adopted |
| SSL will be configured for Ariba to encrypt all traffic | Based on SyWay implementation approach, all data in transit must be encrypted. |
| Provision users in Ariba Sourcing based on IAG | The purpose of this integration is to automate the provisioning, update, and deprovisioning of user accounts and authorizations in Ariba via IAG, ensuring that access remains controlled, compliant, and aligned |
Terminology
| Term | Description |
|---|---|
| Parent Realm | Used for Strategic Procurement and supplier enablement activities. Acts as a central hub to :
|
| Child Realm | Used for Operational Procurement activities only (Guided Buying). Can represent subsidiaries / regions / business units. Acts as a subordinate structure to :
|
| Upstream | Refers to all pre-purchase activities such as Sourcing / Strategic Sourcing / Supplier Collaboration / Spend Visibility |
| Downstream | Refers to all procurement execution such as Purchasing and Ordering (incl. catalog management) / Receipt processing / Spend Management and reporting. |
| Supplemental Realm | Refers to an additional realm to :
|
Application Architecture
Overview
Application Architecture Components
Ariba Network
It is a cloud-based platform that connects buyers, suppliers, and partners to streamline procurement, supply chain, and collaboration processes.
Ariba Sourcing
SAP Ariba Sourcing is a SaaS strategic sourcing solution that enables organizations to manage sourcing events such as RFIs, RFPs, and auctions in a centralized and collaborative platform. It helps procurement teams identify the best suppliers, negotiate optimal terms, and drive cost savings.
Ariba Buying
SAP Ariba Buying is a cloud-based procurement solution designed to help organizations manage their purchasing processes more efficiently. It’s part of the SAP Ariba suite, which focuses on source-to-pay processes.
Ariba Cloud Integration Gateway (CIG)
The Ariba Cloud Integration Gateway (CIG) is SAP’s standardized integration platform that simplifies and accelerates the connection between SAP Ariba and external systems. It provides a unified framework for integrating Ariba with SAP ERP Platforms, Third party applications or Middleware platforms.
CIG acts as a bridge between Ariba’s cloud services and on-premise or cloud-based ERP systems, enabling seamless data exchange for processes such as purchase order creation, invoice submission, goods receipt, and supplier onboarding.
Icertis
Icertis is a contract lifecycle management (CLM) platform that helps organizations manage contracts digitally from creation to execution and compliance. It’s widely used by enterprises to improve visibility, reduce risk, and ensure compliance across all types of contracts. The "Ariba connector for Icertis" refers to the Icertis Contract Intelligence (ICI) for SAP Ariba integration, which extends SAP Ariba's procurement capabilities with Icertis's advanced contract lifecycle management (CLM) features. This integration synchronizes data between the two platforms, allowing users to manage contracts from sourcing through to payment, leveraging AI and automation for tasks like contract authoring, risk assessment, and compliance tracking.
Keelvar
Keelvar is a strategic sourcing and procurement automation platform that uses AI and optimization technology to help organizations run more efficient sourcing events and manage supplier negotiations.
SAP Cloud Connector
The SAP Cloud Connector acts as a reverse invocation proxy to establish a network connection between SAP RISE systems and the Ariba Cloud Integration Gateway (CIG). Because of its reverse-invoke capability, network traffic originates from the SAP Cloud Connector towards SAP Ariba CIG; once the link has been established, data can be exchanged between SAP RISE systems and Ariba. HTTPS or RFC protocols are used between the SAP Cloud Connector and S/4HANA, and HTTPS is used between the Cloud Connector and SAP Ariba CIG.
A 2-tier landscape will be adopted for the SAP Cloud Connector: non-PRD and PRD. The non-PRD Cloud Connector will be shared across all non-PRD landscapes.
Network Architecture
System Landscape
Ariba will have 3 realms: Supplemental, Test and Production. Each realm will have the following modules: Sourcing, Buying Parent, Buying Child (one for each S/4HANA) and CIG. Ariba is also a brownfield system and the landscape will be used for both Production support and SyWay Release 4. Additional landscape information can be found in the instance plan document.
| Modules / Tier | Supplemental | Test | Prod |
|---|---|---|---|
| Ariba Sourcing | 745255310-SS-T | 744368466-T | 744368466 |
| Ariba Buying Parent | 745255310-SS-T | 744368466-T | 744368466 |
| Ariba Buying Child (BAU) | N/A | 744368466-CHILD1-T | 744368466-CHILD1 |
| Ariba Buying Child (SyWay) | 745255310-SS-1-T | TBC | TBC |
| Ariba Business Network | AN11228658404-T | AN11204137717-T | AN11204137717 |
| Ariba CIG | AN11228658404-T | AN11204137717-T | AN11204137717 |
The landscape path will be modified based on 2 phases:
- From SyWay R4 Build to End of UAT phase:
  - Production support will be managed by Syensqo IT and will use the Test tenant for build and test.
  - The SyWay R4 team will use the Supplemental tenant for Build, Integration test and UAT.
  - A retrofit process will be required to ensure BAU changes are validated during R4.
- From SyWay R4 Parallel Run to R4 Go-Live:
  - Ariba will be a shared landscape: the Supplemental tenant will act as the DEV instance and the Test tenant will act as the test instance.
  - R4 changes will be migrated to the Test tenant and regression tests will be executed on the Test tenant.
System Access
SAP Ariba solutions are thin client solutions. Cloud solution customers (users) access the solution through a browser and use HTML and JavaScript for presentation. The client browser communicates with the Web server tier using HTTPS over any connection to the Internet. SAP Ariba solutions support various browsers on Windows and Mac platforms. The login page indicates the browsers supported.
| System | Users | Access Method |
|---|---|---|
| Ariba | Business users | Web |
| | Support users | Web |
The following table lists URL access to the Ariba instances:
| Application | Region | SBX | DEV | INT | UAT | PAR | TRG | PROD |
|---|---|---|---|---|---|---|---|---|
| Ariba - Sourcing | EU | - | Supplemental (745255310-SS-T) | Test | Supplemental (745255310-SS-T) | PRD (744368466) | | |
| Ariba - Buying Parent | EU | - | Supplemental (745255310-SS-T) | Test | Supplemental (745255310-SS-T) | PRD (744368466) | | |
| Ariba - Buying Child | EU | - | Supplemental-EU (745255310-SS-1-T) | Test-EU | Supplemental-EU (745255310-SS-1-T) | PRD-EU | | |
| | US | - | Supplemental-US | Test-US | Supplemental-US | PRD-US | | |
| | CN | - | Supplemental-CN | Test-CN | Supplemental-CN | PRD-CN | | |
| Ariba Network | EU | - | Supplemental (AN11228658404-T) | Test (AN11204137717-T) | Supplemental (AN11228658404-T) | PRD | | |
Application Security
Authentication
Authentication is performed using the standard SyWay approach. Each user has an Entra ID and a global user ID. End-to-end single sign-on is accomplished with SAML 2.0.
Authorization
SAP Ariba utilizes Role-Based Access Control (RBAC) to manage user access. This means that user permissions are assigned based on their job within the organization. Each group corresponds to a specific set of tasks or responsibilities within the SAP Ariba platform.
- Standard Groups: SAP Ariba provides several standard groups that are pre-configured for typical user needs, such as Procurement Manager, Buyer, Supplier, and System Administrator.
- Custom Groups: Custom groups are tailored to specific needs, allowing for a more granular level of control over user permissions.
Authorization checks related to procurement activities are performed in S/4HANA using RBAC and then pushed to Ariba.
In Ariba, users can be restricted based on templates specific to a country. A sourcing template is created with the relevant attributes and fields, and access is assigned only to users from the same country. For example, users from the UK or Belgium will be mapped to their respective country's sourcing template.
The sourcing template can also be linked to multiple projects, with each project being assigned to a user as the project owner.
For Ariba Buyer/Supplier, the access design follows the same custom groups, tailored to specific business needs.
Additional details can be found in the Security Approach document.
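An access review that follows from the authorization model above and the IAG provisioning decision, as an added example (not part of the original document and not SAP tooling): it reconciles an Ariba account export against the IAG identity list and flags orphaned or not-yet-deprovisioned accounts, groups not approved in IAG, and sourcing-template access outside the user's country. The CSV layouts, column names, finding labels and all records are constructed assumptions, not actual Ariba or IAG export formats.

```python
"""Access review: Ariba accounts vs. IAG identities (all data constructed)."""
import csv
import io

# Constructed sample: identities and approved groups in IAG (source of truth).
IAG_CSV = """user_id,country,active,groups
u1001,UK,yes,Buyer;Procurement Manager
u1002,BE,yes,Buyer
u1003,BE,no,Buyer
u1005,UK,yes,Buyer
"""

# Constructed sample: Ariba accounts and the countries of their sourcing templates.
ARIBA_CSV = """user_id,groups,template_countries
u1001,Buyer;Procurement Manager,UK
u1002,Buyer;System Administrator,BE;UK
u1003,Buyer,BE
u1004,Buyer,UK
"""


def split_cell(cell):
    """Split a ';'-separated cell into a set, ignoring blanks."""
    return {item.strip() for item in cell.split(";") if item.strip()}


def load(text):
    """Index CSV rows by user_id."""
    return {row["user_id"]: row for row in csv.DictReader(io.StringIO(text))}


def review(iag, ariba):
    """Return sorted (user_id, finding, detail) tuples, one per deviation."""
    findings = []
    for uid, account in ariba.items():
        identity = iag.get(uid)
        if identity is None:
            findings.append((uid, "ORPHAN", "no identity in IAG"))
            continue
        if identity["active"] != "yes":
            findings.append((uid, "NOT_DEPROVISIONED", "identity inactive in IAG"))
            continue
        extra = split_cell(account["groups"]) - split_cell(identity["groups"])
        if extra:
            findings.append((uid, "GROUP_DRIFT", ";".join(sorted(extra))))
        foreign = split_cell(account["template_countries"]) - {identity["country"]}
        if foreign:
            findings.append((uid, "COUNTRY_MISMATCH", ";".join(sorted(foreign))))
    for uid, identity in iag.items():  # approved in IAG but absent from Ariba
        if uid not in ariba and identity["active"] == "yes":
            findings.append((uid, "NOT_PROVISIONED", "no account in Ariba"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(load(IAG_CSV), load(ARIBA_CSV)):
        print(*finding, sep="\t")
```

Run per realm, the same comparison also shows whether accounts in the Supplemental and Test realms stay aligned with what IAG approved.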
Communication Security
- SAP Ariba uses both encryption-at-rest and encryption-in-transit to secure your data as it flows into the cloud environment of SAP Ariba solutions. All data in transit will be encrypted.
- SSL is used for all web traffic (Systems are configured to reject HTTP access or redirect to HTTPS).
- All data transmissions via the Ariba Cloud use TLS/SSL encryption to secure communications.
SAP Ariba provides X.509 certificate-based authentication. SAP Ariba stores private keys for its certificates in a secured and hardened key management infrastructure. In certain environments, this is further protected by a FIPS 140-2 Level 2 Hardware Security Module (HSM).
Data Security
SAP Ariba solutions apply encryption-at-rest solutions at different layers to mitigate different types of threats pertaining to unauthorized access. These include:
- Storage-layer encryption, also known as transparent disk encryption, is implemented through self-encrypting disks. All content of a disk drive is encrypted and tied to a specific physical system. If a disk drive is removed and connected to another system, the data will not be able to be read.
- Database-layer encryption, also known as transparent database encryption, is enabled on our SAP HANA database. The full database is encrypted, and all writes of data to storage are encrypted before write.
- Application-layer encryption is used to assure that data is encrypted before it is inserted into the database. Therefore, the application performs the access control and policy enforcement duties. If the database administrator directly queries the database, all that will be returned are records that contain ciphertext.
- Key management services (KMS) provide a secure infrastructure for managing encryption keys and other types of secrets. The KMS of SAP Ariba solutions is backed by a FIPS-140-2–compliant hardware security module (HSM) for additional security. The KMS is integrated into operational procurement, strategic procurement, and SAP Business Network.
- SAP Ariba solutions have standardized on 256-bit AES encryption, using Java Cryptography Extension (JCE). This is used to apply an additional layer of encryption to sensitive fields, in addition to the full database encryption which also uses 256-bit AES encryption. The solutions securely generate unique and random keys and manage them on behalf of the client. These keys are stored in the aforementioned key management service, backed by a hardware security module.
- Customer user passwords are one-way hashed using SHA256 and salted with random data.
Other Controls
- Cloud Services for Ariba Solutions. The cloud service for SAP Ariba solutions is a true SaaS model-IV solution.
Cloud services are deployed to multiple data centers throughout the world. The data centers are geographically located in regional pairs. Data is replicated between the regional pairs so that data remains in the region of deployment.
An SaaS IV system is scalable to an arbitrarily large number of customers because the number of servers and instances on the back end can be increased or decreased as necessary to match demand. As a result, scaling resources does not require any rearchitecting of the applications, so changes and fixes can be rolled out to thousands of tenants as easily as for a single tenant.
SAP Ariba solutions are powered by high-performance servers and utilize a network infrastructure designed for scalability, reliability, and security. SAP Ariba solutions implement an n-tier network architecture that physically segments Web, application, and data tiers. The communication protocols used between the systems are TCP/IP-based. The Cloud Engineering Services team constantly monitors and maintains all systems. Redundant load balancing and security firewall devices are inserted between each tier of SAP Ariba solutions.
- Customer Data retention: Ariba retains the customer data for the duration of the active contract. If the customer leaves, they can request that data be destroyed OR after 180 days, their realm will be destroyed and their data deleted. The customer can request a 'Certificate of Destruction' as confirmation the data was destroyed.
- Audit Logging. SAP Ariba Buying integrates with the SAP Audit Log Viewer for the Cloud Foundry Environment, which displays the audit logs for your Cloud Foundry account. To find more details on the SAP Audit Log Viewer and how to subscribe to it, see Audit Log Viewer for the Cloud Foundry Environment.
Operation Architecture
Change and Configuration Management
Please refer to document DD-TEC-170 Transport Management for Release 4.
Monitoring
- SAP Ariba Operational Status. SAP Business Network hosts a user-accessible Trust Center platform that disseminates notifications about operational issues of cloud services. It also contains archived notifications from the previous 60 days. The Trust Center displays the same event notifications sent through email. Users can view the current availability and performance history of SAP Business Network by going to the Trust Center at https://www.sap.com/about/trust-center/cloud-service-status.html. The website is available 24 hours a day, 7 days a week.
- Use of SAP Cloud ALM as Monitoring tool baseline. Centralizes health, exceptions, and alerts while retaining product consoles for deep diagnostics; improves operational response and evidencing. SAP Cloud ALM monitors the SAP Ariba solution end-to-end, enabling operational excellence and business continuity through monitoring and alerting:
  - SAP Ariba Cloud Integration Gateway (CIG)
  - SAP Ariba Network
  - SAP Ariba Buying
  - SAP Ariba Sourcing
  - Message log information and exceptions from other Ariba integration-scenario relevant components, like SAP S/4HANA (e.g., IDoc, WS messages, App Logs, OData, Logs, AIF messages)
High Availability & Disaster Recovery
- SAP Ariba applications are SAP-operated SaaS; platform high availability and disaster recovery are provided under SAP’s published targets. For SAP Ariba, the documented disaster-recovery objectives are RPO ≤ 5 minutes and RTO ≤ 4 hours, with service execution and failover managed by SAP. SyWay’s responsibility is limited to monitoring and incident execution per runbooks; no server-level HA/DR activities are in scope for this document.
- SAP Ariba solutions maintain redundant copies of all critical software subsystems. When a failure occurs, failover is triggered automatically to prevent disruption of service. Similarly, the solutions’ hardware infrastructure is implemented with automatic failover mechanisms as well. To establish connection redundancy, SAP Ariba solutions are connected to the Internet via two different ISPs running through physically separate conduits to the upstream provider.
Backup/Restore
- SAP Ariba Business Network:
  - SAP Ariba performs regular backups of your SAP Business Network data: registration and account information, uploaded customer catalogs, transactions, and discrete data (uploaded files). Backups do not interrupt the normal operation of SAP Business Network.
  - Database Backups:
    - Database transaction logs are copied from disk to tape four times per day in each datacenter.
    - Database copy-on-write snapshot disk backups are completed twice per day in each datacenter. Database transaction logs are saved to disk and to tape from the point in time of each database disk backup in each datacenter.
    - Database physical disk backups are completed once per week in each datacenter, copied to physically separate disks from the database data and transaction log volumes. Database transaction logs are saved to disk and to tape from the point in time of each database disk backup in each datacenter.
    - Full database backup copies are written to tape once per week in each datacenter.
- SAP Ariba Buying:
  SAP Ariba Buying schedules data backup at regular intervals. The backups are replicated to a secondary site, from where they can be restored in case of a disaster.
  When data is inadvertently destroyed within the primary data center, it is recovered using the data that was last backed up.
  SAP Ariba Buying schedules jobs to execute an automated backup of customer’s data. Additionally, a backup of the log files is automatically taken at 15-minute intervals.
  As part of the RPO, when SAP Ariba Buying restores the data and restores the system, the loss of data would be a maximum of 15 minutes.
  The data backups that SAP Ariba Buying maintains are retained in an encrypted format for a period of 14 days. SAP Ariba Buying follows best practices and ensures that all the necessary steps are taken to prevent data failure to the best of its capability.
Maintenance Plan
Cadence. SAP operates monthly updates (standard), immediate updates for critical fixes, and quarterly releases (usually in Feb-May-Aug-Nov).
What’s New and release calendars are available at the following link. Teams are to track feature deliveries and maintenance windows.
Major upgrades. SAP provides ≥ 4 weeks’ advance notice of major upgrades; SyWay reviews impact and coordinates any required readiness actions as documented in the System upgrade plan.
Release information can be found on SAP Note 3453776 - SAP Ariba Release Information and Release Schedule:
- https://connectsupport.ariba.com/sites#item-view&/206826 - Release Calendar and dates for SAP Ariba Applications
- https://connectsupport.ariba.com/sites#item-view&/208558 - Release Readiness Page (here you can find all information about the release).
- https://help.sap.com/whats-new/a688ba9fa69e4d4fadf9c67df17f3485?locale=en-US - The Help Portal page with release information for SAP Ariba Strategic Sourcing Solution; here you can find the features being delivered in the release.

