Overview of Access and Interaction Model
The project follows a unified access model that ensures all users interact with SAP and enterprise solutions in a consistent and secure way, regardless of device type or location. Access methods are defined by the type of device, the data classification, and the nature of the user’s role. All corporate devices are managed through Intune, which ensures that laptops, PCs, and mobile devices remain compliant and secure before connecting to company systems.
In this document we describe access in terms of two concepts.
Access Channels
These are the devices and entry points that people use to reach our systems, for example a corporate laptop, a virtual desktop or a mobile device.
Digital Touchpoints
These are the applications and platforms where users perform their work, for example Work Zone Standard, S/4HANA Fiori, SuccessFactors, Ariba, Concur or SAP Analytics Cloud.
Layer | What it represents | Examples |
|---|---|---|
| Access Channels | How users physically reach SAP systems | Corporate Laptop, VDI, Mobile Device, TPA |
| Digital Touchpoints | Where users actually perform their work once inside | Work Zone Standard, Fiori Launchpad, SuccessFactors, Ariba, Concur, SAC |
Sascha, as document matures I can replace Example mappings with a interactive diagram that captures full list of Access Channels and their Digital Touchpoints.
Example mappings
These examples help visualise how Access Channels lead to Digital Touchpoints.
Corporate Laptop → Work Zone, S/4HANA, SuccessFactors, Concur, SAC
Virtual Desktop (CUI) → Work Zone (CUI), S/4HANA CUI
Kiosk → Work Zone, S/4HANA
- Managed Mobile → SAP Mobile Start → Work Zone, SuccessFactors
Industrial Mobile → S/4HANA (EAM, Warehouse apps), Neptune apps
TPA → Work Zone, selected S/4HANA or SaaS apps
External Portals → Ariba or other Supplier Portal, SDS Portal, other B2B portals
The following sections describe each Access Channel in more detail.
Access Channels
Access channels represent the devices and entry points through which users reach SAP and other enterprise systems. Each channel is defined by its level of control, security, and the type of data it can access. Together they ensure that every user, regardless of role or location, connects through a secure and consistent path that matches their work environment.
Syensqo Corporate Laptops
Corporate laptops are the standard way most employees access SAP systems. All corporate PCs and laptops are managed through Intune, Syensqo’s device management platform. This ensures that devices remain compliant and secure before connecting to company systems. The design principle is browser first, so business applications are accessed through a web browser rather than installed locally. CUI systems cannot be accessed from standard laptops, and security policies and technical controls are in place to block this.
Virtual Desktops for CUI
Virtual desktops are used only when accessing systems that hold CUI-classified data. They provide a secure and segregated environment so that sensitive information does not leave the controlled zone. This setup is required only for users at CUI sites or in roles that work with CUI data. Users still work in a browser inside the virtual desktop, so applications look and behave in a familiar way.
Kiosks
Kiosks are shared devices in plants, warehouses and other operational areas. The operating system runs under a generic account, but each person signs in when they open the browser. This allows users in shared environments to see their own view of Work Zone, Fiori and other applications. The project will refine sign-in and sign-out patterns so that frequent use remains simple and reliable.
Syensqo Managed Mobile Devices
Corporate mobile phones and tablets are managed centrally through Intune, Syensqo’s device management platform. This allows secure configuration, app deployment, and compliance control before a device connects to company systems. Applications are either pre-installed or made available through the company app catalogue. If more than half of a target population needs a specific app, such as SAP Mobile Start or SuccessFactors, the app is pushed automatically. Apps used by smaller populations, such as Concur, are available on demand. Managed mobile devices support single sign on, so users can move between approved apps without repeated logins.
Industrial Mobile Devices
Industrial mobile devices, such as rugged tablets or handheld scanners, are pre-configured for operational use. Only approved business applications are deployed on these devices. User authentication must stay simple and secure. The project will evaluate options such as badge-based login or shared-device patterns, with the goal of keeping user effort low while still enforcing access control.
Personal (Unmanaged) Mobile Devices
Personal mobile devices can be used for selected cloud applications, for example SuccessFactors or Concur, where this is allowed by security policy. Access to core S/4HANA systems and other higher-risk applications continues to require a corporate device or virtual desktop.
Third-Party Personnel without Corporate Laptops
Third-party personnel, such as contractors or consultants, access SAP systems through the Third-Party Access (TPA) environment. TPA provides a controlled workspace where selected business applications are available through a browser. This keeps external work separated from the Syensqo network while still giving a familiar browser-based experience.
External Portals
External portals support interactions with customers, suppliers and other business partners. Examples include supplier portals, B2B portals and customer access to Safety Data Sheets. These portals are separate from internal systems but follow similar principles for branding and ease of use.
Digital Touchpoints
Digital touchpoints represent the applications and platforms where users actually perform their work once they have accessed the environment through an approved Access Channel. The objective is to provide a consistent experience across SAP and related enterprise solutions, regardless of device or entry point.
Work Zone Standard
SAP Build Work Zone Standard is the central entry point for all user access. It connects directly to our S/4HANA systems to expose the role-based Fiori apps assigned to each user, and it also links to other enterprise and SaaS solutions such as SuccessFactors, Ariba, and Concur where the role requires them. This gives users one consistent environment to access everything they need for their work without having to remember system names or maintain separate logins.
Work Zone combines content from multiple systems into a single, role-based experience. For example, a procurement specialist can see both S/4HANA Fiori apps and supplier links, while an HR user can access Fiori workflows together with SuccessFactors content. This unified model is one of the core design decisions in our project, providing a consistent user experience and reducing fragmentation while keeping access governed.
How users access apps and tools in Work Zone
In Work Zone, users access applications and content through tiles or links. Tiles represent apps or actions and launch the underlying Fiori app, classic UI, or SaaS system. Each tile displays the app name, icon, and, where relevant, live data or status indicators.
The project uses Insight Tiles (KPI, Chart, Trend, and Comparison) where it makes sense to show key figures or status information directly on the tile. This gives users quick visibility of important metrics before opening the app.
Links are used where a full tile is not needed. They save space and are ideal for opening SaaS homepages, reports, or documentation that support the user’s role. This keeps pages clean and focused.
To maintain clarity as the number of tiles grows, the project follows the new Work Zone layout based on Spaces, Pages, and Sections. This structure keeps navigation consistent and reduces clutter:
Spaces group work by function or Line of Business, such as Finance, Procurement, or HR (maps to Signavio L3).
Pages organise tiles by activity or task type, such as Operational tasks or Analytics (maps to Signavio L4).
Sections further group tiles to make large collections more manageable and reduce visual clutter.
Tiles are the smallest display element and map to Signavio executables (L5).
See images below for examples of the structure and tile types used in Work Zone.
Spaces, Pages and Sections schematic
A schematic display of how Spaces, Pages, and Sections are structured in Work Zone.
Tile Examples image
Examples of different tile types including KPI, Comparison, Monitoring, and Link tiles.
How users access systems across multiple backends
The project operates three SAP Build Work Zone Standard tenants aligned with each regional S/4HANA system. This approach ensures faster access, maintains data segregation by geography, and supports compliance with local performance and regulatory requirements.
Some roles require access to applications in more than one regional instance, such as ROW, CUI, or China. From a user perspective, access across these environments is seamless. Users sign in once and can reach the Work Zone for their region without needing to manage multiple logins or credentials. Aside from the URL, there is no disruption to how users access or work with their applications.
Each Work Zone follows the same structural design so that navigation, pages, and tiles behave consistently across regions. The project is also exploring the use of regional theming to help visually distinguish each tenant, although this is still under review.
Within Work Zone, each tile indicates which backend it connects to, allowing users to identify the system before launching the app. This provides one unified entry point while keeping each region’s data and connectivity governed independently.
See KDD036 - User Access to Enterprise Systems for the technical rationale behind the multi-tenant design.
See images below for examples of how roles access multiple S/4HANA systems through Work Zone.
Individual tiles – used where users need to open separate apps per backend without displaying data. Each tile represents one system and is clearly labelled (for example, Manage Purchase Orders – ROW, CUI, or China).
UI cards – used where data or status values are meaningful at a glance, such as monitoring purchase orders or supplier confirmations across multiple systems. Cards summarise key values in one component, allowing quick comparison without opening separate apps. (Example: “Open PO counts by backend”)
Where you see approvals (Task Centre)
Workflow approvals and tasks are accessed through the Task Centre, which is embedded directly in SAP Build Work Zone Standard. This gives users a single consolidated view of approvals from S/4HANA, SuccessFactors, Ariba, Concur, and any other connected systems. Users can review, approve, or forward tasks without leaving Work Zone, creating a consistent and efficient experience.
The technology team will assess each SAP and non-SAP system to determine whether Task Centre integration is feasible. The SaaS Applications table (See Below) reflects this assessment with three outcomes:
- Yes where integration is supported
- No where it is not
- Conditional where further investigation is required. Conditional cases depend on the system APIs and whether the required task data can be exposed through a Task Provider.
Where you see alerts (Notifications)
Notifications can be surfaced in SAP Build Work Zone Standard to give users a single place to view important updates from S/4HANA and other connected systems. This includes alerts, status changes, reminders, and Task Centre items, since workflow tasks can also generate notifications. Users can open the related application or record directly from Work Zone, helping them stay informed without switching between systems.
The technology team will assess each SAP and non-SAP system to confirm whether notification integration is possible. The SaaS Applications table (See Below) reflects this with three outcomes:
- Yes where the system can publish notifications to Work Zone
- No where this is not supported
- Conditional where further analysis is required. Conditional cases depend on the system’s ability to expose event or notification APIs that Work Zone can consume.
Figure: Example of notifications displayed in SAP Build Work Zone Standard
Deep Linking
Deep linking allows users to open an application or a specific record through a direct URL. Inside S/4HANA and the Fiori ecosystem this works consistently because Fiori supports true deep links and Work Zone acts as the central entry point for navigation.
Outside S/4HANA the experience varies. Each SAP SaaS and non-SAP SaaS product uses its own navigation model, so record-level deep linking is not always available. Some systems support it, others offer only app-level links, and some do not support deep linking at all.
When the business requests a deep link to an external system, the technology team will review the requirement. If the request is valid and within scope, we will assess the capabilities of the target system and confirm what is technically possible. These situations are marked as “Conditional” in the SaaS Applications table below.
SaaS Applications
| System / SaaS | Description | Task Centre | Notification | Deep Links |
| S/4HANA (TPA) | Core enterprise system supporting finance, supply chain, manufacturing, and operational processes. | Yes | Yes | Yes |
| SAP GTS | SAP software that helps companies manage and automate international trade processes, focusing on compliance, customs, and logistics | Conditional | Conditional | Yes |
| SAP Ariba | Comprehensive, cloud-based software solution for managing all stages of the procurement and supply chain process, from sourcing to payment | Yes | Yes | Conditional |
| SAP Concur | Cloud travel and expense system used to submit claims, process travel, and manage reimbursements. | Yes | Conditional | No |
| SAP SuccessFactors | Cloud HR suite managing core employee data, talent processes, and workforce performance. | Yes | Yes | Conditional |
| SAP Analytic Cloud (SAC) | Analytics and planning platform for dashboards, forecasts, and business reporting. | No | Conditional | Yes |
| SAP Advanced Financial Closing | Cloud workflow tool coordinating and monitoring period-end financial closing tasks. | Yes | Yes | Yes |
| SAP Document Reporting Compliance | Cloud service enabling real-time electronic tax reporting and country-specific compliance. | Yes | Yes | Yes |
| SAP Group Reporting Data Collection | Cloud application used to collect, validate, and prepare financial data for group consolidation. | Yes | Yes | Yes |
| SAP Profitability & Performance Mgmt. | Financial modelling and profitability analysis platform supporting scenario-based insights. | Conditional | Conditional | Conditional |
| SAP Sustainability Footprint Mgmt. | Cloud application calculating product-level environmental footprints. | Conditional | Conditional | Conditional |
| SAP Sustainability Control Tower | Sustainability reporting platform consolidating KPIs across the enterprise. | Conditional | Conditional | Conditional |
| SAP Green Ledger | Carbon accounting ledger aligning environmental metrics with financial structures. | Conditional | Conditional | Conditional |
| SAP BN Global Track & Trace | Shipment visibility platform providing real-time tracking across logistics partners. | Conditional | Conditional | Conditional |
| SAP BN Freight Collaboration | Cloud service connecting shippers and carriers to manage freight orders and status updates. | Conditional | Conditional | Conditional |
| SAP Asset Performance Mgmt. | Cloud solution for monitoring equipment health and improving maintenance outcomes. | Conditional | Conditional | Conditional |
| SAP Risk and Assurance Mgmt. | Cloud platform used to document risks, controls, and assurance activities. | Yes | Yes | Conditional |
| PCN Opesus (SAP add-on) | Product compliance notification tool used for EU and UK regulatory submissions. | Conditional | Conditional | N/A |
| Salesforce | Cloud CRM platform supporting sales, service, and customer engagement processes. | Conditional | Conditional | Conditional |
| Icertis | Cloud contract lifecycle management solution used to create, negotiate, and store commercial agreements. | Conditional | Conditional | Conditional |
| Keelvar | AI-enabled sourcing optimisation solution supporting complex procurement categories. | Conditional | Conditional | Conditional |
| Kinaxis Maestro | Supply chain planning platform supporting scenario planning and forecasting. | Conditional | Conditional | Conditional |
| (3E Optimize)/VSDS Loader | Cloud service supporting chemical safety data and regulatory information handling. | No | No | Conditional |
| AVEVA PI-AF (MES) | Manufacturing data historian capturing process data for analysis and reporting. | No | No | Conditional |
| CASS | Freight audit and payment service validating logistics invoices and charges. | No | No | Conditional |
| Blackline | Finance cloud solution automating account reconciliations and financial close activities. | Conditional | Conditional | Conditional |
| Esker | AP automation platform supporting invoice capture, routing, and approval workflows. | Conditional | Conditional | Conditional |
| EDICOMM | e-Invoicing and EDI compliance platform used for country-specific reporting. | Conditional | Conditional | Conditional |
| Vertex O Series | Cloud tax engine calculating indirect taxes for sales and invoicing processes. | Conditional | Conditional | Conditional |
| Worldline (SWIFT) | Banking connectivity service enabling SWIFT messaging for treasury operations. | No | No | Conditional |
| OpenText | Document management platform integrating structured content with SAP business objects. | Conditional | Conditional | Conditional |
| Bloomberg | Financial market data service providing pricing, rates, and analytics for treasury processes. | No | No | Conditional |
| UPS | International courier and logistics provider supporting parcel shipping and delivery tracking. | No | No | Conditional |
| FEDEX | Global parcel and freight carrier used to book shipments, generate labels, and track deliveries. | No | No | Conditional |
| DHL | Global express and freight logistics provider used for outbound shipments and tracking. | No | No | Conditional |
| Project44 | Logistics visibility platform providing real-time shipment tracking across carriers. | Conditional | Conditional | Conditional |
| Sunland Infor | Asian logistics partner providing warehousing, distribution, and transport services. | No | No | Conditional |
| Kenco | North American logistics provider offering warehousing, distribution, and transportation services. | No | No | Conditional |
| TMS4S / E2Open (BluJay) | Transportation management system supporting carrier bookings, loads, and tracking. | Conditional | Conditional | Conditional |
| Mitsui Soko | Japanese logistics and warehousing provider supporting storage and transport operations. | No | No | Conditional |
| PML CN | China-based logistics partner supporting regional warehousing and transportation activities. | No | No | Conditional |
| Transwide TMS | Transportation planning and tendering platform used for carrier selection and load execution. | Conditional | Conditional | Conditional |
| Katoen Natie 3PL (Belgium) | International 3PL providing storage, handling, and distribution for Syensqo sites in Belgium. | No | No | Conditional |
| Katoen Natie (Global) | Global 3PL provider offering warehousing, handling, and logistics services across multiple regions. | No | No | Conditional |
| Arcese 3PL Italy | Third-party logistics provider supporting warehousing and transport operations in Italy. | No | No | Conditional |
Joule and AI Assistance
Joule is SAP’s built-in generative AI assistant that helps users work faster and with fewer manual steps. It can answer questions, summarise information, create insights, and guide users through processes using natural language. In our S/4HANA landscape Joule will support everyday business activities such as reviewing transactions, analysing documents, identifying issues, and recommending actions based on the data in the system.
For business users the main benefit is simplicity. Instead of navigating multiple screens or searching for the right application, users can ask Joule a question or describe what they want to do. Joule can open the correct app, retrieve relevant information, or complete routine tasks on the user’s behalf. This creates a more intuitive and productive experience, especially for infrequent users or users who work across multiple systems.
We will make Joule available through SAP Build Work Zone Standard as one of the core access points for AI support. Users will be able to launch Joule directly from Work Zone to ask questions, request guidance, or trigger actions in S/4HANA and connected systems. As SAP expands Joule’s capabilities, the assistant will become a central touchpoint for insights, help, troubleshooting, and process support.
During the project the technology and functional teams will work with SAP to test Joule in realistic business scenarios. This includes validating how well Joule understands our processes, the accuracy of its responses, and how it can speed up tasks for each Line of Business. The objective is to identify high-value use cases and provide guidance to users so the organisation gets the most benefit from the AI capabilities SAP delivers.
Supported Browsers
SAP Build Work Zone Standard and the related SAP Fiori applications require a modern, fully supported web browser. Using the latest version ensures the best performance, security, and user experience. Older or unsupported browsers can cause missing features, display issues, or login problems.
See SAP documentation: Browser and Platform Support
Figure: Supported browsers for accessing SAP Build Work Zone and Fiori apps
Note: The content below is temporary working notes only and not part of the final document. All items will be removed before finalisation.
SaaS Applications
- SuccessFactors – HR and Learning
Used for employee lifecycle processes, performance management, and learning activities. - Ariba / Supplier Portal – Procurement and Supplier Collaboration
Supports sourcing, procurement, and supplier management processes with integration to S/4HANA. - Concur – Travel and Expense Management
Used for travel requests, expense claims, and reimbursement workflows. - SAP Analytics Cloud (SAC)
Provides analytical dashboards, business insights, and reporting for multiple process areas. - Salesforce – Customer Relationship Management
CRM stuff - BlackLine
- Kinaxis Maestro
Note: Bring in complete project list once validated (include additional SaaS and enterprise applications currently in scope).
Industrial Applications
Industrial systems are accessed mainly through dedicated apps deployed on rugged or shared devices. These applications support plant, maintenance, and logistics operations where mobility and simplicity are key.
Examples include:
T&T, Blueworks, and other industrial or site-specific apps that extend S/4HANA for field operations.
Note: Insert all confirmed industrial applications here once finalised.
Mobile Solutions and Apps
Mobile access complements the digital touchpoints through SAP Mobile Start and other approved apps deployed via the company app catalog. The goal is to provide role-based access to tasks and data while maintaining a consistent experience between desktop and mobile.