
Xient Bridge · Architecture & Security

How Xient Bridge works - in detail.

For IT, security and architecture: the overall architecture, the data flow, the SAP API Policy readiness and the identity model behind Xient Bridge. Read-only first, fully auditable - and your data stays in your own tenant.

Example

What an answer looks like.

One question in Microsoft Teams, one focused answer - with sources, limits and an audit ID. Several SAP views become one traceable answer, without anyone needing to know the transactions.

Xient Bridge · Microsoft Teams
I have an invoice for €12,480. Is there a supplier, a purchase order and a goods receipt?

Supplier found: Mustermann GmbH (released).

Purchase order: 4500012345, net €11,900.

Goods receipt: partially posted (80%).

Invoice amount exceeds the order value - review by purchasing recommended.

Supplier master · Purchase order · Goods receipt · Invoice
read-only · SAP roles checked · Audit ID XB-2026-00184
Illustrative depiction of the flow in Microsoft Teams, not a screenshot of a production system.

Overall architecture

From question to evidenced answer.

Every request reaches SAP through your identity, a deterministic dispatcher and exclusively released functions - and comes back as an answer with sources. The AI phrases the answer, SAP provides the facts. There is no intermediate server and no copy of your data at Xient.

Architecture of Xient Bridge: from Microsoft Teams via identity, deterministic dispatcher and SAP Access Layer to SAP, Answer Composer and audit.

  • Microsoft Teams / Copilot: The question starts in the workplace
  • Xient Bridge: Orchestrates the answer
  • Identity & roles: Entra ID, mapped to SAP authorisations
  • Deterministic dispatcher: Only released functions - no free agent chain
  • SAP Access Layer: OData / CDS / BAPI / SAP Gateway / BTP / customer facade
  • SAP: S/4HANA · BW/4HANA · IS-U · ECC
  • Answer Composer: Answer with sources, limits and next step
  • Audit & logging: Azure API Management + SAP - fully traceable

Read-only first. Write actions stay with people, under the four-eyes principle.

Data flow

Where does your data go?

The most important question first - answered transparently. In short: there is no data storage at Xient.

| Data type | Where | Storage | Access |
|---|---|---|---|
| User question | Teams / Xient Bridge | Audit log per policy | Customer |
| User identity | Entra ID, mapped to SAP roles | minimal, contextual | Customer |
| SAP data | stays in SAP, only in the answer context | no copy at Xient | Customer |
| Answer + sources | Microsoft Teams | per your retention | Customer |
| Logs / audit | Azure API Management + SAP | defined retention | Admin / auditor |
| Customer data at Xient | - | none | nobody |

SAP API Policy readiness

Cleanly aligned with SAP's interface requirements.

The current SAP API Policy puts the focus on how interfaces are used - especially for AI and non-SAP access. For Xient Bridge that's not an obstacle but part of the design:

  • No direct table access
  • Only released, documented APIs - or cleanly encapsulated customer facades
  • No free LLM access to SAP
  • API allowlist per use case
  • Rate limits and monitoring
  • Complete audit logging
  • Purpose limitation per process
  • Clarified in the pilot: which APIs are official, which need customer-specific encapsulation
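
How a deterministic dispatcher can enforce the allowlist, read-only and audit controls listed above, shown as an added Python example. It is not Xient Bridge code: the intent names, role names, handler functions and audit ID format are hypothetical, and the handlers return constructed data instead of calling SAP.

```python
from __future__ import annotations
import itertools
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Released:
    """One released function: fixed handler, the role it needs, whether it only reads."""
    handler: Callable[[dict], dict]
    required_role: str
    read_only: bool = True

# Constructed stand-ins for released SAP APIs (a real deployment would call OData/BAPI).
def read_purchase_order(p): return {"po": p["po"], "net": 11900}
def read_goods_receipt(p): return {"po": p["po"], "posted_pct": 80}
def post_invoice(p): return {"posted": True}

# Allowlist per use case: intent name -> released function. All names are hypothetical.
ALLOWLIST = {
    "invoice_check": {
        "purchase_order": Released(read_purchase_order, "MM_PO_DISPLAY"),
        "goods_receipt": Released(read_goods_receipt, "MM_GR_DISPLAY"),
        # Listed on purpose: a write function is refused by the read-only rule.
        "post_invoice": Released(post_invoice, "FI_INVOICE_POST", read_only=False),
    },
}

AUDIT_LOG: list[dict] = []
_seq = itertools.count(1)

def dispatch(user: str, roles: set[str], use_case: str, intent: str, params: dict) -> dict:
    """Resolve an intent to a released function or refuse; every outcome is audited."""
    entry = ALLOWLIST.get(use_case, {}).get(intent)
    if entry is None:
        decision = "denied:not_allowlisted"      # the model cannot name arbitrary calls
    elif not entry.read_only:
        decision = "denied:write_requires_human"
    elif entry.required_role not in roles:
        decision = "denied:missing_role"         # least privilege via mapped roles
    else:
        decision = "allowed"
    audit_id = f"AUD-{next(_seq):05d}"           # constructed ID format
    AUDIT_LOG.append({"audit_id": audit_id, "user": user, "use_case": use_case,
                      "intent": intent, "decision": decision})
    data = entry.handler(params) if decision == "allowed" else None
    return {"audit_id": audit_id, "decision": decision, "source": intent, "data": data}
```

The language model only ever supplies the `intent` string; which function runs, and whether it runs at all, is decided by the table and the caller's mapped roles, and refusals are logged alongside successful reads.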

Identity & control

Access only through your own rules.

Entra ID → SAP roles

Sign-in via your existing identities, mapped to your SAP authorisations.

Least privilege

Everyone sees only what their SAP role permits - nothing more.

Read-only first

Information before action. Write steps stay with people.

Central audit

Every access and every answer logged and traceable.

Next step

Ready for a controlled pilot?

We review the relevant SAP interfaces, the role model and the audit concept with you - and show Xient Bridge on one of your processes.
