Architecture Validation Rules
This document contains all the validation rules used by the Architecture Validator. These rules ensure that your architecture diagrams follow SAP best practices and guidelines.
Note
This document is auto-generated and updated automatically.
Validation Rules
| # | Rule Name | Rule Description |
|---|---|---|
| 1 | AI Copilot Integration with SAP Applications must happen via Joule | When integrating an AI agent or Copilot into SAP CAP applications, the communication must occur via SAP Joule. |
| 2 | Integration of External Identity Providers Must Go Through IAS | Any third-party identity providers must be integrated through SAP Cloud Identity Services, not directly integrated with the application. |
| 3 | GenAI Models Must Be Consumed via SAP Generative AI Hub/SAP AI Core | All generative AI and LLM services must be accessed via SAP Generative AI Hub or SAP AI Core. |
| 4 | SAP Build Components Must Be Grouped Under SAP Build SuperArea | All SAP Build components (e.g., Process Automation, Build Apps, Workzone) must be contained within a superArea named 'SAP Build'. |
| 5 | Missing SAP Event Services in event-driven architectures | Cloud provider event services (e.g., AWS SQS, Azure Service Bus) must not be used directly with SAP applications; they must integrate via SAP Event Services. |
| 6 | MCP usage must be flagged and requires OCTO Review Form approval | MCP servers built on core business processes and SAP cloud solutions must be flagged and advised as strictly for internal use. The requirement must pass through the OCTO Review Form. |
| 7 | All MCP connections must be routed through SAP Joule | Ensures that any Model Context Protocol (MCP) server, whether inside or outside SAP BTP, is connected via SAP Joule for proper governance and integration. |
| 8 | SAP Build Workzone Recommended with SAP Build Apps and CAP Applications | When SAP Build Apps is used in conjunction with SAP CAP applications, the use of SAP Build Workzone is recommended. |
| 9 | All data egress from SAP systems must go through BDC or use Delta Share/BDC Connect | Data egress from SAP Data Sources to external data platforms like Databricks or Snowflake must use compliant connectors such as Delta Share, BDC Connect, or be routed through Business Data Cloud/Datasphere. |
| 10 | SAP AI Core Requires Management Interface | When SAP AI Core, SAP Generative AI Hub, or a contained Orchestration service is present, at least one management interface (SAP AI Launchpad or SAP AI Core API) must also be present. |
| 11 | CAP-to-External Integration Requires Destination Service | If a CAP application integrates with an external system residing in a different subaccount, the integration must be established using the SAP Destination Service. |
| 12 | Integration to SAP S4HANA must use Cloud Connector or Private Link | If a CAP application connects to an SAP S/4HANA or on-premise system, the integration must use the Cloud Connector or Private Link service. |
| 13 | The connection between SAP Joule and the A2A Server must be established using the A2A protocol | The connection between SAP Joule and the A2A Server must be established using the A2A protocol. |
Total Rules
This validator currently checks against 13 validation rules.