How Atlan connects to SAP ECC Public Preview

Atlan connects to SAP ECC to extract metadata from your SAP system while maintaining network security and compliance requirements. Your SAP environment remains protected behind your firewall with no inbound internet connections required.

How it works

The connection between Atlan and SAP ECC involves three core components:

• Atlan Cloud: The central platform that orchestrates metadata extraction and catalogs your SAP assets
• Secure Agent: A lightweight service deployed within your network that acts as a secure bridge
• SAP ECC System: Your on-premises or private cloud SAP system containing the metadata to be cataloged

As shown in the diagram:

• The secure agent sits within your network perimeter, establishing an outbound HTTPS connection to Atlan Cloud while maintaining a local connection to your SAP system.
• When you configure a SAP ECC connection, the secure agent translates Atlan's metadata extraction requests into SAP RFC (Remote Function Call) calls and returns the results securely to Atlan Cloud for processing and cataloging.
• This architecture ensures your SAP system never needs to expose ports to the internet—all connections are initiated from within your network.

How it protects your data

SAP systems contain sensitive business data and critical operational information. This connection model protects your environment by ensuring metadata extraction never requires opening your network to inbound connections or storing credentials outside your enterprise perimeter.

• Network isolation and encrypted communication: Your SAP system remains behind your firewall with all connections initiated from within your network—never inbound. The secure agent requires only outbound HTTPS access to Atlan Cloud (with support for corporate proxies) and local network access to your SAP system. All data transmission uses TLS 1.2 encryption over HTTPS, protecting metadata from interception during transit.

• Authentication and credential protection: The secure agent authenticates with Atlan using API keys stored in your enterprise-managed secret vaults (AWS Secrets Manager, Azure Key Vault, or Kubernetes Secrets). SAP connection credentials also remain within your enterprise security perimeter—retrieved dynamically from your secret vaults only when needed and never transmitted to or stored in Atlan Cloud. The agent only accesses metadata about your SAP data structures—such as tables, fields, and modules. Business data from your SAP tables remains in your SAP system and is never extracted.

• Read-only operations: All SAP RFC calls made by the secure agent are read-only queries that extract metadata without modifying any SAP data or configuration.

See also

• Secure Agent 2.0 architecture: Core components and data flow of Secure Agent 2.0
• Secure Agent 2.0 security: Security architecture, authentication, and encryption for Secure Agent 2.0
• System requirements: Hardware and OS specifications for setting up Secure Agent
• Set up SAP ECC: Configure user accounts and permissions for metadata extraction