Overview
The SAP IS-U / SAP PM Connector links a utility's SAP Industry Solution for Utilities and SAP Plant Maintenance systems to Argus through a single registration flow, so the SAP record of truth and the live operational picture stay in step.
Energy, water, and gas distributors that run SAP IS-U as their enterprise system rarely want to replace it, and they should not have to. This connector lets a utility keep its existing SAP investment while adding modern operational capabilities on top. Once a SAP connection is registered, the SAP asset hierarchy populates the Argus geographic zone maps automatically, SAP maintenance orders appear in the unified work queue beside orders from every other source, and an outage detected or managed in Argus can raise the matching SAP malfunction notification without anyone re-keying it.
The result is a closed loop between operational intelligence and the work-management record of truth. Duplicate data entry falls away, information no longer lags behind the response, and crews act on one consistent set of facts.
Key Features
- One-Step SAP Registration: Register each SAP API Gateway endpoint once with its client credentials, and the connector handles tokens, paging, and reconciliation from then on.
- Encrypted Credentials at Rest: SAP client identifiers and secrets are stored encrypted with authenticated AES-GCM, with each value bound to its own owning record so a stolen ciphertext cannot be replayed elsewhere.
- Live Connectivity Test: Validate a connection on demand by acquiring a real token from the SAP API Gateway and reporting both success and round-trip latency.
- Functional Location Mapping: Read SAP Functional Locations and map them onto the Argus zone hierarchy, with top-level locations becoming supply zones and sub-level locations becoming distribution zones, each keyed by its SAP reference for stable reconciliation.
- Maintenance Order Ingestion: Pull SAP Plant Maintenance orders over paged data queries into the unified work queue, keeping titles, descriptions, and status in step on every run.
- Outage Push to SAP: Raise the matching SAP Plant Maintenance malfunction notification for an Argus outage event, carrying the title, functional location, plant, and a reference back to the originating record.
- Operational Picture Emission: Mapped locations and ingested orders are published as live operational entities, so they join the common operating picture without extra wiring.
- Full Audit Trail and Tenant Scoping: Every read, write, and connectivity test is scoped to the calling organisation and written to an immutable interoperability audit log.
Use Cases
- Electricity Distribution Operators: Bring the SAP feeder, substation, and breaker asset structure into the zone map, ingest planned and corrective maintenance orders, and raise SAP malfunction notifications the moment an outage is confirmed.
- Water Utilities: Map pumping stations, treatment works, and pressure districts from SAP Functional Locations into supply and distribution zones, then track the maintenance backlog against live operational events.
- Gas Distributors: Keep the SAP asset register and the operational picture aligned, so a detected loss of supply automatically opens the corresponding SAP notification for the field response.
- Multi-System Utilities: Run the SAP connector alongside other source connectors, with maintenance orders from SAP landing in the same unified work queue as orders from every other system.
- Reliability and Asset Teams: Use the audited record of mapped locations, ingested orders, and pushed notifications to study recurring faults and target preventive work.
Integration
The connector publishes its capabilities through an authenticated, organisation-scoped GraphQL interface, so a customer plugs in by registering one connection and then driving everything else from their own applications or the Argus console.
- SAP Connections: The read field sapIsuConnections lists the organisation's registered endpoints, while registerSapIsuConnection persists a new or updated endpoint with its encrypted credentials.
- Connectivity Validation: testSapIsuConnection acquires a live token from the SAP API Gateway and returns success with latency, so a customer can confirm reachability before relying on it.
- Asset and Order Onboarding: The location read action triggerSapFunctionalLocationSync and the order read action triggerSapMaintenanceOrderSync bring the SAP hierarchy and work backlog into Argus with consistent, repeatable reconciliation.
- Outage Write-Back: pushOutageToSap raises a type-M2 malfunction notification in SAP Plant Maintenance for an Argus outage event, closing the loop into the SAP system of record.
- SAP API Gateway: Argus talks to SAP over its own published gateway, acquiring tokens and reading or writing through standard data services, so no bespoke component has to be deployed inside the SAP landscape.
- Identity and Downstream Workflows: Access is governed by OAuth2-issued JSON Web Tokens scoped to the calling organisation, and once orders and events land in the platform the existing notification, alerting, and dispatch workflows pick them up for crews and customers.
Open Standards
- OAuth 2.0 (RFC 6749): the connector authenticates to the SAP API Gateway using the client-credentials grant, exchanging a client identifier and secret for a bearer token at the gateway's /oauth/token endpoint.
- OData (OASIS Open Data Protocol): SAP reads and writes use the gateway's published OData services under /sap/opu/odata/sap/, covering the Functional Location, Maintenance Order, and Notification entity sets, with paged retrieval over the standard skip and top options.
- REST: all SAP interaction follows a resource-oriented architectural style over plain HTTP verbs and resource paths.
- RFC 8259 JSON: SAP requests and responses, and the normalised records stored in Argus, are exchanged as standard structured JSON.
- RFC 8446 TLS / HTTPS: every call to the SAP API Gateway runs over transport-layer security, protecting credentials and asset data in transit.
- JSON Web Token (RFC 7519): organisation-scoped caller access is carried in signed JWT bearer tokens.
- GraphQL: the public surface is a typed, schema-described contract for predictable, organisation-scoped requests.
- NIST SP 800-38D AES-GCM: stored SAP credentials are protected with authenticated AES in Galois/Counter Mode, binding each ciphertext to its own record.
- ISO 8601: order and event timestamps use the standard date-time representation for unambiguous, comparable records.
Security & Compliance
- Encrypted Credentials at Rest: SAP client identifiers and secrets are never held in clear text. Each is encrypted with authenticated AES-GCM and tied to its specific connection record, so a stolen value cannot be replayed against another row.
- Strict Tenant Isolation: Every read, write, sync, and connectivity test is scoped to the calling organisation, so one customer can never see or act on another customer's connections, zones, orders, or outages.
- Authenticated Surface: All operations require an authenticated, authorised caller, and anonymous access is rejected.
- Token-Based SAP Access: The connector acquires a short-lived OAuth token for each SAP interaction rather than holding a standing session, reducing the window of exposure.
- Immutable Audit Logging: Connectivity tests, location and order reads, and every outage pushed to SAP are written to an append-only interoperability audit trail for review and compliance reporting.
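The record binding described under Encrypted Credentials at Rest can be shown with AES-GCM additional authenticated data. This is an added Go example, not the connector's own code. The function names, the record-ID strings, the nonce-prefixed storage layout, and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForRecord encrypts a secret with the owning record's ID as AAD.
// Stored layout (assumed): nonce || ciphertext || tag.
func sealForRecord(key []byte, recordID string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(recordID)), nil
}

// openForRecord decrypts using the ID of the row the value was read from.
// A ciphertext copied in from another row fails tag verification.
func openForRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("stored value too short: %d bytes", len(stored))
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := make([]byte, 32) // constructed demo key; never use a fixed key
	stored, _ := sealForRecord(key, "sap-connection/1001", []byte("constructed-secret"))
	_, err := openForRecord(key, "sap-connection/2002", stored) // moved to another row
	fmt.Println("replay rejected:", err != nil)
}
```

The record ID is authenticated but not stored in the ciphertext, so the reader must supply it from the row itself rather than from anything kept alongside the encrypted value.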
Last Reviewed: 2026-05-26 Last Updated: 2026-05-26