
How FileRelay Works

Understand the architecture of FileRelay — how documents flow from SAP (ArchiveLink, CMIS, or OData) through the connector to your destinations.

Architecture overview

FileRelay has two components, both deployed inside your perimeter:

  1. Connector (Micronaut app) — implements the three SAP ingest protocols (ArchiveLink HTTP Content Server, CMIS 1.1 client, OData consumer). Receives or pulls documents from SAP, verifies authenticity, and queues them for routing.
  2. Control plane (this app) — manages workspaces, destinations, routing rules, the audit log, and the dashboard. The connector hands documents to the control plane for forwarding to destinations.

                ArchiveLink (push)
SAP ECC / S/4 ─────────────────────────────► FileRelay Connector
                                                     │
                                                     │ pulls
SAP S/4 Cloud ◄──── CMIS / OData ─────────── FileRelay Connector
                                                     │
                                                     ▼
                                       [ Redis queue + shared buffer ]
                                                     │
                                                     ▼
                                       FileRelay Control Plane
                                                     │
                            ┌────────────────────────┼────────────────────────┐
                            ▼                        ▼                        ▼
                    Cloud storage           Document mgmt              File / API
                  (S3, Azure, GCS,             (SharePoint,          (SFTP, HTTP, Email,
                   R2, MinIO)                Box, Drive, ...)         Slack, Teams, SMB)

Ingest protocols

FileRelay receives documents from every commercial SAP edition via three SAP-published protocols. The downstream shape is identical regardless of source.

| Protocol | Direction | SAP-side config | SAP editions |
|---|---|---|---|
| ArchiveLink (BC-HCS 4.5) | SAP pushes to FileRelay | Transaction OAC0 — Content Repository | ECC 6.0, S/4HANA on-prem, S/4HANA Cloud Private (RISE) |
| CMIS (1.1) | FileRelay pulls (poll or Event Mesh) | Communication Arrangement SAP_COM_0552 | S/4HANA Cloud Public + Private (RISE) |
| OData (v2/v4 released APIs) | FileRelay pulls (poll or Event Mesh) | Communication Arrangement SAP_COM_0204, SAP_COM_0276, etc. | S/4HANA Cloud Public + Private (RISE) |

Document flow

ArchiveLink (push)

  1. SAP archives a document via ArchiveLink (e.g. from FB03, VA03, or print archiving).
  2. The request hits the FileRelay Connector at the Content Server URL configured in OAC0.
  3. The connector verifies the request signature (if certificates are exchanged), saves the file to the shared buffer, and queues a job in Redis.
  4. A background worker picks up the job and resolves the workspace + source repository.
  5. The worker looks up all active connections and their destinations.
  6. The document is forwarded to each destination in parallel via the appropriate forwarder (S3, SharePoint, email, etc.).
  7. Delivery status is tracked per-destination with a full audit trail.
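
The checks around step 3, as an added example that is not FileRelay's own code: what a connector can validate on a signed ArchiveLink URL before the file is buffered. The parameter names (secKey, authId, expiration, accessMode, contRep, docId) come from SAP's Content Server HTTP interface; the function names, the certificateActive flag, the reject-unsigned policy and the sample URL are assumptions, and the PKCS#7 verification is supplied by the caller.

```javascript
// Added example, not FileRelay code. Parameter names follow SAP's Content
// Server HTTP interface; function names, the certificateActive flag and the
// sample URL are constructed for illustration.

// Access mode (r/c/u/d) each command must carry in a signed URL.
const REQUIRED_MODE = new Map([["info", "r"], ["get", "r"], ["docGet", "r"],
  ["create", "c"], ["append", "u"], ["update", "u"], ["delete", "d"]]);

// "yyyymmddhhmmss" (UTC) -> epoch milliseconds, or NaN if malformed.
function parseExpiration(s) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/.exec(s || "");
  if (!m) return NaN;
  const [y, mo, d, h, mi, se] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, se);
}

// repo.certificateActive: a certificate has been exchanged for this repository.
// verifySecKey(message, secKey, authId): caller-supplied PKCS#7 verification
// against the active certificate; it is not implemented in this example.
function checkArchiveLinkRequest(rawUrl, repo, nowMs, verifySecKey) {
  const url = new URL(rawUrl);
  const q = url.searchParams;
  const need = REQUIRED_MODE.get(url.search.slice(1).split("&")[0]);
  if (!need) return { ok: false, reason: "unsupported-command" };
  if (!q.has("secKey")) {
    // Assumed policy: once a certificate is active, a URL with its signature
    // stripped is rejected instead of being treated as an unsigned request.
    return repo.certificateActive
      ? { ok: false, reason: "signature-required" }
      : { ok: true, signed: false };
  }
  const exp = parseExpiration(q.get("expiration"));
  if (Number.isNaN(exp)) return { ok: false, reason: "bad-expiration" };
  if (exp <= nowMs) return { ok: false, reason: "expired" };
  if (!(q.get("accessMode") || "").includes(need))
    return { ok: false, reason: "access-mode" };
  // Signed message: these values concatenated without separators. Confirm the
  // per-command parameter list against the SAP specification.
  const message = ["contRep", "docId", "accessMode", "authId", "expiration"]
    .map((k) => q.get(k) || "").join("");
  return verifySecKey(message, q.get("secKey"), q.get("authId"))
    ? { ok: true, signed: true }
    : { ok: false, reason: "bad-signature" };
}

// Constructed sample request (path, repository, document id and key are fake).
const SAMPLE_URL = "https://filerelay.acme.internal/archivelink?get&pVersion=0045" +
  "&contRep=K1&docId=ABC123&compId=data&accessMode=r&authId=CN%3DS4H" +
  "&expiration=20300101000000&secKey=Y29uc3RydWN0ZWQ%3D";
```

The cheap checks (command, expiry, access mode) run before the signature check so that malformed or stale URLs never reach the certificate code path.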

CMIS / OData (pull)

  1. The connector polls the configured CMIS repository or OData service on a schedule (or subscribes via Event Mesh for push-style triggering).
  2. For each new attachment, the connector fetches the binary over an OAuth-authenticated request and saves it to the shared buffer.
  3. From step 4 onward, the flow is identical to the ArchiveLink path — same routing, same destinations, same audit trail.

Operating models

FileRelay is on-prem only — it always runs inside your perimeter. Three operating models trade off control vs ops responsibility. The product, protocols, and destinations are identical across all three.

| Model | Hosted by | Documents traverse | Best for | Time to deploy |
|---|---|---|---|---|
| Self-hosted | You — Helm chart or Docker Compose, your cluster (OpenShift, EKS, AKS, GKE, bare metal). Air-gapped supported. | Your network only | Teams with an existing ops capability who want maximum control and customer-managed secrets (Vault, KMS). | 1–2 weeks |
| Managed on-prem | We deploy and operate FileRelay inside your cloud account / VPC. 24/7 monitoring, SLA, zero-touch upgrades. | Your network only | Teams that need data residency without running it themselves. | 2–5 days |
| FileRelay-hosted | We host on dedicated single-tenant infrastructure built for you. Same product as self-hosted. | A dedicated environment we operate | Teams that want the on-prem isolation story without provisioning any infra. | 1–3 days |

Contact us to pick a model — pilots are free, production licensing is quoted per deployment.

Cross-cutting features

The following apply to every operating model:

| Feature | Behavior |
|---|---|
| Connector | Runs inside your perimeter |
| Dashboard | Self-hosted under your domain (e.g. filerelay.acme.internal) |
| Buffer storage | Your MinIO / S3 / disk (Self-hosted), or operated by us inside your tenant (Managed on-prem / FileRelay-hosted) |
| SMB / Network Shares | Native — connector has direct network access |
| Documents leave your perimeter | No |
| SSO / SAML | Yes |
| SLA | Negotiated per deployment |

Security

  • All credentials are encrypted at rest with envelope encryption under a per-customer KMS key
  • TLS for all connections (FileRelay's HTTPS endpoint, outbound destinations, SAP-side OAuth)
  • ArchiveLink request signatures are verified against the active certificate
  • Per-workspace isolation — no data leaks between tenants
  • Full audit trail of every document received and every delivery attempt
  • The provisioning and security model for each operating model is documented separately for customers during the scoping call
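
Envelope encryption as named in the first bullet, as an added example that is not FileRelay's implementation: each credential is encrypted under a fresh data key, and only that data key is wrapped by the customer key. LocalKms is a hypothetical in-process stand-in for the KMS, and binding the workspace ID as AES-GCM associated data (so a record copied to another workspace fails to decrypt) is an assumption of this example, as are all names and the sample secret.

```javascript
// Added example, not FileRelay code. LocalKms, the record layout and the
// workspace-ID binding are assumptions made for illustration.
const crypto = require("node:crypto");

// AES-256-GCM; output is base64(iv || tag || ciphertext). aad is authenticated
// but not encrypted, so decryption fails if it differs.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

function open(key, blobB64, aad) {
  const blob = Buffer.from(blobB64, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tamper
}

// Stand-in for a per-customer KMS key: the key-encryption key (KEK) never
// leaves this object; callers only see wrapped data keys.
class LocalKms {
  #kek = crypto.randomBytes(32);
  wrap(dek, context) { return seal(this.#kek, dek, context); }
  unwrap(wrapped, context) { return open(this.#kek, wrapped, context); }
}

// Encrypt one credential under a fresh data key (DEK); persist only the
// wrapped DEK and the ciphertext.
function encryptCredential(kms, workspaceId, secret) {
  const dek = crypto.randomBytes(32);
  const record = {
    workspaceId,
    wrappedDek: kms.wrap(dek, workspaceId),
    ciphertext: seal(dek, Buffer.from(secret, "utf8"), workspaceId),
  };
  dek.fill(0); // drop the plaintext DEK as soon as it has been used
  return record;
}

function decryptCredential(kms, workspaceId, record) {
  const dek = kms.unwrap(record.wrappedDek, workspaceId);
  try { return open(dek, record.ciphertext, workspaceId).toString("utf8"); }
  finally { dek.fill(0); }
}
```

With a real KMS, wrap and unwrap become network calls, and rotating the customer key means re-wrapping the stored data keys without touching the credential ciphertexts.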