Postman worked. Work Zone failed.
Direct API success looked like proof. The governed entry path exposed that runtime reachability and production boundary validity were never the same thing.
Situation
A SAP BTP extension exposed services that behaved correctly in direct tests. Requests succeeded in Postman, payloads looked right, and the application team could demonstrate that the backend logic was sound. The production path, however, was meant to run through AppRouter and Work Zone with governed identity propagation, scope checks, routing, and user context.
Surface symptom
Users entering through Work Zone saw authorization gaps, redirect loops, missing claims, or inconsistent behavior between shells and direct endpoints. The direct test remained green, which kept confidence in the implementation path longer than it should have.
Why internal handling did not converge
Application teams pointed to the successful API call. Platform teams checked routes and destinations. Security teams focused on scopes, trust, and role collections. Each observation was locally correct. The debate did not converge because the direct path had become the wrong proof. It confirmed endpoint reachability, not governed entry-path validity.
What the issue actually was
The real failure sat at the identity and runtime boundary between direct testing and the production entry path. AppRouter, Work Zone, token propagation, route handling, and claims semantics belonged to the architecture being judged. The system had a protected success path and an invalid governed path.
What an independent verdict would need to clarify
- Whether the production entry path or the direct test should define architectural truth.
- Which identity and routing assumptions are invalid under real user entry conditions.
- Whether technical-user shortcuts are preserving motion while weakening boundary validity.
- What must change before the governed path can be considered legitimate.
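An added example, not part of the original case or any SAP code: a diagnostic that compares the claims of the token behind the green direct test with the token seen on the governed path. It assumes UAA-style JWT claims (`grant_type`, `scope`, `user_name`); the tokens, client id and scope name are constructed, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; no signature verification."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def entry_path_findings(claims: dict, required_scopes: set) -> list:
    """Return reasons why a token does not prove the governed user path."""
    findings = []
    if claims.get("grant_type") == "client_credentials":
        findings.append("technical-user token (client_credentials): no user context")
    if not claims.get("user_name"):
        findings.append("missing user_name claim")
    missing = required_scopes - set(claims.get("scope", []))
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    return findings

def _make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed samples: client id, user and scope name are hypothetical.
REQUIRED = {"orders-app.Display"}
DIRECT_TOKEN = _make_token({"grant_type": "client_credentials",
                            "client_id": "sb-orders-app",
                            "scope": ["uaa.resource", "orders-app.Display"]})
GOVERNED_TOKEN = _make_token({"grant_type": "authorization_code",
                              "user_name": "jane.doe@example.com",
                              "scope": ["openid"]})

if __name__ == "__main__":
    for label, tok in (("direct", DIRECT_TOKEN), ("governed", GOVERNED_TOKEN)):
        print(label, entry_path_findings(decode_claims(tok), REQUIRED))
```

The direct token carries the scope but no user, while the governed token carries the user but not the scope, so a passing direct call says nothing about whether the user path is authorized.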
Why this case matters
This pattern appears often because direct testing is easy to demonstrate and easy to over-trust. For SAP BTP extensions, entry-path truth is part of the architecture. When Work Zone and AppRouter invalidate the path, the issue is not just a failing request. It is a wrong proof standard.