ZMCP Security & Architecture Whitepaper
17-section technical reference covering trust model, authorization architecture, tool risk classification, hard-coded safety limits, data masking, audit logging, license verification, GDPR / POPIA / ISO 27001 control mapping, and a pre-deployment security checklist. Written for SAP architects, security teams, and IT auditors evaluating ZMCP for production deployment.
How does ZMCP work? What are the deployment options?
ZMCP installs as pure ABAP on your SAP system and exposes 190+ tools via a standard MCP endpoint (/sap/bc/zmcp_jit). There are two deployment modes:
1. ZMCP-only mode (single SAP system) — One ABAP MCP server installed inside one SAP system. Users connect via the built-in browser Chat UI inside SAP Fiori, which calls an LLM provider (Claude, OpenAI, Gemini, Deepseek, or SAP Joule) directly via API key. No middleware, no extra hosts. The simplest possible install. Best for teams managing a single SAP system.
2. Orchestration mode (multi-system landscape) — A lightweight Node.js CLI bridge on a Linux host connects several ZMCP-equipped SAP systems behind one AI session. A single prompt can read from DEV, compare against QAS, and verify in PRD — in one turn. The bridge routes through your existing AI CLI subscription (Claude Code, OpenAI Codex CLI, or Google Gemini CLI) or via API key, your choice. Flat-rate AI cost via the CLI subscription path — no per-token surprises. Best for MSPs, multi-tenant SAP estates, and anyone needing cross-landscape analysis.
Optional: Private AI Gateway. In either mode you can route traffic through a private AI gateway (AWS Bedrock, Azure OpenAI, SAP BTP AI Core) for compliance environments where data must stay inside your own cloud account. The gateway sits transparently in the request path between ZMCP and the public AI provider.
See "Which AI provider should I use?" below for a detailed cost comparison.
Do I need data masking? Trusted vs. untrusted AI providers
It depends on your AI provider and your data classification requirements.
Trusted (no masking needed):
- Claude Enterprise (Max/Team with contractual data privacy) — Anthropic guarantees your data is not used for training and is not accessible to other customers.
- AWS Bedrock / Azure OpenAI / 3rd party AI Gateways — AI models run within your own cloud account. Data never leaves your infrastructure.
- SAP BTP AI Core / Joule — SAP's own AI infrastructure with enterprise data handling agreements.
Untrusted (masking recommended):
- Claude Pro/Max (consumer subscription) — No contractual guarantee that data isn't used for training. Claude Code CLI falls in this category unless you have an enterprise agreement.
- Deepseek API — Third-party provider based in China. Inexpensive but data handling policies may not meet enterprise requirements.
- OpenAI API (standard) — Unless you have an enterprise agreement, data may be used for model improvement.
ZMCP provides per-API-key masking controls. In the Chat UI settings, each API key has a "Mask output" toggle. When enabled, ZMCP applies 326 ABAP data element rules to pseudonymize personal and sensitive data before it reaches the AI provider. The masking is reversible — authorized users can unmask tokens in the Chat UI.
Important: Data masking is provided on a best-effort basis. It covers standard SAP fields (names, addresses, bank details, employee IDs, etc.) but cannot guarantee complete coverage for custom fields, free-text entries, or non-standard data structures. Datastroom IT accepts no liability for data that passes through the masking layer undetected. Customers are responsible for evaluating whether the masking coverage is sufficient for their data classification and compliance requirements.
What counts as one "system"?
One SAP System ID (SID) + client combination. For example, PRD client 100 is one system. If you have DEV/100, QAS/100, and PRD/100, that's 3 systems. Note that approximately 90% of ZMCP's tools are client-independent (system monitoring, HANA diagnostics, ABAP development, transport management, OS monitoring, profile parameters, etc.) — they return the same results regardless of which client you connect to. Client-dependent tools (background jobs, audit log, user management, business data) are the exception. In practice, most Basis teams only need one client per SID.
Are there per-user or per-query fees?
No. The license is per system. Unlimited users can access ZMCP through the Chat UI or MCP clients. There are no per-query charges from ZMCP. Your AI provider (Claude, Deepseek, etc.) may have their own costs depending on their pricing model.
What happens when my subscription expires?
ZMCP has a 14-day grace period after expiry. During this time, all tools continue to work normally. After 14 days, tool calls are blocked until you renew. The software remains installed — no data is lost.
Can I try before I buy?
Contact us at support@zmcp.app for a 14-day trial license.
Does ZMCP send my SAP data to the cloud?
ZMCP itself runs entirely on-premise as pure ABAP. No data leaves your SAP system through ZMCP. However, when you connect an AI assistant (Claude, Deepseek, OpenAI), the AI provider processes the tool results. You control which tools are enabled and can configure data masking per API key for untrusted providers. For maximum data privacy, use an enterprise AI account or a private AI gateway (AWS Bedrock, SAP BTP AI Core).
What SAP versions are supported?
S/4HANA 2021 and higher with ABAP Platform 7.57+. Tested on S/4HANA 2022 SP1 and 2025 SP1. Requires SAP HANA database.
Is the data masking guaranteed to catch all sensitive data?
No. Data masking is provided as a best-effort feature based on 326 ABAP data element rules and configurable infrastructure patterns. It covers standard SAP fields (names, addresses, bank details, etc.) but cannot guarantee complete coverage for custom fields, free-text entries, or non-standard data structures. Customers are responsible for evaluating whether masking is sufficient for their data classification requirements.
Which AI provider should I use?
ZMCP's Chat UI works with any LLM that offers an API, and the CLI bridge additionally supports Claude Code, OpenAI Codex CLI, and Google Gemini CLI subscriptions. Per-token API rates as of April 2026:
| Provider & model | Input (per 1M tokens) | Output (per 1M tokens) |
|---|---|---|
| Deepseek V3.2 | $0.28 | $0.42 |
| Deepseek V4 | $0.30 | $0.50 |
| OpenAI GPT-5 | $1.25 | $10.00 |
| Google Gemini 2.5 Pro | $1.25 | $10.00 |
| Google Gemini 3.1 Pro | $2.00 | $12.00 |
| OpenAI GPT-5.4 | $2.50 | $15.00 |
| Anthropic Claude Sonnet 4.6 | $3.00 | $15.00 |
| Anthropic Claude Opus 4.6 | $5.00 | $25.00 |
| SAP Joule (Generative AI Hub)† | ~$3–7 | ~$16–33 |
| Claude Code CLI (subscription) | flat-rate, all queries included | |
| OpenAI Codex CLI (subscription) | flat-rate, all queries included | |
| Google Gemini CLI (subscription) | flat-rate, all queries included | |
Per-token rates for the API providers verified April 2026 from each vendor's public API pricing page. Subject to change. Cached input rates and batch-API discounts (typically 50–90% off) not shown.
† SAP Joule prices are a ZMCP estimate, not an official SAP figure. SAP does not publish a USD per-token rate. The range is calculated from SAP Note 3437766 ("Availability of Generative AI Models", v136, 9 April 2026), which gives an official conversion of 2.23 GenAI billing tokens per 1M input model tokens and 10.87 per 1M output for Claude Sonnet 4.6 via the SAP Generative AI Hub. The USD figures above assume a price of $1.50–$3.00 per GenAI billing token (consistent with publicly reported SAP enterprise SKUs; the TDD/partner SKU is around €0.65). Actual prices vary by region, contract, and bundled "AI Units" inventory — contact SAP for an authoritative quote.
A typical ZMCP query involves 50K–200K tokens (system prompt + tool discovery + tool results + response). At API rates that's roughly $0.02–$0.10 per query with Deepseek V3.2, $0.10–$2 with GPT-5 or Gemini 2.5 Pro, and $0.50–$5 with Claude Opus 4.6. With a CLI subscription (Claude Code, Codex CLI, or Gemini CLI), all queries are included in the flat monthly fee — effectively $0 per query once you're paying the subscription.
Recommendations by use case:
- Heavy daily use (50+ queries) — A CLI subscription via the orchestration-mode bridge. Flat rate, no token anxiety. Pick Claude Code, OpenAI Codex CLI, or Google Gemini CLI based on which subscription you already have.
- Occasional use / cost-sensitive — Deepseek V3.2 or V4 via the Chat UI. Extremely cheap per query. Enable data masking for privacy since Deepseek's data-handling terms may not meet enterprise requirements.
- Enterprise data privacy — Get an Enterprise model and keep your data inside your company, or route via a Private AI Gateway: AWS Bedrock, Azure OpenAI, or SAP BTP AI Core. Data stays within your contractual boundary — no masking needed.
- Best quality answers — Anthropic Claude Opus 4.6 (via API or via the Claude Code CLI subscription). Most capable model for complex SAP analysis. Highest API cost per token, but the CLI subscription includes it for a flat fee.
- SAP-native — SAP Joule via the Generative AI Hub. Fully within the SAP ecosystem and procurement model. Pricing is bundled in “AI units” rather than per-token.