How We Use Workato AI Agents (Genies) for SAP User Management


…and yes, the promotion path from SAP Basis Security Administrator to AI Agent Manager didn’t exist before.

Much is written about strategies for adopting GenAI, Agentic Orchestration, and their transformative potential for organizations. But many articles stop short of explaining how to actually start and design a high-impact agentic solution. This article gives a practical look at how Workato’s SAP Center of Excellence (CoE) is developing a scalable, end-to-end agentic solution for our internal SAP landscape using Workato ONE.

⚠️ Disclaimers:

1) Every SAP estate is unique, and what works for us may not be a 1:1 fit for every other organization.

2) Our SAP-focused agentic solution is evolving alongside Workato’s platform capabilities and is in internal beta.

SAP Basis Genie in Workato GO


Starting with Why?

Gartner predicts that around 40% of agentic AI projects will be canceled by the end of 2027. (Interestingly, that’s also when mainstream support for SAP ECC ends!) So before diving into the “How,” let’s take a step back and explore the “Why.”

At Workato, we manage multiple SAP ERP systems — from the legacy ECC to S/4HANA with the latest FPS — across a variety of use cases including demos, POCs, training, development, and testing. These systems host several clients (CLNTs) for Sandbox, Development, QA, and more, and we support all five SAP user types. Often, our end users don’t require UI access, but instead need connectivity (e.g., RFC, OData) for their SAP orchestrations.

We don’t use SAP GRC, IDM, CUA, or any non-SAP tools like SailPoint for centralized user governance across SAP systems. Our goal is to build an agentic solution — entirely on Workato’s AI stack — with zero custom ABAP coding in the SAP ERPs.

Our organization has an in-house SAP Basis Administrator responsible for user governance. The agentic solution — internally known as SAP Basis Genie — is designed to support a rapidly growing SAP user base, scale with organizational needs, assist with user lifecycle operations, and enable anomaly detection across SAP user accounts. It should operate both with and without human intervention, serving three primary personas:

  1. Users without SAP expertise requesting API access
  2. Users with SAP expertise requesting both UI and API access
  3. SAP Basis Admins and BT teams who need proactive insights and automation

Ultimately, our goals are to:

  • Empower users through conversational AI and self-service scenarios
  • Free up SAP Basis Administrator time for strategic initiatives
  • Eliminate the need to invest in third-party SAP user governance tools
  • Enable AI-driven proactive SAP user sanity checks and alerts

Architecture

Our focus is on creating an agentic solution that is scalable, modular, and robust, with strong governance and seamless integration points with other Workato projects within the same workspace.

SAP Architecture Overview


UIs and Agentic Apps

These interfaces are tailored to specific end-user personas and their respective user journeys. Most users interact with Genie through Workato GO, while the SAP Basis Administrator has access to all interaction channels — and additional capabilities — thanks to MCP integration.

Genies

Each Genie bundles together Skills, Grounding, and Events with a specific LLM and UI, forming a purpose-built Workato Agent. Keep in mind that LLMs vary in performance and SAP literacy. Depending on the user persona, user journey, and chosen interaction channel (e.g., Workato GO, Slack, MS Teams), you may need to maintain multiple versions or variations of the same Genie to optimize experience and accuracy.

Skill Recipes

In this design, Skill recipes are fully decoupled from direct SAP and non-SAP application connections or orchestration logic. This approach ensures scalability and a clear separation between the Agentic and Orchestrate layers within Workato.

Knowledge Base (KB) and Event Recipes

Knowledge Base recipes focus on managing documents within the KBs assigned to SAP Basis Genie.
Event recipes, on the other hand, maintain a strict focus on reactivity and proactivity: most are reactive (responding to user prompts), but in certain scenarios, Genies act proactively, triggered by defined events or schedules.

API Recipes and MCP Enablement

This is one of the most exciting aspects of the solution. The potential of Workato as an MCP server is often underrated. Unlike traditional API recipes, MCP API recipes are treated as another set of Agent Skills, scoped specifically to MCP clients—just as Skills are scoped to Workato Genies.

Function Recipes

Function recipes are driven primarily by your agentic solution requirements. They form the core logic layer, designed for maximum reusability across multiple Agent Skills and APIs exposed to MCP clients. These functions are also composable (e.g., Function A can be called by Functions B and C).
Example: an atomic check for user account availability in a specific SAP system.

Utility Recipes

These are your cross-solution helpers, used throughout the Workato workspace by multiple projects and builders. Each Utility should have a well-defined purpose — keep it simple, reusable, and generic. Any use-case-specific extensions should be implemented outside the Utility layer, using a bolt-on approach to maintain modularity and control.

Connections

Your SAP connections are mission-critical. Configure them once for high stability, security, and zero downtime. Treat them as “VIPs” — with dedicated administration and governance models to ensure reliability and compliance across all environments.

Practical Advice

Keep the Whole Solution in View

Workato Genies and the Agentic framework exist to deliver the business value your architecture is designed to achieve. Always design with that broader purpose in mind.

Build a Coherent SAP Genie Skillset

Focus on creating a cohesive Workato SAP Genie skillset, not isolated Skills. Maintain visibility into how your Functions, Skills, and MCP APIs are interconnected. Identify and consolidate shared patterns to avoid redundant or overlapping Skills that complicate maintenance and scalability.

Balance Agentic and Orchestration Layers

Avoid restricting your Orchestration layer to simple connectivity plumbing. Doing so leads to duplicated logic across Skills, making your solution harder to scale and maintain. Instead, design a reusable orchestration foundation that your Agentic components can build upon — ensuring consistency, modularity, and long-term efficiency.

Create a Specialist SAP Genie, Not a Generalist AGI

Your goal isn’t to build a general-purpose AGI, but a specialized SAP Genie with a clearly defined role. Use the “What instructions should this Genie follow?” section in the Genie’s profile not only to define its role, tone, and skills, but also to set explicit boundaries — specifying what your SAP Genie will not do. Clear constraints lead to focused, reliable, and secure behavior.

Genie Dos and Don'ts


Results so Far

Today, our SAP Basis Genie has over 20 curated SAP skills. Capabilities include, but are not limited to:

  • Full lifecycle management of all 5 SAP user types (Dialog, Service, System, etc.) across SAP ECC and S/4HANA systems.
  • User account comparison.
  • Role and profile assignments.
  • Bulk user account locking based on risk criteria.
  • Notifications for dormant accounts, failed logins (SAP_ALL users), unusual login patterns, etc.
  • Visual dashboards for SAP user activity.
  • Proactive remediation recommendations.
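
An added example, not Workato's recipe logic, of how the sanity checks listed above (dormant accounts, failed logins on SAP_ALL users, risk-based bulk locking) can be composed from atomic checks in the way the Function Recipes section describes. The thresholds, the lock-versus-review policy, the record layout and the sample users are assumptions; the field comments name the standard SAP table USR02.

```python
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90        # assumed threshold, not stated in the article
FAILED_LOGIN_LIMIT = 3   # assumed threshold, not stated in the article

@dataclass(frozen=True)
class SapUser:
    system: str                # system/client label (constructed)
    name: str                  # USR02-BNAME
    user_type: str             # USR02-USTYP: A Dialog, B System, C Communication, S Service, L Reference
    last_logon: "date | None"  # USR02-TRDAT; None = never logged on
    failed_logons: int         # USR02-LOCNT
    locked: bool               # USR02-UFLAG is non-zero
    has_sap_all: bool          # SAP_ALL profile assigned

def is_dormant(u, today):
    """Atomic check: no logon within DORMANT_DAYS (never = dormant; type L cannot log on)."""
    return u.user_type != "L" and (u.last_logon is None or (today - u.last_logon).days > DORMANT_DAYS)

def privileged_failed_logins(u):
    """Atomic check: repeated failed logons on an account holding SAP_ALL."""
    return u.has_sap_all and u.failed_logons >= FAILED_LOGIN_LIMIT

def findings(u, today):
    """Compose the atomic checks; already-locked accounts need no action."""
    if u.locked:
        return []
    checks = {"dormant": is_dormant(u, today),
              "failed_logins_sap_all": privileged_failed_logins(u)}
    return [name for name, hit in checks.items() if hit]

def triage(users, today):
    """Assumed policy: lock Dialog users; send technical users to human review."""
    plan = {"lock": [], "review": []}
    for u in users:
        hits = findings(u, today)
        if hits:
            plan["lock" if u.user_type == "A" else "review"].append((u.system, u.name, hits))
    return plan

# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    SapUser("S4D/100", "JDOE", "A", date(2024, 6, 1), 0, False, False),
    SapUser("S4D/100", "BASIS_ADM", "A", date(2025, 1, 10), 5, False, True),
    SapUser("ECC/200", "RFC_WORKATO", "B", None, 0, False, False),
    SapUser("ECC/200", "OLD_USER", "A", date(2023, 1, 1), 0, True, False),
    SapUser("S4D/100", "REF_SALES", "L", None, 0, False, False),
]
```

Technical users (System, Communication, Service) are routed to review rather than locked because locking them interrupts the RFC and OData connectivity that the article says most end users depend on.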

An Example of a Proactive Notification on Anomalies


An Example of a Visual Report


Example of another Visual Report
