Introduction

Purpose

The purpose of this document is to outline the application architecture of Signavio as deployed by SyWay, i.e. the Signavio Process Manager and Collaboration Hub modules.

Scope & Objectives

This document will describe the high-level architecture of the Signavio application.

Out of Scope:

  • Since Signavio is a SaaS application, network and infrastructure architecture will be considered out of scope.
  • Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
  • Modules such as Signavio Process Insights or Process Intelligence, which are not used and which may have different architectures.

Key Decisions and Requirements

| Description | Rationale |
|---|---|
| Configure SSO for Signavio. | As part of the SyWay project, a common authentication mechanism (i.e., SAML) will be adopted for ease of access and unified user experience. The use of SSO is also enforced via configuration. |
| Users must access Signavio using HTTPS. | Based on the SyWay implementation approach, all data in transit must be encrypted. |
| Data stored in BlackLine must be encrypted. | Syensqo cybersecurity requires all data at rest to be encrypted. |
| BlackLine must have appropriate data protection. | BlackLine performs data backups regularly so that point-in-time recovery can be performed to recover data. Additionally, backups must be replicated to another site to protect against a site disaster. |

Application Architecture

Overview

Signavio is deployed at Syensqo to model, analyze, and optimize business processes. Its primary use case is to document business processes using BPMN 2.0 and to assist in identifying areas for process improvement. The Process Manager and Process Collaboration Hub modules are activated in Syensqo's Signavio tenant.

Signavio is integrated with LeanIX so that application and business process data is replicated between the two systems as shown below. Signavio also publishes selected business processes to SAP Cloud ALM so that these can be used to organise Integration and User Acceptance Testing scopes. Signavio is also configured to perform SAML SSO with Syensqo's Entra ID.

[draw.io diagram]

Info: Business process replication from Signavio to LeanIX is planned to be activated after the SyWay design phase is completed and the processes are more stable (estimated Q1 2026).

Hosting Details

| Region | Region ID | Data Center ID | Infrastructure Provider |
|---|---|---|---|
| Germany: Frankfurt | XAF | EU10 | AWS |


System Landscape

Since Signavio is a tool to model business processes, only a single productive instance has been deployed at Syensqo.


Application Security

User access

Signavio is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure is required to access Signavio, and no application needs to be deployed onto Syensqo equipment.

When users log in for the first time using SSO, Signavio will automatically create a user ID with read-only access and assign a Collaboration Hub license to that user.

Authentication

Signavio is configured to perform SAML SSO with Syensqo Entra ID. The use of SSO is enforced via configuration, and users cannot bypass SSO to log in with a password.

Authorization

Effective authorizations are determined by the combination of a user's permissions to data inside the application (e.g. process models, dictionary objects), and the license assigned to the user. 

Authorisations to documents (such as process models) and dictionary objects (such as IT Systems, Executables, etc.) are controlled via custom Groups. The following Groups exist:  

  1. Users: Provides read access to the BPMN process models, the ability to create and edit QuickModels, and display-only access to the Dictionary and reference content such as SAP's Best Practice models. 
  2. Key Users: Provides the same access as the Users group, but adds full edit access to process models and the ability to create new Dictionary objects in selected folders, and to delete process models to help keep the repository tidy. 
  3. Administrators: Provides access to edit Signavio configuration, modelling conventions, and dictionary objects. Also provides permissions to publish models to the Collaboration Hub.

The license assigned to a user also controls the functionality to which a user has access. The following license types exist: 

  1. Collaboration Hub: The default license assigned to auto-provisioned users. This provides access to the Collaboration Hub only, to display and comment on models and to create new draft models using the "Quick Model" functionality.
  2. Enterprise Plus Edition: Provides full access to the Signavio Process Manager tool to create and edit BPMN process models, including access to the Dictionary. 

Effective authorizations are determined by the combination of a user's Group assignment and License assignment. For example, auto-provisioned users are assigned the Users group and Collaboration Hub license, thus providing read-only access to all models via the Collaboration Hub. Editing of models is prevented by the lack of a license that permits editing. 

Communication Security

SAP uses TLSv1.2 to encrypt customer data during transmission outside of the SAP-controlled network. 

Data Security

The following controls are implemented to ensure data security:

  • Data is segregated such that customers/tenants can only view or access their own data. 
  • Sensitive data such as passwords are stored in encrypted form using a secret key that is created explicitly for the application.
  • All data stored in Signavio is encrypted via database encryption at a disk level.
  • Backups, read replicas, and snapshots are encrypted.
  • Backups are replicated to multiple availability zones.

Other Controls

Signavio's System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services).

Operation Architecture

Change and Configuration Management

Since Signavio is a single instance landscape, change and configuration management is not applicable. 

Monitoring

Signavio's availability can be monitored through SAP for Me portal using:

Sizing

SAP monitors system load and utilization, and proactively scales up capacity during release deployment.

High Availability & Disaster Recovery

Signavio is deployed across multiple availability zones with the following SLA:

  • RPO - 4h
  • RTO - 24h

Backup/Restore

SAP performs full backups with the following schedule to meet SAP's recovery point objective.

| Backup Tier | Frequency | Retention Period |
|---|---|---|
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |

Release & Maintenance Plan

SAP has defined two windows for Signavio maintenance:

  • Weekly maintenance window - Every Saturday 2pm UTC (2h).
  • Major upgrade window - Saturday 8pm UTC (6h), up to 12 times a year. SAP will notify customers at least 5 business days in advance.

The definition of regular maintenance windows does not mean that maintenance outages will actually occur in each window. 

SAP is continuously improving and expanding the capabilities of Signavio. The following links provide more information on releases:

