| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link | |
The purpose of this document is to outline the application architecture of Signavio as deployed by SyWay, i.e. the Signavio Process Manager and Collaboration Hub modules.
Scope & Objectives
This document will describe the high-level architecture of the Signavio application.
Out of Scope:
- Since Signavio is a SaaS application, network and infrastructure architecture will not be covered.
- Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
- Modules such as Signavio Process Insights or Process Intelligence which are not used, and which may have different architectures.
Key Decisions and Requirements
| Description | Rationale |
|---|---|
| Configure SSO for Signavio | As part of the SyWay project, a common authentication mechanism (i.e. SAML) will be adopted for ease of access and a unified user experience. The use of SSO is also enforced via configuration. |
| Users must access Signavio using HTTPS | Based on the SyWay implementation approach, all data in transit must be encrypted. |
Application Architecture
Overview
Signavio is deployed at Syensqo to model, analyze, and optimize business processes. Its primary use case is to document business processes using BPMN 2.0 and to assist in identifying areas for process improvement. The Process Manager and Process Collaboration Hub modules are activated in Syensqo's Signavio tenant.
Signavio is integrated with LeanIX so that application and business process data is replicated between the two systems as shown below. Signavio also publishes selected business processes to SAP Cloud ALM so that these can be used to organise Integration and User Acceptance Testing scopes. Signavio is also configured to perform SAML SSO with Syensqo's Entra ID.
Business process replication from Signavio to LeanIX is planned to be activated after the SyWay design phase is completed and the processes are more stable (estimated Q1 2026).
Hosting Details
| Region | Region ID | Data Center ID | Infrastructure Provider |
|---|---|---|---|
| Germany: Frankfurt | XAF | EU10 | AWS |
System Landscape
Since Signavio is a tool to model business processes, only a single productive instance has been deployed in Syensqo.
Application Security
User access
Signavio is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure is required to access Signavio, and no application needs to be deployed on Syensqo equipment.
When users log in for the first time using SSO, Signavio will automatically create a user ID with read-only access and assign a Collaboration Hub license to that user.
Authentication
Signavio is configured to perform SAML SSO with Syensqo Entra ID. The use of SSO is mandatorily enforced via configuration, and users cannot bypass SSO to log in with a password.
Authorization
Effective authorizations are determined by the combination of a user's permissions to data inside the application (e.g. process models, dictionary objects), and the license assigned to the user.
Authorizations to documents (such as process models) and dictionary objects (such as IT Systems, Executables, etc.) are controlled via custom Groups. The following Groups exist:
- Users: Provides read access to the BPMN process models, the ability to create and edit QuickModels, and display-only access to the Dictionary and reference content such as SAP's Best Practice models.
- Key Users: Provides the same access as the Users group, but adds full edit access to process models and the ability to create new Dictionary objects in selected folders, and to delete process models to help keep the repository tidy.
- Administrators: Provides access to edit Signavio configuration, modelling conventions, and dictionary objects. Also provides permissions to publish models to the Collaboration Hub.
The license assigned to a user also controls the functionality to which a user has access. The following license types exist:
- Collaboration Hub: The default license assigned for auto-provisioned users. This provides access to the Collaboration Hub only to display and comment on models, and to create new draft models using the "Quick Model" functionality.
- Enterprise Plus Edition: Provides full access to the Signavio Process Manager tool to create and edit BPMN process models, including access to the Dictionary.
Effective authorizations are determined by the combination of a user's Group assignment and License assignment. For example, auto-provisioned users are assigned the Users group and Collaboration Hub license, thus providing read-only access to all models via the Collaboration Hub. Editing of models is prevented by the lack of a license that permits editing.
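The Group and License combination above can be checked in a periodic access review. The following is an added example, not part of the Signavio product or of SAP's tooling: it models effective rights as the intersection of what the Groups grant and what the License permits (an assumption of this example), and flags assignments where the two disagree. The capability names, the CSV column layout and the sample rows are constructed for illustration.

```python
import csv
import io

BASE = {"read_models", "quickmodel"}
WRITE = {"edit_models", "delete_models", "create_dictionary",
         "edit_config", "edit_dictionary", "publish_models"}

# Capability names are labels invented for this example, derived from the
# group and license descriptions in this document.
GROUP_GRANTS = {
    "Users": set(BASE),
    "Key Users": BASE | {"edit_models", "delete_models", "create_dictionary"},
    "Administrators": {"edit_config", "edit_dictionary", "publish_models"},
}
LICENSE_PERMITS = {
    "Collaboration Hub": set(BASE),
    "Enterprise Plus Edition": BASE | WRITE,
}

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """user,groups,license
alice@example.com,Users,Collaboration Hub
bob@example.com,Users;Key Users,Collaboration Hub
carol@example.com,Users,Enterprise Plus Edition
dave@example.com,Users;Key Users,Enterprise Plus Edition
erin@example.com,Users;Contractors,Collaboration Hub
"""

def review(export_text):
    """Return {user: (effective write capabilities, findings)}."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings, granted = [], set()
        for group in (g.strip() for g in row["groups"].split(";")):
            if group not in GROUP_GRANTS:
                findings.append("UNKNOWN_GROUP:" + group)
            granted |= GROUP_GRANTS.get(group, set())
        permitted = LICENSE_PERMITS.get(row["license"].strip())
        if permitted is None:
            findings.append("UNKNOWN_LICENSE")
            permitted = set()
        if (granted & WRITE) - permitted:
            findings.append("GRANT_BLOCKED_BY_LICENSE")
        if permitted & WRITE and not granted & WRITE:
            findings.append("LICENSE_EXCEEDS_GROUPS")
        results[row["user"]] = (sorted(granted & permitted & WRITE), findings)
    return results

if __name__ == "__main__":
    for user, (writes, findings) in review(SAMPLE_EXPORT).items():
        print(user, writes or "read-only", findings)
```

A GRANT_BLOCKED_BY_LICENSE finding marks a user for whom the license is the only control preventing edits; LICENSE_EXCEEDS_GROUPS marks a user who is one Group change away from edit access.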
Communication Security
SAP uses TLSv1.2 to encrypt customer data during transmission outside of the SAP-controlled network.
Data Security
The following controls are implemented to ensure data security:
- Data is segregated such that customers/tenants can only view or access their own data.
- Sensitive data such as passwords are stored in encrypted form using a secret key that is created explicitly for the application.
- All data stored in Signavio is encrypted via database encryption at a disk level.
- Backups, read replicas, and snapshots are encrypted.
- Backups are replicated to multiple availability zones.
Other Controls
Signavio's System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services).
Operation Architecture
Change and Configuration Management
Since Signavio is a single instance landscape, change and configuration management is not applicable.
Monitoring
Signavio's availability can be monitored through SAP for Me portal using:
Sizing
SAP monitors system load and utilization, and proactively scales up capacity during release deployment.
High Availability & Disaster Recovery
Signavio is deployed across multiple availability zones with the following SLA:
- RPO - 4h
- RTO - 24h
Backup/Restore
SAP performs full backups with the following schedule to meet SAP's recovery point objective.
| Backup Tier | Frequency | Retention Period |
|---|---|---|
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |
Release & Maintenance Plan
SAP has defined two windows for Signavio maintenance:
- Weekly maintenance windows - Every Saturday 2pm UTC (2h).
- Major Upgrade Window - Up to 12 times a year and SAP will notify customers at least 5 business days in advance. Saturday 8pm UTC (6h).
The definition of regular maintenance windows does not mean that maintenance outages will actually occur in each window.
SAP is continuously improving and expanding the capabilities of Signavio. The following links provide more information on releases: