Manage security settings

To enhance IT security, you can limit the access to your workspace by filtering IP addresses. In addition, you can define password policies to enforce strong passwords.

The security settings apply to every user currently in the workspace and also to all future users.

Set up IP address filtering

Users of the on-premises edition cannot set up IP address filters.

The IP address filter allows you to define a list of trusted IP addresses that can access SAP Signavio Process Manager and SAP Signavio Process Collaboration Hub. Devices with unlisted IP addresses can't access the workspace even with a valid username/password combination. This can be useful, for example, if you want to restrict access to your workspace or SAP Signavio Process Collaboration Hub to one or more specific companies.

For specifying IP addresses, the following rules apply:

  • The IP address filter is based on IPv4, therefore IPv6 addresses cannot be added to the list of trusted IP addresses.

  • Only Internet IP addresses are accepted. Local area network (LAN) IP addresses can't be listed because they depend on the local network configuration.

  • You must specify IP addresses in classless inter-domain routing (CIDR) notation. With the CIDR suffix, you specify whether to filter for an exact IP address or a range of IP addresses. The smaller the number after the slash, the greater the range of IP addresses.

    Example:

    99.123.134.246/8 –> range from 99.0.0.0 to 99.255.255.255

    99.123.134.246/16 –> range from 99.123.0.0 to 99.123.255.255

    99.123.134.246/24 –> range from 99.123.134.0 to 99.123.134.255

    99.123.134.246/32 –> exactly 99.123.134.246

The operating administrator's IP address is added automatically, so if you are setting up the list of trusted IP addresses and are using a static IP address, you get access from your current device automatically.
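The following added example (not part of the SAP Signavio product or its documentation) checks candidate entries against the three rules above before you type them into the trusted list, and shows which range each CIDR suffix actually covers. The list of non-public ranges and the function names are assumptions made for this sketch; the page does not say which blocks the filter rejects.

```python
import ipaddress

# Assumption: "LAN addresses" means these reserved IPv4 blocks (the page does not list them).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
)]

def check_entry(entry):
    """Return (network, detail); network is None when the entry breaks a rule."""
    if "/" not in entry:
        return None, "missing CIDR suffix (use /32 for one address)"
    try:
        # strict=False accepts host bits, as in 99.123.134.246/16
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None, "not a valid address in CIDR notation"
    if net.version != 4:
        return None, "IPv6 is not supported"
    if any(net.overlaps(r) for r in NON_PUBLIC):
        return None, "overlaps a non-public range"
    return net, f"{net[0]} to {net[-1]} ({net.num_addresses} addresses)"

def is_trusted(client_ip, entries):
    """True if client_ip falls inside any valid entry of the trusted list."""
    addr = ipaddress.ip_address(client_ip)
    nets = [check_entry(e)[0] for e in entries]
    return any(n is not None and addr in n for n in nets)

if __name__ == "__main__":
    # Constructed sample entries
    for e in ("99.123.134.246/8", "99.123.134.246/24", "99.123.134.246/32",
              "99.123.134.246", "192.168.1.10/24", "2001:db8::1/64"):
        print(f"{e:22} {check_entry(e)[1]}")
```

The address count in the output makes the effect of a short suffix visible: a /8 entry trusts more than 16 million addresses, so prefer the longest suffix that still covers your egress addresses.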

To filter for IP addresses, follow these steps:

  1. In the explorer, click Setup > Edit security configuration.

  2. Check Activate IP Filtering.

  3. Enter a CIDR IP address and click Add.
    The IP address is added to the list of trusted addresses.

  4. Save your changes.
    The IP address filter is active.

To remove an IP address from the list of trusted addresses, select the IP address and click Remove.

To completely deactivate the IP address filtering, disable the option Activate IP Filtering.

Trusted domains

SAP Signavio Process Collaboration Hub can only be embedded in third-party systems via iframes if trusted domains are used. If a domain not included in the trusted domains is used, web browsers don't load the page, and instead show a security violation page to the users.

To embed SAP Signavio products in an iframe using trusted domains, you have the following options:

  • Use one of the public trusted domains

  • Add workspace-specific trusted domains

Use public trusted domains

Some common third-party tools use domains that are public trusted domains.

When you embed SAP Signavio Process Collaboration Hub in the following domains, no further action is required on your side:

  • *.atlassian.net

  • *.sharepoint.com

  • *.force.com

Add workspace-specific trusted domains

When you want to embed SAP Signavio Process Collaboration Hub in other third-party tools, you have to add the domains to the security configuration and adapt the URLs.

Follow these steps:

  1. In the explorer, open Setup > Edit security configuration.

  2. In the section Domain policies, add the trusted domains.

  3. Add the parameter ?t=<workspace_id> to the URLs used for embedding.

Define a password policy

To enforce the use of secure passwords, you can implement a password policy. This allows you to prevent access security issues even if many users have access to your workspace.

The password policy applies whenever users set a password.

To define a password policy, follow these steps:

  1. In the explorer, click Setup > Edit security configuration.

  2. In the section Password policies, select the requirements that passwords have to fulfill (see the list Configuration options for the password policy).

  3. Save your changes.
    The password policy is active and users need to choose a password that fulfills the password policy.

Configuration options for the password policy

  • Enforce SSO login

    Define whether users can log in using their email and password on the login page or whether to enforce SSO using SAML. Read more in section Single sign-on using SAML.

  • Complexity requirements

    A password is accepted when it meets at least three of the following requirements:

    • at least one capital letter (A to Z)

    • at least one lower case letter (a to z)

    • at least one number (0-9)

    • at least one special character (!,§,$,%,&,?,#)

  • Consider user name

    Users can't use their first or last name in a password, no matter if written in upper or lower case.

  • Consider user name (strict)

    Users can't use three or more letters in the same order as in the user's first or last name in a password, no matter if written in upper or lower case.

  • Minimum password age

    Users can't change a password, unless the specified number of days since the last change has passed.

  • Maximum password age

    Users are prompted to change their password after the specified number of days has passed.

    We recommend setting a maximum password age.

  • Minimum password length

    Define the minimum length of a password. Usually, longer passwords are more secure than shorter ones.

  • Maximum password length

    Define the maximum length of a password.

  • Password history

    Users can't reuse passwords immediately. For example, if the number is set to 5, the last 5 used passwords can't be set as a new password.
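To preview how the options interact before enabling them, the added sketch below (not SAP Signavio code) evaluates a candidate password against the length, complexity, and both user name options. The `Policy` field names are hypothetical, the special-character set is assumed to be exactly the characters listed above, and the strict option is interpreted as "any run of three consecutive letters of a name".

```python
from dataclasses import dataclass

SPECIALS = set("!§$%&?#")  # assumption: exactly the characters listed on the page

@dataclass
class Policy:  # hypothetical container; field names are not SAP Signavio's
    complexity: bool = True
    consider_name: bool = True
    consider_name_strict: bool = False
    min_length: int = 10
    max_length: int = 64

def violations(password, first, last, policy):
    """Return the list of policy options the password fails (empty = accepted)."""
    failed = []
    if not policy.min_length <= len(password) <= policy.max_length:
        failed.append("length")
    if policy.complexity:
        classes = [
            any("A" <= c <= "Z" for c in password),
            any("a" <= c <= "z" for c in password),
            any("0" <= c <= "9" for c in password),
            any(c in SPECIALS for c in password),
        ]
        if sum(classes) < 3:  # three of the four classes are enough
            failed.append("complexity")
    pw = password.lower()  # name checks ignore upper and lower case
    names = [n.lower() for n in (first, last) if n]
    if policy.consider_name and any(n in pw for n in names):
        failed.append("user name")
    if policy.consider_name_strict:
        # Assumption: "three or more letters in the same order" = any 3-letter run of a name
        runs = {n[i:i + 3] for n in names for i in range(len(n) - 2)}
        if any(r in pw for r in runs):
            failed.append("user name (strict)")
    return failed
```

For the constructed user Maria Schmidt, `Sch-Winter24!` passes the plain user name option but fails the strict one because it contains the run `sch`.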