Sign Avio Administration Guide

12/19/2022
Administration Guide for SAP Signavio

Process Insights
Generated on: 2022-12-19 00:18:12 GMT+0000
SAP Signavio Process Insights | Cloud
PUBLIC
Original content: https://help.sap.com/docs/BPI/f5642e5272c1465986661c763b56213d?locale=en-

US&state=PRODUCTION&version=CLOUD
Warning
This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not re ect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.
For more information, please visit the https://help.sap.com/docs/disclaimer.
This is custom documentation. For more information, please visit the SAP Help Portal 1
12/19/2022
Administration Guide for SAP Signavio Process Insights

This administration guide describes the steps you need to perform as an administrator to set up and run SAP Signavio Process
Insights.
This guide addresses the following target audiences:
System administrators
Technical consultants
About SAP Signavio Process Insights
Overview
SAP Signavio Process Insights is a cloud solution running on SAP Business Technology Platform (SAP BTP) that delivers data-
driven insights into business processes and their usage based on data from multiple ERP systems. It helps organizations to
achieve business process excellence by helping to identify where processes can be improved, allowing users to drill down to
understand root causes, and providing recommendations on how to improve. It allows users to navigate through their business
process transformation journey from insight to action to maximize process excellence.
Features
The primary features of the solution are the following:
Process ows
Performance indicators
Correction recommendations
Innovation recommendations
For more information about the features and their bene ts, see the Application Help on SAP Help Portal.
System Landscape
The following diagram outlines the system landscape and what SAP systems, applications, and components are involved.
12/19/2022
Technical Prerequisites
Understand the prerequisites for your ERP systems and network settings as well as the steps to prepare to set up SAP Signavio
Process Insights at a glance.
The following prerequisites apply to all ERP systems connected to SAP Signavio Process Insights:
1. Managed ERP System Requirements 4. Users Required in ERP System
Your ERP system must meet the

following product and software A background user with the following A dialog user with the following
component version requirements: authorizations: PFCG roles and authorizations:
PFCG role SAP_SDF_ALM_SETUP

Product software versions: SAP
SAP_SDF_ALM_METRIC_PUSH_FND
ERP 6.0 with Enhancement Access to SE16, ST13,
Package 7 or 8 or SAP PFCG role SLG1
S/4HANA (any version in SAP_SDF_ALM_METRIC_PUSH_BPMON
maintenance)
PFCG role
Software component versions SAP_MANAGED_BPOANA_ALL
for your system:
Authorization object M_MTDI_ORG
SAP_BASIS 740 (Organizational Levels for Material
(SAP NetWeaver 7.4) Requirements Planning), authorization
SP20 or higher for activity category L MRP (MRP list,
(accordingly individual display).
SAP_BASIS 750 (SAP
NetWeaver 7.5) SP04)
See also: Setting Up a Data Connection
Or SAP_BASIS 740
(SAP NetWeaver 7.4)
SP09-SP19 or 5. Certi cate, Parameters, and Settings
12/19/2022
SAP_BASIS 750 (SAP Certi cate Parameters
NetWeaver 7.5) SP01-
SP03 when SAP Note Install the certi cate required in your ERP system The pro le parameter
2283880 is as outlined under Installing the Required icm/HTTPS/client_sni_enabled is set to

implemented Certi cate. TRUE in your managed system as outlined in the
prerequisites under Setting Up a Data
Connection.
 Note
The SAP Signavio Process Insights Proxy Settings Network Settings
solution doesn't currently support
SAP S/4HANA Cloud as a source The connection between the managed system Ensure that your company's network settings
system for ERP data. However, SAP and SAP Signavio Process Insights is established permit outbound communications to the internet
S/4HANA private cloud is supported. using an HTTPS connection. If your organization through port 443 (HTTPS) to the domains for the
uses proxies, the proxies must be maintained solution.
when establishing the connection using
See also: Also ensure your company's IT specialist permits
transaction /n/SDF/ALM_SETUP or directly in
the system connection using transaction SM59. the URLs and IP addresses required by the SAP
Additional Software
Signavio Process Insights solution for
2. ERP System Plug-Ins Required See also: communication as outlined under Con guring
Your Network Settings.
Setting Up a Data Connection
The following minimum versions are
See also:
required: Checking the Data Collection
Con guration Preparing for the Outbound HTTP Connection
ST-PI 7.40 SP16
Issues While Setting Up the Data
ST-A/PI 01U_731 SP3
Connection
See also:
Additional Software
6. Identity Provider and Browsers
Installing ST-PI and ST-A/PI Plug-Ins
Identity Provider Supported Browsers
3. SAP Notes Required
The solution works with an identity provider that You can use the latest versions of Google
The SAP Notes listed below must be you choose. If you use a custom identity provider Chrome, Microsoft Edge, Mozilla Firefox, or
implemented for your ST-PI and ST-A/PI that isn't the default identity provider of SAP Apple Safari on macOS. Microsoft Internet
versions. Business Technology Platform, the solution Explorer isn't supported.
authenticates users based on SAML 2.0. To use
 Tip this SAML-based authentication, you must  Note
Keep in mind that newer versions of maintain an identity provider that supports
We recommend that you view the application
SAP Notes become available over SAML 2.0. See also Con guring Your Identity
with a minimum screen resolution of 1440 x
time. Plan to implement new Provider Service.
900.
versions when they become
available. You can ensure you're
noti ed about new versions of an
SAP Note by opening it and choosing 7. Setup Steps
 Mark as Favourite for each SAP
Note. Also ensure in the noti cation For an overview of the setup and onboarding steps, which include steps in SAP BTP and your managed
settings for your Support Portal user ERP system, see Onboarding.
(under Manage Noti cations) that
noti cations are active for My SAP
Notes & KBA.
 Caution
Not installing the required SAP
Notes may result in technical issues,
which may have a negative impact
on your business operations.
ST-PI Version SAP Note
ST-PI 7.40 SP20 3240966
ST-PI 7.40 SP18 3196078

and SP19
12/19/2022
ST-PI 7.40 SP17 3133333
ST-PI 7.40 SP16 3104662
ST- SAP ERP SAP

A/PI System S/4HANA
Version System
ST-A/PI SAP ERP: SAP

01V_731 3194251 S/4HANA:
SP0 3194259
and
Framework: and
3159166
SAP ERP:
3194251
and
Framework:
3159166
ST-A/PI SAP ERP: SAP

01U_731 3111576 S/4HANA:
SP3 3111641
and
and
Framework:
3070521 SAP ERP:
3111576
and
Framework:
3070521
See also: Installing ST-PI and ST-A/PI

Plug-Ins
Related Information
Additional Software
Additional Services
Browsers Supported
Other Prerequisites
Troubleshooting
Additional Software
The following is required to be able to use the features of the solution.
To collect your process and process performance data, the following product and software component versions are
required:
Product software versions: SAP ERP 6.0 with Enhancement Package 7 or 8 or SAP S/4HANA (any version in
maintenance)
Software component versions for your system:
12/19/2022
SAP_BASIS 740 (SAP NetWeaver 7.4) SP20 or higher (accordingly SAP_BASIS 750 (SAP NetWeaver 7.5)
SP04)
Or SAP_BASIS 740 (SAP NetWeaver 7.4) SP09-SP19 or SAP_BASIS 750 (SAP NetWeaver 7.5) SP01-
SP03 when SAP Note 2283880 is implemented
 Note
The SAP Signavio Process Insights solution doesn't currently support SAP S/4HANA Cloud as a source system for
ERP data. However, SAP S/4HANA private cloud is supported.
The following minimum versions of the ST-PI and ST-A/PI plug-ins or higher:
ST-PI 7.40 SP16
ST-A/PI 01U_731 SP3
 Caution
It's technically possible to use ST-A/PI 01U_731 SP2. However, if you don't install SP3, not all the data required by the
newest performance indicators is collected. Some boxes in process ows will therefore be fully missing metrics, for
example, and may appear to contain 0 business object instances as a result.
 Tip
You can check what versions are installed in your ERP system and whether you need to update to a newer version by
using transaction SE38 to run report RTCCTOOL. A red traffic light in the report's output lets you know if you need to
update your ST-PI or ST-A/PI versions.
However, the latest versions are recommended.
 Note
For the ST-PI plug-in, the latest version is ST-PI 7.40 SP20.
For the ST-A/PI plug-in, the latest version is ST-A/PI 01V_731 SP0.
You also need to ensure the relevant SAP Notes are implemented for your ST-PI and ST-A/PI versions.
 Tip
Keep in mind that newer versions of SAP Notes become available over time. Plan to implement new versions when they
become available. You can ensure you're noti ed about new versions of an SAP Note by opening it and choosing  Mark as
Favourite for each SAP Note. Also ensure in the noti cation settings for your Support Portal user (under Manage
Noti cations) that noti cations are active for My SAP Notes & KBA.
 Caution
Not installing the required SAP Notes may result in technical issues, which may have a negative impact on your business
operations.
ST-PI 7.40 SP20 3240966
ST-PI 7.40 SP18 and SP19 3196078
ST-PI 7.40 SP17 3133333
12/19/2022
ST-PI 7.40 SP16 3104662
ST-A/PI Version SAP ERP System SAP S/4HANA System
ST-A/PI 01V_731 SP0 SAP ERP: 3194251 SAP S/4HANA: 3194259
and and
Framework: 3159166 SAP ERP: 3194251
and
Framework: 3159166
ST-A/PI 01U_731 SP3 SAP ERP: 3111576 SAP S/4HANA: 3111641
and and
and
Framework: 3070521
Additional Services
The solution works with an identity provider that you choose. If you use a custom identity provider that isn't the default identity
provider of SAP Business Technology Platform, the solution authenticates users based on SAML 2.0. To use this SAML-based
authentication, you must maintain an identity provider that supports SAML 2.0. See also Con guring Your Identity Provider
Service.
Browsers Supported
You can use the latest versions of Google Chrome, Microsoft Edge, Mozilla Firefox, or Apple Safari on macOS. Microsoft Internet
Explorer isn't supported.
 Note
We recommend that you view the application with a minimum screen resolution of 1440 x 900.
Other Prerequisites
Ensure you can meet any additional prerequisites to implementing the solution.
To allow communication between the managed system on your local network and your cloud tenant for SAP Signavio Process
Insights, you must ensure that your network settings permit outbound communications to the internet through port 443
(HTTPS) to the domains for the solution.
You also need to ensure the required certi cate can be imported to your SAP ECC or SAP S/4HANA system to allow
communication between your managed system and your cloud tenant.
For more information about what's required in relation to network settings and installing the required certi cate, see Preparing
for the Outbound HTTP Connection.
12/19/2022
Onboarding
As a new customer of SAP Signavio Process Insights, you want to understand the overall onboarding process and what steps
and stages are involved to get things up and running.
Before you start to onboard as a new customer, ensure you understand and can meet the technical prerequisites:
Please note that image maps are not interactive in PDF output.
The following interactive image provides an overview of the onboarding process.
 Tip
Click each stage to show more information.
Please note that image maps are not interactive in PDF output.
 Tip
How you can best handle your subaccounts and subscriptions depends on the solution package you have:
If you have the SAP Signavio Process Insights, base package, we recommend that you use the two tenants available
to you as separate tenants for validation and production use.
Use the test service plan in one subaccount to connect the solution to a quality system rst so you can
validate the data collection process.
Like this, you can connect the solution to multiple quality systems to validate the data collection process for
each system.
12/19/2022
Once you've successfully validated the process with data from your quality system in your rst subaccount,
proceed to connect the solution to your production system in your second subaccount with the subscription for
the production tenant (standard service plan).
If you're accessing the solution using the SAP Signavio Process Insights, starter pack as part of the business process
transformation starter pack for RISE with SAP, we recommend that you proceed as follows to rst validate the
process using your quality system:
First connect the solution to your quality system to validate the data extraction process. Once you've
successfully validated the process in your quality system, you can proceed to connect the solution to your
production system.
To be able to connect your production system, unregister your managed system to remove the connection
from this system to your cloud tenant. For information about connecting and disconnecting your managed
system, see Setting Up a Data Connection. Once you've unregistered your quality system, unsubscribe from
the application in the SAP BTP cockpit. This fully resets the database for you before you subscribe to the
application again to connect to your production system.
This approach also applies if you're an SAP partner with a cloud test and demonstration license and you're
subscribing to the application using the partner application plan.
 Note
Since time factors are relevant in data collected for performance indicators, only data collected from your production
system can be considered valid data.
For more information, see Setting Up Data Collection in Managed Systems.
Related Information
Initial Setup in SAP BTP
Con guring Your Identity Provider Service
User Management
Setting Up Data Collection in Managed Systems
Initial Setup in SAP BTP

Understand what you need to do in SAP Business Technology Platform (SAP BTP) to prepare your cloud tenant for SAP Signavio
Process Insights.
Related Information
Subscribing to the Application
Getting Your Service Key Details

You've signed a contract that gives you access to SAP Signavio Process Insights and you're ready to subscribe to the
application.
Once you have access to your SAP BTP global account, you can use the booster available to prepare your account for SAP
Signavio Process Insights. The booster is a wizard that guides you through some short steps to automate the following tasks:
12/19/2022
Create a new subaccount or select an existing subaccount in your global account.
Assign entitlements from your global account to the subaccount.
Create the relevant subscriptions.
Create and assign role collections to you as subaccount administrator. You can also specify other users to be assigned
the role collections in the subaccount.
Create a default space, a service instance, and a service key
Watch this video to understand how you can prepare your account for SAP Signavio Process Insights in SAP BTP using the
available booster:
Open this video in a new window
For more information about the concept of boosters, see Boosters in the SAP BTP documentation.
 Note
As a customer of the SAP Signavio Process Insights, base package, you're entitled to two tenants for the solution and
storage of up to 50 GB. This means you can have a subaccount for each of the two subscriptions you're entitled to. This
allows you to do the following:
Work in a quality tenant that you use to connect to your quality system (using the test application plan
subscription).
Work in a standard tenant that you use to connect to your production system (using the standard application plan
subscription).
This means you might want to run the booster twice to prepare each of the subaccounts for the test and standard
service plans subscriptions of your SAP Signavio Process Insights application.
If you have access to the SAP Signavio Process Insights solution as part of the RISE with SAP package, you're entitled to just
one application subscription (using the rise application plan). The same is true if you're an SAP partner with a cloud test
and demonstration license and you're subscribing to the application using the partner application plan.
12/19/2022
Preparing an Account for SAP Signavio Process Insights

Prepare an account for SAP Signavio Process Insights in SAP BTP using the available booster.
Prerequisites
You've received a welcome email from SAP BTP about your global account set up in SAP BTP. This email is sent to the
email address speci ed in your contract.
You have administrator access to your global account in SAP BTP and this account has the entitlements for the SAP
Signavio Process Insights application and the API service.
 Tip
The person in your organization named as the main IT contact in your contract is the person who is then given access
to the global account and is assigned the entitlements. So, this person is the only person who is initially the global
account administrator.
If you're new to working with SAP BTP, see Log On to Your Global Account in the SAP BTP documentation for
information.
For information about how your initial global account administrator can assign the Global Account Administrator
role collection to another person who's to prepare your account, see Add Members to Your Global Account in the
SAP BTP documentation.
 Tip
If you're unsure who your global account administrator is or they're no longer available to grant access to
another person, see Onboarding in the SAP BTP for information about how to proceed.
You can check the entitlements of your global account in the SAP BTP cockpit. To do this, choose Entitlements
Service Assignments and select SAP Signavio Process Insights to see what plan entitlements are con gured.
Procedure
1. From your global account in the SAP BTP cockpit, choose Boosters.
2. Search for SAP Signavio Process Insights.
12/19/2022
3. Get more information about what the booster does by choosing the tile.
4. Launch the booster by choosing Start.
The booster wizard loads and the prerequisite checks run automatically. These checks ensure that your user account has
the required authorizations to subscribe to services and that your SAP BTP global account has the entitlements for SAP
Signavio Process Insights.
12/19/2022
5. When the check has completed successfully, choose Next.
If the checks aren't successful, check that the prerequisites outlined above are met.
6. In the Select Scenario step, specify whether you want to create a new subaccount or select an existing one.
 Note
If you select an existing subaccount, Cloud Foundry must already be enabled for this subaccount.
7. In the Con gure Subaccount step, provide the details for your subaccount.
a. Select the plan you want to subscribe to based on your entitlements. Only those plans that you're entitled to are
available.
Refer to the following information outlining what plans to select.
Name Plan Type Description
12/19/2022
Name Plan Type Description
SAP Signavio Process test Subscription This application plan is

Insights available if you have the
SAP Signavio Process
(technical name: process-
Insights, base package.
insights) Select this plan when you
want to subscribe to the
application in your
subaccount intended for
quality and validation
purposes.
standard Subscription This application plan is

available if you have the
SAP Signavio Process
Insights, base package.
Select this plan when you
want to subscribe to the
application in your
subaccount intended for
productive use.
rise Subscription This application plan is

available if you have access
to the solution as part of
your RISE with SAP
package. Select this plan as
a RISE with SAP customer.
partner Subscription This application plan is

available if you have access
to the solution as an SAP
partner with a cloud test
and demonstration license.
SAP Signavio Process standard Instance This service plan is

Insights available in addition to the
application plan for your
(technical name: process-
subscription. You must
insights-api) subscribe to this service
plan for the API service in
addition to an application
plan.
b. Specify the relevant details for the subaccount if you're creating a new one.
12/19/2022
You can select from the following providers and regions.
Infrastructure Provider Region Region ID
Amazon Web Services Australia (Sydney) ap10
Amazon Web Services Canada (Montreal) ca10
Amazon Web Services Europe (Frankfurt) eu10
Amazon Web Services Europe (Frankfurt) eu11
Amazon Web Services Japan (Tokyo) jp10
Amazon Web Services U.S. East (VA) us10
Microsoft Azure Europe (Netherlands) eu20
Microsoft Azure U.S. West (WA) us20
Each region consists of multiple data centers in different locations.
 Note
The AWS data center in Europe (Frankfurt) with region ID eu11 is only available if you're explicitly eligible for EU
access only in line with the terms of your contract. If you still require a European data center, you can choose
the AWS data center in Europe (Frankfurt) with region ID eu10, or alternatively, choose Microsoft Azure as the
provider and Europe (Netherlands) as the region (eu20).
For more information about the data centers supported, see Where does the solution store data? under Data
Security and Storage Questions in the Frequently Asked Questions for Administrators.
8. In the Add Users step, enter the email addresses of any users who are to be assigned role.
 Note
Any users you enter here will also be assigned role collections for SAP BTP. If your users don't need SAP BTP role
collections assigned to them or if you want to assign role collections to user groups de ned in your identity provider,
assign the role collections later as outlined under User Management.
12/19/2022
The users you enter for Administrators are assigned role collections for administrators and business users of SAP
Signavio Process Insights, together with the Subaccount Administrator role collection for SAP BTP.
The users you enter for Developers are assigned role collections for SAP Signavio Process Insights business users,
together with the Subaccount Viewer role collection for SAP BTP.
For more information about the SAP Signavio Process Insights roles, see User Management.
 Note
If your organization is using SAP ID service as the identity provider and users have an SAP Universal ID, it's possible
that the email addresses for SAP Universal ID and SAP ID service aren't the same. In this case, it's the email
associated with their SAP ID service that users must enter in the SAP BTP cockpit ( Security Users ).
 Note
As the administration user running the booster, your user is automatically assigned all roles, so you don't need to
enter your own details.
The booster also creates the SAP Signavio Process Insights Data Privacy Administrator role
collection, which contains the DATA_PRIVACY_ADMIN role intended for data privacy and protection officers. This
isn't assigned to any users as part of the booster. If you want to assign this role collection to a user, do it manually.
See Assigning Role Collections to Users or User Groups under Assigning Role Collections to Users or User Groups.
9. In the nal Review step, review all the details you entered or selected and choose Finish.
12/19/2022
The booster now runs and the processing progress of the various tasks is shown.
 Note
In some cases, service instance creation may fail. If this happens, you can create your service instance manually. For
more information, see Manually Creating a Service Instance for the API Service.
10. Once the booster has completed, open the SAP Signavio Process Insights application as follows:
a. Choose Navigate to Subaccount.
b. Choose Services Instances and Subscriptions .
c. Under Subscriptions, choose Go to Application for the SAP Signavio Process Insights application listed. This
provides the URL to the application.
Next Steps
You've now prepared your subaccount for SAP Signavio Process Insights and are ready to connect an ERP system to your cloud
tenant. To do this, you'll need the details of the service key that was created with the service instance. For more information
about how to get your service key, see Getting Your Service Key Details.
Getting Your Service Key Details

12/19/2022
Once you've successfully run the booster for SAP Signavio Process Insights, a service instance is created in the space in your
subaccount that contains your SAP Signavio Process Insights subscription. A service key is also created for that service instance
in the SAP BTP cockpit.
The service key is what allows you to con gure your managed ERP system so that it can connect to the SAP Signavio Process
Insights API service instance. So, you need to get the following parameters from the service key so you can connect your ERP
system:
clientid and clientsecret: Client ID and client secret to access the service
url: Token endpoint to generate the authorization token
uri: Application base URL
Prerequisites
Your user has the Administrator role in your global account.
You can verify that you have this authorization in the SAP BTP cockpit by navigating to the global account that contains
your SAP Signavio Process Insights entitlement and choosing Members. If you don't have this role, the global account
administrator can assign it to as outlined in Add Members to Your Global Account.
Your user has the Org Manager role in your organization.
You can verify that you have this authorization by choosing Cloud Foundry Org Members . If you don't have this role,
the org manager can assign it to you as outlined in Add Org Members Using the Cockpit.
The booster has been run to prepare the account or somebody has manually completed the steps handled by the
booster that are outlined under Subscribing to the Application.
Procedure
You can get the service key details as follows:
1. Go to your subaccount in the SAP BTP cockpit of SAP Business Technology Platform. This is typically the subaccount you
created when you subscribed to the application using the booster as outlined under Subscribing to the Application.
2. In your subaccount, choose Instances and Subscriptions in the side menu.
3. Under Instances, you should see a service instance for SAP Signavio Process Insights. Choose the link for the key that
was created for the service instance.
4. Copy or download the JSON so you have the details and can paste them into your managed ERP system. You need these
details when you set up the connection as outlined under Setting Up a Data Connection.
 Caution
Outside of the SAP BTP cockpit, service keys must be stored securely since it's the key that allows data to be sent to
your tenant. If you need a service key, create the service key directly in the SAP BTP cockpit, and access it from there
whenever you need it.
The service key contains the following parameters required to connect your managed system to the SAP Signavio
Process Insights API service instance:
12/19/2022
Next Steps
You later need the details of this service key to set up the connection between the HTTP destination service of your managed
system and SAP Signavio Process Insights.
For information about setting up the connection, see Setting Up a Data Connection.
Con guring Your Identity Provider Service

SAP Signavio Process Insights works with a supported identity provider that you choose. You must ensure that you've
con gured your identity provider correctly and securely.
Identity Provider
SAP Signavio Process Insights runs in the Cloud Foundry environment of SAP Business Technology Platform (SAP BTP). The
default identity provider of SAP BTP is SAP ID service. Trust to SAP ID service in your subaccount is precon gured in the Cloud
Foundry environment by default. So, you can start using it without further con guration.
If you don't intend to use SAP ID service, you must establish trust to a custom identity provider that supports SAML 2.0. This
identity provider can be SAP Cloud Identity Services - Identity Authentication, for example. So, you can use one of the following
identity providers:
Identity Provider Identity Provider Type Related Information
SAP ID service Default identity provider of SAP BTP Default Identity Federation with SAP ID
Service in the Cloud Foundry Environment
SAP Cloud Identity Services - Identity Custom identity provider from SAP that can What Is Identity Authentication?
Authentication be used with a separate subscription to the
service
Another SAML 2.0 identity provider Custom identity provider from a third-party See the relevant third-party documentation.
provider, must support SAML 2.0
 Note
If your organization is using SAP ID service, the default identity provider of SAP Business Technology Platform (SAP BTP) as
the identity provider for SAP Signavio Process Insights, all users who want to access the solution must have an SAP ID
service account.
For information about setting up an SAP ID service account, see Default Identity Provider in the SAP BTP documentation.
Con guration
If you use a custom identity provider, you must establish trust and federation between your identity provider and the User
Account and Authentication (UAA) service. Doing this typically involves establishing trust with your identity provider in a
subaccount and then registering the subaccount in the identity provider.
Depending on what identity provider you use, you establish trust as outlined in the relevant documentation:
Identity Provider Identity Provider Type Establishing Trust and Federation
12/19/2022
Identity Provider Identity Provider Type Establishing Trust and Federation
SAP ID service Default identity provider Default Identity Federation with SAP ID
Service in the Cloud Foundry Environment
 Note
Trust to SAP ID service in your
subaccount is precon gured in the
Cloud Foundry environment by default.
You can optionally add additional trust
settings or set the default trust to
inactive.
SAP Cloud Identity Services - Identity Custom identity provider Establish Trust and Federation Between
Authentication UAA and Identity Authentication
Manually Establish Trust and Federation

Between UAA and Identity Authentication
Another SAML 2.0 identity provider Establish Trust and Federation with UAA
Using Any SAML Identity Provider
Authentication
In your identity provider, you must set up users that can be assigned the role collections that contain the roles of the
application. If you use a custom identity provider, you can also set up user groups that can be assigned to role collections.
For more information about user management and role assignment, see User Management.
Security
To ensure your identity provider is con gured securely, you must ensure best practices are applied, for example:
The identity provider correctly veri es a person's identity before granting access.
You assign unique user IDs.
You never reassign the user ID of a user that no longer exists to another user.
You con gure a session timeout so that sessions can remain idle for no more than a speci c period of time, following
which users are logged off automatically.
Related Information
SAP Cloud Identity Services - Identity Authentication
User Management
Understand how to manage users and assign them roles depending on the identity provider that you use.
The following prerequisites must be met before users can be granted access to the solution:
Trust has been established between your identity provider and your tenant. To see for which identity provider trust has
been established, in your subaccount in SAP BTP, choose Security Trust Con guration . If the entry Default identity
provider is the only identity provider listed, SAP ID service is currently the only identity provider being used.
12/19/2022
For more information about the identity providers supported and how to establish trust, see Con guring Your Identity
Provider Service.
User accounts have been set up for each of the users in the identity provider that you're using.
 Note
If your organization is using SAP ID service, the default identity provider of SAP Business Technology Platform (SAP
BTP) as the identity provider for SAP Signavio Process Insights, all users who want to access the solution must have
an SAP ID service account.
For information about setting up an SAP ID service account, see Default Identity Provider in the SAP BTP
documentation.
 Note
If your organization is using a custom identity provider to authenticate users and you want to con gure access rights
using mass assignments, user groups must be set up in your identity provider.
User Creation
To be able to manage users, one of the following must happen:
Default identity provider: Shadow users are created in your SAP BTP subaccount.
A shadow user is a user in your SAP BTP subaccount that is a copy of the user in your identity provider. Shadow users are
created automatically in your subaccount for those users you speci ed when you ran the booster (Add Users step). You
must create shadow users manually for users you add later. For more information about how to do this, see Create Users
in the SAP BTP documentation.
If you or other users have an S-user, this S-user must be linked to an SAP Universal ID account. Users can link their S- or
P-user to their SAP Universal ID at https://account.sap.com/core/create/login-linking . If a user doesn't yet have an S-
user or a P-user, creating an SAP Universal ID account automatically creates a P-user for them.
 Note
If your organization is using SAP ID service as the identity provider and users have an SAP Universal ID, it's possible
that the email addresses for SAP Universal ID and SAP ID service aren't the same. In this case, it's the email
associated with their SAP ID service that users must enter in the SAP BTP cockpit ( Security Users ).
Custom identity provider: Users or user groups are set up in your custom identity provider. If you're not using user
groups in your identity provider, shadow users must be created in your SAP BTP subaccount as described above.
User Roles and Access Rights

The solution uses the concept of role collections to group together different roles that can be applied to application users. A
number of role templates are de ned for the application. These role templates contain role de nitions.
Role Templates
The following list indicates what role templates are available for the application and what each role template allows users to do
in the various system components.
Role Templates User Access To
12/19/2022
ADMIN Administration area of the application
 Note
This role template allows access to the administration features
only and not to any of the features for business users.
E2E_Process_DTR Data for the Governance end-to-end process
E2E_Process_HTR Data for the Recruit to Retire end-to-end process
E2E_Process_ITM Data for the Idea to Market end-to-end process
E2E_Process_OTC Data for the Lead to Cash end-to-end process
E2E_Process_PLANTP Data for the Plan to Ful ll end-to-end process
E2E_Process_PTP Data for the Source to Pay end-to-end process
E2E_Process_RTR Data for the Finance end-to-end process
E2E_Process_RTS Data for the Acquire to Decommission end-to-end process
LOB_AM Data for the Asset Management line of business
LOB_COMMERCE Data for the Commerce line of business
LOB_FINANCE Data for the Finance line of business
LOB_HR Data for the Human Resources line of business
LOB_MANUF Data for the Manufacturing line of business
LOB_MARKETING Data for the Marketing line of business
LOB_RDE Data for the R&D/Engineering line of business
LOB_SALES Data for the Sales line of business
LOB_SERVICE Data for the Service line of business
LOB_SOUR_PROC Data for the Sourcing & Procurement line of business
LOB_SUP_CHAIN Data for the Supply Chain line of business
MONETARY_VALUES Data relating to monetary values
PERSONAL_DATA Data considered to be personal data, such as customer, supplier, or

user IDs
DATA_PRIVACY_ADMIN Data Privacy Managment area of the application
 Note
This role template allows access to the data privacy
management area only and not to any of the features for
business users.
You can nd this list of role templates in your subaccount under Security Roles . These role templates are the role
templates available for the process-insights application.
Creating Role Collections
12/19/2022
Role templates can be grouped into role collections. You can create any role collections you need based on these role
templates. If you ran the booster to set up your account and subscribe to the application, some role collections were created
automatically. You can see any role collections that were created in your subaccount under Security Role Collections .
If you want to de ne your own role collections, see De ne a Role Collection in the SAP BTP documentation.
 Tip
When you select which roles you want to add to your role collection, in the dropdown box for Application Identi er, choose
the entry for process-insights to see the roles speci c to the SAP Signavio Process Insights application.
If you want to add roles to an existing role collection, see Add Roles to a Role Collection in the SAP BTP documentation.
Assigning Role Collections to Users or User Groups
Whether you assign role collections to users or user groups depends on which type of identity provider you use. If you ran the
booster to set up your subaccount and subscribe to the application, you could have already speci ed users to be assigned the
default role collections.
Default identity provider: The concept of user groups doesn't apply when you use SAP ID service as the identity provider.
In your subaccount, you create your users and assign role collections to them under Security Users . You can assign
role collections both to SAP BTP administration users and to business users of the application here.
See Assign Users to Role Collection in the SAP BTP documentation.
Custom identity provider: If you're using a custom identity provider and have set up user groups, assign your user groups
to the role collections based on your requirements. You assign your user groups to the role collections in your
subaccount under Security Role Collections . The ID for the user group is based on what's de ned in your identity
provider.
See Assign User Groups to Role Collections in the SAP BTP documentation.
If you haven't set up user groups, you assign role collections to individual users, assuming shadow users have been
created in the subaccount as previously described.
See Assign Users to Role Collection in the SAP BTP documentation.
Related Information
Roles in Default Role Collections
Roles in Default Role Collections

Understand what roles are included in the default role collections created when you use the booster to prepare your account for
SAP Signavio Process Insights.
Role Collection Description Role Templates Included
12/19/2022
Role Collection Description Role Templates Included
SAP Signavio Process Insights User Business user access to the solution
E2E_Process_DTR
E2E_Process_HTR
E2E_Process_ITM
E2E_Process_OTC
E2E_Process_PLANTP
E2E_Process_PTP
E2E_Process_RTR
E2E_Process_RTS
LOB_AM
LOB_COMMERCE
LOB_FINANCE
LOB_HR
LOB_MANUF
LOB_MARKETING
LOB_RDE
LOB_SALES
LOB_SERVICE
LOB_SOUR_PROC
LOB_SUP_CHAIN
MONETARY_VALUES
PERSONAL_DATA
SAP Signavio Process Insights Administrative access to the solution ADMIN

Administrator
SAP Signavio Process Insights Data Privacy Access to the data privacy management DATA_PRIVACY_ADMIN
Administrator feature of the solution
Setting Up Data Collection in Managed Systems

This section outlines how to set up data collection for SAP Signavio Process Insights in your managed systems.
 Tip
How you can best handle your subaccounts and subscriptions depends on the solution package you have:
If you have the SAP Signavio Process Insights, base package, we recommend that you use the two tenants available
to you as separate tenants for validation and production use.
Use the test service plan in one subaccount to connect the solution to a quality system rst so you can
validate the data collection process.
12/19/2022
Like this, you can connect the solution to multiple quality systems to validate the data collection process for
each system.
Once you've successfully validated the process with data from your quality system in your rst subaccount,
proceed to connect the solution to your production system in your second subaccount with the subscription for
the production tenant (standard service plan).
If you're accessing the solution using the SAP Signavio Process Insights, starter pack as part of the business process
transformation starter pack for RISE with SAP, we recommend that you proceed as follows to rst validate the
process using your quality system:
First connect the solution to your quality system to validate the data extraction process. Once you've
successfully validated the process in your quality system, you can proceed to connect the solution to your
production system.
To be able to connect your production system, unregister your managed system to remove the connection
from this system to your cloud tenant. For information about connecting and disconnecting your managed
system, see Setting Up a Data Connection. Once you've unregistered your quality system, unsubscribe from
the application in the SAP BTP cockpit. This fully resets the database for you before you subscribe to the
application again to connect to your production system.
This approach also applies if you're an SAP partner with a cloud test and demonstration license and you're
subscribing to the application using the partner application plan.
 Note
Since time factors are relevant in data collected for performance indicators, only data collected from your production
system can be considered valid data.
Related Information
Preparing for the Outbound HTTP Connection
Setting Up Data Connections
Excluding Monetary and User Information from Data Collection
Preparing for the Outbound HTTP Connection

As your organization's IT specialist or ERP administrator, understand what you need to do to prepare your network and systems
for the outbound HTTP connection required by SAP Signavio Process Insights.
Related Information
Con guring Your Network Settings
Installing the Required Certi cate
Con guring Your Network Settings

As your organization's IT specialist, ensure your network settings permit communication required for the SAP Signavio Process
Insights solution.
12/19/2022
URLs to Be Permitted
To allow communication between the managed system on your local network and your cloud tenant, you must ensure that your
network settings permit outbound communications to the internet through port 443 (HTTPS) to the domains for the solution.
You need to permit communication with the following URLs:
Application base URL
This is the uri property obtained by your SAP Business Technology Platform (SAP BTP) administrator from the service
key created by running the booster to subscribe to the application. For information about how to get the service key
details, see Getting Your Service Key Details.
bpi-pia-core-api.cfapps.<region ID>.hana.ondemand.com
Authentication URL
This is your tenant-speci c authentication URL that matches the url property also obtained by your SAP BTP
administrator from the service key that they created:
<subdomain>.authentication.<region ID>.hana.ondemand.com
The subdomain is the subdomain of the subaccount used to create a subscription to the application in the SAP BTP cockpit. The
region ID is the region of the data center of the subaccount. Data centers are available in the following regions and from the
following providers:
Each region consists of multiple data centers in different locations.
 Note
If you're running SAP Signavio Process Insights in the AWS Europe (Frankfurt) region with region ID eu10, please specify
eu10-004 as the region ID.
 Note
If you use a network security device such as Cisco Web Security Appliance (WSA) for example, ensure that an exception has
been con gured to allow communication between your ERP system and permitted SAP Signavio Process Insights URLs and
that certi cates used in the communication are not overwritten.
IP Addresses to Be Permitted
Your network must allow the required IPs for the SAP BTP, Cloud Foundry environment.
For information about which IPs are required, see Regions and API Endpoints Available for the Cloud Foundry Environment in the
SAP BTP documentation. The information in the LB IPs (ingress, for incoming requests) column indicates which IPs are required
depending on your data center.
 Note
If you're running SAP Signavio Process Insights in the AWS Europe (Frankfurt) region with region ID eu10, please use the IPs
indicated for landscape cf-eu10-004.
Related Information
Issues While Setting Up the Data Connection
12/19/2022
Installing the Required Certi cate

Ensure you install and trust the required certi cate.
SAP Signavio Process Insights uses the framework provided by SAP Cloud ALM to let you connect your ERP system to your
cloud tenant for SAP Signavio Process Insights. In any ERP systems that you connect, you must install and trust the required
certi cate as outlined under Setup STRUST in the information for SAP Cloud ALM on SAP Support Portal.

Ensure you've installed the latest versions of ST-PI and ST-A/PI in your ERP system.
Context
Before you can set up a data connection between your managed ERP system and your cloud tenant for SAP Signavio Process
Insights, you must ensure you're running the latest versions of the ST-PI and ST-A/PI plug-ins in your ERP system.
The ST-PI plug-in contains the Service Data Control Center (SDCC), which controls the collection and transfer of data. It also
contains function modules and reports needed for data collection. This plug-in therefore contains the code needed to establish
the system connection and con gure the system to periodically retrieve process performance indicator (PPI) data and transfer
this data to your cloud tenant for SAP Signavio Process Insights.
The ST-A/PI plug-in contains application-speci c data collectors that contribute to data collection with SDCC and business
process monitoring, for example. This plug-in contains the metadata for performance indicators along with the code required to
collect the performance indicator data.
 Note
There are no dependencies between these plug-ins and the code in your ERP system. You can therefore add these plug-ins to
your productive systems without implications for productive features.
Procedure
1. Open Tools for Support Service Sessions on SAP Support Portal.
2. Use the options provided to download the latest versions of ST-PI and ST-A/PI.
 Note
We recommend that you install the latest versions and also keep your plug-ins up to date.
 Note
For the ST-PI plug-in, the latest version is ST-PI 7.40 SP20.
For the ST-A/PI plug-in, the latest version is ST-A/PI 01V_731 SP0.
 Remember
As indicated under Additional Software, there's a strict requirement to use the minimum versions supported, which
are:
ST-PI 7.40 SP16
ST-A/PI 01U_731 SP3
12/19/2022
 Caution
It's technically possible to use ST-A/PI 01U_731 SP2. However, if you don't install SP3, not all the data required by the
newest performance indicators is collected. Some boxes in process ows will therefore be fully missing metrics, for
example, and may appear to contain 0 business object instances as a result.
 Tip
You can check what versions are installed in your ERP system and whether you need to update to a newer version by
using transaction SE38 to run report RTCCTOOL. A red traffic light in the report's output lets you know if you need to
update your ST-PI or ST-A/PI versions.
3. Install the ST-PI and ST-A/PI plug-ins. For information about installing ST-PI and ST-A/PI or using RTCCTOOL, see SAP
Notes 539977 and 69455 .
4. Ensure the latest correction instructions are implemented for ST-PI and ST-A/PI.
 Caution
Not installing the required SAP Notes may result in technical issues, which may have a negative impact on your
business operations.
a. For ST-PI 7.40, ensure you implement the relevant SAP Note based on your ST-PI 7.40 version:
ST-PI 7.40 SP20 3240966
ST-PI 7.40 SP18 and SP19 3196078
ST-PI 7.40 SP17 3133333
ST-PI 7.40 SP16 3104662
b. For ST-A/PI, ensure you implement the relevant SAP Notes from the following list based on your ST-A/PI version.
 Tip
Keep in mind that newer versions of SAP Notes become available over time. Plan to implement new versions
when they become available. You can ensure you're noti ed about new versions of an SAP Note by opening it
and choosing  Mark as Favourite for each SAP Note. Also ensure in the noti cation settings for your Support
Portal user (under Manage Noti cations) that noti cations are active for My SAP Notes & KBA.
ST-A/PI 01V_731 SP0 SAP ERP: 3194251 SAP S/4HANA: 3194259
and and
and
Framework: 3159166
12/19/2022
ST-A/PI 01U_731 SP3 SAP ERP: 3111576 SAP S/4HANA: 3111641
and and
and
Framework: 3070521
 Tip
For an overview of all SAP Notes containing corrections to be implemented for ST-A/PI plug-ins, see 2865793
(Required ST-A/PI notes for business process analytics).
Results
Once you've installed the latest ST-PI plug-in, you can set up your data connection so that you can schedule, retrieve, and send
your data for process performance indicators to your cloud tenant for SAP Signavio Process Insights.
Setting Up Data Connections

Set up the data connection in your ERP system that allows you to schedule, retrieve, and send your data for process
performance indicators to your cloud tenant for SAP Signavio Process Insights.
Watch this video to understand how to set up data collection in your ERP system and transfer the data collected to SAP
Signavio Process Insights:
Open this video in a new window
Before You Set Up a Data Connection

12/19/2022
Before you set up the data connection between your ERP system and cloud tenant for SAP Signavio Process Insights, ensure
that you've ful lled all prerequisites.
In SAP BTP
Your administrator in SAP BTP has run the booster in the SAP BTP cockpit that helps prepare your subaccount and
subscribe to the application as outlined under Subscribing to the Application. Alternatively, they have completed these
steps manually.
You have the details of the service key from the SAP BTP cockpit, which can be retrieved by an administrator in the SAP
BTP cockpit as outlined under Getting Your Service Key Details.
In All Managed Systems
You've installed the latest versions of the ST-PI and ST-A/PI plug-ins in your managed system as indicated under
Installing ST-PI and ST-A/PI Plug-Ins.
 Note
It's important that you've installed the required minimum versions.
You've ensured that your network settings allow communication with the cloud tenant and the required certi cate has
been installed and trusted as outlined under Preparing for the Outbound HTTP Connection.
You know whether your organization uses a proxy and have obtained the details required (host and port) from your
organization's IT department or specialist.
 Note
If your proxy uses authentication, ensure you've installed the latest version of the following SAP Notes depending on
your ST-PI version:
ST-PI 7.40 SP20 3240966
ST-PI 7.40 SP18 and SP19 3196078
ST-PI 7.40 SP17 3133333
ST-PI 7.40 SP16 3104662
This is required to ensure that proxies with authentication are supported by SAP Cloud ALM, the framework used to
connect your managed ERP system to the cloud tenant.
Check that the pro le parameter icm/HTTPS/client_sni_enabled is set to TRUE in your managed system. You can
check the value using transaction RZ11 and change the value using transaction RZ10. In transaction RZ10, you select
the relevant pro le and change the value from FALSE to TRUE. See also SAP Note 510007 (Additional considerations
for setting up SSL on Application Server ABAP).
You've set up a user in your managed system that can be used as a background user to transfer the data. This user must
have the authorizations outlined in the table provided here in the prerequisites.
The following roles and access to transactions are required by either the dialog user setting up the connection and
running transaction /SDF/ALM_SETUP or the background user used for the data collection:
Role/Transaction Authorization Dialog User Background User Reason Required

Required (Person setting up (Technical user for
the connection) actual data collection)
12/19/2022
Role/Transaction Authorization Dialog User Background User Reason Required

Required (Person setting up (Technical user for
the connection) actual data collection)
PFCG role SAP_SDF_ALM_SETUP X To run transaction

/SDF/ALM_SETUP.
PFCG roles: X To run the data collection jobs.

SAP_SDF_ALM_METRIC_PUSH_FND
 Note
and
SAP_SDF_ALM_METRIC_PUSH_BPMON You download the latest version
of the roles from SAP Note
3054258
PFCG role X For analysis reasons.

SAP_MANAGED_BPOANA_ALL
 Note
 Caution
This role is required
If this user is an SAP
for the background
consultant, for data privacy
user once version 28
reasons, ensure that
of SAP Note
BENCHMARKING_ADV_USR is
2985521 is
implemented. removed from the authorization
eld FUNC_MS in authorization
object SM_BPM_DET of role
SAP_MANAGED_BPOANA_ALL.
Adjusting this authorization
prevents user information from
being analyzed.
See also: Excluding Monetary and

User Information from Data
Collection
Authorization object M_MTDI_ORG, X To obtain data for performance

activity category L MRP indicator MRP elements to be
canceled per material
(KPPP000410) and related
correction recommendations
Transactions SE16, TAANA, and ST13 X For analysis reasons, to verify data
in the managed system, for
example.
In addition to ensuring the relevant roles are assigned, you've ensured that the role pro les are generated in transaction
PFCG for role maintenance. You need to generate role pro les if they've been adjusted, for example.
Setting Up a Data Connection

You're ready to establish the connection between your ERP system and your cloud tenant for SAP Signavio Process Insights.
This also allows you to get the relevant con guration for process performance indicators, along with the prede ned schedules
to retrieve your data and send this data to your cloud tenant.
Prerequisites
See Before You Set Up a Data Connection
12/19/2022
Context
Using transaction /n/SDF/ALM_SETUP (Set up integration with SAP Cloud ALM) in your ERP system, you maintain the HTTP
destination of your SAP Signavio Process Insights cloud tenant and set up the push mechanism to push the data for your
performance indicators to your cloud tenant.
 Note
Transaction /n/SDF/ALM_SETUP (Set up integration with SAP Cloud ALM) is only available as of ST-PI 7.40 SP14.
 Remember
You must repeat the following steps in all managed systems you want to connect to SAP Signavio Process Insights.
Procedure
1. Call transaction /n/SDF/ALM_SETUP (Set up integration with SAP Cloud ALM) in your ERP system.
2. Create your Target ALM Destination, which is the HTTP destination of your SAP Signavio Process Insights cloud tenant,
by choosing an existing destination using the F4 help or providing a new destination name and pressing Enter .
3. Choose Create/Update Destination to specify the details of your HTTP destination.
a. Manually enter the following service key information for the service instance created for the API service and
con rm your entries.
Your administrator in SAP BTP can get the service key details as outlined in Getting Your Service Key Details.
Token Endpoint
 Note
When you enter the token endpoint URL, it must have the following format:
https://<identifier>.authentification.<region
ID>.hana.ondemand.com/oauth/token
This ensures that the HTTP destination has the required pre x path.
Client ID
Secret
If your organization uses a proxy, ensure that you enter the following information speci c to your proxy server:
Proxy Host
Proxy Port
If your proxy uses authentication, also enter the following information:
Proxy User
Proxy Password
You can get this information from your organization's IT department or specialist.
 Note
If your proxy uses authentication, ensure you've installed the latest version of the required SAP Notes as
outlined in the prerequisites above.
b. Enter your registration target:
12/19/2022
For Root URL, enter the application base URL (uri property) for the SAP Signavio Process Insights service. As
before, your administrator can provide this details from the service key created in SAP BTP.
 Note
When you enter the uri into the Root URL eld, it must have the following pattern:
https://bpi-pia-core-api.cfapps.<region ID>.hana.ondemand.com
This means you must remove the suffix /api/v1 from the end before you register the system.
4. Enter your background user and register your system.
a. Enter the background user created in your managed system to perform the data collection. This user must have
the required PFCG roles and authorizations outlined here in the table under Prerequisites.
b. Choose Register to call your SAP Signavio Process Insights cloud tenant and register the system. If the
registration is successful, the system retrieves and displays an LMS ID.
 Tip
If you later want to stop data collection for your system, choose Unregister here to stop all data collection and
unregister the system from the target URL.
5. Choose Activate Use Cases and select Business Process Monitoring.
Selecting this use case triggers several background jobs, two of which are relevant for SAP Signavio Process Insights. For
more information about the two jobs and their functions, see ERP Background Jobs for SAP Signavio Process Insights.
Results
You've now set up the data connection between your ERP system and the cloud tenant for SAP Signavio Process Insights. You
can use transaction SM59 in the managed system to check that the connection is appearing under HTTP Connections to
External Server.
Next Steps
Make sure to check for any errors that can occur during data collection. For more information, see Data Collection in the
Troubleshooting section.
Pay special attention to short dumps and other common errors for data collection runs. For more information, see Common
Errors Logged for Data Collection Runs.
ERP Background Jobs for SAP Signavio Process Insights

Understand which background jobs are triggered in your ERP system after you've set up the data connection to SAP Signavio
Process Insights.
CRBPA:AUTODISCOVERY
This job runs every hour by default. It requests the lastest data collection settings from SAP Signavio Process Insights system.
The data collection settings determine for which performance indicators data is to be collected and how often it is collected.
As an answer to the request from the CRBPA:AUTODISCOVERY job, the SAP Signavio Process Insights system sends a list of all
performance indicators with the Data Collection Status set to Active, together with the prede ned data collection frequency
for each performance indicator.
12/19/2022
CRBPA:DC_CONTROLLER
This job runs every minute. It checks the available work processes, triggers data collection, and sends the data collected to SAP
The CRBPA:DC_CONTROLLER only collects data for those performance indicators that are on the list the ERP system received
from SAP Signavio Process Insights as a response to the latest request from the CRBPA:AUTODISCOVERY job.
It also collects data based on the frequency de ned for each performance indicator.
The following diagram outlines how data is exchanged between your ERP system and SAP Signavio Process Insights. It shows
how the ERP background jobs determine the data to be collected and sent to SAP Signavio Process Insights.
Dependencies Between ERP Background Jobs and Data Collection Status
 Note
If you change the Data Collection Status for a performance indicator in SAP Signavio Process Insights, your changes will only
take effect after the settings have been synchronized with your ERP system. The CRBPA:AUTODISCOVERY job needs to
request the latest settings and SAP Signavio Process Insights needs to provide them.
We recommend you keep the default job frequency and let it run hourly. Like this, you can avoid a delay between the data
collection settings you make in SAP Signavio Process Insights and these settings taking effect when data is collected from your
ERP system.
For more information about activating or deactivating data collection, see Monitoring and Con guring Data Collection Runs.
Changing the Frequency of the CRBPA:AUTODISCOVERY Job
 Note
Changing the frequency of the CRBPA:AUTODISCOVERY job causes a delay between the data collection settings you make
in SAP Signavio Process Insights and these settings taking effect when data is collected from your ERP system.
If you still want to change the recommended job frequency, proceed like this:
12/19/2022
1. Open transaction SM37 (Job Selection) in your managed system.
2. In the Simple Job Selection eld, enter the Job Name CRBPA:AUTODISCOVERY* and choose Execute.
3. Select an entry from the list.
4. In the job details, go to Step and verify that the program name is /SDF/CRBPA_AUTODISCOVERY.
Make sure you don't select a job with the /SDF/CALM_AUTO_DISCOVERY program instead.
5. Exit the Step List Overview and go to Job Change .
6. Go to Start Condition and select Period Values to change the frequency.
Excluding Monetary and User Information from Data Collection

Understand how you can exclude elds that contain monetary information or user identi ers from the data collected in your
ERP system.
Context
You can exclude elds that contain monetary information or user identi ers from the data collected and sent to your SAP
Signavio Process Insights tenant. You exclude this information by adjusting the authorization object for the
SAP_MANAGED_BPOANA_ALL role in your ERP system. It's possible to exclude personal information relating to elds with user
identi ers, but not for elds with customer or supplier identi ers.
 Note
Excluding these elds restricts the information available to your users of SAP Signavio Process Insights. Without this
information, you lose some valuable insights otherwise available for performance indicators.
If you want to prevent this information from being sent to your SAP Signavio Process Insights tenant, adjust these
authorizations before you set up the connection between your ERP system and your cloud tenant.
To exclude this information, here's what you do in your ERP system:
Procedure
1. Call transaction PFCG (Role Maintenance).
2. Open the role SAP_MANAGED_BPOANA_ALL.
3. Switch to the Authorizations tab and choose Display Authorization Data.
4. Expand the node for Object Class SMPI so you can see authorization object SM_BPM_DET and the elds it contains.
5. Display the information for eld FUNC_MS.
6. Ensure the following authorizations are removed if you want to prevent data being collected and sent to SAP Signavio
Process Insights:
BENCHMARKING_ADV_USR: To prevent user IDs from being collected.
BENCHMARKING_ADV_VAL: To prevent monetary values from being collected.
7. Save any changes you make and generate the role pro le when you’ve made your changes.
Related Information
Regenerate the Authorization Pro le Following Changes
12/19/2022
Application Con guration

If you have the administration role (ADMIN), you can access the Administration area of the SAP Signavio Process Insights
application. Here you can con gure your industry, as well as monitor and con gure data collection.
Related Information
Con guring Your Industry
Monitoring and Con guring Data Collection Runs
Application Con guration Questions
Con guring Your Industry

Select the industry that's most relevant for your organization to see industry-speci c innovation recommendations and industry
benchmarking information.
On the Industry Selection tab, you can select the industry that's most relevant for your organization.
 Note
If you've connected multiple systems to SAP Signavio Process Insights, the industry selection applies to all systems and
clients.
Specifying your industry has multiple bene ts.
For industry-speci c recommendations
By specifying your industry, you allow the solution to provide your users with industry-speci c innovation recommendations and
content so they can make more tailored decisions to improve your organization’s business processes.
When you specify your organization's industry, your users get industry-speci c innovation recommendations in addition to
general cross-industry recommendations for supported industries.
Industry-speci c recommendations are innovation recommendations speci c to your industry that are currently available for
the following categories and types:
Innovation Category Innovation Type
SAP S/4HANA Capabilities SAP S/4HANA
SAP Process Automation Automations
Work ow Management
Intelligent Technologies
Machine Learning
SAP Intelligent Robotic Process Automation
Situation Handling
User Experience SAP Fiori Apps
Other SAP Solutions Industry Cloud Solutions
12/19/2022
Specifying your industry also allows your users to see the industry popularity of some innovation recommendations. The
industry popularity helps your organization to understand the degree of adoption of a recommendation based on how many
industry peers are using it.
For benchmarking
Specifying an industry also allows your users to see your benchmark performance for performance indicators when
benchmarking data is available. If you don’t select an industry, industry benchmark performance can’t be calculated and the
benchmark performance information for supported performance indicators isn't displayed.
Monitoring and Con guring Data Collection Runs

Monitor and con gure the data collection runs that transfer data from your ERP systems to SAP Signavio Process Insights.
Monitor Data Collection

The Data Collection Runs tab of the Administration area provides you with all the information you need to monitor data
collection.
Information Needed Information Location Details
How much data is being stored Under Storage Settings, see The volume of storage used by all systems in your SAP Signavio
by SAP Signavio Process Storage Used by All Systems Process Insights tenant. The storage volume is based on the data
Insights for all managed size of all performance indicators for which data's been collected
systems and also other technical objects relating to business object data.
How many collections runs have In the Performance Indicator The number of collection runs varies for different performance
taken place for a particular Data table, refer to the indicators. The reason for this is that data for performance
performance indicator and when Collection Runs column indicators is collected at different intervals. Examples of these
intervals are 1 day, 3 days, 1 week, or 30 days.
When the data was collected In the Performance Indicator The collection date indicates the dates of the rst and last
Data table, refer to the collection runs for which data was collected and is currently stored.
Collection Date column
How much data is being stored In the Performance Indicator While the exact volume of data stored for each performance
for each performance indicator Data table, refer to the Object indicator is not available, the number of objects that have been
Count column collected for each performance indicator across all collection runs
can help you to understand and troubleshoot data storage issues,
for example, which performance indicators have the most data.
Whether a collection run is (Data collection is currently The status indicator that shows that the collection run for a
currently in progress for a running for this performance performance indicator is currently in progress is not dynamic. You
performance indicator indicator) must refresh your browser to see a status change.
Whether the last collection run (Last data collection has The error indicator gives the time of failed collection runs in your
for a performance indicator failed) timezone, which is dependent on your browser's language settings.
failed
See also: Analyzing Failed Data Collection
Whether data collection for a In the Performance Indicator Data collection is active for many performance indicators by
performance indicator is active Data table, refer to the Data default. For some performance indicators, however, you need to
or inactive Collection Status column activate data collection for that performance indicator when it's
released. For more information, see the Reference Guide for
Performance Indicators.
For more information about activating or deactivating performance

indicators, see Activate or Deactivate Data Collection for Individual
12/19/2022
 Note
On the Data Collection Runs tab, you as an administrator see information for all available performance indicators. However,
if data collection shows that a performance indicator isn't relevant for your organization (typically when no data is collected
from the managed system), then it's hidden from end users.
Con gure Maximum Number of Collection Runs Stored
 Note
This option is only available if you have the SAP Signavio Process Insights, base package.
Under Storage Settings, you can specify the maximum number of data collection runs you want to be stored for each
performance indicator. The setting you select applies to all source system and client combinations. The volume of storage used
is based on the data size of all performance indicator data collected and also other technical objects relating to business object
data.
Setting a limit to the number of collection runs lets you control the growth of data in your tenant.
If you reduce the limit so that it's smaller than the number of collection runs already stored for at least one performance
indicator, you’re prompted to con rm that you want data to be scheduled for deletion.
Data deletion runs are started every 12 hours. The deletion runs check for each performance indicator if there are more
collection runs stored than the maximum number con gured. The deletion run then deletes older collection runs until the limit
is no longer exceeded. If data has been collected from multiple systems, the deletion job is executed when the number of data
collection runs for one performance indicator exceeds the maximum number of collections runs that may be stored.
The value that you set for Maximum No. of Collection Runs Stored applies globally to all systems. The following table shows an
example of the deletion logic for multiple systems based on the value that you set.
System A System B System C
Maximum No. of Collection Runs Stored 6 6 6
Lowest No. Collection Runs Stored 10 8 6
Collection Runs Deleted 4 2 0
Activate or Deactivate Data Collection for Individual Performance Indicators
 Note
Choose Edit and select or deselect the Active checkbox in the Data Collection Status column to activate or deactivate data
collection for individual process performance indicators. Then choose Save.
Once your changes are synchronized with your ERP system, they take effect with the subsequent data collection run. You can
check the date information for the Performance Indicator Data table to see when the last synchronization happened. Data
collection runs are triggered at different intervals, such as daily, every 3 days, weekly, or every 30 days, depending on the
performance indicator. For more information about the background jobs for synchronization and data collection, see ERP
Background Jobs for SAP Signavio Process Insights.
 Note
12/19/2022
Data collection is active for many performance indicators by default. For some performance indicators, however, you need to
activate data collection for that performance indicator when it's released. For more information, see the Reference Guide for
When you deactivate data collection for a performance indicator, end users continue to see data from the last data
collection run before deactivation.
Delete Performance Indicator Data for One or All Systems
 Note
Deleting all data currently stored is useful if you want start data collection from scratch, or if you have unregistered a system
and you now want to remove all associated data. To delete data, select the system and client whose data you want to delete (or
All Systems if you want to delete all data for all systems) and choose Delete All Data.
Deletion may take a few minutes, depending on the size of the data, but the system noti es you on completion. Deletion results
in the following changes:
If you deleted data from a system that was unregistered
The system no longer appears on the Data Collection Runs tab and end users can no longer select the system in the
navigation.
 Remember
If you unregister a system but do not delete its data, end users can still select the system in the side panel and see
previously collected data. Furthermore, if you register the same system again later, previously collected data will be
reassociated with the system.
If you deleted data from a system that is still registered
Immediately after deletion, both the number of collection runs and the object count for individual performance indicators
is 0. However, because data collection itself is still active, these indicators start to increase once deletion has completed.
You can verify that new data is being collected by referring to the information under Collection Date. End users can still
select the system in the side panel and analyze new incoming data.
 Remember
If you want to stop collecting data from a system permanently, you must unregister the system as a connection. You
do this in the ERP system using transaction /SDF/ALM_SETUP (Set up integration with SAP Cloud ALM). We
recommend that you delete the data of a system before you unregister it.
Application Con guration Questions

Find answers to questions about con guration options for the application.
Can I control how much data is stored in my tenant?
Yes, as an administrator, you can access the Administration area of the application. On the Data Collection Runs tab, you nd
the features for data collection runs for performance indicators.
Under Storage Settings, you can specify the maximum number of data collection runs you want to be stored for each
performance indicator. The setting you select applies to all source system and client combinations. The volume of storage used
12/19/2022
is based on the data size of all performance indicator data collected and also other technical objects relating to business object
data.
Can I con gure when and how often data is collected?
No, the con guration both of the data collection and the frequency of collection is prede ned in the solution.
When data is collected depends on the date and time your managed system was rst connected to SAP Signavio Process
Insights. The initial system connection serves as a reference point for these intervals. Process ow data is collected once a week
and data for standard performance indicators is collected at various intervals, such as daily, every 3 days, weekly, or every 30
days.
For information about the de ned collection interval for a speci c process performance indicator, see the corresponding topic
under Standard Performance Indicators in the Reference Guide for Performance Indicators.
 Example
Let's say your managed system was rst connected to SAP Signavio Process Insights at 2 p.m. on a Monday. The next data
collection run for process performance indicators with daily intervals is then triggered on Tuesday around 2 p.m. And the next
data collection for process ows is triggered at around 2 p.m. the following Monday.
Can I con gure what data is to be collected?
You can activate and deactivate data collection for individual performance indicators on the Data Collection Runs tab in the
Administration area. For more information, see Monitoring and Con guring Data Collection Runs in the Administration Guide for
SAP Signavio Process Insights.
What happens if I set the data collection status of a performance indicator to inactive?
If you deactivate data collection for a performance indicator, data is no longer collected for this performance indicator. If you
want to resume collecting data, you can activate data collection again.
 Note
Data collection is active for many performance indicators by default. For some performance indicators, however, you need to
activate data collection for that performance indicator when it's released. For more information, see the Reference Guide for
When you deactivate data collection for a performance indicator, end users continue to see data from the last data
collection run before deactivation.
What happens if I reduce the maximum number of collection runs stored?
If you reduce the collection run limit so that it's smaller than the limit previously con gured but you haven't already stored this
number of collection runs for any performance indicators, your setting is simply updated.
If you reduce the limit so that it's smaller than the number of collection runs already stored for at least one performance
indicator, you’re prompted to con rm that you want data to be scheduled for deletion.
Data deletion runs are started every 12 hours. The deletion runs check for each performance indicator if there are more
is no longer exceeded. If data has been collected from multiple systems, the deletion job is executed when the number of data
collection runs for one performance indicator exceeds the maximum number of collections runs that may be stored.
12/19/2022
The value that you set for Maximum No. of Collection Runs Stored applies globally to all systems. The following table shows an
example of the deletion logic for multiple systems based on the value that you set.
System A System B System C
Maximum No. of Collection Runs Stored 6 6 6
Lowest No. Collection Runs Stored 10 8 6
Collection Runs Deleted 4 2 0
When is data deleted?
Data deletion runs are scheduled to run every 12 hours. They check for each performance indicator whether there are more
is no longer exceeded.
If you reduce the collection run limit so that it's smaller than the number of collection runs already stored for at least one
performance indicator, you’re prompted to con rm if you want data to be scheduled for deletion.
A data deletion run is also triggered when you choose to delete all of the data stored for one or all systems.
Can I check what data was deleted?
When data is deleted, this is logged by the SAP Audit Log service for SAP Business Technology Platform (SAP BTP), since SAP
BTP is where the data collected is stored. You can see what data was deleted by accessing these audit logs.
You can access the audit logs for your subaccount by subscribing to the SAP Audit Log service. You can then view your logs in
the application provided in the SAP BTP cockpit. For more information about using the Audit Log Viewer, see Audit Log Viewer
for the Cloud Foundry Environment in the SAP BTP documentation.
How frequently are data collection settings synchronized with my ERP system?
By default, the settings are synchronized hourly.
If you've changed the frequency for the CRBPA:AUTODISCOVERY background job that takes care of the synchronizing, a
different time period might apply.
For more information about the CRBPA:AUTODISCOVERY job, see ERP Background Jobs for SAP Signavio Process Insights in
the Onboarding section of the Administration Guide .
Why does the status set for Data Collection Status not re ect the current data collection behavior?
This problem occurs if the con guration in your ERP system isn't synchronized with your data collection settings from SAP
The CRBPA:AUTODISCOVERY job takes care of the synchronizing. You can check the date information for the Performance
Indicator Data table to see when settings were last synchronized with your ERP system and when the
CRBPA:AUTODISCOVERY job last ran.
If you've changed the Data Collection Status since the last run, wait for the next run to happen. By default, the job runs hourly. If
you've changed the frequency for this job, a different time period might apply.
For more information about the CRBPA:AUTODISCOVERY job, see ERP Background Jobs for SAP Signavio Process Insights in
the Onboarding section of the Administration Guide .
What data does the Aggregated transaction and report usage (PETST03N01) performance indicator collect?
12/19/2022
This performance indicator collects data about the usage of transactions and reports in your ERP system. The data is used to
determine how relevant an innovation recommendation is for your organization.
For more information about recommendation relevance, see What is recommendation relevance based on? under Innovation
Recommendation Questions in the Frequently Asked Questions for Business Users.
Why is no data being collected for the Aggregated transaction and report usage (PETST03N01) performance
indicator, even though data collection is active?
Data collection for the Aggregated transaction and report usage (PETST03N01) performance indicator can fail because the
corresponding data isn't collected in your ERP system and therefore can't be transferred to SAP Signavio Process Insights.
To check if your ERP system collects data about the transactions and reports that are being used, follow these steps:
1. Start transaction ST03N (Workload Monitor).
2. In Expert Mode go to Workload Total Month and select a month.
3. Check if records are listed in the Workload Overview table.
To check which transactions and reports were used in detail, choose Transaction Pro le Standard in the Analysis
Views menu.
If you've deactivated the collection of usage data in your ERP system, you need to activate it again. For more information, see
Displaying and Changing the Scheduling of Performance Collectors in the help for SAP NetWeaver 7.4, SPS20.
If usage data is collected in your ERP system, but it doesn't reach SAP Signavio Process Insights, contact SAP Support by going
to https://support.sap.com/incident and following the information provided there or creating an incident under the
component BPI-PI.
Security
In this section, you can nd information about security topics relating to SAP Signavio Process Insights. It outlines the security
measures in place as well as any security-related steps that you must take as an administrator.
SAP Signavio Process Insights uses an SAP Business Technology Platform ( SAP BTP) environment for its back end. For more
information about security on SAP BTP, see Security in the SAP BTP documentation.
Related Information
User Administration, Authentication, and Authorizations
Session Security Protection
Network and Communication Security
Data Storage Security
Audit Logging
Data Protection and Privacy
User Administration, Authentication, and Authorizations

SAP Signavio Process Insights uses SAP Business Technology Platform (SAP BTP) mechanisms to authenticate and authorize
users. For more information about identity and access management in SAP BTP environments, see SAP Authorization and Trust
Management Service in the Cloud Foundry Environment in the SAP BTP documentation.
12/19/2022
User Administration
Access to features of the solution is managed using roles. The solution works with either the default identity provider of SAP
BTP or a custom SAML 2.0 identity provider that you control. You must ensure that you’ve done the following, for example:
Con gured your IdP correctly and securely.
Established trust between your IdP and the application in your tenant by exchanging metadata.
If you're using a custom IdP:
Created user groups and assigned users to these user groups in your IdP.
Mapped the user groups from your IdP to the role collections of the application in SAP BTP.
User Roles and Access Rights

The solution uses the concept of role collections to group together different roles that can be applied to application users. A
number of role templates are de ned for the application. These role templates contain role de nitions.
The following list indicates what role templates are available for the application and what each role template allows users to do
in the various system components.
ADMIN Administration area of the application
 Note
This role template allows access to the administration features
only and not to any of the features for business users.
E2E_Process_DTR Data for the Governance end-to-end process
E2E_Process_HTR Data for the Recruit to Retire end-to-end process
E2E_Process_ITM Data for the Idea to Market end-to-end process
E2E_Process_OTC Data for the Lead to Cash end-to-end process
E2E_Process_PLANTP Data for the Plan to Ful ll end-to-end process
E2E_Process_PTP Data for the Source to Pay end-to-end process
E2E_Process_RTR Data for the Finance end-to-end process
E2E_Process_RTS Data for the Acquire to Decommission end-to-end process
LOB_AM Data for the Asset Management line of business
LOB_COMMERCE Data for the Commerce line of business
LOB_FINANCE Data for the Finance line of business
LOB_HR Data for the Human Resources line of business
LOB_MANUF Data for the Manufacturing line of business
LOB_MARKETING Data for the Marketing line of business
LOB_RDE Data for the R&D/Engineering line of business
LOB_SALES Data for the Sales line of business
12/19/2022
LOB_SERVICE Data for the Service line of business
LOB_SOUR_PROC Data for the Sourcing & Procurement line of business
LOB_SUP_CHAIN Data for the Supply Chain line of business
MONETARY_VALUES Data relating to monetary values
PERSONAL_DATA Data considered to be personal data, such as customer, supplier, or

user IDs
DATA_PRIVACY_ADMIN Data Privacy Managment area of the application
 Note
This role template allows access to the data privacy
management area only and not to any of the features for
business users.
The following best practices are recommended for user administration:
Grant users only the minimum level of authorization that is necessary for their work.
Ensure that authorizations are removed as soon as they're no longer needed, for example, if an employee leaves the
company.
For more information about user management, see User Management.
Authentication
Users of SAP Signavio Process Insights are authenticated using SAML 2.0 when a custom SAML 2.0 IdP is used.
For more information about con guring your IdP for SAP Signavio Process Insights, see Con guring Your Identity Provider
Service.
Multifactor Authentication
Multifactor authentication adds an additional layer of protection to user names and passwords in preventing unauthorized
access to sensitive data. For increased security, we recommend that multifactor authentication is enabled for users whenever
it's supported in the IdP.
Authorizations
The authorization concept of the solution is based on roles. Users are assigned one of the available roles. User access
management is in place to determine which roles are assigned to users and ensure users can only execute actions permitted
for their roles.
Session Security Protection

SAP Signavio Process Insights uses mechanisms in the SAP Business Technology Platform, Cloud Foundry environment to
protect session security.
12/19/2022
Network and Communication Security
Communication Channels
All data transmitted to and from components of the solution is protected.
As shown in the gure above, all communication between the following channels uses the HTTPS protocol:
ST-PI and ST-A/PI plug-ins of the ERP system
ST-PI plug-in of the ERP system and the solution's back end in SAP Business Technology Platform (SAP BTP)
Process ows report for end users, running in an SAP BTP environment and the solution's back end in SAP BTP
For information about data storage security, see Data Storage Security.
Data Storage Security

SAP Signavio Process Insights runs in a multitenant environment with a tenant for each customer. Customer data is therefore
stored in separate tenants. The solution also uses mechanisms in the SAP Business Technology Platform (SAP BTP) Cloud
Foundry environment to support data storage security.
Data collected from your ERP system is stored in encrypted form in SAP HANA Cloud running on SAP BTP.
For more information about data storage security in SAP HANA Cloud, see Data Storage Security in the SAP HANA Cloud, SAP
HANA Database Security Guide.
 Note
12/19/2022
The SAP HANA Cloud, SAP HANA database used by SAP Signavio Process Insights isn't accessible to you as a customer. As a
result, you can't connect it to other services or solutions such as the SAP Data Custodian key management service or SAP
Analytics Cloud.
Other security features of the SAP HANA Cloud, SAP HANA database are used by SAP Signavio Process Insights but any
con guration for these features can't be changed by you since this con guration is internal to the SAP Signavio Process
Insights cloud application.
Audit Logging
To prevent potential security issues, the SAP Signavio Process Insights solution logs security-related and other events using the
SAP Audit Log service for SAP Business Technology Platform (SAP BTP), since SAP BTP is where the data collected by
components is stored.
Security Events
The following events are logged as security events:
When a user attempts to access a service they're not authorized for. This is also logged as a security event for the
subaccount.
Attempts to send data to the cloud tenant without a service key token or with an incorrect service key token.
When a managed system is registered or unregistered as a connection using the transaction provided in a managed
system. This includes information about which user triggered the register or deregister event in the managed system,
which system it relates to, and when the event took place.
When data cleanup jobs are run and data is deleted. This happens in the following cases:
When an administrator changes the maximum number of data collection runs to be stored or to ensure the limit
is not exceeded.
When an administrator manually deletes all performance indicator data collected for one or all systems.
The information logged includes any errors during the data cleanup, for which performance indicators the data is
deleted, and what storage limit is set for data collection runs.
When a user triggers a CSV le download for a performance indicator, and when this le is downloaded successfully.
 Note
There are some security events that are logged by features of SAP BTP. These are events relating to account data changes,
which are logins, logouts, and password changes.
Data Access Events
The following events are logged as data access events.
When a user views, downloads, or deletes personal data in the Data Privacy Management area.
The information logged includes the following information:
What elds containing personal data were accessed.
System ID of the connected ERP system for which the data was accessed.
Semantic reference to the data subject elds.
12/19/2022
Con guration Change Events
The solution also logs changes made to tenant preferences. The changes currently logged are changes to the following settings
in the Administration area:
The industry selected.
The storage setting for data collection runs.
Activation status of a performance indicator. The information logged includes the IDs of the performance indicators
activated or deactivated and which user made the change.
You can access the audit logs for your subaccount by subscribing to the SAP Audit Log service. You can then view your logs in
the application provided in the SAP BTP cockpit. For more information about using the Audit Log Viewer, see Audit Log Viewer
for the Cloud Foundry Environment in the SAP BTP documentation.
Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general
data protection and privacy acts, it is necessary to consider compliance with industry-speci c legislation in different countries.
SAP provides speci c features and functions to support compliance with regard to relevant legal requirements, including data
protection. SAP does not give any advice on whether these features and functions are the best method to support company,
industry, regional, or country-speci c requirements. Furthermore, this information should not be taken as advice or a
recommendation regarding additional features that would be required in speci c IT environments. Decisions related to data
protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal
requirements.
 Note
SAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security
features and speci c data protection-relevant functions. In many cases, compliance with applicable data protection and
privacy laws will not be covered by a product feature. De nitions and other terms used in this document are not taken from a
particular legal source.
 Caution
The extent to which data protection is supported by technical means depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic
technical requirements for compliance with data privacy legislation and other legislation.
For general information about data protection and privacy in SAP Business Technology Platform (SAP BTP) environments, see
the SAP BTP documentation under Data Protection and Privacy.
Related Information
Personal Data
Retrieval of Personal Data
Deletion of Personal Data
Glossary for Data Protection and Privacy
Personal Data
12/19/2022
SAP Signavio Process Insights doesn't process any sensitive personal data. However, it does process or collect personal data.
User Data
The solution receives the rst name and last name of your users on demand from the identity provider for which trust has been
established in your subscription account. This identity provider is one that you choose and in which you manage and store your
user data. The solution derives each user's initials based on this user information. It doesn't store this data but uses it only to
display the name and initials on the user interface.
If your organization is using the default identity provider (SAP ID Service) for SAP Business Technology Platform (SAP BTP) and
creates shadow users in your SAP BTP subaccount, see also Data Protection and Privacy in the SAP BTP documentation.
Process Data
The SAP Signavio Process Insights solution can potentially store and process personal data, such as customer, supplier, and
user identi ers collected for some performance indicators that it receives from your ERP system. SAP therefore acts as the
data processor. The solution displays the data in detail lists to allow users to analyze and lter performance data based on
customers and suppliers.
For information about excluding elds that contain monetary or user information from the data collected and sent to your SAP
Signavio Process Insights tenant, see Excluding Monetary and User Information from Data Collection.
To provide insights on your organization's benchmarking performance compared to industry peers, the solution also extracts
process data to create benchmarks that can be used to extend the basis for benchmarking data. However, no personal data is
extracted for the purposes of benchmarking. The benchmarks that are created are aggregated so that speci c companies or
attributes about companies can't be identi ed.
For more information about how benchmarking data is handled, see Data Protection and Privacy Questions.
Retrieval of Personal Data
User Data
To nd out what personal data is stored for a user, you use the features of the identity provider you're using with the solution to
retrieve this data, since this is where this data is stored and maintained. User data is not stored in the solution. The solution
simply displays the name and initials of the users received from the identity provider on the user interface.
Process Data
To retrieve the personal data stored for a customer, supplier, or user in your process data in SAP Signavio Process Insights, you
can use the search and download feature of the Data Privacy Management area. Access to this area is restricted to authorized
users only, who must be assigned a role collection with the DATA_PRIVACY_ADMIN role for these features.
For information about how to assign roles to a user, see User Management.
As an authorized user with the DATA_PRIVACY_ADMIN role, you can retrieve and download records with personal data as
follows:
1. Open SAP Signavio Process Insights.
12/19/2022
2. In the Data Privacy Management area, select the system and client combination for which you want to nd data and the
type of ID (customer, supplier, user, CRM partner, or utilities invoicing party) that you want to search for.
3. Enter the relevant identi er from your ERP system and choose Find Data.
If data is stored for this identi er, a list of all performance indicators that contain records with this identi er is shown
along with the number of occurrences found.
4. You can use the download option to then download the data for individual performance indicators.
Deletion of Personal Data
User Data
If a user would like the personal user data processed by the solution to be deleted, they won't be able to continue to use the
solution. This personal data would need to be deleted from the identity provider that you're using with the solution. The solution
needs to receive this data for user management, so once deleted from the identity provider you use, the user can no longer
access the solution. No personal user data is stored in the solution.
Process Data
To delete the personal data stored for a customer, supplier, or user in your process data in SAP Signavio Process Insights, you
can use the deletion feature of the Data Privacy Management area. Access to this area is restricted to authorized users only,
who must be assigned a role collection with the DATA_PRIVACY_ADMIN role for these features.
For information about how to assign roles to a user, see User Management.
As an authorized user with the DATA_PRIVACY_ADMIN role, you can delete elds that contain personal data (identi ers) as
follows:
1. Open SAP Signavio Process Insights.
2. In the Data Privacy Management area, select the system and client combination for which you want to nd data and the
type of ID (customer, supplier, user, CRM partner, or utilities invoicing party) that you want to search for.
3. Enter the relevant identi er from your ERP system and choose Find Data.
If data is stored for this identi er, a list of all performance indicators that contain records with this identi er is shown
along with the number of occurrences found.
4. Choose Delete ID to delete the identi ers from these records in the data for your selected system and client.
 Note
The ID is deleted only from the SAP Signavio Process Insights solution and not from the data in your ERP system from
which the data was transferred. If the ID you've deleted isn't deleted from your ERP system, it will be sent to SAP
Signavio Process Insights again with the next data collection run.
Glossary for Data Protection and Privacy

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.
12/19/2022
Term De nition
Blocking A method of restricting access to data for which the primary

business purpose has ended.
Business Purpose The legal, contractual, or in other form justi ed reason for the
processing of personal data to complete an end-to-end business
process. The personal data used to complete the process is
prede ned in a purpose, which is de ned by the data controller.
The process must be de ned before the personal data required to
ful ll the purpose can be determined.
Consent The action of the data subject con rming that the usage of his or
her personal data shall be allowed for a given purpose. A consent
functionality allows the storage of a consent record in relation to a
speci c purpose and shows if a data subject has granted,
withdrawn, or denied consent.
Data Subject Any information relating to an identi ed or identi able natural

person ("data subject"). An identi able natural person is one who
can be identi ed, directly or indirectly, in particular by reference to
an identi er such as a name, an identi cation number, location
data, an online identi er, or to one or more factors speci c to the
physical, physiological, genetic, mental, economic, cultural, or
social identity of that natural person.
Deletion Deletion of personal data so that the data is no longer available.
End of Business De nes the end of active business and the start of residence time
and retention period.
End of Purpose (EoP) The point in time when the processing of a set of personal data is
no longer required for the primary business purpose, for example,
when a contract is ful lled. After the EoP has been reached, the
data is blocked and can only be accessed by users with special
authorizations (for example, tax auditors).
End of Purpose (EoP) Check A method of identifying the point in time for a data set when the
processing of personal data is no longer required for the primary
business purpose. After the EoP has been reached, the data is
blocked and can only be accessed by users with special
authorization, for example, tax auditors.
Personal Data Any information relating to an identi ed or identi able natural

person ("data subject"). An identi able natural person is one who
can be identi ed, directly or indirectly, in particular by reference to
an identi er such as a name, an identi cation number, location
data, an online identi er, or to one or more factors speci c to the
physical, physiological, genetic, mental, economic, cultural, or
social identity of that natural person.
Purpose The information that speci es the reason and the goal for the
processing of a speci c set of personal data. As a rule, the purpose
references the relevant legal basis for the processing of personal
data.
Residence Period The period of time between the end of business and the end of
purpose (EoP) for a data set during which the data remains in the
database and can be used in case of subsequent processes
related to the original purpose. At the end of the longest con gured
residence period, the data is blocked or deleted. The residence
period is part of the overall retention period.
12/19/2022
Term De nition
Retention Period The period of time between the end of the last business activity
involving a speci c object (for example, a business partner) and
the deletion of the corresponding data, subject to applicable laws.
The retention period is a combination of the residence period and
the blocking period.
Sensitive Personal Data A category of personal data that usually includes the following type
of information:
Special categories of personal data, such as data revealing

racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic
data, biometric data, data concerning health or sex life or
sexual orientation.
Personal data subject to professional secrecy
Personal data relating to criminal or administrative offenses
Personal data concerning insurances and bank or credit

card accounts
Troubleshooting
Get help resolving and analyzing issues with SAP Signavio Process Insights.
 Note
If any problems or errors occur, you must ensure that the system is con gured correctly according to the information
presented in this guide. If problems persist, you can contact SAP Product Support by visiting
https://support.sap.com/en/my-support/product-support.html and following the information provided there, or creating
an incident under the component BPI-PI.
Related Information
Account Setup and User Management in SAP BTP
Data Collection
SAP Signavio Process Insights Application
Account Setup and User Management in SAP BTP

Get help resolving issues that occur in SAP BTP while preparing your cloud tenant for SAP Signavio Process Insights and setting
up user access to the solution.
Related Information
Issues While Running the SAP Signavio Process Insights Booster
Manually Creating a Service Instance for the API Service
Issues with User Management
12/19/2022
Issues While Running the SAP Signavio Process Insights Booster

Get help resolving speci c issues while running the Prepare an Account for SAP Signavio Process Insights booster in the SAP
BTP cockpit.
Service instance creation fail
Symptom Service instance creation fails.
Root cause Currently unknown
Suggested action Create the service instance manually. See Manually Creating a Service Instance for the API Service.
Role collection creation fails
Symptom Creation of role collections fails.
Suggested action Delete the service key, service instance, subscription, and subaccount (in that order) and run the
booster again.
Assignment of role collections fails
Symptom Assignment of role collections fails.
Suggested action Check that the role collections SAP Signavio Process Insights Administrator and SAP Signavio Process
Insights User have in fact not be assigned to users and assign if necessary. See also User
Management.
Related Information
Manually Creating a Service Instance for the API Service

If service instance creation fails when you run the Prepare an Account for SAP Signavio Process Insights booster in the SAP BTP
cockpit, you need to create your service instance manually. This involves creating a service instance for the SAP Signavio
Process Insights API service and a service key to allow your managed system to communicate with the back end of the solution.
The service instance for the API service provides a secure way of creating the credentials required to allow the SAP Signavio
Process Insights API receiving data to securely identify requests coming from your managed system. You set up a service
instance for the SAP Signavio Process Insights API service for this purpose and you use this service instance to create a service
key.
The service key contains the following parameters required to connect your managed system to the SAP Signavio Process
Insights API service instance:
12/19/2022
Prerequisites
You have the Administrator and Org Manager roles in your global account.
You can verify that you have this authorization in the SAP BTP cockpit by navigating to the global account that contains
your SAP Signavio Process Insights entitlement and choosing Members. If you don't have this role, the global account
administrator can assign it to you as outlined in Add Members to Your Global Account.
The subaccount in which you want to create the service instance has already been created and meets the following
prerequisites:
Cloud Foundry has been enabled and a Cloud Foundry Runtime environment instance exists.
A space in which to create the service instance exists.
A subscription to the SAP Signavio Process Insights application exists.
To create the service instance in your subaccount, you complete the following tasks:
1. Creating a Service Instance
2. Creating a Service Key
Creating a Service Instance

Create a service instance for the SAP Signavio Process Insights API service in the space created for your subaccount.
Procedure
1. Navigate to your subaccount and choose Instances and Subscriptions.
2. Create a service instance by choosing Create and con rming or entering the following details:
Service: SAP Signavio Process Insights
Plan: standard
Runtime Environment: Cloud Foundry
Space: Space in your subaccount
Instance Name: Name for your instance
12/19/2022
3. Choose Create.
Results
Once the instance has been created, it appears in your subaccount.
Creating a Service Key

Create a service key for the service instance you created in the space for your subaccount.
Context
Once you've created a service instance in the space in your subaccount that contains your SAP Signavio Process Insights
subscription, you're ready to create the service key for that service instance in the SAP BTP cockpit.
The service key is what allows you to con gure your managed system so that it can connect to the SAP Signavio Process
Insights API service instance.
Procedure
12/19/2022
1. For the service instance you created, choose  (Actions) and select Create Service Key.
2. Enter a name for your service key and choose Create.
3. Next to the service key you've created, choose  (Actions) and select View.
4. You can now see your service key in JSON format.
The service key contains the following parameters required to connect your managed system to the SAP Signavio
Process Insights API service instance:
 Caution
Outside of the SAP BTP cockpit, service keys must be stored securely since it's the key that allows data to be sent to
your tenant. If you need a service key, create the service key directly in the SAP BTP cockpit, and access it from there
whenever you need it.
You later need the details of this service key to set up the connection between the HTTP destination service of your
managed system and SAP Signavio Process Insights.
For information about setting up the connection, see Setting Up a Data Connection.

Get help resolving issues related to user management in SAP BTP.
Users can't be authenticated by external identity provider
Symptom Users report seeing the following error when trying to log on to SAP Signavio Process Insights:
There was an error when authenticating against the external identity provider. The user account
must be precreated. Please contact your system administrator.
Root cause Your organization is using the default identity provider of SAP BTP (SAP ID service) but the required
shadow user hasn't yet been created in the subaccount prepared for SAP Signavio Process Insights.
12/19/2022
Suggested action Create the required user. For more information, see Create Users.
 Note
If your organization is using SAP ID service as the identity provider and users have an SAP
Universal ID, it's possible that the email addresses for SAP Universal ID and SAP ID service aren't
the same. In this case, it's the email associated with their SAP ID service that users must enter in
the SAP BTP cockpit ( Security Users ).
Users are not authorized to see data in the application
Symptom Users report seeing the following authorization error when they log on, typically for the rst time:
No authorization for reports
Sorry, it looks like you’re not authorized to access these reports.
Root cause The most likely reason for this is that your users haven't yet been assigned the required authorizations
in SAP Business Technology Platform (SAP BTP).
The problem can also occur if your custom identity provider, such as Microsoft Azure Active Directory
is sending incorrect user groups or too many user groups to SAP BTP.
Suggested action The action you need to take depends on the identity provider your organization is using:
Default identity provider:
If your organization is using the default identity provider of SAP BTP (SAP ID service), ensure
the user is created as a shadow user and that the role collections are assigned to this user. See
the following sections in the SAP BTP documentation:
Create Users
Assign Users to Role Collections
Custom identity provider:
If you're using a custom identity provider, such as SAP Cloud Identity Services - Identity
Authentication or another third-party SAML 2.0 identity provider, ensure the following:
If you're using user groups, ensure the user group de ned in your identity provider is
assigned to the role collection in SAP BTP. See the following section in the SAP BTP
documentation:
Assign User Groups to Role Collections
If you're not using user groups, ensure the user is created as a shadow user and that
the role collections are assigned to this user. See the following sections in the SAP BTP
12/19/2022
documentation:
Create Users
If your organization is using Microsoft Azure Active Directory (Azure AD) as a custom
identity provider, you've probably integrated Microsoft Azure AD with the SAP BTP,
Cloud Foundry environment as outlined in this Integrate Microsoft Azure AD with SAP
BTP, Cloud Foundry environment tutorial, for example.
If users are still not authorized to access data, the problem could be that the number
of user groups being sent in the SAML access token is too large and the information is
truncated. You can try reducing the number of tokens sent by selecting Groups
assigned to the application when you con gure the Groups attribute for the
application you created to use with your subaccount for SAP Signavio Process Insights.
If the number of user groups associated with the Security groups setting isn't too
large, this set of user groups might also be small enough. What works for you depends
on how many user groups are de ned in your identity provider.
Users can't log on to the application
Symptom User can't log on to SAP Signavio Process Insights even though the user is correctly con gured in SAP
BTP.
Root cause Your organization is using the default identity provider of SAP BTP (SAP ID service) but the user's S- or
P-user isn't yet linked to their SAP Universal ID.
Suggested action Instruct the user to link their S- or P-user to their SAP Universal ID at
https://account.sap.com/core/create/login-linking .
Data Collection
Get help resolving and analyzing issues related to setting up data collection in managed systems.
Related Information
Issues with Data Collection
Analyzing Failed Data Collection
Data Connection and Collection Checks
12/19/2022

Get help resolving speci c issues related to setting up the connection between your ERP system and your cloud tenant for SAP
SAP Cloud ALM certi cate not trusted
Symptom You're setting up the data connection between your ERP system and your cloud tenant as outlined in
Setting Up a Data Connection and you get the following message when you've nished con guring your
settings and you try to register your system or check the connection:
ICM_HTTP_SSL_PEER_CERT_UNTRUSTED
Root cause This problem occurs if the SAP Cloud ALM certi cate hasn't been imported into your SAP ECC or SAP
S/4HANA system using transaction STRUST (Trust Con guration).
Suggested action Import the required certi cate to ensure it's trusted. See Installing the Required Certi cate.
Missing or incorrect proxy con guration
Symptom You're setting up the data connection between your ERP system and your cloud tenant as outlined in Setting Up a Data C
get one of the following messages when you've nished con guring your settings and you try to register your system or
<subdomain>.authentication.<region ID>.hana.ondemand.com:443 Failed: NIECONIL REFUS
Connect to <subdomain>.authentication.<region ID>.hana.ondemand.com 443 failed: NIE

OTR-Based Exception of Class: /SDF/CX CALM CONNECTOR
Root cause This problem can occur if your organization is using a proxy but a proxy host and port weren't speci ed (or were incorre
connection between your ERP system and your cloud tenant when the connection was set up using transaction /SDF/AL
integration with SAP Cloud ALM). You can get this information from your organization's IT department or specialist.
Suggested action To add the missing information, proceed as follows:
1. In your ERP system, call transaction /SDF/ALM_SETUP.
2. In the Target ALM Destination eld, select the HTTP destination that was set up to connect your ERP system to
3. Choose Update Destination to maintain your HTTP destination.
4. Enter your proxy host and proxy port into the Proxy Host and Proxy Port elds.
You also need to update the proxy information manually in transaction SM59 (Con guration of RFC Connections) as fo
1. In your ERP system, call transaction SM59.
2. Expand the node for HTTP Connections to External Server and locate the RFC destination that was set up for y
(ZSDF_ <target ALM description defined using transaction /SDF/ALM_SETUP>).
3. Open the details for the RFC destination. On the Technical Settings tab, check the information under HTTP Prox
4. If your proxy host and proxy port are missing from the Proxy Host and Proxy Service elds, edit the RFC conne
missing information.
 Note
If your proxy uses authentication, ensure you've installed the latest version of the following SAP Notes depending on y
ST-PI 7.40 SP20 3240966
12/19/2022
ST-PI 7.40 SP18 3196078

and SP19
ST-PI 7.40 SP17 3133333
ST-PI 7.40 SP16 3104662
This is required to ensure that proxies with authentication are supported by SAP Cloud ALM, the framework used to co
managed ERP system to the cloud tenant.
Outbound connection blocked
SSL handshake with bpi-pia-core-api.cfapps.<region ID>.hana.ondemand.com:443 failed

OTR-Based Exception of Class: /SDF/CX CALM CONNECTOR
SSL handshake with bpi-pia-core-api.cfapps.<region ID>.hana.ondemand.com failed: SS
Root cause This problem occurs when outbound connection from your managed system isn't permitted. The managed system can't
Suggested action Ensure that your network settings permit outbound communication. See Con guring Your Network Settings.
SNI not enabled for client connections
Setting Up a Data Connection and you get the following message when you call transaction
/SDF/ALM_SETUP (Set up integration with SAP Cloud ALM):
Profile parameter icm/HT TPS/ dient_sni_enabled not set to TRUE
Root cause This problem occurs if you haven't set the pro le parameter icm/HTTPS/client_sni_enabled to
TRUE in your managed ERP system.
Suggested action Check the value of the parameter using transaction RZ11 (Edit Pro le Parameters) and change it
using transaction RZ10 by selecting the relevant pro le and changing the value from FALSE to TRUE.
Empty pre x path of SM59 destination
Setting Up a Data Connection and you get the following exception when you've nished con guring your
settings and you try to register your system or check the connection:
OAuth access_token not found in Destination: SAP Cloud ALM (HTTP/1.1 302 Found)
OTR-Based Exception of Class: /SDF/CX_CALM_CONNECTOR
Root cause There is no pre x path entered for the HTTP destination that was generated after you set up your
connection with transaction /SDF/ALMSETUP (Setup integration with SAP Cloud ALM).
Suggested action 1. In your ERP system, call transaction SM59 (Con guration of RFC Connections).
2. Expand the node for HTTP Connections to External Server (connection type G) and locate the
RFC destination that was set up for your cloud tenant: ZSDF_ <target ALM description
defined using transaction /SDF/ALM_SETUP>.
12/19/2022
3. Open the RFC connection for editing and under Technical Settings, enter the path pre x
/oauth/token.
4. Under Logon & Security, re-enter the password for basic authentication.
Re-entering the password is necessary after a manual change of an RFC destination using SM39.
The password is the client secret of the service key of your SAP Signavio Process Insights service
instance. For more information, see Getting Your Service Key Details.
RFC destination unauthorized
Symptom You're setting up the data connection between your ERP system and your cloud tenant as outlined in Setting Up a Data
Connection and you get the following error when you've nished con guring your settings:
OAuth access_token not found from Destination: <destination name> (HTTP/1.1 401 Unauthori
When you then try to test your connection in transaction SM59 (Con guration of RFC Connections), you're prompted t
enter logon data (user name and password).
Root cause This problem can occur if there's an issue with the Process Insights API service. This shouldn't happen and needs to b
addressed using the available support channels.
Suggested action Create an incident (component BPI-PI) using the SAP ONE Support Launchpad
Network infrastructure overwrites ERP certi cates
SSL handshake with bpi-pia-core-api.cfapps.<region ID>.hana.ondemand.com:443 failed: SSS

Root cause During the SSL/TLS handshake process, your network infrastructure overwrites the certi cate sent by your ERP system
Suggested action Provide your network administrator with the list of permitted URLs (see Con guring Your Network Settings) and request
Issues with Data Collection

Get help resolving speci c issues related to the data collection in your ERP system before the data is sent to your cloud tenant
for SAP Signavio Process Insights.
CRBPA:AUTODISCOVERY job takes long time to run
Symptom You've set up the data connection between your ERP system and your cloud tenant as outlined in
Setting Up a Data Connection. The data is being collected and sent to your cloud tenant.
However, the CRBPA:AUTODISCOVERY job is taking too long to run, sometimes even up to an hour or
more. This job typically runs for some minutes. You can check the duration for this job using
transaction SM37 (Overview of job selection).
Root cause This problem can occur in some cases when an older version of ST-PI 7.40 is installed. The latest
version is always recommended.
Suggested action Stopping these background jobs can have a negative impact on data collected in data collection runs.
So, it's best to let the jobs complete.
To resolve the issue, install the latest version of ST-PI 7.40, or at minimum, ST-PI 7.40 SP18. For more
information, see Installing ST-PI and ST-A/PI Plug-Ins.
12/19/2022
For more information about the background jobs that run, see ERP Background Jobs for SAP Signavio
Process Insights.

Get help nding the root cause of why data collection has failed or cannot run.
Known Reasons for Failed Data Collection

If you've set up the data connection between your ERP system and your cloud tenant correctly and an LMS ID has been
retrieved and displayed successfully, table /SDF/DCCLOGHDR still may indicate that no data was collected. The following are
known reasons that can cause data collection to fail or prevent it from running:
Data collection can fail if the latest correction notes for ST-PI and ST-A/PI haven't been implemented as outlined under
Data collection can also fail if authorizations are missing or if the relevant role pro les aren't generated that allow
communication with the cloud tenant. Ensure that the required roles are assigned (see Setting Up a Data Connection)
and that the role pro les are generated in transaction PFCG for role maintenance. You need to generate role pro les if
they've been adjusted, for example.
Data collection can sometimes fail to start although the connection was set up successfully. When you check for errors in
table /SDF/V_DCCLOG as outlined under Checking for Errors in Data Collection Runs, no errors are logged.
This can be resolved by resetting the user buffer for the background user that was used to set up the data connection as
outlined in Setting Up a Data Connection. You can do this as follows:
1. Call transaction SU56.
2. Ensure the user authorizations are displayed for the background user. If required, choose Display for different
user/authorization object in the toolbar.
3. Choose Authorization Values Reset User Buffer in the menu.
Investigating Failed Data Collection

If issues of unknown cause appear to be preventing data from reaching the cloud tenant, you can analyze the situation in your
ERP system as follows:
Check that the required ST-PI and ST-A/PI SPs have been installed and all relevant correction notes have been applied.
See Installing ST-PI and ST-A/PI Plug-Ins.
Check that the background user set up in the ERP system to transfer the data has the correct roles and authorizations.
See Setting Up a Data Connection.
Use transaction /SDF/ALM_SETUP to check that the connection to the cloud tenant is set up correctly. See Checking
the Connection to Cloud Tenant and ensure that an LMS ID is retrieved and displayed.
Check table /SDF/DCKPICFG to con rm that data con guration is set up, and to see what data is collected, how often
data collection is scheduled to run, and when your data collection con guration information was last retrieved. See
Checking the Data Collection Con guration.
Check table /SDF/DCCLOGHDR to see what data was collected when and cross-check this with the information in table
/SDF/DCPARAMCFG. This lets you verify if this matches the reference periods for data collection. Also cross-check the
information using transaction ST13 to verify the number of records returned. See Checking Details for Data Collection
Runs.
Use transaction SM37 to look at the job overview for jobs associated with the technical user used to run
/SDF/ALM_SETUP. Check to see if any jobs were aborted. Aborted jobs could be a reason why data doesn't reach the
cloud tenant.
12/19/2022
Related Information
Issues While Using the SAP Signavio Process Insights Application
Data Connection and Collection Checks

The following checks can help when troubleshooting issues with data collection.
Related Information
Checking the Connection to Cloud Tenant
Checking the Data Collection Con guration
Checking Details for Data Collection Runs
Checking for Errors in Data Collection Runs
Checking the Connection to Cloud Tenant

Get an overview of how to check the RFC connection to your cloud tenant.
Context
You've set up the data connection between your ERP system and your cloud tenant but need to troubleshoot the connection
and check that no information is missing.
Procedure
1. In your ERP system, call transaction /n/SDF/ALM_SETUP.
2. In the Target ALM Destination eld, select the destination that was set up to connect to your cloud tenant.
3. Under Maintain HTTP destination, choose Create/Update destination and check that the following elds are all
maintained correctly:
Token Endpoint
Client ID
Secret
Proxy Host and Proxy Port (must be maintained if your organization uses a proxy)
Root URL
For information about maintaining these elds, see the steps in Setting Up a Data Connection.
4. Under Enter background user and register system, check that the following elds are maintained correctly and the
expected information is shown:
Ensure Background User is maintained correctly and that this user has the following authorizations:
PFCG role SAP_SDF_ALM_METRIC_PUSH_FND
PFCG role SAP_SDF_ALM_METRIC_PUSH_BPMON
PFCG role SAP_MANAGED_BPOANA_ALL
Authorization object M_MTDI_ORG (Organizational Levels for Material Requirements Planning),

authorization for activity category L MRP (MRP list, individual display).
Ensure the status System registered at target ALM is shown.
12/19/2022
Ensure an LMS ID is shown (displayed automatically when the connection is set up successfully).
For information about maintaining these elds, see the steps in Setting Up a Data Connection.
5. Under Choose use cases to be collected, choose Activate use cases and ensure that the entry for Business Process
Monitoring is selected.
Checking the Data Collection Con guration

Get an overview of how to check the prede ned con guration parameters for data collection.
Context
You've set up the data connection between your ERP system and your cloud tenant and want to understand at what intervals
data is collected for process performance indicators. In table /SDF/DCKPICFG in your ERP system, you check what data is
collected, the frequency of data collection, and when the data collection con guration was last retrieved.
Procedure
1. In your ERP system, call transaction SE16.
2. Enter /SDF/DCKPICFG as the table name and choose Enter.
3. In the CALM_ID eld, enter the name of the Target ALM Destination that was previously set up in transaction
/SDF/ALM_SETUP and choose Execute.
4. Examine the entries in the KEYFIGURE_ID column. These entries indicate for which performance indicators the data
collection is currently con gured.
This information helps you understand for what performance indicators you can expect data to be collected.
5. Examine the time indicated in the COLL_PERIOD column. For each performance indicator listed in the KEYFIGURE_ID
column, the COLL_PERIOD value indicates in minutes the time that elapses between data collection runs.
This information helps you understand how often data collection is scheduled. Used with the information about when
data was last retrieved as outlined in Checking Details for Data Collection Runs, it helps you understand when the next
data collection is scheduled to run.
 Tip
For performance indicators for process ows, data is currently collected at intervals of 1 week (10,080 minutes). For
other performance indicators, the frequency of data collection depends on the performance indicator. The data is
collected at intervals of 1 day (1,440 minutes), 1 week (10,080 minutes), or 30 days (43,200 minutes).
6. Examine the time indicated in the CONFIG_VER column. This time indicates when the con guration information was last
retrieved. For example, 20210701095030 indicates July 1, 2021 at 09:50:30.
This information can help you identify if there has been an issue retrieving a new version of the con guration
information.
Next Steps
If there is missing data or missing entries in the table /SDF/DCKPICFG, unregister the ERP system and register it again. See
Setting Up Data Collection in Managed Systems.
Checking Details for Data Collection Runs

Get an overview of how to check when data was collected and how many data records were collected.
12/19/2022
Context
You've set up the data connection between your ERP system and your cloud tenant and want to check when data was collected
for performance indicators.
In table /SDF/DCCLOGHDR in your ERP system, you can nd out for which performance indicators data was collected, when
collection started and completed, and how many records were retrieved.
Procedure
2. Enter /SDF/DCCLOGHDR as the table name and choose Enter.
/n/SDF/ALM_SETUP and choose Execute.
4. Examine the entries in the following columns to understand more about your data collection:
Table Column * Description Use
KEYFIGURE_ID Indicates for which performance indicators the To understand whether data was collected for speci c
data collection has run. performance indicators.
START_TSTMP Indicates when data collection last started and To understand if data was collected successfully for a
and END_TSTMP completed for the performance indicators in the performance indicator based on the prede ned
KEYFIGURE_ID column. reference periods con gured.
ROW_COUNT Indicates how many records were returned. To understand what entries you can expect to see in
your detail list.
 Note
* If you see different column names in your system, call transaction SE11 and display the table details there to
understand the eld names.
5. Using transaction SE16 again, display table /SDF/DCPARAMCFG to cross-check the reference periods de ned there for
performance indicators.
Examine the entries in the following columns to understand more about your data collection:
This table contains con guration information with the names of the parameters retrieved and reference period for which
the data is collected.
Table Column Description Use
KEYFIGURE_ID Indicates the ID of the performance To understand to which performance

indicator for which data is collected. indicators the reference dates refer.
PARAM_NAME Indicates the parameter to which the To understand which parameter is used
selection options are applied. as the reference for the data retrieval.
SELOPT_LOW Indicates the earliest day relative to the To understand the start day of the data
current day for which the data is collection.
collected for the speci ed performance
indicator.
SELOPT_HIGH Indicates the latest day relative to the To understand the last day of the data
current day for which the data is collection.
collected for the speci ed performance
indicator.
12/19/2022
6. Now, call transaction ST13 to cross-check whether the number of records returned is correct.
a. Enter TBI_REPORTS as the tool name and choose Execute.
b. In the Monitoring Object eld, enter the name of the performance indicator that you want to check, such as
KPPURCH261, and choose Go To.
c. Under Document Date, enter the earliest and latest data collection dates for the performance indicators as
indicated previously in table /SDF/DCPARAMCFG, such as -42 and -1, and choose Execute.
The results show how many records are found for each performance indicator based on the reference period you
entered. This number should match the value previously displayed in the ROW_COUNT column of the
/SDF/DCCLOGHDR table. You can display the detail list for a performance indicator by double-clicking it.
Checking for Errors in Data Collection Runs

Understand how to check what errors caused data collection to fail for performance indicators.
Context
Users have reported that they can see an error indicator for a process ow or standard performance indicator that shows that
one or more data collections have failed.
In table /SDF/V_DCCLOG in your ERP system, you can nd out what errors occurred during data collection for performance
indicators.
Procedure
2. Enter /SDF/V_DCCLOG as the table name and choose Enter.
/n/SDF/ALM_SETUP and choose Execute.
4. In the MESSAGE_TYPE column, choose the context menu and set a lter for message type E to lter for error messages
only.
5. Optional: In the KEYFIGURE_ID column, lter for any particular performance indicators you want to examine.
6. Examine the information in the MESSAGE column to understand what errors have occurred.
Related Information
Common Errors Logged for Data Collection Runs
Common Errors Logged for Data Collection Runs

This table lists common error messages in table /SDF/V_DCCLOG and what you can do to solve these errors.
Common Errors in /SDF/V_DCCLOG
Message Text Message Type What to Do
A previous DC Controller is still running for Information No action required. The data collection
CALM ID <ID>- this instance will not be controller will automatically start again
started. later.
12/19/2022
Maximum parallel degree <PARAMETER Information No action required. The problem usually
ID>=<MAXIMUM PARALLEL DEGREE> has resolves itself when the scheduled data
been reached. collection next starts.
Wait for running data collection tasks to

nish before starting new task.
No authorization. Error Call transaction SU53 and check if you're

authorized for authorization object
/SDF/E2E with activity 03.
If you're not authorized, contact your

system administrator.
No result was returned for KPI. Information No action required. The message indicates
that the value for this process performance
indicator is zero.
The value zero could indicate that this

process performance indicator isn't
relevant in your business context.
RFC resource failure (see note 99284). Information See SAP Note 99284 .
Unknown error when trying to start new data Error Check if you've implemented the required
collector task. SAP Notes for your current ST-PI or ST-A/PI
plug-in version. For more information, see
If problems persist, you can contact SAP

Support by going to
https://support.sap.com/incident and
following the information provided there or
creating an incident under the component
BPI-PI.
HTTP 500 (Internal Server Error): Timeout Error If data collection runs simultaneously for
while waiting for lock on entity <Entity ID>. multiple process performance indicators,
these runs can potentially block each other
and cause a deadlock. The problem usually
resolves itself when the scheduled data
collection next starts.

Support by going to
BPI-PI.
12/19/2022
Data collection for <PPI ID> aborted. Abort Check transaction ST22 for related dumps.
Possible causes: Runtime error of the data
collector or TIME_OUT. Check if you've implemented the required
SAP Notes for your current ST-PI or ST-A/PI
plug-in version. For more information, see

Support by going to
BPI-PI.
If you open an incident, SAP may be able to

resolve the issue by adjusting the
con guration for the data collection for that
performance indicator. This could involve
reducing the period for which the data's
collected or running data collection in batch
mode, for example.
Cannot create HTTP client: No authorization Error Call transaction SU53 and check if you're
for destination <Destination ID>. authorized for authorization object S_ICF.
If you're not authorized, contact your
system administrator.
SAP Signavio Process Insights Application

Get help resolving issues with the SAP Signavio Process Insights application.
Related Information
Application Con guration Issues
Issues While Using the SAP Signavio Process Insights Application
Application Con guration Issues

Get help resolving issues with application con guration settings.
Checking Usage Data Collection

Data collection for Aggregated transaction and report usage (PETST03N01) is active but no data is coming in
Symptom Data Collection Status for Aggregated transaction and report usage (PETST03N01) is set to Active
but no data is coming in.
As a consequence, business users can't see Relevance information for innovation recommendations.
Root cause Data collection for Aggregated transaction and report usage (PETST03N01) can fail because the
corresponding data isn't collected in your ERP system.
Suggested action Check if your ERP system collects information about the transactions and reports that are being used.
12/19/2022
1. Start transaction ST03N (Workload Monitor).
2. In Expert Mode go to Workload Total Month and select a month.
3. Check if records are listed in the Workload Overview table.
To check which transactions and reports were used in detail, choose Transaction Pro le
Standard in the Analysis Views menu.
If your ERP system isn't collecting usage data yet, activate data collection.
If usage data is collected in your ERP system, but it doesn't reach SAP Signavio Process Insights,
contact SAP Support by going to https://support.sap.com/incident and following the information
provided there or creating an incident under the component BPI-PI.
Issues While Using the SAP Signavio Process Insights

Application
Get help resolving speci c issues users experience using the SAP Signavio Process Insights application.
User Authentication and Authorization

No user account in SAP BTP
Symptom Users report seeing the following error when trying to log on to SAP Signavio Process Insights:
There was an error when authenticating against the external identity provider. The user account
must be precreated. Please contact your system administrator.
Root cause Your organization is using the default identity provider of SAP BTP (SAP ID service) but the required
shadow user hasn't yet been created in the subaccount prepared for SAP Signavio Process Insights.
Suggested action Create the required user. For more information, see Create Users.
 Note
If your organization is using SAP ID service as the identity provider and users have an SAP
Universal ID, it's possible that the email addresses for SAP Universal ID and SAP ID service aren't
the same. In this case, it's the email associated with their SAP ID service that users must enter in
the SAP BTP cockpit ( Security Users ).
Symptom Users report seeing the following authorization error when they log on, typically for the rst time:
12/19/2022
Sorry, it looks like you’re not authorized to access these reports.
Root cause The most likely reason for this is that your users haven't yet been assigned the required authorizations
in SAP Business Technology Platform (SAP BTP).
The problem can also occur if your custom identity provider, such as Microsoft Azure Active Directory
is sending incorrect user groups or too many user groups to SAP BTP.
Suggested action The action you need to take depends on the identity provider your organization is using:
Default identity provider:
If your organization is using the default identity provider of SAP BTP (SAP ID service), ensure
the user is created as a shadow user and that the role collections are assigned to this user. See
the following sections in the SAP BTP documentation:
Create Users
Custom identity provider:
If you're using a custom identity provider, such as SAP Cloud Identity Services - Identity
Authentication or another third-party SAML 2.0 identity provider, ensure the following:
If you're using user groups, ensure the user group de ned in your identity provider is
assigned to the role collection in SAP BTP. See the following section in the SAP BTP
documentation:
Assign User Groups to Role Collections
If you're not using user groups, ensure the user is created as a shadow user and that
the role collections are assigned to this user. See the following sections in the SAP BTP
documentation:
Create Users
If your organization is using Microsoft Azure Active Directory (Azure AD) as a custom
identity provider, you've probably integrated Microsoft Azure AD with the SAP BTP,
Cloud Foundry environment as outlined in this Integrate Microsoft Azure AD with SAP
BTP, Cloud Foundry environment tutorial, for example.
If users are still not authorized to access data, the problem could be that the number
of user groups being sent in the SAML access token is too large and the information is
truncated. You can try reducing the number of tokens sent by selecting Groups
assigned to the application when you con gure the Groups attribute for the
application you created to use with your subaccount for SAP Signavio Process Insights.
12/19/2022
If the number of user groups associated with the Security groups setting isn't too
large, this set of user groups might also be small enough. What works for you depends
on how many user groups are de ned in your identity provider.
Data Collection Issues

Failed data collection (general)
Symptom Users report seeing the following error for a process ow that indicates that data collection has failed:
We were unable to load the latest data for this process ow from your ERP system. The data was
last loaded on <date> at <time>. The latest attempt to load on <date> at <time>. Please contact
your administrator.
Root cause Data collection can fail for a number of reasons. Reasons can include connection issues, timeout errors
resulting from large volumes of data, or incorrect data being retrieved.
Suggested action Check what errors have been logged for speci c performance indicators. For more information, see
Checking for Errors in Data Collection Runs and Analyzing Failed Data Collection.
Incorrect data for process ow Materials touched by MRP last week (KPMRP00260)
Symptom Users report an incorrect number of business object instances for process ow Materials touched by
MRP last week (KPMRP00260) where the managed system is an SAP S/4HANA system.
Root cause Incorrect customizing was delivered with ST/A-PI 01U SP3 for the performance indicator for this
process ow.
12/19/2022
Suggested action Modify the metadata of the process ow manually as described in SAP Note 2839722 .
 Remember
Process ow data is collected weekly, so it can take some time to see correct data in the
application.
Incorrect data for process ow MRP elements to be canceled per material (KPPP000410)
Symptom Users report an incorrect number of business object instances for performance indicator MRP
elements to be canceled per material (KPPP000410).
Root cause The background user used for data collection isn't authorized to view MRP lists.
Suggested action Assign authorization object M_MTDI_ORG (Organizational Levels for Material Requirements Planning,
authorization for activity category L: “MRP: MRP list, individual display”).
 Remember
This performance indicator data is collected daily, so it can take some time to see correct data in
the application.
Related Information
Materials touched by MRP last week
MRP elements to be canceled per material

Sign Avio Administration Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sign Avio Administration Guide

Uploaded by

Copyright:

Available Formats

12/19/2022

Administration Guide for SAP Signavio

SAP Signavio Process Insights | Cloud

Original content: https://help.sap.com/docs/BPI/f5642e5272c1465986661c763b56213d?locale=en-

For more information, please visit the https://help.sap.com/docs/disclaimer.

Administration Guide for SAP Signavio Process Insights

This guide addresses the following target audiences:

About SAP Signavio Process Insights

1. Managed ERP System Requirements 4. Users Required in ERP System

Your ERP system must meet the

component version requirements: authorizations: PFCG roles and authorizations:

PFCG role SAP_SDF_ALM_SETUP

2283880 is as outlined under Installing the Required icm/HTTPS/client_sni_enabled is set to

ST-PI Version SAP Note

ST-PI 7.40 SP20 3240966

ST-PI 7.40 SP18 3196078

ST-PI Version SAP Note

ST-PI 7.40 SP17 3133333

ST-PI 7.40 SP16 3104662

ST- SAP ERP SAP

ST-A/PI SAP ERP: SAP

ST-A/PI SAP ERP: SAP

See also: Installing ST-PI and ST-A/PI

Software component versions for your system:

ST-PI 7.40 SP16

ST-A/PI 01U_731 SP3

However, the latest versions are recommended.

ST-PI Version SAP Note

ST-PI 7.40 SP20 3240966

ST-PI 7.40 SP18 and SP19 3196078

ST-PI 7.40 SP17 3133333

ST-PI Version SAP Note

ST-PI 7.40 SP16 3104662

ST-A/PI Version SAP ERP System SAP S/4HANA System

ST-A/PI 01V_731 SP0 SAP ERP: 3194251 SAP S/4HANA: 3194259

Framework: 3159166 SAP ERP: 3194251

ST-A/PI 01U_731 SP3 SAP ERP: 3111576 SAP S/4HANA: 3111641

Framework: 3070521 SAP ERP: 3111576

The following interactive image provides an overview of the onboarding process.

For more information, see Setting Up Data Collection in Managed Systems.

Initial Setup in SAP BTP

Subscribing to the Application

Assign entitlements from your global account to the subaccount.

Create the relevant subscriptions.

Create a default space, a service instance, and a service key

Open this video in a new window

Preparing an Account for SAP Signavio Process Insights

2. Search for SAP Signavio Process Insights.

4. Launch the booster by choosing Start.

5. When the check has completed successfully, choose Next.

Refer to the following information outlining what plans to select.

Name Plan Type Description

Name Plan Type Description

SAP Signavio Process test Subscription This application plan is

standard Subscription This application plan is

rise Subscription This application plan is

partner Subscription This application plan is

SAP Signavio Process standard Instance This service plan is

You can select from the following providers and regions.

Infrastructure Provider Region Region ID

Amazon Web Services Australia (Sydney) ap10

Amazon Web Services Canada (Montreal) ca10

Amazon Web Services Europe (Frankfurt) eu10