Technical SaaS Overview

Redwood offers RunMyJobs as a cloud-based Service (SaaS) solution that lets you improve the consistency and quality of all your business and IT processes. RunMyJobs lets you connect and coordinate your process activities between all of your strategic business and IT applications, across all platforms, silos and technologies.

Note: This documentation sometimes refers to "Redwood Server." Redwood Server is the server-based part of RunMyJobs, as opposed to portions of the RunMyJobs software that run inside a customer network (such as Platform Agents). In a SaaS installation, Redwood Server is the portion of the solution that runs in the cloud.

SaaS Architecture

With RunMyJobs SaaS, there is no need to maintain and manage all aspects of the central automation platform. This lets you focus on configuring automation tasks for your business-critical processes, without having to worry about managing the underlying infrastructure. RunMyJobs also makes your job easier by taking care of upgrades to the server environment, operating system, and database, as well as maintenance and monitoring of the infrastructure.

As shown above, the RunMyJobs SaaS architecture consists of a customer-specific area based in the cloud (sometimes referred to as Redwood Server). This customer-specific area is connected to managed systems and applications at the customer location across the Internet via a Secure Gateway. The mechanism used depends on your type of target system.

  • Operating system-level tasks are managed by Redwood Platform Agents. Platform Agents are processes that can be downloaded from the Redwood Control Center and installed on the relevant computers.

  • External applications, such as SAP, Oracle E-Business Suite, PeopleSoft, and BusinessObjects, are connected via a Redwood Platform Agent acting as a Secure Gateway. Web Services and SQL applications are also connected via a Secure Gateway (described below).

Note: For more information about Platform Agents, see Install Platform Agents.

Users access their environment using a supported web browser via the Internet.

Security

Redwood deploys a "defense in depth" approach, preventing unauthorized access by employing multiple layers of security. The following subsections provide an overview of security. For more detail, please contact your local Redwood representative or partner.

Secure Gateway

The Secure Gateway is a technology invented by Redwood that allows a single, secure channel for all application connections that do not depend on Platform Agents.

Tip: For more information on Platform Agents, see Installing Platform Agents.

The Secure Gateway capability is a characteristic of Platform Agents, and can be enabled for designated Platform Agents as necessary. At start-up, the system designates one Platform Agent to be the active Secure Gateway. Once the Platform Agent-initiated connection to the RunMyJobs server components has been established, applications such as SAP, Oracle E-Business Suite, PeopleSoft, and BusinessObjects can communicate directly with the cloud through the Secure Gateway.

The Secure Gateway implements the following security measures to protect the connection.

  • A TCP connection is always initiated from the customer site to the Redwood cloud.
  • The Secure Gateway serves as a single conduit for all traffic, irrespective of the number of managed systems.
  • The Secure Gateway's connection is TLS-encrypted with a Redwood certificate.
  • Hostnames are always verified.
  • "Man in the Middle" tampering detection is included.
  • The Secure Gateway serves as a highly available connection to Redwood Server for managed entities.
  • The system uses military-grade encryption through TLS 1.3 and the most secure industry standard ciphers.
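
A customer-side check of the properties in the list above, written for this overview as an added example (it is not Redwood code). It builds a client that accepts only TLS 1.3 with certificate and hostname verification, then compares the certificate issuer seen from the agent host with the one the operator expects. A mismatch usually means a TLS-inspecting proxy sits on the egress path. It assumes a direct outbound connection; the hostname and expected issuer are supplied by the operator, and the sample reports are constructed.

```python
import socket
import ssl

def strict_context() -> ssl.SSLContext:
    # create_default_context() enables CERT_REQUIRED and hostname checking
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse TLS 1.2 and older
    return ctx

def issuer_org(cert: dict) -> str:
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (key, value)
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect outbound from the agent host and report what was negotiated."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return {"version": tls.version(), "cipher": tls.cipher()[0],
                        "issuer_org": issuer_org(tls.getpeercert())}
    except ssl.SSLError as exc:  # includes SSLCertVerificationError
        return {"error": str(exc)}

def findings(report: dict, expected_issuer_org: str) -> list:
    """Compare a probe() report with what the egress path should present."""
    if "error" in report:
        return ["handshake refused: " + report["error"]]
    if report["issuer_org"] != expected_issuer_org:
        return ["issuer %r, expected %r: possible TLS inspection on the path"
                % (report["issuer_org"], expected_issuer_org)]
    return []

# Constructed samples in the shapes probe() and getpeercert() return (not real captures).
SAMPLE_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Trust CA"),))}
DIRECT = {"version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
          "issuer_org": issuer_org(SAMPLE_CERT)}
INSPECTED = dict(DIRECT, issuer_org="Corp Proxy CA")
REFUSED = {"error": "certificate verify failed: hostname mismatch"}

if __name__ == "__main__":
    for name, rep in (("direct", DIRECT), ("inspected", INSPECTED), ("refused", REFUSED)):
        print(name, findings(rep, "Example Trust CA"))
```

To check a live path, pass the result of `probe()` for your environment's hostname to `findings()` together with the issuer organization you have confirmed out of band.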

The Secure Gateway is fault-tolerant. If the designated Secure Gateway host fails, a Platform Agent running on a different system will automatically take over, ensuring that processes continue to run.

For more information, see Configure the Secure Gateway.

Secure Internet Connection

The Redwood SaaS architecture is designed so that no specific knowledge of, or access to, the underlying infrastructure is required. Each customer operates in a dedicated zone within the Redwood cloud. Users connect to their SaaS environment via a web browser, accessing their own environment using the URL provided by Redwood. This URL has the format <region>.###.cloud (for example, dublin.runmyjobs.cloud). Because the Redwood cloud is running in the Amazon Web Services infrastructure, it benefits from all of the built-in security measures provided by Amazon. For more information, see https://aws.amazon.com/compliance/ and https://aws.amazon.com/security/.

All communications between the user and the Redwood environment, including connections to the remote servers and applications on which processes are being automated, are secured with HTTPS / TLS 1.3 and an SSL certificate.

User Access and Roles

Customers can access their environment only through the Redwood-provided SaaS portal. Specific users at the customer location are designated as account administrators. These individuals can create and modify additional users for the account, depending on the level of service purchased. Protection against unauthorized user access is provided by the following features.

  • Built-in access control.
  • Browser authorization. You cannot access the SaaS portal and solution from an unknown browser on an unknown desktop.
  • User ID and password combination. There are built-in rules that enforce the use of complex passwords.
  • User lockout after a predetermined number of failed login attempts.

SSO can be configured using SAML to authenticate against the customer's local identity provider. Protections such as multi-factor authentication, password rules, and lockout are controlled by the customer's configuration.

Further protection is provided by role-based access. This allows account administrators to control the level of access (for example, Administrator, Operator, Business, Viewer, Login Only, No Access) each user has to each environment (for example, Production, Test, Development). You can also create custom roles to provide more granular control over access to specific objects in the environment. For more information, see the Managing Users and Roles document and the SSO Guide.

Managed Servers

Managed servers are the servers inside the customer network where RunMyJobs manages process tasks. To enable RunMyJobs to automate tasks on a managed server in your environment, customers must install a Platform Agent on that server (see Installing Platform Agents). You can download Platform Agents from the Redwood Control Center.

A Platform Agent initiates the installation process by contacting the Redwood cloud server from inside your network. If the server can access the Internet, the Platform Agent sets up the connection. This avoids the need to make changes to the inbound protection provided by your firewall.

Redwood supports internet access via an HTTPS proxy server.

Connection to ERP Systems

RunMyJobs manages connections to ERP systems (for example, SAP or Oracle EBS) through the Secure Gateway using standard ERP system connect string protocols. To authenticate the Redwood server to ERP systems, generally locations and username/password combinations are required.

ERP spool data is managed by the Spool Host component. This reduces the level of network traffic and improves data security by retaining customer ERP spool data on the customer site.

For more information, see Configure the Spool Host, Connect to SAP and Connect to Oracle EBS.

High Availability

The Redwood SaaS environment uses industry-standard container solutions running in a cloud environment to ensure high availability and scalability. There is no dependence on specific server hardware or physical storage components, and there is no single point of failure.

Redwood monitors the service around the clock. Any issues with the environment are immediately detected and corrective action is immediately taken so that customer business is not impacted.

In addition, you can configure Alerts Rules so that individual connections are monitored. For example, if a managed system goes into a "connecting" status, something could be wrong, so an alert can automatically be raised and sent to a designated recipient.

Data Backup and Disaster Recovery

Technical product and job logs in customer environments are backed up daily, and client databases are constantly streamed to all availability zones, allowing near zero data-loss continuous backups and point-in-time recoveries.

Note: This continuous backup helps to mitigate host, database, and data center issues, and is not for object-specific backup and restore purposes.

Redwood environments run on Amazon Web Services (AWS) hardware, with dedicated storage and networking to ensure full isolation of the environment. For an overview of AWS infrastructure, see https://aws.amazon.com/about-aws/global-infrastructure/.

The customer is responsible for object backups inside the Redwood solution. These built-in extracts (and archives) should be scheduled, copied to the customer environment, and removed from the Redwood cloud. Redwood is not responsible for backing up and restoring specific objects.

Upgrades

Redwood strives for optimum reliability and security in its SaaS environments. Consequently upgrades are mandatory, although patch-level upgrades are optional for Finance Automation environments. Upgrades are announced via Message Of The Day in the SaaS dashboard; General – Notifications/Reports contacts (Security > Contacts) will be informed via email. For RunMyJobs, all three environments must be upgraded following a precise calendar, based on the day of the release.

Note: Finance Automation automatic upgrades are suspended for the time being.

Service Packs

Service Packs consist of new features, new supported systems, and security and stability enhancements. They can be scheduled as the customer desires, within the boundaries described below.

Environment    Scheduled (from day of release)    Re-schedule
Development    1 week                             1 week
Test           2 weeks                            1 week
Production     4 weeks                            2 weeks

Note: The allowed upgrade window for an environment is from the time the Patch or Service Pack is released until the maximum reschedule expires.

Development environments must be upgraded in the fortnight following a release. Test environments must be upgraded within three weeks of a release. Production environments must be upgraded within six weeks of a release.

For example, assume that a new version is released on June 1st.

  • A Development environment upgrade might be scheduled for June 7th, and could be rescheduled to June 14th at the latest.
  • A Test environment upgrade might be scheduled for June 14th, and could be rescheduled to June 21st at the latest.
  • A Production environment upgrade might be scheduled for June 28th, and could be rescheduled to July 12th at the latest.

Once an upgrade is scheduled for one of your environments, you can initiate the upgrade (or reschedule it once) in Environments > Upgrades. You can easily add update schedules to your calendar by clicking Add to calendar. The Upgrade now button schedules an upgrade immediately.

Patches

Patches consist of only bug fixes and/or security updates, and are crucial to ensure the security and stability of the Redwood SaaS platform.

Environment administrators can set a patch window (day + time) for non-production and production which will be used for each patch. Non-production will automatically roll out during the 1st week after release, and production the 2nd week after release. This way, production patches will always be applied after patches to the non-production environment.

The desired day/time for patches can be configured under Environments > Patches and will apply to all future patches.

Hotfixes

A hotfix is a version of the software that is designed to fix a specific customer-identified issue. Hotfixes are provided at Redwood's discretion. If you have requested a hotfix and the request has been accepted, Redwood will arrange a timeframe for installation. Just as for patches, non-production systems will receive the hotfix first, and production systems will get the hotfix once testing has successfully been done.

Unlimited Connections and Platform Agents

Redwood SaaS is a subscription service with consumption-based pricing. This means there are no restrictions on the number of systems that can be connected and managed. Costs are based on a monthly subscription fee, plus a fixed price per automation process run.

From a technical perspective, this gives administrators the freedom to add and remove connections or install Platform Agents on as many target systems as desired, without having to worry about licensing implications.

This makes complex system development and QA testing easy to plan and implement, and it makes it practical to configure connections to rarely used systems that run very few processes but would still benefit from automation.

The Supported Platforms documents in the Help section in the Redwood cloud portal provide an overview of supported Platform Agents and platforms.

Redwood SaaS Dashboard

Users log in to the Redwood environment through an authorized web browser. Once logged in, they have access to the Redwood cloud dashboard, with access to features based on the type of user.

The dashboard allows authorized users to create other users and edit environment settings. All users have access to several documents in the Help section, to aid with the configuration and management of the Redwood environment. From the dashboard, users connect to any one of the Redwood automation environments. These are notionally called "Development", "Test" and "Production", but can be renamed as required.

Note: Renaming an environment changes the display name, but the endpoints remain the same.

The dashboard provides information on key areas to help management of the Redwood environment. It is broken down into several areas, which are described below.

Messages

The Messages area on the dashboard home page contains messages informing you of upcoming system maintenance and news related to your Redwood account.

User Settings

If you want to change information about your account, such as the company address or your email address, click your username in the top left-hand corner of the screen to access the 'Settings' menu.

Note: Settings might be limited if SSO is configured.

Environments

Authorized users can access the environments area to access more detailed information and perform various tasks. In the Dashboard shown below, you can switch between environments.

Clicking Environments lets you change the Description shown on the Dashboard, select which Redwood Support region gets (limited) access so that it can help you in case of issues, and see Users and Activity.

Patch and Upgrade configuration, as explained in an earlier section, are also managed from here.

Figure 6: Environments view

Security

The 'Security' area shows an overview of all users, including their access level to each environment and the type of user they are. Add a new user and select which level of access the user is to have to each environment from the 'pencil' icon on the top. Available roles are:

  • Administrator - create objects, schedule tasks, run processes and monitor activities
  • Operator - schedule tasks, run processes and monitor activities
  • View - monitor activities
  • Login - can connect but can only perform tasks granted via custom roles
  • No Access - cannot access the environment

Different access levels can be assigned to a user for the different environments. User allowance and usage is indicated when using the 'Create User' tab. In the 'Security' area custom roles can also be created and the user activity log viewed.

Portal-specific privileges can be given to people who do not need access to the Redwood system itself, only the portal. Besides environment Access/Administrator, you can also give users access as:

  • Security Administrator - Allows a user to manage Security settings
  • SSO Administrator - Allows a user to configure SSO for your SaaS environments
  • Finance Administrator - Allows a user to see Financial data in the portal

Figure 7: Portal Privileges

Consumption

The 'Consumption' area allows you to see near-real-time process consumption for each environment. The default view shows the consumption over all environments in the current year, listed per month. Clicking allows a drill-down to day-specific or even hour-specific consumption, in total and per environment.

Figure 8: Consumption overview
