Solution Architecture Overview
This overview describes how Activate components fit together in a secure, scalable, and operable solution. It focuses on logical layers, trust boundaries, identity, data, and operational concerns so you can adapt the design to on-premises, hybrid, or cloud-only models.

Architectural layers

- Presentation layer
  - Activate Web: end-user and admin portal (dashboards, self-service, approvals, admin tools)
  - Enforces HTTPS and Content Security Policy
  - Integrates with the chosen identity provider for SSO and MFA
- Orchestration layer
  - Activate Orchestrator: executes workflows (scheduled, event-driven, on-demand)
  - Manages queues, retries, and transactional steps
  - Uses service accounts and connector credentials to call downstream systems
- Configuration & design layer
  - Activate Studio: design-time configuration for workflows, parameters, connectors, forms, and security model (roles, permissions)
- Integration layer
  - Activate API: REST interface for inbound and outbound integrations
  - Connectors/adapters for Microsoft 365, Exchange Online, Active Directory, ticketing/ITSM, and custom REST/SOAP endpoints
  - Activate Anywhere (optional): proxy component for DMZ or segmented networks to bridge internal resources safely
- Data layer
  - Activate Database: system of record for configuration, workflow state, audit history, cached directory data, and indexes
  - Hosted on an enterprise SQL Server instance (including servers hosted in Azure)
  - Use enterprise SQL backup/HA strategies; avoid platform features that are incompatible with Activate

Environments and separation

- Typical environment set
  - Development → Test/UAT → Production (optionally Pre-prod)
  - Configuration and content are promoted through controlled pipelines and change control
- Trust boundaries
  - Public/DMZ (optional) → App tier → Data tier
  - Activate Anywhere can terminate or relay requests at the boundary to avoid exposing internal resources

Identity, access, and security

- Authentication
  - SSO via Azure AD or other supported identity providers
  - MFA and conditional access enforced at the IdP
- Authorization
  - Role-based access control in Activate (roles, permissions, policies)
  - Service accounts with least privilege for orchestration and connectors
- Secrets management
  - Store credentials and API keys in secure parameters or a vault solution
  - Rotate secrets on a defined schedule; audit all access
- Network security
  - HTTPS only for Activate Web and Activate API
  - Restrict inbound ports at each tier; allow only required egress to third-party APIs
  - Optional IP allowlists or private networking for admin and API endpoints

Data and integrations

- Data flow (high level)
  1. User initiates a request in Activate Web (or via Activate API)
  2. Request is persisted and queued in the Activate Database
  3. Activate Orchestrator processes workflow steps, calling connectors or external APIs
  4. Results and audit events are written back to the database and surfaced in the UI
  5. Notifications/approvals are sent via email or chat integrations where configured
- Directory and messaging
  - Cloud-only: operates against Azure AD and Exchange Online without on-prem domain controllers
  - Hybrid: supports mixed mailbox and identity footprints with secure connectivity to both sides
  - On-prem: direct integration with AD/Exchange and other on-prem systems

Availability, performance, and scale

- Scale-out patterns
  - Web: horizontal scale behind a load balancer; stateless requests
  - Orchestrator: multiple workers/instances for parallel workflow execution
  - Database: sized for IOPS and memory; monitor query performance and indexing
- High availability
  - Multiple Web instances across zones where possible
  - Orchestrator worker redundancy
  - SQL Server HA using clustering/AGs according to enterprise standards
- Caching and indexing
  - Maintain directory cache and search indexes for fast lookups
  - Schedule background tasks to keep caches current without overloading upstream services

Operations, observability, and governance

- Logging and monitoring
  - Centralised logs for Web, Orchestrator, and API (requests, errors, workflow telemetry)
  - Health checks and synthetic transactions for key user journeys
  - Alerts on queue backlogs, job failures, connector timeouts, and auth errors
- Auditing and compliance
  - Comprehensive audit trail for user actions, approvals, and workflow changes
  - Retention policies aligned with regulatory requirements
- Backup and recovery
  - Regular full and differential backups of the Activate Database with tested restores
  - Export configuration baselines from Activate Studio for rapid rebuilds
  - Documented runbooks for DR and environment rehydration

Deployment topologies (examples)

- Cloud-only (identity and messaging)
  - Hosting: any mix of on-prem or cloud for Web/Orchestrator
  - Identity/mail: Azure AD, Exchange Online; no dependency on on-prem DCs
  - Data: SQL Server hosted in Azure or on customer infrastructure
- Hybrid
  - Hosting: Web and/or Orchestrator may run in cloud; Activate Anywhere in DMZ to reach on-prem systems
  - Identity/mail: mixed estates (cloud and on-prem)
  - Data: enterprise SQL Server in preferred location
- On-premises
  - Hosting: all components on customer infrastructure
  - Identity/mail: AD and Exchange on-prem
  - Data: SQL Server on-prem with enterprise HA/backup

Connectivity and ports (indicative)

- Inbound (to Web/API)
  - 443/tcp from users, service integrations, and admin endpoints
- Inbound (to Orchestrator)
  - Management access (admin/RDP/SSH) restricted to operations networks
  - Message/queue endpoints if used (enterprise standard services only)
- Data tier
  - 1433/tcp (SQL Server) from Web and Orchestrator subnets only
- Outbound
  - Identity provider endpoints, Microsoft 365 services, ticketing/ITSM APIs, and any approved third-party APIs required by workflows

Non-functional requirements checklist

- Security: SSO/MFA, least privilege, secret rotation, TLS enforcement
- Reliability: HA across tiers, tested backup/restore, DR plan with RTO/RPO
- Performance: capacity model for Web concurrency, workflow throughput, and SQL IOPS
- Observability: centralised logging, metrics, traces, actionable alerts
- Operability: runbooks, change control, environment promotion strategy
- Compliance: audit retention, data residency, privacy impact assessment where applicable

These topologies are illustrative, not prescriptive. Activate is flexible and deployments can combine elements from multiple models to meet specific security, connectivity, and operational needs.
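
The indicative matrix under "Connectivity and ports" can be checked automatically against an exported firewall or security-group ruleset. The following is an added example, not part of the Activate documentation or product; the subnets, the rule format and the sample rules are constructed, and 22/3389 are assumed as the SSH/RDP management ports.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per tier plus an ops network.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "web": "10.10.1.0/24", "orchestrator": "10.10.2.0/24",
    "data": "10.10.3.0/24", "ops": "10.10.9.0/24"}.items()}
ANY = ipaddress.ip_network("0.0.0.0/0")

# The page's indicative matrix: destination tier -> TCP port -> permitted sources.
# 22/3389 are assumed here as the SSH/RDP management ports.
POLICY = {
    "web": {443: [ANY]},                                     # users, integrations, admins
    "orchestrator": {22: [ZONES["ops"]], 3389: [ZONES["ops"]]},  # operations networks only
    "data": {1433: [ZONES["web"], ZONES["orchestrator"]]},   # SQL Server from app tiers only
}

def zone_of(network):
    """Return the tier whose subnet fully contains `network`, or None."""
    return next((n for n, subnet in ZONES.items() if network.subnet_of(subnet)), None)

def audit(rules):
    """Return (rule, reason) for each allow rule wider than the matrix permits."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        tier = zone_of(ipaddress.ip_network(rule["dst"]))
        allowed = POLICY.get(tier, {}).get(rule["port"])
        if tier is None:
            findings.append((rule, "destination is outside every defined tier"))
        elif allowed is None:
            findings.append((rule, f"{rule['port']}/tcp is not expected on the {tier} tier"))
        elif not any(src.subnet_of(net) for net in allowed):
            findings.append((rule, f"source {src} is wider than allowed for {tier}:{rule['port']}"))
    return findings

# Constructed sample ruleset: four compliant rules, then three violations.
SAMPLE_RULES = [
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": 443},
    {"src": "10.10.1.0/24", "dst": "10.10.3.10/32", "port": 1433},
    {"src": "10.10.2.0/24", "dst": "10.10.3.10/32", "port": 1433},
    {"src": "10.10.9.0/24", "dst": "10.10.2.0/24", "port": 3389},
    {"src": "0.0.0.0/0", "dst": "10.10.3.10/32", "port": 1433},    # SQL open to any source
    {"src": "10.10.1.0/24", "dst": "10.10.2.0/24", "port": 3389},  # RDP from the web tier
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": 80},       # plain HTTP to the portal
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```

Message/queue endpoints and outbound egress are not modelled; add them to `POLICY` once the enterprise-standard services and approved third-party APIs are known.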