In the course of the last few decades, certain industries, such as the pharmaceutical or food-processing industries, have had to comply with ever stricter regulations with regard to the documentation and approval of their processes. Such regulations include the Good Manufacturing Practice (GMP) guidelines laid down by the U.S. Food and Drug Administration (FDA), which have in the meantime acquired international validity.
In addition, the increasing use of electronic data processing within enterprises makes it necessary to protect digital data through the use of reliable security mechanisms. Legislation such as the Final Rule on Electronic Records and Electronic Signatures, 21 CFR Part 11, issued by the FDA, and the German Act on the Digital Signature (Article 3 of the Federal Information and Communication Services Act) reflects this necessity.
For this reason, the SAP system provides you with the digital signature, a tool enabling you to electronically sign and approve digital data. The digital signature ensures that the person signing a digital document is uniquely identified and that his or her name is documented together with the signed document, date, and time. You can use digital signatures to approve documents or objects of the following types:
| Area | Signature object type |
|---|---|
| Engineering Change Management (ECH) | Status changes of change orders |
| | Status changes of object management records |
| Document Management System (DMS) | Document management: status change |
| Production Planning for Process Industries (PP-PI) | PI sheet: complete process step |
| | PI sheet: accept invalid input values |
| | Batch record: approval |
| | Standard XSteps |
| Quality Management (QM) | Inspection lot: results recording |
| | Inspection lot: usage decision |
| | Physical-sample drawing |
| Notifications (e.g. CA, QM, PM) | Notification |
| Potential Failure Mode and Effects Analysis | |
| Maintenance Processing (PM-WOC-MO) | Maintenance order: sign off work operation |
| Audit management | |
Note
In contrast to document management, each status change in engineering change management is treated as a separate object type.
See also:
The digital signature is realized in the SAP system with the aid of the basis component Secure Store and Forward (SSF). If you use the user signature as your signature method (see Features below), you need an external security product that is linked to the SAP system via SSF.
Caution
The users' Personal Security Environment (PSE) should be stored not in the file system but on a smart card, for example. The PSE software does not satisfy the requirements of the authorities regarding digital signatures.
Before you can work with digital signatures, the following prerequisites must be satisfied in the SAP system:
You have activated the digital signature for the corresponding object type (exception: batch record). For more information, see the documentation for the relevant application (see See also: above).
You have made the settings for the system time zone (see Customizing, activity
). These settings are necessary so that the signature time can be determined in accordance with the global time that is valid system-wide and adopted in the signed document.
You have made the settings for the digital signature (see Customizing for Basis, section
and Customizing for the corresponding object type). In the process you also set, among other things, the users' time zone, on the basis of which the local signature time of the signer is determined and adopted in the signed document.
You have assigned the authorizations necessary to execute digital signatures to the relevant users (see Customizing for the relevant signature object). These include:
The appropriate authorization for the object to be signed
If you use signature strategies (see Features below), also the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR, Authorization Group for Digital Signatures)
Caution
All users can maintain their address data and defaults via System -> User Profile -> Own Data. This includes name and time zone as well as the SSF settings for each user. Therefore, if you use digital signatures, you should not assign authorization to maintain their own data to all users.
The digital signature is based on public-key technology. Each signer receives a unique key pair consisting of a private and a public key. This data is stored in the user's Personal Security Environment (PSE) (on a smart card or in a protected directory that no one else can access, for example). The signer uses the private key to execute the digital signature.
The SAP system distinguishes between the following signature methods:
System signature with authorization through user ID and password
Here, you do not need an external security product. Just as when they log on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document.
Digital user signature with verification
Here, you need an external security product. The users execute digital signatures themselves using their own private keys. The executed signatures are automatically verified for authenticity.
Digital user signature without verification
If you use an external security product, you can use this signature method for test purposes. Do not use it in a live system. Users execute their signatures as described above but they are not automatically verified.
In Customizing, you decide which signature method you want to use for each signature object type. That is, you make this decision for all individual signatures executed for objects of the type in question and for each signature strategy.
The SAP System provides a number of different functions for the execution of the signature process. You can use these functions for the individual signature objects according to your needs. This section contains a brief description of the available functions. The table below shows which of the functions are available for which object type.
If you use the individual signature for a signature object, this object is signed by a single authorized person.
For some object types, you can also require several individual signatures by different user or authorization groups in the course of signing an object (i.e. within the framework of the same signature process). You specify which individual signatures are necessary and in which sequence in Customizing for the object type in question in the form of signature strategies. It is also possible to define a signature strategy with just one signer.
Note
Each user who is authorized to execute signatures and has not yet signed the relevant object can also cancel a signature process. The signatures executed up to that point are then revoked and the object then reacquires the status it had before the start of the signature process.
Signature strategies can be executed synchronously or asynchronously depending on the signature object.
Once a synchronous signature process has been started, it must be completed without interruption. A new function or transaction cannot be invoked until the last required signature has been executed. If the signature process is interrupted before it is completed, no signature is saved. Signatures that have already been executed have to be executed again.
In an asynchronous signature process, signers execute their signatures independently of each other. The signature process can be interrupted after each signature and continued by the next signer at any time.
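The rules above for signature strategies (required sequence, synchronous versus asynchronous interruption, cancellation by a user who has not yet signed) can be traced in a small Python model. This is an added illustration, not SAP code or an SAP API; the class, the user IDs and the group names are constructed, and treating a completed run as final is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class SignatureProcess:
    """Simplified model of one signature strategy run (not SAP code)."""
    required_groups: list   # authorization groups in the required signing order
    authorized: dict        # user ID -> set of authorization groups held
    synchronous: bool
    signatures: list = field(default_factory=list)

    @property
    def complete(self):
        return len(self.signatures) == len(self.required_groups)

    def sign(self, user, group, comment=""):
        if self.complete:
            raise RuntimeError("all required signatures already executed")
        expected = self.required_groups[len(self.signatures)]
        if group != expected:
            raise PermissionError(f"next signature must come from {expected}")
        if group not in self.authorized.get(user, set()):
            raise PermissionError(f"{user} lacks authorization group {group}")
        # Signer, global (UTC) time and comment are kept with the signature.
        self.signatures.append((user, group, datetime.now(timezone.utc), comment))

    def interrupt(self):
        # Synchronous: an interruption before the last signature saves nothing.
        if self.synchronous and not self.complete:
            self.signatures.clear()

    def cancel(self, user):
        # Allowed for an authorized user who has not yet signed; all signatures
        # executed so far are revoked. Assumption: a completed run is final.
        if self.complete:
            raise RuntimeError("signature process already completed")
        if not self.authorized.get(user):
            raise PermissionError(f"{user} is not authorized to sign")
        if any(sig[0] == user for sig in self.signatures):
            raise PermissionError(f"{user} has already signed")
        self.signatures.clear()

# Constructed users and groups for the demonstration.
USERS = {"PROD1": {"PROD"}, "QA1": {"QA"}, "HEAD1": {"RELEASE"}}

def signatures_after_interruption(synchronous):
    run = SignatureProcess(["PROD", "QA", "RELEASE"], USERS, synchronous)
    run.sign("PROD1", "PROD")
    run.interrupt()                  # session ends after the first signature
    return len(run.signatures)
```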
The system displays the description of the relevant signature object type as the reason for signature in the dialog box in which you execute the signature. Depending on the application, an additional text may describe the signed object in more detail.
The reason for signature with the application-specific text is part of the signed document. It is added to the document in the language in which the signature was executed.
Depending on the signature object type, it may be that the signer and the logon user have to be identical. If this is the case, at the time the signature is executed, the signer is inserted by the system as a mandatory pre-set value that cannot be overwritten. The signer's user ID and complete name are adopted in the signed document.
You can always enter a comment when you execute a digital signature. In some object types, however, entry of a comment is mandatory. In such cases, the system does not accept the signature until you have entered a text in the comment field. In both cases, the comment is part of the signed document.
| Signature object type | Individual signature | Signature strategy | Synchronous signature process | Asynchronous signature process | Signer changeable | Comment necessary | Application-specific reason for signature |
|---|---|---|---|---|---|---|---|
| Engineering Change Management | No | Yes | No | Yes | No | No | Yes |
| Document Management | No | Yes | No | Yes | No | No | Yes |
| Production Planning - Process Industries | | | | | | | |
| PI sheet: process step | Yes | Yes | Yes | At the end of the PI sheet only | Yes | No | No |
| PI sheet: accept invalid input values | Yes | Yes | Yes | No | Yes | Yes | No |
| Batch record: approval | Yes | Yes | No | Yes | No | Yes | Yes |
| Standard XSteps | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Quality Management | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Notifications | No | Yes | Yes | Yes | Yes | Yes | Yes |
| FMEA | No | Yes | Yes | Yes | Yes | No | Yes |
| Maintenance order operation | No | Yes | Yes | Yes | Yes | No | Yes (standard) |
| Audit management | No | Yes | Yes | Yes | Yes | No | Yes |