Approval Using Digital Signatures

Use

In the course of the last few decades, certain industries, such as the pharmaceutical or food-processing industries, have had to comply with ever stricter regulations with regard to the documentation and approval of their processes. Such regulations include the Good Manufacturing Practice (GMP) guidelines laid down by the U.S. Food and Drug Administration (FDA), which have in the meantime acquired international validity.

In addition, the increasing use of electronic data processing within enterprises makes it necessary to protect digital data through the use of reliable security mechanisms. Legislation such as the Final Rule on Electronic Records and Electronic Signatures, 21 CFR Part 11, issued by the FDA, and the German Act on the Digital Signature (Article 3 of the Federal Information and Communication Services Act) reflects this necessity.

For this reason, the SAP system provides you with the digital signature, a tool enabling you to electronically sign and approve digital data. The digital signature ensures that the person signing a digital document is uniquely identified and that his or her name is documented together with the signed document, date, and time. You can use digital signatures to approve documents or objects of the following types:

| Area | Signature object type |
|---|---|
| Engineering Change Management (ECH) | Status changes of change orders |
| | Status changes of object management records |
| Document Management System (DMS) | Document management: status change |
| Production Planning for Process Industries (PP-PI) | PI sheet: complete process step |
| | PI sheet: accept invalid input values |
| | Batch record: approval |
| | Standard XSteps |
| Quality Management (QM) | Inspection lot: results recording |
| | Inspection lot: usage decision |
| | Physical-sample drawing |
| Notifications (e.g. CA, QM, PM) | Notification |
| Potential Failure Mode and Effects Analysis | FMEA |
| | Preventive action / detection action |
| Maintenance Processing (PM-WOC-MO) | Maintenance order: sign off work operation |
| Audit management | Audit |
| | Preventive/corrective measures |

Note: In contrast to document management, each status change in engineering change management is treated as a separate object type.

See also:

Integration

The digital signature is realized in the SAP system with the aid of the basis component Secure Store and Forward (SSF). If you use the user signature as your signature method (see Features below), you need an external security product that is linked to the SAP system via SSF.

Caution: The users' Personal Security Environment (PSE) should be stored not in the file system but on a smart card, for example. The PSE software does not satisfy the requirements of the authorities regarding digital signatures.

Prerequisites

Before you can work with digital signatures, the following prerequisites must be satisfied in the SAP system:

  • You have activated the digital signature for the corresponding object type (exception: batch record). For more information, see the documentation for the relevant application (see See also: above).

  • You have made the settings for the system time zone (see Customizing, activity General Settings -> Time Zone).

    These settings are necessary so that the signature time can be determined in accordance with the global time that is valid system-wide and adopted in the signed document.

  • You have made the settings for the digital signature (see Customizing for Basis, section System Administration -> Digital Signature, and Customizing for the corresponding object type).

    In the process, among other things you also set the users' time zone on the basis of which the local signature time of the signer is determined and adopted in the signed document.

  • You have assigned the authorizations necessary to execute digital signatures to the relevant users (see Customizing for the relevant signature object). These include:

    • The appropriate authorization for the object to be signed

    • If you use signature strategies (see Features below), also the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR, Authorization Group for Digital Signatures)

    Caution: All users can maintain their address data and defaults via System -> User Profile -> Own Data. This includes name and time zone as well as the SSF settings for each user. Therefore, if you use digital signatures, you should not assign authorization to maintain their own data to all users.

Features

The digital signature is based on public-key technology. Each signer receives a unique key pair consisting of a private and a public key. This data is stored in the user's Personal Security Environment (PSE) (on a smart card or in a protected directory that no one else can access, for example). The signer uses the private key to execute the digital signature.

Signature Method

The SAP system distinguishes between the following signature methods:

  • System signature with authorization through user ID and password

    Here, you do not need an external security product. Just as when they log on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document.

  • Digital user signature with verification

    Here, you need an external security product. The users execute digital signatures themselves using their own private keys. The executed signatures are automatically verified for authenticity.

  • Digital user signature without verification

    If you use an external security product, you can use this signature method for test purposes. Do not use it in a live system. Users execute their signatures as described above but they are not automatically verified.

In Customizing, you decide which signature method you want to use for each signature object type, that is, for all individual signatures executed for objects of the type in question, and for each signature strategy.

Signature Process

The SAP System provides a number of different functions for the execution of the signature process. You can use these functions for the individual signature objects according to your needs. This section contains a brief description of the available functions. The table below shows which of the functions are available for which object type.

Individual Signature or Signature Strategy

If you use the individual signature for a signature object, this object is signed by a single authorized person.

For some object types, you can also require several individual signatures by different user or authorization groups in the course of signing an object (i.e. within the framework of the same signature process). You specify which individual signatures are necessary and in which sequence in Customizing for the object type in question in the form of signature strategies. It is also possible to define a signature strategy with just one signer.

Note: Each user who is authorized to execute signatures and has not yet signed the relevant object can also cancel a signature process. The signatures executed up to that point are then revoked and the object then reacquires the status it had before the start of the signature process.

Synchronous or Asynchronous Signature Process

Signature strategies can be executed synchronously or asynchronously depending on the signature object.

Once a synchronous signature process has been started, it must be completed without interruption. A new function or transaction cannot be invoked until the last required signature has been executed. If the signature process is interrupted before it is completed, no signature is saved. Signatures that have already been executed have to be executed again.

In an asynchronous signature process, signers execute their signatures independently of each other. The signature process can be interrupted after each signature and continued by the next signer at any time.
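
The rules above (signatures in a fixed sequence, loss of signatures when a synchronous process is interrupted, and cancellation by an authorized user who has not yet signed) can be captured in a small state model. This is an added illustration, not SAP code; the class, method, status, group and user names are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SignatureProcess:
    strategy: list        # authorization groups in the required signing order
    members: dict         # group -> user IDs authorized to sign for it
    synchronous: bool
    prior_status: str     # object status before the process started
    status: str = "IN_SIGNATURE"                 # hypothetical status name
    signed: list = field(default_factory=list)   # (group, user) so far

    def sign(self, user):
        if self.status != "IN_SIGNATURE":
            raise RuntimeError("no signature process is active")
        group = self.strategy[len(self.signed)]  # next signature in sequence
        if user not in self.members[group]:
            raise PermissionError(f"{user} may not sign for {group}")
        self.signed.append((group, user))
        if len(self.signed) == len(self.strategy):
            self.status = "SIGNED"               # last required signature
        return self.status

    def interrupt(self):
        """The dialog is left before the last required signature."""
        if self.status == "IN_SIGNATURE" and self.synchronous:
            self.signed.clear()   # synchronous: no signature is saved
        return list(self.signed)  # asynchronous: executed signatures remain

    def cancel(self, user):
        authorized = any(user in self.members[g] for g in self.strategy)
        has_signed = any(u == user for _, u in self.signed)
        if self.status != "IN_SIGNATURE" or not authorized or has_signed:
            raise PermissionError(f"{user} may not cancel this process")
        self.signed.clear()               # executed signatures are revoked
        self.status = self.prior_status   # object reacquires its old status
        return self.status

def demo():
    groups = {"QA": {"ALICE"}, "PROD": {"BOB"}}   # constructed sample data
    sync = SignatureProcess(["QA", "PROD"], groups, True, "CREATED")
    sync.sign("ALICE")
    lost = sync.interrupt()                       # [] : must sign again
    asyn = SignatureProcess(["QA", "PROD"], groups, False, "CREATED")
    asyn.sign("ALICE")
    kept = asyn.interrupt()                       # ALICE's signature remains
    return lost, kept, asyn.cancel("BOB")         # BOB has not signed yet

if __name__ == "__main__":
    print(demo())
```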

Reason for Signature

The system displays the description of the relevant signature object type as the reason for signature in the dialog box in which you execute the signature. Depending on the application, an additional text may describe the signed object in more detail.

The reason for signature with the application-specific text is part of the signed document. It is added to the document in the language in which the signature was executed.

Signer and System User

Depending on the signature object type, it may be that the signer and the logon user have to be identical. If this is the case, at the time the signature is executed, the signer is inserted by the system as a mandatory pre-set value that cannot be overwritten. The signer's user ID and complete name are adopted in the signed document.

Comment

You can always enter a comment when you execute a digital signature. In some object types, however, entry of a comment is mandatory. In such cases, the system does not accept the signature until you have entered a text in the comment field. In both cases, the comment is part of the signed document.

Function Overview of Object Types

| Signature object type | Individual signature | Signature strategy | Synchronous signature process | Asynchronous signature process | Signer changeable | Comment necessary | Application-specific reason for signature |
|---|---|---|---|---|---|---|---|
| Engineering Change Management | No | Yes | No | Yes | No | No | Yes |
| Document Management | No | Yes | No | Yes | No | No | Yes |
| Production Planning - Process Industries | | | | | | | |
| PI sheet: process step | Yes | Yes | Yes | At the end of the PI sheet only | Yes | No | No |
| PI sheet: accept invalid input values | Yes | Yes | Yes | No | Yes | Yes | No |
| Batch record: approval | Yes | Yes | No | Yes | No | Yes | Yes |
| Standard XSteps | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Quality Management | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Notifications | No | Yes | Yes | Yes | Yes | Yes | Yes |
| FMEA | No | Yes | Yes | Yes | Yes | No | Yes |
| Maintenance order operation | No | Yes | Yes | Yes | Yes | No | Yes (standard) |
| Audit management | No | Yes | Yes | Yes | Yes | No | Yes |