Approval Using Digital Signatures 
Use
In the course of the last few decades, certain industries, such as the pharmaceutical or food-processing industry, have had to comply with ever stricter regulations with regard to the documentation and approval of their processes (for example, the guidelines on Good Manufacturing Practices (GMP), which were laid down by the U.S. Food and Drug Administration and have become an international standard).
In addition, the increasing use of electronic data processing in companies also requires security mechanisms to protect digital data. Legislation such as the Final Rule on Electronic Records and Electronic Signatures, 21 CFR Part 11, issued by the FDA, reflects this need.
For this reason, the SAP System contains the digital signature, a tool that enables you to sign and approve digital data. The digital signature ensures that the person signing a digital document is uniquely identified and that the signatory's name is documented along with the signed document, date, and time. You can use digital signatures to approve documents or objects of the following types:
| Area | Signature Object Type |
|---|---|
| Engineering Change Management (ECH) | Status changes of engineering change orders |
| | Status changes of object management records |
| Document Management System (DMS) | Document management: status changes |
| Production Planning - Process Industries (PP-PI) | PI sheet: complete process step |
| | PI sheet: accept invalid input values |
| | Batch record: approval |
| Quality Management (QM) | Inspection lot: results recording |
| | Inspection lot: usage decision |
| | Physical-sample drawing |

As opposed to document management, every status change in engineering change management is regarded as a separate object type.
See also:
Digital Signatures in Engineering Change Management (ECH)
Digital Signatures in the Document Management System (DMS)
Digital Signatures in Batch Records (PP-PI)
Digital Signatures in PI Sheets (PP-PI)
Digital Signatures in Quality Management (QM)
Integration
The basis component Secure Store and Forward (SSF) is used to implement the digital signature in the SAP System. If you use the user signature as your signature method (see Features below), you need an external security product that is linked to the SAP System using SSF.
You should not store the users'
Prerequisites
For you to be able to work with digital signatures, the following requirements must be met in the SAP System:
These settings are necessary so that the signature time can be determined in accordance with the global time that is valid system-wide and transferred to the signed document.
You define, for example, the users' time zone that is used to determine the signatories' local signature time and transfer it to the signed document.

All users can maintain their address data and defaults by choosing System → User profile → Own data. This includes the users' names, personal time zones, and SSF settings. Therefore, if you use digital signatures, do not assign the authorization to maintain own data to all users.
Features
The digital signature is based on public-key technology. Each signatory receives an individual key pair consisting of a private and a public key. This data is stored in the user's Personal Security Environment (PSE), for example, on a smart card or in a protected directory that no one else can access. The signatory uses the private key to execute the digital signature.
Signature Method
The SAP System distinguishes between the following signature methods:
Here, you do not need an external security product. Just like when logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP System then executes the digital signature. The user name and ID are part of the signed document.
Here, you need an external security product. The users execute digital signatures themselves using their private keys. The executed signatures are automatically verified.
If you use an external security product, you can use this signature method for test purposes. Do not use it in a live system. Users execute their signatures as described above but they are not automatically verified.
In Customizing, you decide which signature method you want to use for each signature object type (that is, for all simple signatures executed for objects of the corresponding type) and for each signature strategy.
Signature Process
The SAP System provides a number of different functions for the execution of the signature process. You can use these functions for the individual signature objects according to your needs. This section contains a brief description of the available functions. The table below shows which of the functions are available for which object type.
Simple Signature or Signature Strategy
If you use the simple signature for a signature object, this object is signed by only one authorized person.
For some object types, you can also request several individual signatures by different user groups or authorization groups when signing an object, that is, during the same signature process. In Customizing for the corresponding object type, you specify signature strategies to define which individual signatures are required and in which sequence they must be executed.
Each user who is authorized to execute signatures and has not yet signed the relevant object can also cancel the signature process. The signatures executed so far are withdrawn and the object obtains the status it had before the signature process was started.
Synchronous or Asynchronous Signature Process
Signature strategies can be executed synchronously or asynchronously depending on the signature object.
Once a synchronous signature process has been started, it must be completed without interruption. A new function or transaction can only be called up after the last required signature has been executed. If the signature process is interrupted before it is completed, no signature is saved. Signatures that have already been executed must also be repeated.
In an asynchronous signature process, signatories execute their signatures independently. The signature process can be interrupted after each signature and continued by the next signatory at any time.
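The sequence, cancellation and interruption rules described above, modelled as an added Python example (not SAP code). The class, the status values `IN_WORK` and `APPROVED`, and the user and group names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SignatureProcess:
    # Toy model; class, field and status names are assumptions, not SAP objects.
    required: list      # authorization groups in the order they must sign
    authorized: dict    # user ID -> authorization group
    synchronous: bool
    status: str = "IN_WORK"                        # status before the process starts
    saved: list = field(default_factory=list)      # signatures that are persisted
    pending: list = field(default_factory=list)    # synchronous: executed, not yet saved

    def sign(self, user):
        position = len(self.saved) + len(self.pending)
        if position == len(self.required):
            raise ValueError("all required signatures are already executed")
        group = self.authorized.get(user)
        if group != self.required[position]:
            raise PermissionError(f"{user} cannot execute signature {position + 1}")
        # Asynchronous signatures are saved one by one; synchronous ones only as a set.
        (self.pending if self.synchronous else self.saved).append((user, group))
        if position + 1 == len(self.required):
            self.saved += self.pending
            self.pending = []
            self.status = "APPROVED"

    def interrupt(self):
        # Leaving a synchronous process early saves nothing; signatures must be repeated.
        self.pending = []

    def cancel(self, user):
        signed = [u for u, _ in self.saved + self.pending]
        if self.status == "APPROVED" or user not in self.authorized or user in signed:
            raise PermissionError(f"{user} may not cancel the signature process")
        # Signatures so far are withdrawn; status was never changed, so it stays as before.
        self.saved, self.pending = [], []

def demo():
    users = {"QA_MILLER": "QA", "PROD_LEE": "PRODUCTION"}   # constructed sample users
    sync = SignatureProcess(["PRODUCTION", "QA"], users, synchronous=True)
    sync.sign("PROD_LEE")
    sync.interrupt()                      # first signature is lost
    asyn = SignatureProcess(["PRODUCTION", "QA"], users, synchronous=False)
    asyn.sign("PROD_LEE")
    asyn.interrupt()                      # first signature stays saved
    kept = len(asyn.saved)
    asyn.cancel("QA_MILLER")              # QA has not signed yet, so QA may cancel
    return len(sync.saved) + len(sync.pending), kept, len(asyn.saved), asyn.status
```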
Reason for Signature
The system displays the description of the corresponding signature object type as the reason for signature in the dialog box in which you execute the signature. Depending on the application, an additional text may describe the signed object in more detail.
The reason for signature along with the application-specific text is part of the signed document. It is added to the document in the language in which the signature was executed.
Signatory and System User
Depending on the signature object type, the signatory and the user logged on to the system must be the same. In this case, the system by default sets the name of the signatory when the signature is executed. You cannot overwrite the user name. The signatory's user ID and complete name are added to the signed document.
Comment
You can always enter a comment when you execute a digital signature. In some object types, however, you must enter a comment. The system does not accept the signature until you have entered a text in the comment field. In both cases, the comment is part of the signed document.
Function Overview for Object Types
| Signature Object Type | Simple Signature | Signature Strategy | Synchronous Signature Process | Asynchronous Signature Process | Signatory can be Changed | Comment Required | Application-Specific Reason for Signature |
|---|---|---|---|---|---|---|---|
| Engineering change management | No | Yes | No | Yes | No | No | Yes |
| Document management system | No | Yes | No | Yes | No | No | Yes |
| Production Planning - Process Industries | | | | | | | |
| PI sheet: process step | Yes | Yes | Yes | At the end of the PI sheet only | Yes | No | No |
| PI sheet: accept invalid input values | Yes | Yes | Yes | No | Yes | Yes | No |
| Batch record: approval | Yes | Yes | No | Yes | No | Yes | Yes |
| Quality management | Yes | No | - | - | Yes | No | Yes |