
Function documentation: Approval Using Digital Signatures

Use

In the course of the last few decades, certain industries, such as the pharmaceutical or food-processing industry, have had to comply with increasingly strict regulations regarding the documentation and approval of their processes (such as the guidelines on current Good Manufacturing Practices (cGMP), which were laid down by the U.S. Food and Drug Administration and are an international standard).

In addition, the increasing use of electronic data processing in companies also requires security mechanisms to protect digital data. Legislation such as the Final Rule on Electronic Records and Electronic Signatures, 21 CFR Part 11, issued by the FDA reflects this need.

For this reason, the SAP System contains the digital signature, a tool that enables you to sign and approve digital data. The digital signature ensures that the person signing a digital document is uniquely identified and that the signatory's name is documented along with the signed document, date, and time. You can use digital signatures to approve documents or objects in all applications that support it.

For more information on the digital signature, see the documentation for the relevant application components.

Integration

The basis component Secure Store and Forward (SSF) is used to implement the digital signature in the SAP System. If you use the user signature as your signature method (see Features below), you need an external security product that is linked to the SAP System using SSF.

You should not store the users' Personal Security Environment (PSE) in the file system but rather, for example, on a smart card. A software PSE kept in the file system does not meet the legal requirements for digital signatures.

Prerequisites

Before you can work with digital signatures, the following requirements must be met in the SAP System:

Note

Batch records are an exception. This operation is particularly significant in the area of regulated production (for example, for the pharmaceutical industry). Therefore, the digital signature is always active in the batch record, so that the requirements of the FDA’s GMP guidelines are always covered. You can only set which signature procedure (user signature or system signature) and which signature process (simple signature, signature strategy) you want to implement.

These settings are necessary so that the signature time can be determined in accordance with the global time that is valid system-wide and transferred to the signed document.

You define, for example, the users' time zone, which is used to determine the signatory's local signature time and transfer it to the signed document.

The appropriate authorization for the object to be signed

If you use signature strategies (see Features below), you also need the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR, Authorization group for digital signatures). If you do not yet have authorization to execute digital signatures, the authorization C_SIGN must be assigned to your profile.

Caution

All users can maintain their address data and defaults by choosing System -> User profile -> Own data. This includes the users' names, personal time zones, and SSF settings. Therefore, if you use digital signatures, do not assign the authorization to maintain own data to all users.

Features

The digital signature is based on public-key technology. Each signatory receives an individual key pair consisting of a private and a public key. This data is stored in the user's Personal Security Environment (PSE), for example, on a smart card or in a protected directory that no one else can access. The signatory uses the private key to execute the digital signature.

Signature Method

The SAP System distinguishes between the following signature methods:

System signature: Here, you do not need an external security product. Just like when logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP System then executes the digital signature. The user name and ID are part of the signed document.

User signature with verification: Here, you need an external security product. The users execute digital signatures themselves using their private keys. The executed signatures are automatically verified.

User signature without verification: If you use an external security product, you can use this signature method for test purposes. Do not use it in a live system. Users execute their signatures as described above, but the signatures are not automatically verified.

In Customizing, you decide which signature method you want to use for each signature object type (that is, for all simple signatures executed for objects of that type) and for each signature strategy.

Signature Process

The SAP System provides a number of different functions for the execution of the signature process. You can use these functions for the individual signature objects according to your needs. This section contains a brief description of the available functions.

Signature Strategy

For some object types you can use a signature strategy when executing a signature. In this case, several individual signatures by different user groups or authorization groups are executed within one and the same signature process when an object is signed. In the Customizing for the relevant object type, you use signature strategies to define which individual signatures are required and the sequence in which they are to be executed.

Note

Each user who is authorized to execute signatures within a signature strategy, and who has not yet signed the object, can also cancel a signature process. The signatures executed so far are withdrawn and the object obtains the status it had before the signature process was started.

It is not absolutely necessary to use a signature strategy. If you do not want to use a signature strategy, do not enter anything in the corresponding field in the Customizing for the relevant object type. Then this object is signed with the signature of one single authorized person.

Alternatively, you can also define a signature strategy that consists of only one individual signature. This means you still have the option of adding further individual signatures to this signature strategy, if necessary.

Synchronous or Asynchronous Signature Process

Signature strategies can be executed synchronously or asynchronously depending on the signature object.

Once a synchronous signature process has been started, it must be completed without interruption. A new function or transaction can only be called up after the last required signature has been executed. If the signature process is interrupted before it finishes, all the signatures that have previously been executed are saved, but are not valid for the signature process and must be repeated.

In an asynchronous signature process, signatories execute their signatures independently. The signature process can be interrupted after each signature and continued by the next signatory any time. To interrupt the asynchronous signature process, you must enter the password.

Reason for Signature

The system displays the description of the corresponding signature object as the reason for signature in the dialog box in which you execute the signature. Depending on the application, an additional text may describe the signed object in more detail. In the Customizing, there are various options for displaying the reason for signature.

The reason for signature along with the application-specific text is part of the signed document. It is added to the document in the language in which the signature was executed.

Signatory and Logon User

Depending on the signature object, the signatory and the user logged on to the system must be the same. In this case, the system sets the name of the signatory by default when the signature is executed. You cannot overwrite the user name. The signatory's user ID and complete name are added to the signed document.

Note

You enter the settings for the comment, remark, document display, and verification options described below in the Customizing for the digital signature. These entries are overridden by the relevant application if it specifies the setting "forbidden" for any of these options.

Comment

You can enter a comment when you execute a digital signature. For some object types you must enter a comment; the system does not accept the signature until you have entered a text in the comment field. In both cases, the comment is part of the signed document. In the Customizing, there are various options for creating a comment.

Remark

Some applications offer the option of selecting a remark from a list of predefined remarks and adding it to the signature when executing the digital signature. The individual remark texts are provided by the application. If a remark is required, the system only executes the digital signature once the signatory has selected a remark. The remark becomes part of the signed document. In the Customizing, there are various options for creating a remark.

Verification

You use the verification function to check if the document to be signed is still identical to the original document and if all previously executed signatures have been stored correctly in the system. You have the following options: forbidden and possible.
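The following Python model is an added example, not SAP code and not part of this documentation. It ties together the signature strategy described under Signature Strategy and the verification check described here: an ordered list of authorization groups plays the role of the strategy, each individual signature carries user ID, full name, global and local signature time, reason, and comment, and each signature's digest also covers the signatures executed before it, so verification detects both a changed document and a tampered or missing earlier signature. The user data, authorization groups, time zones, the batch record text, and the HMAC secrets standing in for the private keys in the PSE are all constructed for this example; a real user signature uses an asymmetric key through SSF.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-in for each signatory's private key in the PSE (real deployments
# use asymmetric keys via SSF; HMAC keeps this model standard-library only).
PSE_KEYS = {"OPER1": b"key-operator", "QAMGR": b"key-qa-manager", "PRODLEAD": b"key-prod-lead"}
# Constructed user master data: full name, time zone offset in hours, and the
# authorization groups the user holds (stand-in for the C_SIGN_BGR check).
USERS = {
    "OPER1": {"name": "Chris Operator", "tz": 0, "auth_groups": {"OPER"}},
    "QAMGR": {"name": "Ann Quality", "tz": 1, "auth_groups": {"QA"}},
    "PRODLEAD": {"name": "Bob Production", "tz": -5, "auth_groups": {"PROD"}},
}
SYSTEM_TIME = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)  # constructed global time


@dataclass
class Signature:
    """One individual signature; every field is part of the signed document."""
    user_id: str
    full_name: str
    signed_at_utc: str   # global, system-wide time
    local_time: str      # signatory's local time derived from the user's time zone
    reason: str
    comment: str
    digest: str          # hash over document content plus all earlier signatures
    value: str = ""      # signature value computed over payload()

    def payload(self) -> bytes:
        return "|".join([self.user_id, self.full_name, self.signed_at_utc,
                         self.local_time, self.reason, self.comment, self.digest]).encode()


def chained_digest(content: bytes, prior: list[Signature]) -> str:
    """Hash the document together with earlier signatures so each signature covers them."""
    h = hashlib.sha256(content)
    for s in prior:
        h.update(s.value.encode())
    return h.hexdigest()


def sign_value(user_id: str, payload: bytes) -> str:
    return hmac.new(PSE_KEYS[user_id], payload, "sha256").hexdigest()


@dataclass
class SignatureProcess:
    content: bytes
    reason: str
    strategy: list[str]   # ordered authorization groups, one per required individual signature
    signatures: list[Signature] = field(default_factory=list)
    status: str = "open"

    def sign(self, user_id: str, comment: str, now_utc: datetime) -> Signature:
        if self.status != "open":
            raise RuntimeError(f"signature process is {self.status}")
        required = self.strategy[len(self.signatures)]
        user = USERS[user_id]
        if required not in user["auth_groups"]:
            raise PermissionError(f"{user_id} lacks authorization group {required}")
        if not comment:
            raise ValueError("a comment is required for this object type")
        local = now_utc.astimezone(timezone(timedelta(hours=user["tz"])))
        sig = Signature(user_id, user["name"], now_utc.isoformat(), local.isoformat(),
                        self.reason, comment, chained_digest(self.content, self.signatures))
        sig.value = sign_value(user_id, sig.payload())
        self.signatures.append(sig)
        if len(self.signatures) == len(self.strategy):
            self.status = "complete"
        return sig

    def cancel(self, user_id: str) -> None:
        # A user authorized within the strategy who has not yet signed withdraws all signatures.
        if self.status != "open":
            raise RuntimeError(f"signature process is {self.status}")
        if not any(g in USERS[user_id]["auth_groups"] for g in self.strategy):
            raise PermissionError(f"{user_id} is not authorized within this strategy")
        if any(s.user_id == user_id for s in self.signatures):
            raise PermissionError(f"{user_id} has already signed and cannot cancel")
        self.signatures.clear()
        self.status = "cancelled"

    def verify(self, current_content: bytes) -> bool:
        """True if the document is still the original and every stored signature is intact."""
        prior: list[Signature] = []
        for s in self.signatures:
            if s.digest != chained_digest(current_content, prior):
                return False
            if not hmac.compare_digest(sign_value(s.user_id, s.payload()), s.value):
                return False
            prior.append(s)
        return True


def run_batch_record_approval() -> SignatureProcess:
    """Constructed two-step strategy: the operator signs first, then quality assurance."""
    proc = SignatureProcess(b"batch record 4711: yield 98.2%", "Approve batch record", ["OPER", "QA"])
    proc.sign("OPER1", "Batch completed per SOP", SYSTEM_TIME)
    proc.sign("QAMGR", "Released by QA", SYSTEM_TIME + timedelta(minutes=20))
    return proc
```

Running run_batch_record_approval() yields a process with status "complete" whose verify() returns True for the original content and False for an altered batch record or an edited stored comment; a user whose authorization group is not next in the strategy cannot sign, and only a strategy-authorized user who has not yet signed can cancel, which clears all signatures executed so far.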

Document Display

Depending on the settings in the Customizing, the signatory is either required to, able to or forbidden from reading the content of the document to be signed.

For more information on the digital signature, see the Implementation Guide (IMG) under Cross-Application Components -> General Application Functions -> Digital Signature.
