7/9/2021

Cross-Application Components
Generated on: 2021-07-09 00:28:38 GMT+0000

SAP ERP | 6.0 EHP7 SP14

PUBLIC

Original content: https://help.sap.com/viewer/67ae2d27aed945b7bd0ad1d2185ec217/6.17.14/en-US

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not re ect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/viewer/disclaimer.

This is custom documentation. For more information, please visit the SAP Help Portal 1
 7/9/2021

Digital Signature (CA-DSG)

Use
In the course of the last few decades, certain industries, such as the pharmaceutical or food-processing industry have had to
comply with even stricter regulations with regard to the documentation and approval of their processes (such as, the guidelines
on current Good Manufacturing Practices (cGMP) , which were laid down by the U.S. Food and Drug Administration and are an
international standard).

In addition, the increasing use of electronic data processing in companies also requires security mechanisms to protect digital
data. Legislation such as theFinal Rule on Electronic Records and Electronic Signatures , 21 CFR Part 11 , issued by the FDA
re ects this need.

For this reason, the SAP System contains the digital signature, a tool that enables you to sign and approve digital data. The
digital signature ensures that the person signing a digital document is uniquely identi ed and that the signatory's name is
documented along with the signed document, date, and time. You can use digital signatures to approve documents or objects in
all the applications that are able to use it.

For more information on the digital signature, see the documentation for the relevant application components.

Integration
The basis component Secure Store and Forward (SSF) is used to realize the digital signature in the SAP System. If you use the
user signature as your signature method (see Features below), you need an external security product that is linked to the SAP
System using SSF.

The user's personal security environment (PSE) should not be stored in the le system but rather, for example, on a smart card.
The PSE software does not comply with legal requirements for digital signatures.

Prerequisites
Before you can work with digital signatures, the following requirements must be met in the SAP System:

You have activated the digital signature for the corresponding object type. For more information, see the documentation
for the relevant application.

 Note
Batch records are an exception. This operation is particularly signi cant in the area of regulated production (for
example, for the pharmaceutical industry). Therefore, the digital signature is always active in the batch record, so
that the requirements of the FDA’s GMP guidelines are always covered. You can only set which signature procedure
(user signature or system signature) and which signature process (simple signature, signature strategy) you want to
implement.

You have made the settings for the system time zone (see Customizing, activity General Settings Time Zone ).

These settings are necessary so that the signature time can be determined in accordance with the global time that is
valid system-wide and transferred to the signed document.

You have made the settings for the digital signature (see Customizing for Basis Components , section System
Administration Digital Signature and Customizing for the corresponding object type).

You de ne, for example, the users' time zone that is used to determine the signatory’s local signature time and transfer
it to the signed document.

This is custom documentation. For more information, please visit the SAP Help Portal 2
 7/9/2021
You have made the user settings ( rst and last name, possibly also the time zone)

You have assigned the authorizations required to execute digital signatures to the relevant users (see Customizing for
the relevant signature object). This includes:

The appropriate authorization for the object to be signed

If you use signature strategies (see Features below), the authorization for the corresponding individual signature or
authorization group (authorization object C_SIGN_BGR Authorization group for digital signatures ). If you do not have
authorization to execute digital signatures, the authorization C_SIGN should be assigned to your pro le.

 Caution
All users can maintain their address data and defaults by choosing System -> User pro le -> Own data. This includes
the users' names, personal time zones, and SSF settings. Therefore, if you use digital signatures, do not assign the
authorization to maintain own data to all users.

Features
The digital signature is based on the public-key technology. Each signatory receives an individual key pair consisting of a private
and a public key. This data is stored in the user's Personal Security Environment (PSE), for example, on a smart card or in a
protected directory that no-one else can access. The signatory uses the private key to execute the digital signature.

Signature Method

The SAP system distinguishes between the following signature methods:

System signature with authorization by user ID and password

Here, you do not need an external security product. Just like when logging on to the system, users identify themselves by
entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are
part of the signed document.

Digital user signature with veri cation

Here, you need an external security product. The users execute digital signatures themselves using their private keys.
The executed signatures are automatically veri ed.

Digital user signature without veri cation

If you use an external security product, you can use this signature method for test purposes. Do not use it in a live
system. Users execute their signatures as described above but they are not automatically veri ed.

In Customizing, you decide which signature method you want to use for each signature object type, this means for all simple
signatures executed for objects of the corresponding type, and for each signature strategy.

Signature Process

The SAP System provides a number of different functions for the execution of the signature process. You can use these
functions for the individual signature objects according to your needs. This section contains a brief description of the available
functions.

Signature Strategy

For some object types you can use a signature strategy when executing a signature. To do this, when signing an object, that is,
within one and the same signature process, you call several individual signatures with different users groups or authorization
groups. In the Customizing for the relevant object type, you use signature strategies to de ne which individual signatures are
required and the sequence in which they are to be executed.

This is custom documentation. For more information, please visit the SAP Help Portal 3
 7/9/2021

 Note
Each user who is authorized to execute signatures within a signature strategy, and who has not yet signed the object, can
also cancel a signature process. The signatures executed so far are withdrawn and the object obtains the status it had
before the signature process was started.

It is not absolutely necessary to use a signature strategy. If you do not want to use a signature strategy, do not enter
anything in the corresponding eld in the Customizing for the relevant object type. Then this object is signed with the
signature of one single authorized person.

Alternatively, you can also de ne a signature strategy that only consists of one single individual signature. This means you
still have the option of adding further individual signatures to this signature strategy, if necessary.

Synchronous or Asynchronous Signature Process

Signature strategies can be executed synchronously or asynchronously depending on the signature object.

Once a synchronous signature process has been started, it must be completed without interruption. A new function or
transaction can only be called up after the last required signature has been executed. If the signature process is interrupted
before it nishes, all the signatures that have previously been executed are saved, but are not valid for the signature process
and must be repeated.

In an asynchronous signature process, signatories execute their signatures independently. The signature process can be
interrupted after each signature and continued by the next signatory any time. To interrupt the asynchronous signature
process, you must enter the password.

Reason for Signature

The system displays the description of the corresponding signature object as the reason for signature in the dialog box in which
you execute the signature. Depending on the application, an additional text may be describing the signed object in more detail.
In the Customizing, there are various options, for displaying the reason for signature.

The reason for signature along with the application-speci c text is part of the signed document. It is added to the document in
the language in which the signature was executed.

Signatory and Logon User

Depending on the signature object, the signatory and the user logged on to the system must be the same. In this case, the
system by default sets the name of the signatory when the signature is executed. You cannot overwrite the user name. The
signatory's user ID and the complete name is added to the signed document.

 Note
You enter the following settings for the comment,remark, document display and veri cation options in the Customizing for
the digital signature. These entries are overridden by the relevant application if the setting "forbidden" is speci ed there for
these options.

Comment

You can enter a comment when you execute a digital signature. In some object types you must enter a comment. The system
does not accept the signature until you have entered a text in the comment eld. In both cases, the comment is part of the
signed document. In the Customizing, there are various options, for creating a comment.

Remark

This is custom documentation. For more information, please visit the SAP Help Portal 4
 7/9/2021
Some applications offer the option of selecting a remark from a list of prede ned remarks, and adding it to the signature when
executing the digital signature. The individual remark texts are provided by the application If it is required that you enter a
remark, the system only signs off the digital signature if the signatory has selected a remark. This becomes part of the signed
document In the Customizing, there are various options, for creating a remark.

Veri cation

You use the veri cation function to check if the document to be signed is still identical to the original document and if all
previously executed signatures have been stored correctly in the system. You have the following options: forbidden and possible
.

Document Display

Depending on the settings in the Customizing, the signatory is either required to, able to or forbidden from reading the content
of the document to be signed.

For more information on the digital signature, see the Implementation Guide (IMG) under Cross-Application Components ->
General Application Functions -> Digital Signature .

Executing Digital Signatures

Use
You use this procedure to execute a digital signature on documents in the selected application. The system adds the date, time,
name of the signatory and, if necessary, further data that has been de ned in the Customizing for the Digital Signature, to the
document that is to be signed, and stores the data in the system together with the document.

Prerequisites
The application to be signed must be registered as a signature object in the SIGNAPPL and SIGNOBJECT tables.

You have made the necessary settings for the digital signature in the Customizing.

(For more information on the Customizing for the digital signature, see the Implementation Guide under Cross-Application
Components General Application Functions Digital Signature .)

In an application, you have executed an action that must be signed with a digital signature.

Procedure
Signing Documents

1. From the list, choose an authorization group for the digital signature.

2. Choose a remark that you wish to add to the document.

3.

You can only add a remark if you have set the value possible or required in the remark column in the Customizing for the
digital signature for this application. The application must also provide a list of remarks.

4. Enter the User-ID for the signatory and the corresponding password.

5. To enter a comment for the signature, choose .

6.

This is custom documentation. For more information, please visit the SAP Help Portal 5
 7/9/2021
You can only add a comment if you have set the value possible or required in the comment column in the Customizing for
the digital signature for this application. The application must also allow comments to be entered.

7. To display the document to be signed, choose .

8.

You can only display the document if you have set the value possible or required in the document column in the
Customizing for the digital signature for this application. The application must also allow documents to be displayed.

9. Choose .

Verifying the Signature

You can check the validity of signatures that have previously been executed within a signature strategy. To do this, at least one
signature from the strategy must already have been executed.

1. Choose .

2. The system lists all signatures that have already been executed for this application within the current signature strategy.

3. To check the signatures, choose .

The system executes the veri cation. The traffic light in the Verif. Column displays the result.

Green: The signature is valid.

Yellow: The veri cation could not be executed.

Red: The signature is invalid. You can nd more information if you double-click on the red light.

 Note

You can only execute the veri cation if you have set the value possible or required in the veri cation column in the
Customizing for the digital signature for this application.

Canceling the Signature Process

To cancel the overall signature process, choose .

You can only cancel the signature process if you have not yet executed a signature. All other signatures that have previously
been executed within the signature process are stored, but are no longer valid for the signature process. The overall signature
process must be restarted.

Canceling the Current Signature Operation

To cancel the current signature operation, choose . The signatures that have previously been executed within the signature
process are retained.

Monitoring and Logging of Signature Processes

Use
Digital approval processes must be reliable and transparent in order to comply with security requirements.For this reason, the
SAP System offers the following:

This is custom documentation. For more information, please visit the SAP Help Portal 6
 7/9/2021
You can lock users after a customer-speci c number of unsuccessful attempts has been reached.

You can monitor security-relevant activities that occurred during the signature process.

You can analyze all activities performed in the context of the signature process.

Features
User Lock

When a signature is executed, unsuccessful attempts can take place for a number of different reasons (for example, the user
has entered the wrong password, the user is not authorized to execute the signature, or the system could not verify the
signature). After a certain number of unsuccessful attempts has been exceeded, the user is locked as follows:

When a system signature is executed, the user is locked by the SAP System. The lock applies to the digital signature and
a new system logon. You set up the number of unsuccessful attempts in the system pro le (see Pro le Parameters for
Logon and Password ).

When a user signature is executed, the user is locked by the external security product. The lock only applies to the digital
signature. The number of allowed unsuccessful attempts is managed by the external security product.

Security Audit Log

Any failed signature attempt is logged in the Security Audit Log along with other security-relevant events of the SAP System.
The system documents, for example, the reason for the error, date and time, and the signatory's user ID. The security
administrator can use the CCMS alert monitor to evaluate the Security Audit Log (see ).

Log for Digital Signature

The log for the digital signature documents all relevant steps in a signature process. This includes successful and canceled
signatures as well as signatures that were deleted when the signature process was canceled. You can evaluate the signature
log, for example, by signature object, signature time, and the signatory's user ID (see Analyzing Logs for Digital Signatures ). It
contains the result of the signature steps along with all messages and the data that is transferred to the signed document if
the signatures were successful.

Analyzing Logs for Digital Signatures

Use
You use this procedure to obtain an overview of the course signature processes took and evaluate all activities performed in the
course of the signature process.

 Note

If you only want to analyze the security-relevant events that occurred both in the context of digital signatures and during
other activities in the SAP System, use the CCMS alert monitor to analyze the Security Audit Log instead (see ).

Procedure
1. In the relevant application, call the log for the digital signature.

2. From the list, choose the application for which you wish to display the digital signature log.

3. Choose the required signature object for the application.

This is custom documentation. For more information, please visit the SAP Help Portal 7
 7/9/2021
4. If required, choose a signatory.

5. As an option, you can create further criteria for the log selection (for example, date or time).

6. If it is possible to specify further, more restrictive criteria for the selected application, the Selection of signature object
screen appears and the key appears in the toolbar.

7. As an option, you can enter further criteria for selecting the log. In the case of PI sheets, for example, this would be the
number of the PI sheet, the number of the process instruction, and so on. Then choose .

8. To display the Selection for signature object screen again (for example, because you had chosen ), choose in the
toolbar.

9. If the Selection for signature object screen was not displayed (because no further selection criteria exist for the selected
signature object), choose after you have entered all the search criteria.

The overview of the logs that the system selected appears. The following data is displayed:

In the top screen area, the logs' header data, that is, the date and time, the signatory name, and the number of log
messages.

There is exactly one log for each signature attempt.

In the bottom screen area, the messages of the logs selected, that is, the result of the signature steps and all relevant
signature data

Messages are marked according to their type and logs are marked according to the most serious message type they contain:

Icon Message Type

Information

Warning

Error

Cancel

In addition, the following log classes are highlighted in different colors:

Log or Error Class Text Color

Signature process cancelled Log red, message highlighted in yellow

Wrong password, name not maintained, missing SSF info Log and message highlighted in yellow

1. Use the following functions to analyze the logs:

If you only want to display messages of a particular type, choose the corresponding icon in the symbol bar at the bottom
of the screen.

If you only want to display messages of a particular log, double-click the log in the top screen area. By double-clicking the
higher-level node, the system again displays all logs of the corresponding object type.

To display the long text for a message, choose in the corresponding line in the bottom area of the screen.

This is custom documentation. For more information, please visit the SAP Help Portal 8