For many SAP customers the “out of the box” functionality for digital signature should meet their requirements, particularly in closed systems. If another level of authentication is required, or the system is open to partners and customers, SAP supports the integration of external security products (e.g., smart card readers) and the use of public-key technology via the Secure Store & Forward (SSF) interface (starting with SAP version 4.0b). This is particularly relevant in SAP applications where digital information is exchanged electronically (e.g., electronic invoices) across enterprise boundaries.
In these cases, there are two keys involved. The document is signed using a private key, and the signature is verified using a public key. The private key can be stored on a computer (PC or server) or on a separate piece of hardware like a smart card. This white paper will focus on “single key” digital signature authentication. Depending on reader interest, we can potentially follow up this white paper with a look at the more complex “double key” authentication scenarios.
I. Background on Electronic or “Digital” Signatures
SAP defines a “Digital Signature” in the online documentation as follows:
Logistics - General (LO)
Equivalent to a handwritten signature for the processing of digital data.
The digital signature ensures that:
- The signed transaction can only be carried out by users with a special authorization
- The signatory identification is unique and forgery-proof
- The signatory name is documented together with the signed transaction and the date and time, and cannot be falsified
The Quality Management (QM) application component uses the simple signature. This means that a document is signed or approved by the signature of a single authorized person.
You can use the digital signature for the following functions:
- During results recording
- At the usage decision
- When confirming the physical-sample drawing. This means, when releasing the first physical sample in a physical-sample drawing.
II. Configuration (using the IMG)
In order to use the Digital Signature functionality, you must first define the “General Settings.”
A) Time Zones
(standard SAP setting should suffice here—see Figure 1)
Figure 1: Maintain Time Zone
B) Assign Personal Time Zone (maintain User Defaults)
The “Personal Time Zone” for your User ID must be maintained. This assures that the signature date and time are correct for the individual user who “signs” the document.
This can be done using the following menu path: System → User profile → Own data (or transaction SU3). Make sure to click on the “Defaults” tab (see Figure 2).
Figure 2: Assign Personal Time Zone to User ID
In this example, the system time zone is Eastern Standard Time (EST), but my user is located in California on Pacific Standard Time (PST).
C) Signature Method
There are two main options for the Signature Method (listed below as 1. and 2.). For this white paper, we use Option 1 (System signature with authorization by SAP User ID and password). This option is only available from R/3 Version 4.6c forward.
1. System signature with authorization by SAP User ID and password
As noted by SAP: “Here, you do not need an external security product. Just like when logging on to the system, users identify themselves by entering their User IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document.”
This signature method is available “out of the box” and requires no additional hardware.
To configure the signature method, use the IMG to navigate to “Define Authorization Groups and Digital Signature” (see Figure 3).
Figure 3: IMG Menu Path to Signature Method
Once in the “Specify Signature Method for Simple Signature” Table, click on the “New Entries” button.
In the Signature object type field, we select the entries for “Inspection Lot: Results Recording” and “Inspection Lot: Usage Decision” (see Figure 4).
Figure 4: Assign Signature Object Type
In the Signature Method field, we select “System signature with authorization by R/3 user ID/password” (see Figure 5).
Figure 5: Assign System Signature as Method
When finished, the two rows you added should look like this:
Figure 6: Two Added Entries
2. User signature with and without verification
SAP notes: “Here, you need an external security product. Users execute digital signatures themselves using their private keys. The signature created by the security product is automatically checked for authenticity.” This is done using the Secure Store and Forward (SSF) interface, which makes use of Public-Key Cryptography Standards (PKCS). (Source: http://help.sap.com)
NOTE: In this white paper, we do NOT use an external security product; therefore I will not detail the customizing settings for the SSF interface. For reference, they can be found in the IMG under: SAP Web Application Server → System Administration → Digital Signatures (menu path for SAP 4.7).
D) QM Material Authorization Group:
Quality Management (QM) in SAP is primarily a material-based system. The QM view of the Material Master is set up at an “organizational level” of “Plant.” This means that the general Quality Control settings are activated based on a combination of Material and Plant. The same is true of digital signatures. In order to activate the digital signature in QM, you must configure an authorization group in the QM View of the Material Master. This can be done in the following area of the IMG (same menu path as for Signature Method—see Figure 7):
Figure 7: IMG Menu Path to Mat. Auth Group
In this table, you can change an existing entry or add a new entry to create a QM Material Authorization Group based on your requirements. For our example, we will add QM Material Authorization Group 000099 with the following settings:
- Approval for Inspection Lot – approval not required
- Digital Signature in Results Recording – required for results recording
- Digital Signature at Usage Decision – required for making the usage decision
- Digital Signature for Sample Drawing – not required
Figure 8: Entry Added for Digital Signature at RR & UD
Although not used in this white paper, notice that there is the ability to require a digital signature for the approval of the inspection lot and the physical sample drawing. The “Approval insp. lot” setting can require a digital signature for the approval of an inspection lot and depends on whether a task list (e.g., inspection plan) or material specification is used. There is also the ability here to require a digital signature for the confirmation of a physical sample drawing.
Additionally, there is NOT a setting for Quality Notifications in this table. (Quality Notifications are not always based on a Material.) The digital signature for Quality Notifications is currently not available in Standard SAP (as of Release 4.7). This functionality could be added via a Business Add-In or “BAdI” as some SAP customers have done.
III. Master Data
A) Adding the QM Material Auth. Group to the QM View of the Material
Next we will add the QM Material Auth Group that we just created in Configuration to the QM View of the Material Master. As I stated earlier, the QM View is set up at an Organizational level of plant. I have an existing Material Master 10005723 that we will change via Transaction MM02 (see Figure 9).
Figure 9: QM View of Material Master
Next, select the plant at which you want to change the QM Settings:
Figure 10: Organizational Level of Plant
Then, add QM Material Authorization Group 000099:
Figure 11: QM Auth Group in Material Master
QM Auth Group 000099, which we created earlier, will require a Digital Signature anytime we record results or make a usage decision for an inspection lot (for this material/plant combination—see Figure 12).
Figure 12: Entry Added
B) Reviewing the Inspection Data Setup:
In order to use the digital signature functionality, we must have the material set up to create an inspection lot. In this example, we have a Material Master that represents a semi-finished material that requires inspection at Goods Receipt from Production. In order to see the settings maintained for this material, click on the “Insp. setup” button:
Figure 13: QM Inspection Data Setup
You can see in the above screenshot that I have added Inspection Lot Origin 04 and activated it. The details for Inspection Lot Origin 04 are shown in the bottom half of the screen. In this example, we require that SAP create an inspection lot for the Goods Receipt from a production order and allow “early lot creation” at Production Order Release.
IV. Inspection Processing (Results Recording & Usage Decision)
In order to see the digital signature functionality in action, I have created an inspection lot.
A) Digital Signature at Results Recording
The digital signature for results recording happens at the time the user saves the results for the Operation (digital signature is at the Operation Level). In this example, a digital signature is required for results recording (for the material/plant combination). This means that when the results are saved, SAP will now ask the user to verify his unique identity. A digital signature will be required for every operation that results are recorded against (e.g., 3 Operations = 3 Signatures). SAP will automatically record the associated Inspection Lot and Operation number in the “remarks” section:
Figure 14: Digital Signature for Results Recording
The digital signature method we are using utilizes the SAP User ID and Password. This means that the person recording the results must enter their unique User ID (Signatory) and its associated Password in order to proceed. SAP will verify that the password is correct for that User ID, and then execute the digital signature—at which time the user name and ID become part of the signed document. If the password is incorrect, SAP will issue a message and allow the user to try again (up to the number of allowed attempts configured). In the case of too many failed attempts, SAP will lock the User ID.
Figure 15: Error, Incorrect Password
It is possible to change the signatory to another User ID (the password must be correct for that User ID). This can be helpful in the case where a supervisor may need to sign off the results for one of her inspectors. The “Comment” section can be used for documentation.
B) Digital Signature at Usage Decision
The digital signature at Usage Decision happens at the time the user saves or changes a Usage Decision (transactions QA11 and QA12). This can happen for the stock posting or Usage Decision Code.
When the Usage Decision is saved, the Digital Signature box will appear:
Figure 16: Digital Signature at Usage Decision
SAP automatically records the inspection lot number. The user can enter comments if needed and again must enter his unique User ID (Signatory) and its associated Password in order to proceed.
V. Audit Trail
A) Digital Signature Logs
Lastly, SAP provides a transaction to review the digital signature logs. This is accessed via Transaction DSAL. As this is a common transaction that is used for multiple applications, you must select the application “inspection lot” to narrow down the entries (see Figure 17).
Figure 17: Digital Signature Logs (Selection Screen)
Using this transaction, you can search for signatures of a particular Signatory (User ID), as well as look for signatures for a particular Date Range or Inspection Lot (see Figure 18). The transaction can also find unsuccessful attempts (e.g., user locked, wrong password, etc.).
Figure 18: Digital Signature Log (Output)
The following log shows the successful signature for the usage decision—notice that the Global date/time of the signature differs from the Local signature date/time:
Figure 19: Digital Signature Log (Detail)
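The kind of audit review described above can also be run offline over an exported copy of the signature log. The following is an added example, not part of the original white paper or of SAP's own code: it converts each global timestamp to the signatory's personal time zone and flags signatories with repeated wrong passwords or a lock. The CSV layout, status codes, user IDs and lot numbers are constructed assumptions, and the time zones use fixed standard-time offsets.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names, status codes, user IDs and lot
# numbers are hypothetical; they are not the real DSAL output layout.
SAMPLE_LOG = """\
global_utc,signatory,tz,object,status
2005-03-01 18:02:11,JSMITH,PST,040000001234/0010,OK
2005-03-01 18:05:40,MJONES,PST,040000001234/0020,WRONG_PASSWORD
2005-03-01 18:05:58,MJONES,PST,040000001234/0020,WRONG_PASSWORD
2005-03-01 18:06:15,MJONES,PST,040000001234/0020,WRONG_PASSWORD
2005-03-01 18:06:16,MJONES,PST,040000001234/0020,USER_LOCKED
2005-03-02 03:15:00,JSMITH,PST,040000001234,OK
2005-03-02 14:30:00,KLEE,EST,040000001235,WRONG_PASSWORD
"""

# Fixed standard-time offsets for the EST/PST case in the text (assumption:
# no daylight saving; real reviews should use a time zone database).
ZONES = {"EST": timezone(timedelta(hours=-5), "EST"),
         "PST": timezone(timedelta(hours=-8), "PST")}

def parse_log(text):
    """Parse the export and attach the global (UTC) and local signature times."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        utc = datetime.strptime(row["global_utc"], "%Y-%m-%d %H:%M:%S")
        row["global"] = utc.replace(tzinfo=timezone.utc)
        row["local"] = row["global"].astimezone(ZONES[row["tz"]])
        rows.append(row)
    return rows

def flag_signatories(rows, max_failures=3):
    """Signatories who were locked or reached max_failures wrong passwords."""
    failures = Counter(r["signatory"] for r in rows if r["status"] == "WRONG_PASSWORD")
    locked = {r["signatory"] for r in rows if r["status"] == "USER_LOCKED"}
    return sorted(locked | {u for u, n in failures.items() if n >= max_failures})

def date_mismatches(rows):
    """Signatures whose local calendar date differs from the global date,
    which a date-range search on the wrong clock would miss."""
    return [r for r in rows if r["local"].date() != r["global"].date()]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("review:", flag_signatories(rows))
    for r in date_mismatches(rows):
        print(r["signatory"], r["object"], r["global"], "->", r["local"])
```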
In the past, SAP customers have found it challenging to prove that the Inspector who logged onto their SAP system was indeed the same Inspector (User) who recorded the results. This can often happen because many SAP users share a common desktop PC and leave it logged on to SAP under one user’s account. With the digital signature, a user is required to enter the signatory/password combination that is only known to that user. The value here is that the “digital signature” proves to the business and regulatory authorities that the inspectors entering results in QM are who they say they are (just as an inspector’s stamp or written signature would).
As mentioned at the beginning of the white paper, the digital signature also helps SAP customers meet GMP guidelines as well as FDA 21 CFR Part 11 (for customers in the medical industry). Although the FDA is currently revising 21 CFR Part 11, they fully expect that companies using electronic records will take the needed steps to be in full compliance when the latest guidelines are released. As non-compliance can lead to fines and costs in millions of dollars, the cost of ignoring these issues can be steep. SAP, as well as their customers, has made compliance a priority.