SolMan 7.2 – How to configure Signature Strategy in Process Management
I would like to explain the process of setting up a ‘Digital Signature’ strategy in Process Management to approve or reject documents that are uploaded to the solution.
Digital Signature can be used when the customer wants control and governance over all documents that have been uploaded to Solution Manager.
There are two types of signatures:
- System Signature with Authorization by SAP User ID & password
- User Signature with external security product with or without verification
In this blog, I will explain the system signature and the related configuration needed to fulfill the requirement.
To achieve this, we need to configure the settings below.
1. Define Signature Object (Transaction: ELSIG03N)
When the application tries to call the signature strategy, this customization is checked. The signature method ‘System signature with Authorization by SAP User-ID/Password’ is commonly used by most applications. The user has to enter his/her SAP password during signing.
The two other signature methods, ‘User signatures with External Security product with/without verification’, need additional hardware such as a smart-card reader.
2. Define Authorization Group (Transaction: ELSIG01)
Authorization groups are used when individual signatures from different user groups (worker, shift leader, QM, plant manager etc.) should be included in the signature strategy. Before an individual signature can be executed, the system checks whether the user belongs to the correct authorization group of the individual signature.
3. Define Signature Strategy
Defining your signature strategy is a bit tricky when you plan to have multiple approvers. You need to specify the release status (the final status after the document has been approved), which in turn specifies that custom statuses are to be adopted for the documents.
I explain this with a 2-signature strategy, which requires 2 approvers.
Within the signature strategy, you need to assign individual signatures for each approver as shown below.
After assigning the individual signatures, you need to define the predecessor signatures in case of multilevel approvals. In this case, signature 1 is the predecessor of signature 2, and it is maintained as below.
4. Define Release Status
In this step, you need to maintain the status in which the signature procedure ends and the corresponding status the document changes to.
For this, you need to select the signature strategy and then click on ‘Release status’ as shown below.
After doing these configurations, you can find the ‘Sign’ option by right-clicking on the document type.
Now the signature block is visible and the approver has to provide his SAP User ID and password along with his comments.
Once the document is approved, its status changes to the defined release status.
Note: Based on my experience, I found the limitations below.
- The signature is called only when the document is checked in/out, a new version is uploaded, or the document is edited online, for which Microsoft Office integration is required.
- When doing so, you need to change the status so that the document is locked internally by the system.
- The signature gets triggered with a locked status (internal check).
- There are no standard PPF actions that notify either the approver or the document owner of a status change.
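The checks configured in steps 2 to 4, as a small Python model added here for illustration (not SAP code and not part of the original post): each individual signature requires membership in its authorization group and completion of its predecessor, and the document reaches the release status only when all signatures are done. The signature names, group names, users and status values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class IndividualSignature:
    name: str                  # constructed name, e.g. "SIG1"
    auth_group: str            # authorization group allowed to execute it
    predecessors: tuple = ()   # signatures that must be executed first

@dataclass
class SignatureStrategy:
    signatures: dict           # name -> IndividualSignature
    release_status: str        # status the document gets when signing ends
    done: dict = field(default_factory=dict)  # name -> user who signed

    def sign(self, sig_name, user, user_groups):
        sig = self.signatures[sig_name]
        if sig_name in self.done:
            raise PermissionError(f"{sig_name} already executed")
        # Step 2: the user must belong to the signature's authorization group.
        if sig.auth_group not in user_groups:
            raise PermissionError(f"{user} is not in group {sig.auth_group}")
        # Step 3: every predecessor signature must already be executed.
        missing = [p for p in sig.predecessors if p not in self.done]
        if missing:
            raise PermissionError(f"{sig_name} waits for {missing}")
        self.done[sig_name] = user

    def status(self, locked_status):
        # Step 4: the release status applies only when all signatures are done.
        complete = set(self.done) == set(self.signatures)
        return self.release_status if complete else locked_status

def build_two_step_strategy():
    return SignatureStrategy(
        signatures={
            "SIG1": IndividualSignature("SIG1", "REVIEWER"),
            "SIG2": IndividualSignature("SIG2", "APPROVER", ("SIG1",)),
        },
        release_status="RELEASED",
    )

def demo():
    strategy, log = build_two_step_strategy(), []
    attempts = [("SIG2", "BOB", {"APPROVER"}),    # predecessor not signed yet
                ("SIG1", "BOB", {"APPROVER"}),    # wrong authorization group
                ("SIG1", "ALICE", {"REVIEWER"}),
                ("SIG2", "BOB", {"APPROVER"})]
    for sig, user, groups in attempts:
        try:
            strategy.sign(sig, user, groups)
            outcome = "signed"
        except PermissionError:
            outcome = "refused"
        log.append((sig, user, outcome, strategy.status("IN_REVIEW")))
    return log
```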
Thanks Vignesh for the nice explanation,
I have configured as per the mentioned steps, but the sign option is still not showing.
Not sure if I have missed anything.
Sign option will be enabled only when the user performs one of the below actions.
Make sure you perform one of the above actions, and set the document to the relevant status where the document gets locked. Then you shall be able to see the sign option.
You have mentioned about "User Signature with external security product with or without verification".
Do you have more information about this?
Is it possible to use Microsoft Azure or a Public Key based authentication for digital signature?
Hello Srinivasa Bhatta,
I am not sure on the possibility of using Azure based authentication.
Do the authorization groups tie to SU01? I ask because I assigned myself to both a BASIS group and SUPER group in SU01, I used those groups in Step 2. I have set a customer status schema and set the RELEASED status as the 'lock'. I have created a new document in Draft status. Checked it out, made an edit, checked it back in and set the RELEASED status. The overall status shows locked, however, I do not see a SIGN option. I believe I have followed the steps correctly. I was just curious how this tied back to the user in SU01 or if any additional authorizations needed to be added in SU01? This is a great blog, thank you so much for sharing.
Hello Matthew Harmon,
If you try to perform the digital signature using the same user, the system shall not allow it and disables the sign button, as shown in the attachment.
The authorization groups are controlled by two authorization objects i.e. C_SIGN_BGR and C_SIGN to the users in respective authorization groups.
Try to assign the respective objects to these groups and retest once.
Sign button disabled if same user is trying to do approval
Many thanks on this. I realized that I needed to correctly create a customer status schema with two lock statuses. The very last lock status with the digital signature strategy assigned so the person seeking approval can set the status as locked, then the second lock status for the approver so they can go in and digitally sign the document. Works great! I will test with email notification workflow from Focused Build with note: 3053215 that allows for customer name space documents to be used so the email workflow functionality will communicate between Document Owner and Responsible for approvals.
Hello Matthew Harmon,
I don't think you need to have two lock statuses.
When the first approver performs the check-in and check-out or edit online or upload new version and performs his approval, the document shall go to "locked" status.
All you need to do is, in the release strategy of the approval process, against the status the document shall go for lock, please ensure you maintain "end status" as shown in my case attached.
Document status schema showing the digital strategy
Strange. I get an error when executing with the configuration like in your attachment. I did notice you have a z status where I'm using the SAP 0* statuses, I wonder if that is causing the issue? Error I receive after checking out and checking in on Review status is:
Status change requires start of signature process
Message No. AI_SMD_DOC060
Saving the document with the new status value requires a digital signature. Signing the document is only possible via context menu operations.
The changes cannot be saved.
Choose one of the context menu items 'Edit Online': The office integration must be enabled in the user settings and it must be technically supported for the document type and the browser.
Alternatively download the document to your desktop and choose "Upload New Version" from the context menu of the document to save it with the new status value.
I wonder if I need customer defined statuses, can you give me a hint where to create those?
Thank you for providing such useful information!
I tried to assign a predecessor in my signature strategy, but I am getting the below error and am not able to assign the predecessor. Though I am first selecting the signature strategy, then the individual signature and then the required signature to enter the predecessor, I am getting the below errors:
Do you know which step I am missing?