
OpenText™ Vendor Invoice Management

for SAP® Solutions

Security Guide

The Security Guide collects all information that is relevant
regarding security in Vendor Invoice Management (VIM).

VIM160305-GSM-EN-01
Rev.: 2020-Apr-25
This documentation has been created for software version 16.3.5.
It is also valid for subsequent software versions as long as no new document version is shipped with the product or is
published at https://knowledge.opentext.com.

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com

Copyright © 2020 Open Text. All Rights Reserved.


Trademarks owned by Open Text.

One or more patents may cover this product. For more information, please visit https://www.opentext.com/patents.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
Table of Contents

Part 1 About Vendor Invoice Management

1 About this document
1.1 Target audience
1.2 Further information sources

2 Understanding VIM
2.1 Delivery model
2.2 Workflow scheme

Part 2 Secure setup of VIM

3 Secure connections
4 Secure import
5 Secure storage

Part 3 General security aspects of VIM

6 Preparing configuration
7 General authorization checks
8 Specific authorization checks
9 Chart of Authority (COA)
10 General Data Protection Regulation (GDPR)

Part 4 Security aspects of specific VIM components

11 BCC
12 Business Center Inbound Configuration
13 Information Extraction Service
14 VIM Workplace
15 Substitutes in the workflow processes
16 Roles for the SAP early watch service
17 Transactions
18 Invoice Approval
19 Approval Portal
20 Mobile Approval Portal
21 KPI Dashboard
22 VIM reports
23 Fiori Task Apps
24 Supplier Self Service
25 Supplier Self Service Fiori apps
26 Supplier Self Service - Lean Variant
27 Z constants
28 Vendor data cleanup program
29 Standard posting of invoices
30 Posted invoice reversal with a new DP workflow start
31 VIM translation
32 Simple Mode VIM

GLS Glossary


Part 1
About Vendor Invoice Management

OpenText™ Vendor Invoice Management for SAP® Solutions 16.3 is an add-on
solution to SAP S/4HANA® on Premise to provide automation of invoice processing,
routing of invoice exceptions, managing of processing rules, and monitoring of
process flows.

By implementing Vendor Invoice Management (VIM), companies achieve the
following:

• Acceleration of AP operations across the enterprise
• Optimal integration of an invoice automation solution into SAP S/4HANA on
Premise
• Higher productivity in Accounts Payable and increased flexibility in cash
management by reducing time until invoices are free for payment
• Improved supplier relations through fast and accurate invoice processing
• Accurate, on-time financial reporting with integrated access to AP information
• Regulatory compliance through a well-managed process using preconfigured
rules, roles and actions considering country specific regulations

Vendor Invoice Management (classic mode) provides the following:

• Seamless integration with SAP® Finance and Logistic functions
• Secure storage and archiving of invoice documents and additional
documentation including processing and approval protocol through SAP
ArchiveLink®
• SAP add-on built on SAP Enterprise technology like ABAP®, SAP Business
Workflow®, SAP Fiori®, SAP NetWeaver®
• Multi-channel input for digital and non-digital invoice formats like scanned
paper invoices, PDF invoices attached to emails, EDI invoices, network invoices,
and so on. This includes integration of the SAP® Ariba® network based on SAP’s
built-in interface with Ariba.
• OCR add-on (OpenText™ Invoice Capture Center for SAP® Solutions; short:
ICC) for intelligent and automated capture of invoice data from scanned and
PDF invoices.

Note: From a technical point of view, OpenText™ Invoice Capture Center
for SAP® Solutions (ICC) corresponds to “OpenText™ Business Center
Capture for SAP® Solutions with invoice solution” (BCC with invoice
solution).
• Framework for data enrichment and data checks to achieve automation of
specific classes of invoices based on the input from OCR or electronic channels.
This approach leads to high-quality automated invoice postings.
• A large library of business rules and data mappings and data enrichment
modules considering different country based aspects



• A pre-configured best-practice baseline configuration delivered as SAP
customizing set
• Tools and workflow processes to optimize processing of invoices that cannot be
fully automated by their nature or invoices triggering exceptions during the
automated processing.
• Best practice approach to automated compliance validation based on vendor
white, grey, and black lists
• Best practice logic to allocate different tasks to the right team and users, for
example:

– Review of basic invoice issues by Accounts Payable or Shared Services team
– Allocation of exceptions to specialized experts, for example a tax expert
reviewing complex tax constellation
– Sending tasks and notifications to teams outside Accounts Payable like
Purchasing team, Goods-in department and roles like receiver, requester and
approvers
• Different coding scenarios: Auto-coding in background, coding in AP, coding by
business users
• Comprehensive approval workflow supporting approval of invoice data in VIM
tables, parked invoices, and posted and blocked invoices
• Unblocking workflows for invoices blocked for payment based on SAP logistic
invoice verification blocking reasons (price, quantity)
• Various UI options (SAP GUI, Web, Fiori) for optimizing user experience for all
roles, users, and devices involved in invoice handling and approval
• A suite of reports to monitor the invoice process, create liability figures for
invoices not yet posted, do evaluations to calculate KPI figures, and further
optimize the invoice process
• Extraction and pre-configured content for SAP Business Warehouse®
• Comprehensive customizing options to adjust and amend the pre-delivered
baseline to specific process flows plus extension points through BAdIs and other
ABAP interfaces to extend the solution to meet customer-specific requirements


Figure 1: VIM 16.3 - Classic Mode

Vendor Invoice Management does not replace SAP invoice transactions and SAP
core logic of logistic invoice verification – Many categories of invoices can be
automated or treated by manual intervention through VIM screens. For other
invoice categories, navigation from VIM into the SAP invoice transaction (typically
MIRO) is required to fully post the invoice. Not all MIRO fields are provided in the
VIM baseline configuration.

VIM builds on top of the SAP core invoice verification. Tolerances are defined in
core SAP customizing. This logic will apply blocking reasons to line items when
invoices are posted. Most prominent blocking reasons are price and quantity. VIM
catches the events created by blocked invoices in core SAP and triggers workflows
for block resolution.

Vendor Invoice Management shares some components with OpenText™ Business
Center for SAP® Solutions. This makes it easy to extend the methodology of capturing
and onboarding business documents to SAP S/4HANA beyond invoices.

Vendor Invoice Management provides additional value when used in combination
with other OpenText SAP-centric solutions like OpenText™ Archiving and Document
Access for SAP Solutions and OpenText™ Extended ECM for SAP® Solutions.

“Classic Mode” versus “Simple Mode” – Starting with version 16.3 and only
available for SAP S/4HANA 1610 and later, Vendor Invoice Management provides
two implementation options.

Classic Mode and Simple Mode are generally independent of each other.

Classic Mode
Classic Mode is to a large extent compatible with previous VIM versions 7.0 and 7.5.
It offers proven architecture and a framework and many options to configure and
extend the pre-delivered invoice management logic. For details see the description
above. For VIM 16.3, the classic approach was updated and extended to meet SAP
S/4HANA requirements and optimizations and follow SAP strategy to post all
invoices through one invoice transaction: Baseline uses transaction MIRO for all
invoice types including Non-PO invoices.

Classic mode is the choice for organizations upgrading from SAP ECC and older
VIM versions who want to gradually adopt new SAP S/4HANA concepts and
maintain their approach to invoice processing.

Classic mode provides powerful SAP GUI/Webgui based tools like VIM Workplace
and the VIM Analytics report, a web portal for invoice coding and approval, which
can be integrated with SAP NetWeaver® Portal and SAP Fiori apps for different
tasks like simple coding, approval, and confirming price and quantity on PO related
invoices.

Simple Mode
Simple Mode provides a new invoice process designed from the start to embrace
SAP S/4HANA concepts like simplification, principle-of-one, digitalization,
cloud-first, and new user experience. The SAP S/4HANA environment is the basis for a
next-generation invoice automation solution that focuses on streamlined and
simplified invoice processing.

While the Classic Mode provides different options, the Simple Mode philosophy is
about a uniform best practice approach based on different invoice scenarios:

• Invoices that can be processed through automation by their nature and structure
• Invoices that can be processed through automation with limited manual
intervention
• Invoices that need manual processing and may use specific features of SAP’s
Fiori app Manage Supplier Invoices

Vendor Invoice Management (Simple Mode) provides the following:

• Invoice automation built around SAP’s Fiori App Manage Supplier Invoices
• End-to-end Fiori user experience
• Capture of scanned paper invoices and PDF invoices through OCR cloud service
with automated optimization through constant feedback. Other invoices are
received from networks like Ariba or classic IDocs or other channels.
• Cloud OCR as default option - on premise OCR will also be supported.
• Advanced machine learning features to optimize data capture (feedback from
SAP process and SAP posting to the data extraction service)
• Leverage SAP invoice drafts as container to store preliminary invoice data
(instead of separate business object and header and line items tables of classic
mode)
• Background logic for initial classification of incoming invoice data to control
process and flow (happens in background) - separate into invoices going through
automation and invoices that need manual intervention


• Pre-configured background flow of data enrichments, mappings, and business
rules including auto-post
• Manual postings by picking up the invoice draft created by VIM in background
inside the SAP Fiori App Manage Supplier Invoices
• A Fiori based validation screen for entering core invoice fields.
• Exception handling: AP and other roles get work item tasks to handle invoices
that run into exceptions or need approval.
• Central responsibility lies with the AP team and they will receive most
exceptions for review and resolution which can include collaboration with other
roles.
• Minimum set of mandatory configuration based on pre-delivered best practices
settings
• Limited classical customizing (done on DEV box and transported into QA and
PROD system)
• New “smart” and self-adapting features like intelligent coding defaults, dynamic
auto-classification of vendors into black, grey and white list, and others.
• Extension points through configuration of underlying Business Center process
framework to extend the solution to meet customer specific requirements

Limitations
Vendor Invoice Management 16.3 provides a basic version of the new Simple Mode
covering invoices and credit memos. A number of features are not yet released and
there are further limitations. Future versions will provide new features to fully
support the scope of the Simple Mode as explained above.

Figure 2: VIM 16.3 - Simple Mode



Chapter 1
About this document

The Security Guide provides an overview of security and authorization aspects of
VIM. Where appropriate, the document adds links to more detailed descriptions in
other VIM guides.

The Security Guide comprises the following parts:

“Secure setup of VIM”
This part includes configurations that are needed to set up VIM securely.
“General security aspects of VIM”
This part deals with general security aspects of VIM that are concerned with
VIM as a whole or more than one component of VIM.
“Security aspects of specific VIM components”
This part deals with security aspects of VIM that are concerned with specific
VIM components.

1.1 Target audience


This document addresses those who participate in the customization and
implementation of VIM with a special focus on security aspects. This includes:

• SAP Basis Administrators
• SAP Workflow Administrators
• SAP Configuration and Development Support

1.2 Further information sources


Product documentation
The following documentation is available for VIM on OpenText My Support
(https://knowledge.opentext.com/knowledge/cs.dll/Open/10151494):

• OpenText Vendor Invoice Management for SAP Solutions - User Guide (VIM-UGD)
• OpenText Vendor Invoice Management for SAP Solutions - Installation Guide (VIM-IGD)
• OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD)
• OpenText Vendor Invoice Management for SAP Solutions - Administration Guide (VIM-AGD)
• OpenText Vendor Invoice Management for SAP Solutions - Reference Guide (VIM-RGD)
• OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide (VIM-CCS)

Release Notes
The Release Notes describe the following aspects in detail:

• The software supported by the product
• Requirements
• Restrictions
• Important dependencies
• New features
• Known issues
• Fixed issues
• Documentation extensions

The Release Notes are continually updated. The latest version of the VIM Release
Notes is available on OpenText My Support (https://support.opentext.com).

On OpenText My Support, you find the OpenText Vendor Invoice Management
Forum where you can post questions and discuss VIM issues:
https://knowledge.opentext.com/knowledge/cs.dll/Open/10361180

Important note for SAP Reseller Customers

For information about all OpenText products resold by SAP (including VIM
and ICC), check SAP Marketplace Note 1791874: SAP Products by OpenText -
Software and Support Lifecycle. This note provides detailed information about
software life cycle, access to Support Packages, access to latest documentation,
language packages, and other patches, as well as Support ticket handling.



Chapter 2
Understanding VIM

Process steps
The Vendor Invoice Management (VIM) business process typically includes the
following main steps:

1. An OCR process (optional) sends metadata and invoice image to VIM. On a
system without OCR, the invoice images go through a standard SAP
ArchiveLink® early archiving scenario.
2. The Document Processing (DP) component validates the metadata and identifies
exceptions.
3. Invoice Exception workflows address the exception issues.
4. After validating the data and handling data exceptions, VIM creates an SAP
invoice.
5. If no business rules are violated, VIM posts the invoice.

2.1 Delivery model


As VIM is basically a scenario, its function may best be described as a problem
solution. It enables the flexible configuration of a company's payment workflow. To
this end, VIM is delivered with a so-called Baseline Configuration, a set of pre-defined
configurations that work out of the box. In conjunction with other OpenText
products such as OpenText™ Archive Center it is possible to realize comprehensive
solutions. Core Functions are the technical foundation of VIM: SAP screens, functions,
workflow templates, web pages, etc.


Note: Only end user screens are translated in additional languages other than
English. Customizing screens are provided in English language only.


2.2 Workflow scheme

Figure 2-1: Workflow scheme

Each VIM workflow process has the same basic steps:

Validate metadata
The metadata or index data are validated against the SAP database. If validation
fails, an exception is triggered.
Check duplicates
The validated metadata is used to check whether the new invoice has been
entered already. If the new invoice is suspected to be a duplicate of any existing
invoice, an exception is triggered.
Apply business rules
Invoice pre-processing: Business rules are applied to detect additional
exceptions before posting.
Post for payment
The invoice is posted and released for payment.



Part 2
Secure setup of VIM

Setting up VIM securely includes the following configurations:

• “About this document”
• “Understanding VIM”
• “Secure connections”
• “Secure import”
• “Secure storage”
• “Preparing configuration”
• “General authorization checks”
• “Specific authorization checks”
• “Chart of Authority (COA)”
• “General Data Protection Regulation (GDPR)”
• “BCC”
• “Business Center Inbound Configuration”
• “Information Extraction Service”
• “VIM Workplace”
• “Substitutes in the workflow processes”
• “Roles for the SAP early watch service”
• “Transactions”
• “Invoice Approval”
• “Approval Portal”
• “Mobile Approval Portal”
• “KPI Dashboard”
• “VIM reports”
• “Fiori Task Apps”
• “Supplier Self Service”
• “Supplier Self Service Fiori apps”
• “Supplier Self Service - Lean Variant”
• “Z constants”
• “Vendor data cleanup program”
• “Standard posting of invoices”
• “Posted invoice reversal with a new DP workflow start”
• “VIM translation”
• “Simple Mode VIM”


Chapter 3
Secure connections

To connect VIM to systems like OpenText™ Business Center Capture for SAP®
Solutions (BCC with invoice solution), SAP systems, or OpenText™ Archive Center,
OpenText recommends that you always use a secure connection, for example a
trusted RFC destination between SAP S/4HANA® systems.

For more information about the customization of logical systems that are needed for
trusted RFC connections, see the SAP documentation, for example
https://help.sap.com/doc/saphelp_nw70ehp1/latest/en-US/8b/0010519daef443ab06d38d7ade26f4/frameset.htm.

For Web Services connection settings, see Section 4.1.1 “System landscape” in
OpenText Business Center for SAP Solutions - Installation Guide (BOCP-IGD).



Chapter 4
Secure import

Inject documents only from secure channels. It is your task to keep wrong
data out of the system.

The configuration described in this section allows you to set up virus protection
that works directly at the import stage. This means, for example, that PDF files
containing viruses can be kept out of the OCR.

The delivered PIPELINE document handler (for more information, see Section 4.4.1.2
“Creating a document handler” in OpenText Business Center for SAP Solutions -
Configuration Guide (BOCP-CGD)) processes a virus scan with the /SCMS/KPRO_CREATE
virus scan profile within the /OTX/PF01_CL_MODULE_DOC_VSCAN module
class. You can also use this module class within a custom document handler to
process a virus scan for all available documents in inbound. All other delivered
inbound document handlers already process the same virus scan profile within
standard SAP ArchiveLink® processing.

Note: For further details about Virus Scan Provider, see the SAP
documentation:
https://help.sap.com/viewer/3cd5ac93e7ec4690bd804f0d23fed9da/latest/en-US/4df582ed472d41c4e10000000a42189c.html.

SAP supports the integration of Virus Scan. For more information, see the following
SAP notes:

• 786179 - Data security products: Application in the antivirus area
(https://launchpad.support.sap.com/#/notes/786179)
• 817623 - Frequent questions about VSI in SAP applications
(https://launchpad.support.sap.com/#/notes/817623)

This is not specific to VIM but applies to SAP ERP in general.

If you use this configuration with the right scan profile, the SAP transaction OAWD
(upload) is protected as well as other ArchiveLink features, for example the call that
is used by the email input.



Chapter 5
Secure storage

Configure document archiving and document access properly. The SAP standard
takes care of security topics, but you must set up the system correctly.

In the OpenText plugins, archived documents are shown in SAP GUI and HTML
control. Therefore, the corresponding security settings in SAP must be set correctly.

Note: For further details about ArchiveLink, see Section 5 “Configuring
ArchiveLink” in OpenText Vendor Invoice Management for SAP Solutions -
Configuration Guide (VIM-CGD).



Part 3
General security aspects of VIM

This part deals with general security aspects of VIM that are concerned with VIM as
a whole or more than one component of VIM. Where applicable, this section adds
links to more detailed descriptions.

The following security aspects are covered in this part:

• “About this document”
• “Understanding VIM”
• “Secure connections”
• “Secure import”
• “Secure storage”
• “Preparing configuration”
• “General authorization checks”
• “Specific authorization checks”
• “Chart of Authority (COA)”
• “General Data Protection Regulation (GDPR)”
• “BCC”
• “Business Center Inbound Configuration”
• “Information Extraction Service”
• “VIM Workplace”
• “Substitutes in the workflow processes”
• “Roles for the SAP early watch service”
• “Transactions”
• “Invoice Approval”
• “Approval Portal”
• “Mobile Approval Portal”
• “KPI Dashboard”
• “VIM reports”
• “Fiori Task Apps”
• “Supplier Self Service”
• “Supplier Self Service Fiori apps”
• “Supplier Self Service - Lean Variant”
• “Z constants”
• “Vendor data cleanup program”
• “Standard posting of invoices”
• “Posted invoice reversal with a new DP workflow start”
• “VIM translation”
• “Simple Mode VIM”


Chapter 6
Preparing configuration

During the preparation phase, you need to create User IDs with appropriate
developer and configuration authorizations. For more information, see Section 3
“Preparing the configuration” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide (VIM-CGD).



Chapter 7
General authorization checks

When implementing VIM, OpenText recommends that you restrict the access to
administrative (configuration) transactions and utility reports through SAP
authority checks like S_TCODE and S_PROGRAM. Ideally, invoice processors should be
restricted, in addition to the authorizations for standard SAP transactions, to
performing workflow items either from the SAP inbox or VIM Workplace.

During invoice processing, running SAP transactions from within VIM can be
required. For example, posting an invoice in dialog mode results in a call of the
FB60 or MIRO transaction. The called standard transactions implement their own
authority checks. This is normally part of the project authorization concept, but you
can adjust it in the context of the implementation.
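
The recommendation above can be checked offline against a role export. The following Python script is an added example, not part of the OpenText documentation or product: it assumes a CSV export of role authorization values with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (as held in SAP table AGR_1251), and the role names and sample rows are constructed.

```python
"""Flag roles whose S_TCODE / S_PROGRAM values reach VIM administrative access."""
import csv
import io

# Transactions treated as administrative. /OPT/AR_COA is the COA maintenance
# transaction named in this guide; extend the set from your own authorization concept.
ADMIN_TCODES = frozenset({"/OPT/AR_COA"})

# Roles that are expected to hold administrative access (hypothetical name).
ADMIN_ROLES = frozenset({"Z_VIM_ADMIN"})

# Constructed sample rows in the assumed export layout.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_VIM_ADMIN,S_TCODE,TCD,/OPT/AR_COA,
Z_AP_PROCESSOR,S_TCODE,TCD,MIRO,
Z_AP_PROCESSOR,S_TCODE,TCD,FB60,
Z_AP_LEAD,S_TCODE,TCD,/OPT/*,
Z_AP_TEMP,S_TCODE,TCD,/OPT/A,/OPT/Z
Z_REPORTING,S_PROGRAM,P_GROUP,*,
"""


def value_covers(low, high, tcode):
    """Return True if an authorization value (single, pattern or range) covers tcode.

    Simplification (assumption): ranges are compared as plain strings and a
    pattern matches everything that starts with the text before the first '*'.
    """
    low, high = low.strip(), high.strip()
    if high:
        return low <= tcode <= high
    if "*" in low:
        return tcode.startswith(low.split("*", 1)[0])
    return low == tcode


def audit(export_text, admin_tcodes=ADMIN_TCODES, admin_roles=ADMIN_ROLES):
    """Return (role, object, granted value, reason) for every over-broad grant."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role = row["AGR_NAME"]
        if role in admin_roles:
            continue  # administrative access is intended for these roles
        low, high = row["LOW"], row["HIGH"]
        granted = low + (f"..{high}" if high else "")
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            # A single value, a wildcard or a range may all reach an admin transaction.
            for tcode in sorted(admin_tcodes):
                if value_covers(low, high, tcode):
                    findings.append((role, "S_TCODE", granted, tcode))
        elif row["OBJECT"] == "S_PROGRAM" and row["FIELD"] == "P_GROUP":
            # A full wildcard on the program authorization group is not restrictive.
            if low.strip() == "*":
                findings.append((role, "S_PROGRAM", granted, "all program groups"))
    return findings


if __name__ == "__main__":
    for role, obj, granted, reason in audit(SAMPLE_EXPORT):
        print(f"{role}: {obj} value {granted!r} reaches {reason}")
```

Wildcard and range values are the cases a search for the literal transaction code misses, which is why the script evaluates coverage instead of comparing strings for equality.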



Chapter 8
Specific authorization checks

VIM implements authorization checks in several reports, for the COA maintenance
transaction /OPT/AR_COA, for the indexing screen, and for VIM Workplace.

In the reports, in the indexing screen, and in VIM Workplace, the authorization
checks ensure that SAP users working with VIM are able to see and process only the
information that they are authorized for. In the COA maintenance, the authorization
checks make sure that the user is allowed to display or maintain the entries.

For backward compatibility reasons, the authorization checks are disabled in the
standard configuration. You can enable them on demand as described in Section
8.3.3 “Enabling VIM authorization checks globally” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

With authorization checks activated, the information in the corresponding reports
and in VIM Workplace is filtered according to the settings. The documents or work
items for which the user is not authorized will not be shown. The COA maintenance
transaction also filters out unauthorized records and displays a warning in this case.

An additional authorization check with the object J_6NIM_BRO is done in VIM
Analytics to control the execution based on the fields ROUTE_ID1 and ROUTE_ID2.
For more information, see Section 11.1 “Routing documents with the route ID” in
OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide (VIM-CCS).

For a comprehensive description of authorization checks, see Section 8
“Authorization checks” in OpenText Vendor Invoice Management for SAP Solutions -
Configuration Guide (VIM-CGD). This description includes the following major
aspects of authorization checks:

• Available authorization checks
• Configuring the authorization checks
• Authorization group for VIM tables
• Authorization checks when performing transaction calls
• Authorization checks for RFC calls
• Restricting ALV layout for process logs



Chapter 9
Chart of Authority (COA)

Roles and COA
VIM provides means to direct invoices to specific persons or groups, depending on
the invoice data. VIM roles are used in DP and invoice exceptions workflows. The
responsibility-based (COA) setup is used in Invoice Approval. This helps to ensure
that the data gets processed by the right agents and that the chance of misuse is
minimized. For more information, see Section 6 “Roles” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Roles typically used for invoice processing are delivered in BC sets and are normally
created during VIM installation. This configuration must be verified and restricted if
needed, depending on your process.

Tip: The standard Refer to... dialog might allow invoice processors to modify
the agent list. This depends on the process option override settings. Similarly,
Invoice Approval has options that can allow overriding the next approver
automatically. You must verify the use of these override options and switch
them off if they are unwanted.

VIM provides the following method for Invoice Approval:

Level-based approval
This method is considered only for Non PO document types. For PO document
types, a one-step approval is provided by default.

For more information, see Section 13.4.4 “Configuring approval flow settings” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

COA configuration
In level-based approval, COA details are checked when the user opens the work
item. That means that changes in the COA details are automatically reflected in the
Invoice Approval screen. When a task is performed, the next approval steps are
automatically determined according to the actual setting. Therefore, changes to
user-specific COA details are not critical. Changing or renaming a User ID might be
critical.

Purpose
COA is required in the Invoice Approval process to allow users to approve Non PO
invoices. The data combination maintained in the COA helps to determine the
correct approver for a certain invoice in the approval process.

For details on how to configure the COA for level-based Invoice Approval, see
Section 6.5 “Maintaining Chart of Authority” in OpenText Vendor Invoice Management
for SAP Solutions - Configuration Guide (VIM-CGD). This description includes the
following major aspects of the COA:

• User Details View
• Approval Limit/Level View
• COA Details View
• Coder Settings view
• Setting up a substitute for the IAP process
• Logging with change documents
• COA upload report
• Usermap and COA cleanup
• Maintaining COA - alternative transaction

COA maintenance authorization checks
The COA maintenance transactions for Invoice Approval allow you to restrict the
data that is displayed and maintained by checking authorization for company code
and user groups (from SAP user master records). In addition, using the
authorization checks by company code allows COA to be maintained in parallel, as long
as different maintaining users are responsible for different company codes. For more
information, see Section 8.2.2 “COA maintenance” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 10
General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new European Union (EU) law
that gives residents greater protection and control of their personal data. It will
regulate the data that companies in and outside the EU can collect, store, and
transfer, and how they use it. All companies that process EU resident data must be
ready to comply when the GDPR enforcement starts on May 25, 2018.

Note: No legal advice is provided in this document or any other part of VIM
product documentation. Product documentation only provides general
technical guidelines that may be relevant to consider if a customer implements
the product and is looking to define their strategy towards GDPR and similar
data protection requirements.

Software solutions like VIM cannot be considered to be or not to be GDPR
compliant. Every customer using SAP S/4HANA and VIM is responsible for providing
GDPR compliance in their organization.

SAP S/4HANA already provides a superior level of user security and data protection
features. VIM as an add-on package profits from the high standard of SAP S/4HANA
compared to outside-in solutions with their own database, duplication of
data, and lower level security concepts.

For more information about GDPR, see Section 2 “General Data Protection
Regulation (GDPR)” in OpenText Vendor Invoice Management for SAP Solutions -
Scenario Guide (VIM-CCS).

VIM offers tools to delete vendor specific entries from some core customizing tables
as well as from the VIM run time tables.

The following documentation sections explain the tools available in VIM to delete
specific user data and specific vendor information in VIM tables:

• Section 6.5.8 “Usermap and COA cleanup” in OpenText Vendor Invoice
  Management for SAP Solutions - Configuration Guide (VIM-CGD)
• Section 19.1 “Vendor data cleanup program” in OpenText Vendor Invoice
  Management for SAP Solutions - Administration Guide (VIM-AGD)
• Section 22.9 “Vendor cleanup program for Supplier Self Service” in OpenText
  Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD)

Part 4
Security aspects of specific VIM components

This part deals with security aspects of VIM that are concerned with specific VIM
components. Where applicable, this section adds links to more detailed descriptions.

The following security aspects are covered in this part:

• “About this document”
• “Understanding VIM”
• “Secure connections”
• “Secure import”
• “Secure storage”
• “Preparing configuration”
• “General authorization checks”
• “Specific authorization checks”
• “Chart of Authority (COA)”
• “General Data Protection Regulation (GDPR)”
• “BCC”
• “Business Center Inbound Configuration”
• “Information Extraction Service”
• “VIM Workplace”
• “Substitutes in the workflow processes”
• “Roles for the SAP early watch service”
• “Transactions”
• “Invoice Approval”
• “Approval Portal”
• “Mobile Approval Portal”
• “KPI Dashboard”
• “VIM reports”
• “Fiori Task Apps”
• “Supplier Self Service”
• “Supplier Self Service Fiori apps”
• “Supplier Self Service - Lean Variant”
• “Z constants”
• “Vendor data cleanup program”
• “Standard posting of invoices”
• “Posted invoice reversal with a new DP workflow start”
• “VIM translation”
• “Simple Mode VIM”

Chapter 11
BCC

The documentation of OpenText™ Business Center Capture for SAP® Solutions
(BCC) discusses security topics related to BCC user authentication and the data
transfer between SAP systems and BCC. For more information, see Section 5
“Security” in OpenText Business Center Capture for SAP Solutions - Administration
Guide (CPBC-AGD).

Chapter 12
Business Center Inbound Configuration

Business Center Inbound Configuration has replaced the Incoming Document
Handling (IDH) framework and the ICC Dispatcher framework. For a
comprehensive description of the Business Center Inbound Configuration, see
Section 4 “Inbound Configuration” in OpenText Business Center for SAP Solutions -
Configuration Guide (BOCP-CGD).

Monitoring authorization
Some authorizations are needed to monitor Business Center Inbound Configuration.
For more information, see the example in Section 7.4 “Authorization objects” in
OpenText Business Center for SAP Solutions - Configuration Guide (BOCP-CGD).

Validation agent
Validation might be required for an ArchiveLink document type. If you do not use
custom logic to determine the validator, you must assign the corresponding agent to
the ArchiveLink document type. This way, you can determine who is allowed to see
what. If this is not enough, implement a project-specific user exit. For more
information, see Section 4.5.3.4 “Assigning an agent to an ArchiveLink document
type” in OpenText Business Center for SAP Solutions - Configuration Guide (BOCP-CGD).

Chapter 13
Information Extraction Service

Note: “Information Extraction Service” (“IES”) is used in this documentation
as a common technical term for both of the following OpenText products:

• OpenText™ Intelligent Capture for SAP® Solutions, formerly known as IES
  on premise
• OpenText™ Core Capture for SAP® Solutions, formerly known as IES cloud

For general information about security aspects in the context of IES, see Section 7
“Configuring security” in OpenText Intelligent Capture for SAP Solutions -
Administration Guide (CPIE-AGD).

Validation user in BCC
OpenText™ Information Extraction Service for SAP® Solutions (IES) can be used in
scenarios that require OCR.

In the context of IES and the Validation Client in OpenText™ Business Center
Capture for SAP® Solutions (BCC), RFC authorizations are necessary for the
validation user. For more information, see Section 4.1 “Configuring authorizations
for validation user” in OpenText Intelligent Capture for SAP Solutions - Administration
Guide (CPIE-AGD).

Service user authorizations
When setting up the IES result processing service according to the Business Center
documentation, you need to grant general MM and FI authorizations to the service
user if IES will be used with VIM. Perform this action in addition to the
authorizations listed in the Business Center documentation for authorization objects
S_ICF and J_6NPF_RFC, see Section 4.5.2.1.2 “On-Premise: Inbound
communication” in OpenText Business Center for SAP Solutions - Configuration Guide
(BOCP-CGD).

If recognition results are not complete, for example, supplier or company code data
is not populated in general, perform an authorization trace to identify missing
authorizations. For more information about the IES integration into VIM, see Section
9.2.2 “Configuring the IES integration for VIM classic mode” in OpenText Vendor
Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 14
VIM Workplace

Protected actions
The VIM Workplace allows the following types of actions, which can be protected
using special authority checks:

Button actions
These actions are defined as single or bulk action buttons within the process
output list button toolbar.
Output Field actions
These actions are defined as executable icons or hotspots within the process
output list itself.

VIM Workplace authorization checks
VIM Workplace provides the concept of action authority groups. For more
information, see Section 18.5 “Defining action authority groups for the VIM
Workplace” in OpenText Vendor Invoice Management for SAP Solutions - Configuration
Guide (VIM-CGD).

VIM Workplace supports several authorization checks that allow you to restrict
different functions. For example, you can restrict the use of other users’ view. When
VIM Workplace is started, an authorization check is performed.

Note: Running actions in other users’ view may require you to have additional
SAP authorizations. In particular, this refers to the authorization for the SWIA
transaction and potentially for other workflow administration functions. These
checks are imposed by SAP if you are managing work items of other users.

Teams in VIM Workplace
In the VIM Workplace, special team-related functionalities are available based on the
following different types of possible team definitions:

Personal Team
Maintained by each user directly in the VIM Workplace team configuration
dialog box.
General Team
Generally maintained by an administrator. Users cannot change the general
team in the VIM Workplace team configuration dialog box.

For more information, see Section 18.8 “Maintaining general teams for the VIM
Workplace” in OpenText Vendor Invoice Management for SAP Solutions - Configuration
Guide (VIM-CGD).

Authorization for scanning
A Scan button is available in VIM Workplace. It allows you to scan new invoices
directly from the VIM Workplace interface. For necessary prerequisites regarding
authorization, see Section 18.6 “Configuring scanning in VIM Workplace” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 15
Substitutes in the workflow processes

Substitutes can be set up for the SAP inbox and for the Invoice Approval (IAP)
process. If a work item owner is on vacation or leaves the company, the substitute
can “adopt” the work items owned by the substituted user. For more information,
see Section 14 “Setting up substitutes for workflow processes” in OpenText Vendor
Invoice Management for SAP Solutions - Administration Guide (VIM-AGD).

Chapter 16
Roles for the SAP early watch service

The SAP early watch service checks and analyzes SAP solutions in order to optimize
their performance. Since VIM resides inside the SAP S/4HANA system,
VIM follows standard early watch practices. Client-dependent configuration data of
VIM is not visible in the early watch client, and the early watch client is normally
locked against any configuration changes.

However, you can create a role to view the VIM configuration with “display only”
authorization. For more information, see Section 11.1 “Creating a role for VIM
configuration display” in OpenText Vendor Invoice Management for SAP Solutions -
Administration Guide (VIM-AGD).

Chapter 17
Transactions

Regarding domains, transactions, and the roles that have access to transactions,
adjusting the authorizations for ICC users might be necessary. Also be aware of the
authorization objects. For more information, see Section 21 “Transaction profiles for
various roles” in OpenText Vendor Invoice Management for SAP Solutions - Reference
Guide (VIM-RGD).

Chapter 18
Invoice Approval

AFS
For information about authorizations in the context of approval flow settings (AFS),
see Section 13.4.4 “Configuring approval flow settings” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Troubleshooting
Symptom: When referring an invoice with the Wait for feedback check box set, the
invoice is not moved into the resubmission folder. Reason: This can happen if
authorizations are missing.

For more information, see Section 31 “Troubleshooting Invoice Approval” in
OpenText Vendor Invoice Management for SAP Solutions - Administration Guide (VIM-AGD).

Chapter 19
Approval Portal

Single sign on
Browser authentication is possible through a single sign on mechanism like SPNego
and SAML. For more information, see Section 12.3 “System architecture” in
OpenText Vendor Invoice Management for SAP Solutions - Installation Guide (VIM-IGD).

Security configuration
On the Configuration tab of the Admin console, a dedicated area Security
Configuration is available.

To prevent clickjacking and cross-site request forgery (CSRF), there is a
corresponding check box available on the Configuration tab of the Admin console.
For clickjacking, the X-Frame-Options header has been restricted to same origin. For
more information, see Section 12.1.4 “Configuration” in OpenText Vendor Invoice
Management for SAP Solutions - Administration Guide (VIM-AGD).
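
One way to confirm that the clickjacking setting described above is in effect, as an added example that is not part of the OpenText documentation: the script parses a captured response head and classifies its anti-framing headers. The sample responses are constructed, not Approval Portal output, and the function names are hypothetical; the check of the Content-Security-Policy frame-ancestors directive goes beyond the header this guide mentions.

```python
"""Check a captured HTTP response head for anti-framing (clickjacking) headers.

Added example: the sample responses are constructed, not Approval Portal
output, and all function names are hypothetical.
"""


def parse_head(raw):
    """Map lowercase header names to their values, keeping duplicates."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values):
    """Return one source list per policy that has a frame-ancestors directive."""
    found = []
    # One header value may carry several comma-separated policies.
    for policy in (p for v in csp_values for p in v.split(",")):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append([p.lower() for p in parts[1:]])
                break  # only the first occurrence in a policy counts
    return found


def assess_framing(raw):
    """Return (mode, findings).

    mode is 'deny', 'same-origin' or 'needs-review'; the last one means the
    headers do not clearly restrict framing to the same origin.
    """
    headers = parse_head(raw)
    findings = []

    policies = frame_ancestors(headers.get("content-security-policy", []))
    if policies:
        # Browsers that enforce frame-ancestors ignore X-Frame-Options.
        # Every policy is enforced, so the strictest one decides.
        if any(src in ([], ["'none'"]) for src in policies):
            return "deny", findings
        if any(src == ["'self'"] for src in policies):
            return "same-origin", findings
        findings.append("frame-ancestors allows other origins: %s" % policies)
        return "needs-review", findings

    values = {t.strip().upper()
              for v in headers.get("x-frame-options", [])
              for t in v.split(",") if t.strip()}
    if not values:
        findings.append("no X-Frame-Options header and no frame-ancestors directive")
    elif len(values) > 1:
        findings.append("conflicting X-Frame-Options values: %s" % sorted(values))
    elif values == {"SAMEORIGIN"}:
        return "same-origin", findings
    elif values == {"DENY"}:
        return "deny", findings
    elif next(iter(values)).startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        findings.append("unrecognized X-Frame-Options value: %s" % sorted(values))
    return "needs-review", findings


# Constructed sample response heads (not captured from a real system).
SAMPLES = {
    "xfo-sameorigin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                      "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                "X-Frame-Options: DENY\r\n\r\n",
    "csp-self": "HTTP/1.1 200 OK\r\nContent-Security-Policy: "
                "default-src 'self'; frame-ancestors 'self'\r\n\r\n",
    "allow-from": "HTTP/1.1 200 OK\r\n"
                  "X-Frame-Options: ALLOW-FROM https://portal.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        mode, findings = assess_framing(raw)
        print(f"{name:15} {mode:13} {'; '.join(findings)}")
```

Run it against response heads saved from each Approval Portal entry point after the check box has been set; any result other than same-origin or deny is worth following up.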

NetWeaver user authentication
If you deploy the Approval Portal inside of the SAP NetWeaver Portal, NetWeaver
user authentication will take place. For more information, see the SAP
documentation. In this scenario, two views are normally created, one for approvals
and one for administrative tasks like setting up server connections. Make sure the
roles are assigned to the proper users.

HTTPS
In all deployment scenarios, SSL-based HTTPS communication is supported if
additional security is required.

CPIC SAP user
Approval Portal, in both J2EE and NetWeaver portal deployment scenarios, runs
VIM application logic of all portal users using the same CPIC SAP user. To prevent
misuse of dialog transactions, OpenText recommends that you create this user as a
system user and not a dialog user. You must create a profile with some
authorization objects and add it to the CPIC user. For more information, see Section
12.1 “Installation prerequisites” in OpenText Vendor Invoice Management for SAP
Solutions - Installation Guide (VIM-IGD).

Authorization issues with CPIC
If SAP GUI displays the invoice image correctly and only Approval Portal
shows an error message when viewing the image, cross-check that the logged-in
user has been granted the authorizations necessary for viewing images. For more
information, see Section 32.12.5.1 “Authorization issues with CPIC” in OpenText
Vendor Invoice Management for SAP Solutions - Administration Guide (VIM-AGD).

Application logs
Approval Portal logs the information about Protocols, Security, and other actions
performed on the application. For more information, see Section 32.12.1.1
“Application logs” in OpenText Vendor Invoice Management for SAP Solutions -
Administration Guide (VIM-AGD).

Chapter 20
Mobile Approval Portal

Authentication
For information about authentication of the Mobile Approval Portal, see Section 22
“Authentication for the Mobile Approval Portal” in OpenText Vendor Invoice
Management for SAP Solutions - Installation Guide (VIM-IGD).

Web Viewer
For integration of OpenText™ Imaging Web Viewer (Web Viewer) in the Mobile
Approval Portal and related security aspects, see Section 23 “Installing Web Viewer
for the Mobile Approval Portal” in OpenText Vendor Invoice Management for SAP
Solutions - Installation Guide (VIM-IGD).

Chapter 21
KPI Dashboard

Access is limited to users that have an SAP user on the central SAP S/4HANA system.
For more information, see Section 28.3 “Authorizations” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Company code authorization
Using the Z constant DO_NOT_CHECK_BUKRS (product code KPI), you can control whether the
company code authorization is checked for each KPI Dashboard user. For more
information, see Section 28.4.10.6 “Company code authority check” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 22
VIM reports

VIM reports, including VIM Analytics and central reporting, allow you to restrict the
displayed data by checking authorization for company code. For more information,
see Section 8.2.1 “Reporting” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide (VIM-CGD).

Chapter 23
Fiori Task Apps

The Fiori Task Apps use SAP user authentication. The communication with SAP S/4HANA
backends is done with trusted RFC connections, with the authenticated
SAP user. For more information, see the following list:

Confirm Quantity and Price app
For more information, see Section 14.3.4 “User authorizations” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).
Resolve Invoice Exceptions app
For more information, see Section 14.4 “Configuring exception handling with
the Resolve Invoice Exceptions app” in OpenText Vendor Invoice Management for
SAP Solutions - Configuration Guide (VIM-CGD).
Enter Cost Assignment Simple app
For more information, see Section 14.5.4 “User Authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).
Enter Cost Assignment Advanced app
For more information, see Section 14.6.5 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).
Approve Invoices app
For more information, see Section 14.8.8 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).
Approve Invoices (bulk mode) app
For more information, see Section 14.9.8 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).
My Approved Invoices app
For more information, see Section 14.10.4 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 24
Supplier Self Service

Supplier Self Service needs authorization settings regarding the following
components:

Gateway users
Users of the SAP NetWeaver Gateway are grouped in roles, which are needed for
several other configurations. There is no restriction on the number and names of
roles created for SAP NetWeaver Gateway. You must enhance the roles of the users
in your SAP NetWeaver Gateway system with the authorizations contained in the
authorization template /IWFND/RT_GW_USER. For more information, see Section
22.1.3 “Configuring Gateway users” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide (VIM-CGD).

Gateway service authorization
The Supplier Self Service On-Premise option allows the UI5 repository to be
uploaded on the Gateway server as a BSP application. The On-Premise URL is
generated for the BSP application with default HTML, and the application is
accessed using this URL.

For information on how to bypass authorization issues for the service path, see Section
22.1.9 “Configuring the Gateway service authorization” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Vendor cleanup
The vendor cleanup program for Supplier Self Service has been created to clean up
vendor data based on selection criteria.

The program provides built-in checks to ensure that only VIM specific data is
modified or deleted. The program also provides a specific authorization check. The
authorization object is J_6NIM_CA6. For more information, see Section 22.9 “Vendor
cleanup program for Supplier Self Service” in OpenText Vendor Invoice Management
for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 25
Supplier Self Service Fiori apps

User account
An SAP user account is required to use Supplier Self Service apps. The SAP user
account must be available on the SAP Fiori UI / Gateway system and also on the
SAP ERP system, with specific authorization objects. For more information, see
Section 23.2 “User authorization” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide (VIM-CGD).

User Self Service
To implement User Self Service, you must have users with proper authorizations to
create and to maintain the users in SAP NetWeaver AS ABAP. The following table
shows the different types of users:

User            User Type   SAP Gateway Hub   SAP Business Suite (with IW_BEP)
Service User    Service     Yes               Yes
Admin User      Dialog      No                Yes
Reference User  Reference   Yes               Yes

For more information, see Section 23.3.2.1 “Security aspects of User Self Service” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide (VIM-
CGD).

Template User
You need to maintain a reference Template User, which must be present in both SAP
Gateway and SAP Business Suite systems. This Template User must have the roles
and authorizations required for the Supplier Invoices app. For more information, see
Section 23.3.2.7 “User Self Service roles and authorizations” in OpenText Vendor
Invoice Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 26
Supplier Self Service - Lean Variant

When installing the SAP HANA Cloud connector, consider some security aspects.
For more information, see Section 40.3 “Installing the SAP HANA Cloud connector”
in OpenText Vendor Invoice Management for SAP Solutions - Installation Guide (VIM-
IGD).

Chapter 27
Z constants

Various Z constants deal with authorization topics; see the following list:

Product code 002 and 009

• ALV_CHECK_ACTIVE
• AUTH_CHECK_ACTIVE
• SPROGRAM_CHECK_ACTIV
• SRFC_CHECK_ACTIV

For more information, see Section 35 “Z constants for product code 002 and 009”
in OpenText Vendor Invoice Management for SAP Solutions - Reference Guide (VIM-
RGD).
Product code 005

• PROPOSAL_ONE_VENDOR

For more information, see Section 36 “Z constants for product code 005” in
OpenText Vendor Invoice Management for SAP Solutions - Reference Guide (VIM-
RGD).
Product code KPI

• DO_NOT_CHECK_BUKRS

For more information, see Section 40 “Z constants for product code KPI” in
OpenText Vendor Invoice Management for SAP Solutions - Reference Guide (VIM-
RGD).

Chapter 28
Vendor data cleanup program

The vendor data cleanup program provides built-in checks to ensure that only VIM
specific data is modified or deleted. The program also provides a specific
authorization check. The authorization object is J_6NIM_CA6. For more information,
see Section 19.1 “Vendor data cleanup program” in OpenText Vendor Invoice
Management for SAP Solutions - Administration Guide (VIM-AGD).

Chapter 29
Standard posting of invoices

The posting logic uses some SAP BAPIs. The accountant using dialog posting and
the background user need the authorization to call these BAPIs. For more
information, see Section 33.1.3 “Authorization” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD).

Chapter 30
Posted invoice reversal with a new DP workflow start

VIM provides a utility that allows you to select an invoice posted from VIM, cancel it,
and start a new DP workflow with a document containing the same data. The DP process
log, the approval log, and entered comments are copied and linked to the new DP
document. This allows you to restart a process while keeping the history easily
available for reference.

This utility includes an authorization check in reporting. For more information, see
Section 16 “Posted invoice reversal with a new DP workflow start” in OpenText
Vendor Invoice Management for SAP Solutions - Scenario Guide (VIM-CCS).

Chapter 31
VIM translation

Roles
For information about authorization aspects of the SAP developer role and the
translator role, see Section 14.1 “Roles and responsibilities” in OpenText Vendor
Invoice Management for SAP Solutions - Scenario Guide (VIM-CCS).

Translator profiles
When creating translator profiles, each profile can include one or more
authorizations. For more information, see Section 14.3.5 “Creating a translator
profile” in OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide
(VIM-CCS).

Chapter 32
Simple Mode VIM

For Simple Mode VIM, you need to take the standard authorization settings of
OpenText™ Business Center for SAP® Solutions (Business Center) into account. For
more information, see Section 15 “Configuring authorization settings” in OpenText
Business Center for SAP Solutions - Administration and Security Guide (BOCP-AGD).

In the context of Fiori Monitoring and Analytics reports, you need to consider some
authorization aspects. For more information, see the heading Access Control, both
in Section 4.8.1.1 “Simple Mode: Invoice Monitor” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide (VIM-CGD) and Section 4.8.1.2
“Simple Mode: Invoice Analytics” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide (VIM-CGD).

Glossary
AAK

See: SAP Add-On Assembly Kit (AAK)

After Image
Technical option to realize a delta upload from the source systems into the SAP
NetWeaver BW system. A data record loaded as After Image provides the status
of the record after it has been changed, or after data has been added.

Aging Report
Part of the Central Reporting infrastructure. The Aging Report reports about the
aging of documents and work items in the current system.

Application Component Hierarchy
Hierarchy of folders to structure DataSources in SAP NetWeaver BW.

Approval chart of authority (COA)
The Approval chart of authority (COA) determines first approver and next
approver for an invoice by combinations of Company Code (specific or range),
Expense Type (marketing expense, utility), Cost Objects (G/L account, Cost
Center), and HR objects (Position, Job code).

Approval Portal
VIM web interface for approving invoices.

Archive system
Computer system that enables storage, management and retrieval of archived
data and documents

ArchiveLink document types
Document types that need to be customized for ArchiveLink

ArchiveLink
Service integrated in the SAP NetWeaver Application Server ABAP for linking
archived documents and the application documents entered in the SAP system

Authorization profiles
The SAP administrator assigns authorizations to the users that determine which
actions a user can perform in the SAP system. These authorizations are stored in
Authorization profiles.

Automation Report
Tool that provides data about automated and manual processing steps of VIM
documents

BAdI

See: Business Add-Ins (BAdI)

BAPI®
SAP programming interface: Business Application Programming Interface

Baseline
Set of functionality with pre-defined configuration and the starting point to
implement VIM

BasisCube

See: InfoCube

BDC ID
Business Data Communication ID. The BDC ID is used by the system to process
an SAP transaction to create an SAP Document in user context.

Block
Situation where an invoice has a price or quantity variance that prevents the invoice
from posting

BTE

See: Business Transaction Event (BTE)

Business Add-Ins (BAdI)
Business Add-Ins (BAdI) is an SAP enhancement technique based on ABAP
objects. BAdI can be inserted into the SAP system to accommodate user
requirements too specific to be included in the standard delivery.

Business Center Capture (BCC)
OpenText Business Center Capture for SAP Solutions. Business Center
component for use in VIM. Automates the capture of paper invoices by using
OCR to extract invoice data.

Business Center
OpenText Business Center for SAP Solutions. OpenText product that helps with
receiving incoming documents, capturing processes, and filing them within an SAP
system. VIM is tightly integrated with Business Center.

Business rules
Rules that describe the operations, definitions and constraints that apply to an
organization

Business Transaction Event (BTE)
Event used for extending a Non PO invoice functionality to call a custom program

Central Audit Report
Part of the Central Reporting infrastructure. The Central Audit Report is a
slimmed-down VIM Analytics (VAN). The main difference from VAN is that the Central
Audit Report serves as a single point of access in a multiple backend scenario.

Central Reporting
Reporting infrastructure that provides several reports that enable you to measure
certain properties of VIM documents and their work items, in order to optimize
working with VIM. Central Reporting comprises the following individual reports:
Aging Report, Central Audit Report, Exception Analysis Report, Key Process Analytics
Report, Productivity Report, and Summary Report.

Characteristic
Type of InfoObject in SAP NetWeaver BW that represents descriptions of fields,
such as Vendor ID, Invoice Number, Unit of Measure, and Posting Date.

COA

See: Approval chart of authority (COA)

Coding
Coding allocates an invoice to G/L account and cost object if required.

Dashboard
User interface that organizes and presents information in a way that is easy to
read. Users can also perform actions from the dashboard.

Data Transfer Process (DTP)
Object in SAP NetWeaver BW to transfer data from source objects to target objects

DataSource
Set of fields in SAP NetWeaver BW that provide the data for a business unit for
data transfer to the SAP NetWeaver BW system; technically, it contains an extract
structure and an extraction function module.

DataStore Object (DSO)
Storage location for consolidated and cleansed data in SAP NetWeaver BW

DocuLink
OpenText™ DocuLink for SAP Solutions enables the archiving, management and
retrieval of SAP CRM or SAP S/4HANA documents from within the SAP
infrastructure.

Document Processing (DP)
VIM component that captures invoice metadata including line items for PO and
performs preconfigured business rules

Document type
Type of document such as PO, Non PO, OCR, Non OCR

DP

See: Document Processing (DP)

DSO

See: DataStore Object (DSO)

DTP

See: Data Transfer Process (DTP)

EDI

See: Electronic Data Interchange (EDI)

Electronic Data Interchange (EDI)
Method for transferring data between different application systems in the form of
messages. SAP applications support EDI with messages sent in an SAP
Intermediate Document (IDoc) format. VIM supports the creation of vendor
invoices through the EDI/IDoc interface.

Event Type Linkage
Error handling method. Event Type Linkage determines what the application
should do in case an error could not be handled.

Exception Analysis Report
Part of the Central Reporting infrastructure. The Exception Analysis Report
reports all work items with exceptions, grouped by exception, company code or
vendor.

Exception
Action that is not part of normal operations or standards

FI

See: Financial Accounting (FI)


Financial Accounting (FI)


SAP module for the Finance and Accounting department

IAP

See: Invoice Approval (IAP)

IDoc

See: Intermediate Document (IDoc)

IE

See: Invoice Exception (IE)

Indexing
Process of entering or storing data into the system

InfoArea
Folder in SAP NetWeaver BW to organize InfoCubes, DataStore Objects, InfoObjects,
and InfoObject Catalogs

InfoCube
Self-contained dataset in SAP NetWeaver BW, for example, of a business-oriented
area; an InfoCube is a quantity of relational tables arranged according to the
enhanced star schema: A large fact table in the middle surrounded by several
dimension tables

InfoObject Catalog
Folder structure in SAP NetWeaver BW to organize InfoObjects

InfoObject
Smallest information unit in SAP NetWeaver BW. Key figures and Characteristics
are collectively called InfoObjects.

InfoPackages
Object in SAP NetWeaver BW that specifies when and how to load data from a
given source system to the SAP NetWeaver BW system

InfoProvider
Object in SAP NetWeaver BW for which queries can be created or executed.
InfoProviders are the objects or views that are relevant for reporting.

Intermediate Document (IDoc)


Standard SAP message document format for the EDI interface.


Invoice Approval (IAP)


VIM component that enables users to code, approve, and reject invoices

Invoice Capture Center (ICC)


Optional VIM OCR component.

Invoice characteristic
A value specific to each invoice (for example country) that allows flexible
processing in VIM. An invoice characteristic is determined during runtime and
depends on the corresponding index data of the document.

Invoice coder
Person who enters the accounting info on invoices to allocate the cost

Invoice Exception (IE)


VIM component that handles the exceptions that arise after an SAP invoice is
created

Invoice requester
Person who requested goods and services for Non PO invoices

Key Figure
Type of InfoObject in SAP NetWeaver BW that represents numeric values or
quantities, such as Number of Invoices and Gross Invoice Amount.

Key Process Analytics Report


Part of the Central Reporting infrastructure. The Key Process Analytics Report
reports about a variety of key figures regarding the VIM process: It shows the
accumulated amounts of all documents in the DP workflow, in parked state and
in posted state.

KPI Dashboard
Tool for managers showing VIM-related process data at a glance in graphical
charts.

LIV

See: Logistic invoice (LIV)

Logistic invoice (LIV)


Purchase order invoice

Materials Management (MM)


Materials management module of the SAP S/4HANA software package. Materials
management is used for procurement and inventory management.


MM

See: Materials Management (MM)

Mobile Approval Portal


VIM component for approving invoices on mobile devices.

MultiProvider
Object in SAP NetWeaver BW that is based on InfoCube(s), DataStore Object(s),
and/or InfoObject(s). A MultiProvider is used as a layer for the creation of end user
queries; the MultiProvider itself does not contain any data; rather, data resides in
the BasisCubes.

Namespace
Name range reserved by SAP for customer objects and SAP objects to make sure
that objects are not overwritten by SAP objects during the import of corrections or
an upgrade

Non purchase order (Non PO)


Order that is not based on a PO

Non purchase order (Non PO) invoice (PIR)


Invoice based on a Non purchase order (Non PO)

Number range
Array of numbers that can be used for an object in the SAP S/4HANA system

OCR

See: Optical character recognition (OCR)

Optical character recognition (OCR)


Mechanical or electronic translation of images of handwritten, typewritten or
printed text (usually captured by a scanner) into machine-editable text

Park
Situation where an invoice is not posted and is waiting for further processing

Parked invoice document


Temporary document that the AP processor can change and post. The SAP-assigned
document number becomes the real number when the document is posted.

Persistent Staging Area (PSA)


Data staging area in SAP NetWeaver BW. It allows checking data in an
intermediate location before the data is sent to its destinations in SAP NetWeaver
BW.


PIR

See: Non purchase order (Non PO) invoice (PIR)

PO

See: Purchase order (PO)

Posted invoice document


Invoice that has already been posted in SAP S/4HANA. Only free-form text fields
can be changed. Related documents such as POs or goods receipts may be created
or changed to affect the invoice. If the document is not needed, it must be
cancelled (PO invoice) or reversed (non-PO invoice).

Price variance
Situation where the price on the invoice is different from the price in the purchase
order

Process Chain
Sequence of processes in SAP NetWeaver BW that are scheduled to wait in the
background for an event; used to automate, visualize and monitor the processes.

Process options
Processing options for the user in the dashboard, such as Referral, Authorization,
and Actions

Process type
Process type for a document. The process type determines the initial actor and
various collaboration options available to the various actors during the process
flow.

Productivity Report
Part of the Central Reporting infrastructure. The Productivity Report reports
about the productivity of users/roles and the activities of users/roles.

PSA

See: Persistent Staging Area (PSA)

Purchase order (PO) invoice


Invoice based on a Purchase order (PO)

Purchase order (PO)


SAP module. PO indicates a document sent from a buyer to a seller. The purpose
of the document is to order the delivery of goods or services.


Quantity variance
Situation where the quantity on the invoice is different from the quantity in the
purchase order

Roles
Set of predefined roles for the SAP user

SAP Add-On Assembly Kit (AAK)


Standardized delivery procedure for software

SAP Customer Relationship Management (SAP CRM)


SAP application that provides software for ticket systems, for example in the
Accounts Payable department.

SAP NetWeaver Business Warehouse (SAP NetWeaver BW)


SAP application that allows integrating, transforming, and consolidating relevant
business information from productive SAP applications and external data
sources.

SAP Shared Service Framework


SAP software that contains a rich set of tools to improve and automate Shared
Service Center operations.

SAP Supplier Relationship Management (SAP SRM)


SAP application that automates, simplifies, and accelerates procure-to-pay
processes for goods and services.

Scan operator
Person who scans the invoices into images (may not have an SAP ID)

Summary Report
Part of the Central Reporting infrastructure. The Summary Report provides a
summary of all documents processed through VIM.

Transformation (TRF)
Object in SAP NetWeaver BW to connect source objects to data targets; it allows
consolidating, cleansing and integrating data

TRF

See: Transformation (TRF)

VAN

See: VIM Analytics (VAN)


Vendor Invoice Management (VIM)


Packaged business solution that solves a business problem: paying the correct
amount to vendors on time and at the lowest cost. VIM delivers not technology
but best-practice business processes. VIM provides value to customers in process
efficiency, visibility and compliance.

VIM Analytics (VAN)


VIM component that gives users a clear data report on their invoices in progress.
VIM Analytics allows tracking the documents routed through SAP workflows via
VIM.

VIM Workplace
Tool for VIM super users, which allows users to display lists of their work items
that meet a selection they have entered before. Users also can display work items
of other users and of their team as a whole.

Workflow
SAP Business Workflows can be used to define business processes that are not yet
mapped in the SAP S/4HANA system.
