OpenText™ Vendor Invoice Management

for SAP® Solutions

Security Guide

This guide collects all information that is relevant regarding

security of all components of Vendor Invoice Management. The
components of Vendor Invoice Management include
Foundation, Invoice Solution, and Solutions Beyond Invoice.

VIM200400-GSM-EN-03
OpenText™ Vendor Invoice Management for SAP® Solutions
Security Guide
VIM200400-GSM-EN-03
Rev.: 2021-Jan-18
This documentation has been created for OpenText™ Vendor Invoice Management for SAP® Solutions 20.4.
It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product,
on an OpenText website, or by any other means.

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com

Copyright © 2021 Open Text. All Rights Reserved.

Trademarks owned by Open Text.

One or more patents may cover this product. For more information, please visit https://www.opentext.com/patents.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
 Table of Contents
1 About Vendor Invoice Management ........................................ 5
1.1 Architectural Overview ....................................................................... 7
1.2 About this document .......................................................................... 8
1.2.1 Target audience ................................................................................ 8
1.2.2 Further information sources ............................................................... 8

Part 1 Foundation 11

2 Secure setup ............................................................................ 13

2.1 Secure connections ......................................................................... 13
2.2 Secure import ................................................................................. 13
2.3 Secure storage ............................................................................... 14
2.4 Configuring authorizations for validation user .................................... 14

3 General security aspects ........................................................ 17

3.1 Preparing configuration ................................................................... 17
3.2 General authorization checks ........................................................... 17
3.3 General Data Protection Regulation (GDPR) ..................................... 17

4 Configuring authorization settings ........................................ 19

Part 2 Invoice Solution 21

5 Understanding the Invoice Solution ...................................... 23

5.1 Delivery model ................................................................................ 23
5.2 Workflow scheme ............................................................................ 25

6 General security aspects ........................................................ 27

6.1 Specific authorization checks ........................................................... 27
6.2 Chart of Authority (COA) .................................................................. 28

7 Security aspects of specific components ............................. 31

7.1 BCC ............................................................................................... 32
7.2 Business Center Inbound Configuration ............................................ 32
7.3 Information Extraction Service ......................................................... 32
7.4 VIM Workplace ............................................................................... 33
7.5 Substitutes in the workflow processes .............................................. 34
7.6 Roles for the SAP early watch service .............................................. 34
7.7 Transactions ................................................................................... 35
7.8 Invoice Approval ............................................................................. 35
7.9 Approval Portal ............................................................................... 35
7.10 Mobile Approval Portal .................................................................... 36

VIM200400-GSM-EN-03 Security Guide iii

Table of Contents

7.11 KPI Dashboard ............................................................................... 36

7.12 VIM reports ..................................................................................... 37
7.13 Fiori Task Apps ............................................................................... 37
7.14 Supplier Self Service ....................................................................... 38
7.15 Supplier Self Service Fiori apps ....................................................... 38
7.16 Supplier Self Service - Lean Variant ................................................. 39
7.17 Z constants ..................................................................................... 39
7.18 Vendor data cleanup program .......................................................... 40
7.19 Standard posting of invoices ............................................................ 40
7.20 Posted invoice reversal with a new DP workflow start ........................ 40
7.21 VIM translation ................................................................................ 40
7.22 Simple Mode VIM ............................................................................ 41

GLS Glossary 43

iv OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

Chapter 1
About Vendor Invoice Management

OpenText Vendor Invoice Management for SAP Solutions (VIM) is an ABAP add-on
solution to SAP ECC and SAP S/4HANA.

VIM automates the processing of incoming documents into SAP.

Document-centric business processes like the processing of incoming invoices from

vendors or incoming sales orders from customers are typical use cases for VIM.
After capture, data is enriched and validated against predefined business rules.

If no business rules fail, the document is posted in SAP without human intervention.
Although a straight through, no-touch process is the ultimate objective, VIM also
supports the fast and efficient handling and resolution of exceptions.

Exceptions are routed via workflow to the relevant user or user group based on the
role assigned to the exception.

For managers VIM offers a comprehensive suite of operational and analytical

reports. In addition, VIM offers the tools to identify common exceptions that should
be addressed to achieve even higher levels of automation.

VIM includes the following solutions:

• Invoice Solution
• Procure to Pay Solutions

– Order Confirmation
– Delivery Note
– Quotation
• Order to Cash Solutions

– Sales Order
– Remittance Advice

Each solution consists of a best practice implementation for a specific document

scenario. It includes preconfigured mapping rules, enrichment rules, business rules,
user roles and user actions. Learning-based enrichments features embedded easy to
configure machine learning that automates input based on previous user input.

Since VIM resides inside SAP, enrichments and business rules have direct access to
SAP master and transactional data, which avoids complex interfaces and the
replication and duplication of data.

VIM200400-GSM-EN-03 Security Guide 5

Chapter 1 About Vendor Invoice Management

Each solution offers a Workplace used by end-users and managers to manage and
monitor outstanding and completed work items. Each solution includes a
preconfigured set of analytical measures tailored for the specific document scenario.
Solutions can be enhanced to support company-specific business requirements.

VIM Solutions use features offered by its powerful feature rich Foundation.

The VIM Foundation consists of the following components:

• Inbound
• Process
• Workplace
• Analytics

VIM also supports custom solutions where a preconfigured solution is not available
for a specific, less common business process.

VIM offers a simple and intuitive user interface for end-users, managers and
administrators.

Users can choose between the classic SAP GUI or the modern SAP Fiori interface.

SAP Fiori offers a responsive web-based user interface that supports desktop and
mobile devices.

VIM supports various input channels including scan, fax¸ e-mail and web services.

It also supports various input formats, including paper, PDF, TIFF, IDoc and XML.

VIM requires an ArchiveLink-compliant SAP-certified content repository for the

storage of incoming documents. OpenText recommends OpenText Archiving and
Document Access for SAP Solutions or OpenText Core Archive for SAP Solutions for
the storage of documents.

6 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 1.1. Architectural Overview

VIM integrates seamlessly via its Inbound component with OpenText Intelligent
Capture for SAP Solutions and OpenText Core Capture for SAP Solutions, which
uses advanced machine learning algorithms to extract metadata from imaged-based
documents like PDF and TIFF.

VIM also offers integration with OpenText Extended ECM for SAP Solutions and
OpenText Document Presentment for SAP Solutions.

1.1 Architectural Overview

The following figure gives an overview of the basis architecture. It shows how the
core components of VIM are integrated into SAP and which additional OpenText
components like Document Pipeline, Document Storage, Information Extraction
Service and WebViewer are completing the solution.

Beside the components of this graphic, VIM offers additional components such as
SAP NetWeaver Business Warehouse or BW/4Hana for specific solutions which are
not shown in this basis architectural overview.

Figure 1-1: Technical system landscape

VIM200400-GSM-EN-03 Security Guide 7

Chapter 1 About Vendor Invoice Management

1.2 About this document

The Security Guide provides an overview of security and authorization aspects of
VIM. Where appropriate, the document adds links to more detailed descriptions in
other guides.

The Security Guide comprises the following parts:

“Foundation” on page 11
This part provides security-related information that you have to consider for all
VIM Solutions.
“Invoice Solution” on page 21
This part provides security-related information for the Invoice Solution.

1.2.1 Target audience

This document addresses those who participate in the customization and
implementation of VIM with a special focus on security aspects. This includes:

• SAP Basis Administrators

• SAP Workflow Administrators
• SAP Configuration and Development Support

1.2.2 Further information sources

Product docu- The following documentation is available for VIM on OpenText My Support (https://
mentation knowledge.opentext.com/knowledge/cs.dll/Open/10151494):

• OpenText Vendor Invoice Management for SAP Solutions - User Guide for Invoice
Solution (VIM200400-UGD)
• OpenText Vendor Invoice Management for SAP Solutions - Installation Guide
(VIM200400-IGD)
• OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for
Invoice Solution (VIM200400-CGD)
• OpenText Vendor Invoice Management for SAP Solutions - Administration Guide
(VIM200400-AGD)
• OpenText Vendor Invoice Management for SAP Solutions - Reference Guide for Invoice
Solution (VIM200400-RGD)
• OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide for Invoice
Solution (VIM200400-CCS)
• OpenText Vendor Invoice Management for SAP Solutions - Security Guide
(VIM200400-GSM)
• OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for
Foundation (BOCP200400-CGD)

8 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 1.2. About this document

• OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for
Solutions Beyond Invoice (BOCP200400-CCS)
• OpenText Vendor Invoice Management for SAP Solutions - User Guide for Solutions
Beyond Invoice (BOCP200400-UGD)

Release Notes Release Notes describe:

• The software supported by the product

• Requirements
• Restrictions
• Important dependencies
• New features
• Known issues
• Fixed issues
• Documentation extensions

The Release Notes are updated continuously . The latest version of the VIM Release
Notes is available on OpenText My Support (https://knowledge.opentext.com/
knowledge/cs.dll/Open/10151494).

On OpenText My Support, you find the OpenText Vendor Invoice Management

Forum where you can post questions and discuss VIM issues: https://
forums.opentext.com/forums/support/categories/cs-Vendor-Invoice-Management

Important note for SAP Reseller Customers

For information about all OpenText products resold by SAP (including VIM
and ICC), check SAP Marketplace Note 1791874: SAP Products by OpenText -
Software and Support Lifecycle. This note provides detailed information about
software life cycle, access to Support Packages, access to latest documentation,
language packages, and other patches, as well as Support ticket handling.

VIM200400-GSM-EN-03 Security Guide 9

 Part 1
Foundation
Part 1 Foundation

This part provides security-related information that you have to consider for the
Foundation.

12 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

Chapter 2
Secure setup

Setting up VIM securely includes the following configurations:

• “Secure connections” on page 13

• “Secure import” on page 13
• “Secure storage” on page 14
• “Configuring authorizations for validation user” on page 14

2.1 Secure connections

To connect to systems like OpenText™ Business Center Capture for SAP® Solutions
(BCC) with invoice solution), SAP systems, or OpenText™ Archive Center,
OpenText recommends that you always use a secure connection, for example a
trusted RFC destination between SAP S/4HANA® systems.

For more information about the customization of logical systems that are needed for
trusted RFC connections, see the SAP documentation.

For Web Services connection settings, see Section 11.1.1 “System landscape” in
OpenText Vendor Invoice Management for SAP Solutions - Installation Guide
(VIM200400-IGD).

2.2 Secure import

Inject documents only from secure channels. It is your task to avoid getting wrong
data into the system.

The configuration described in this section allows you to set up a virus protection
that works directly at the import stage. This means, for example, that PDF files
containing viruses can be avoided in the OCR.

The delivered PIPELINE document handler (for more information, see Section 3.4.1.2
“Creating a document handler” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Foundation (BOCP200400-CGD)) processes a virus
scan with the /SCMS/KPRO_CREATE virus scan profile within the /OTX/PF01_CL_
MODULE_DOC_VSCAN module class. You can use this module class also within in a
custom document handler to process a virus scan for all available documents in
inbound. All other delivered inbound document handlers process already the same
virus scan profile within standard SAP ArchiveLink® processing.

Note: For further details about Virus Scan Provider, see the SAP
documentation.

VIM200400-GSM-EN-03 Security Guide 13

Chapter 2 Secure setup

SAP supports the integration of Virus Scan. For more information, see the following
SAP notes:

• 786179 - Data security products: Application in the antivirus area (https://

launchpad.support.sap.com/#/notes/786179)
• 817623 - Frequent questions about VSI in SAP applications (https://
launchpad.support.sap.com/#/notes/817623)

This is not specific but applies to SAP ERP in general.

If you use this configuration with the right scan profile, the SAP transaction OAWD
(upload) is protected as well as other ArchiveLink features, for example the call that
is used by the email input.

2.3 Secure storage

Configure document archiving and document access in a proper way. SAP standard
takes care about security topics but you must set up the system in the correct way.

In the OpenText plugins, archived documents are shown in SAP GUI and HTML
control. Therefore corresponding security settings in SAP must be set correctly.

Note: For further details about ArchiveLink, see Section 2 “Configuring

ArchiveLink” in OpenText Vendor Invoice Management for SAP Solutions -
Configuration Guide for Invoice Solution (VIM200400-CGD).

2.4 Configuring authorizations for validation user

As soon as the validation user has started the Validation Client, the user has to log in
to SAP ERP or SAP S/4HANA using a prepared SAP user. This user needs the
following authorizations:

• For BC Inbound Framework version 16.3.1 and later, full authorization for the J_
6NPF_RFC object is required for all users. For more information, see Section 7.4
“Authorization objects” in OpenText Vendor Invoice Management for SAP Solutions
- Configuration Guide for Foundation (BOCP200400-CGD).
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=SYST
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=RFC1
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=RFC_METADATA
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME= /OTX/PF11_VALIDATION

As of SAP Basis Release 7.10 you can choose a finer granularity for authorizations.
For more information, see SAP Note 460089. You can execute the authorization
check on individual function modules, instead of entire function groups.

You can replace the following authorizations:

• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=SYST

14 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 2.4. Configuring authorizations for validation user

replace with
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=RFCPING
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=RFC1
replace with
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=RFC_FUNCTION_SEARCH
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=RFC_METADATA
replace with
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=RFC_METADATA_GET
• S_RFC:ACTVT=16,RFC_TYPE=FUGR,RFC_NAME=/OTX/PF11_VALIDATION
replace with
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=/OTX/
PF11_VAL_GET_DATA
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=/OTX/
PF11_VAL_GET_PROFILES
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=/OTX/
PF11_VAL_GET_SETTINGS
S_RFC:ACTVT=16,RFC_TYPE=FUNC,RFC_NAME=/OTX/
PF11_VAL_SET_DATA

You can also replace the other function group authorizations by the function module
authorizations but it is not necessary because nearly each function module within
the groups is used.

VIM200400-GSM-EN-03 Security Guide 15

Chapter 3
General security aspects

This part deals with general security aspects of VIM that are concerned with VIM as
a whole or more than one component of VIM. Where applicable, this section adds
links to more detailed descriptions.

The following security aspects are covered in this part:

• “Preparing configuration” on page 17

• “General authorization checks” on page 17
• “General Data Protection Regulation (GDPR)” on page 17

3.1 Preparing configuration

During the preparation phase, you need to create User IDs with appropriate
developer and configuration authorizations.

3.2 General authorization checks

When implementing VIM, OpenText recommends that you restrict the access to
administrative (configuration) transactions and utilities reports through SAP
authority checks like S_TCODE and S_PROGRAM. Ideally, invoice processors should be
restricted, in addition to the authorizations for standard SAP transactions, to
performing workflow items either from the SAP inbox or VIM Workplace. For more
information, see “Specific authorization checks” on page 27.

During invoice processing, running SAP transactions from within VIM can be
required. For example, posting of an invoice in dialog mode results into the call of
FB60 or MIRO transactions. The called standard transactions implement their own
authority checks. This is normally part of the project authorization concept, but you
can adjust it in the context of the implementation.

3.3 General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new European Union (EU) law
that gives residents greater protection and control of their personal data. It will
regulate the data that companies in and outside the EU can collect, store, and
transfer, and how they use it. All companies that process EU resident data must be
ready to comply when the GDPR enforcement starts on May 25, 2018.

Note: No legal advice is provided in this document or any other part of VIM
product documentation. Product documentation does only provide general
technical guidelines that may be relevant to consider if a customer implements

VIM200400-GSM-EN-03 Security Guide 17

Chapter 3 General security aspects

the product and is looking to define their strategy towards GDPR and similar
data protection requirements.

Software solutions like VIM cannot be considered to be or not to be GDPR

compliant. Every customer using SAP S/4HANA and VIM is responsible to provide
GDPR compliance in their organization.

SAP S/4HANA already provides a superior level of user security and data protection
features. VIM as an add-on package profits from the high standard of SAP S/
4HANA compared to outside-in solutions with their own database, duplication of
data, and lower level security concepts.

For more information about GDPR, see Section 2 “General Data Protection
Regulation (GDPR)” in OpenText Vendor Invoice Management for SAP Solutions -
Scenario Guide for Invoice Solution (VIM200400-CCS).

VIM offers tools to delete vendor specific entries from some core customizing tables
as well as from the VIM run time tables.

The following documentation sections explain the tools available in VIM to delete
specific user data and specific vendor information in VIM tables:

• Section 3.1.4.8 “Usermap and COA cleanup” in OpenText Vendor Invoice

Management for SAP Solutions - Configuration Guide for Invoice Solution
(VIM200400-CGD)
• Section 8.3.1 “Vendor data cleanup program” in OpenText Vendor Invoice
Management for SAP Solutions - Administration Guide (VIM200400-AGD)
• Section 21.9 “Vendor cleanup program for Supplier Self Service” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD)

18 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

Chapter 4

Configuring authorization settings

Business Center is delivered with new authorization objects. The SAP authorization
object SAP_ALL must be re-generated to apply the authorizations to this object.

Business Center delivers the following general authorization objects.

Authorization Description Usage

object
J_6NPF_NAV Checks navigation in workplace according to Business Center
workplace ID. For more information, see Workplace
OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Foundation
(BOCP200400-CGD).
J_6NPF_WTY Checks work object type with related actions, Business Center
functions, and nodes. For more information, see Workplace
OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Foundation
(BOCP200400-CGD).
J_6NPF_PRF Checks the process configuration profile with Processing Screen
profile ID, characteristic attribute, and process Business Process
step. For more information, see OpenText Vendor
Invoice Management for SAP Solutions -
Configuration Guide for Foundation (BOCP200400-
CGD).
J_6NPF_PRJ Checks the authorized project ID. For more Displaying Data in
information, see OpenText Vendor Invoice the Query or
Management for SAP Solutions - Configuration Analytics Reports
Guide for Foundation (BOCP200400-CGD).
J_6NPF_ADM Is checked in all administrative reports, Administration
transactions, and programs. For more
information, see OpenText Vendor Invoice
Management for SAP Solutions - Configuration
Guide for Foundation (BOCP200400-CGD).
J_6NPF_RFC Is checked in all RFC functions and executable Processing
programs. For more information, see OpenText
Vendor Invoice Management for SAP Solutions -
Configuration Guide for Foundation (BOCP200400-
CGD).

For further details, see Section 6.1.2.1 “Maintaining version settings” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Foundation
(BOCP200400-CGD) (AUTH_CHECK_DATA method) and Section 7.1.1.1.1

VIM200400-GSM-EN-03 Security Guide 19

Chapter 4 Configuring authorization settings

“Authorization Exit” in OpenText Vendor Invoice Management for SAP Solutions -

Configuration Guide for Foundation (BOCP200400-CGD).

20 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Part 2
Invoice Solution
Part 2 Invoice Solution

This part covers security-related information for VIM4SAP Invoice Solution.

22 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

Chapter 5
Understanding the Invoice Solution

Process steps The Vendor Invoice Management (VIM) business process typically includes the
following main steps:

1. An OCR process (optional) sends metadata and invoice image to VIM. On a

system without OCR, the invoice images go through a standard SAP
ArchiveLink® early archiving scenario.
2. The Document Processing (DP) component validates the metadata and identifies
exceptions.
3. Invoice Exception workflows address the exception issues.
4. After validating the data and handling data exceptions, VIM creates an SAP
invoice.
5. If no business rules are violated, VIM posts the invoice.

5.1 Delivery model

As VIM is basically a scenario, its function may best be described as a problem
solution. It enables the flexible configuration of a company's payment workflow. To
this end, VIM is delivered with a so-called Baseline Configuration, a set of pre-defined
configurations that work out of the box. In conjunction with other OpenText
products such as OpenText™ Archive Center it is possible to realize comprehensive
solutions. Core Functions are the technical foundation of VIM: SAP screens, functions,
workflow templates, web pages, etc.

VIM200400-GSM-EN-03 Security Guide 23

Chapter 5 Understanding the Invoice Solution

Note: Only end user screens are translated in additional languages other than
English. Customizing screens are provided in English language only.

24 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 5.2. Workflow scheme

5.2 Workflow scheme

Figure 5-1: Workflow scheme

Each VIM workflow process has the same basic steps:

Validate metadata
The metadata or index data are validated against the SAP database. If validation
fails, an exception is triggered.
Check duplicates
The validated metadata is used to check whether the new invoice has been
entered already. If the new invoice is suspected to be a duplicate of any existing
invoice, an exception is triggered.
Apply business rules
Invoice pre-processing: Business rules are applied to detect additional
exceptions before posting.
Post for payment
The invoice is posted and released for payment.

VIM200400-GSM-EN-03 Security Guide 25

Chapter 6
General security aspects

This part deals with general security aspects of VIM that are concerned with VIM as
a whole or more than one component of VIM. Where applicable, this section adds
links to more detailed descriptions.

The following security aspects are covered in this part:

• “Specific authorization checks” on page 27

• “Chart of Authority (COA)” on page 28

6.1 Specific authorization checks

VIM implements authorization checks in several reports, for the COA maintenance
transaction /OPT/AR_COA, for the indexing screen, and for VIM Workplace.

In the reports, in the indexing screen, and in VIM Workplace, the authorization
checks ensure that SAP users working with VIM are able to see and process only the
information that they are authorized for. In the COA maintenance, the authorization
checks make sure that the user is allowed to display or maintain the entries.

For backward compatibility reasons, the authorization checks are disabled in the
standard configuration. You can enable them on demand as described in Section
5.3.3 “Enabling VIM authorization checks globally” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

With authorization checks activated, the information in the corresponding reports

and in VIM Workplace is filtered according to the settings. The documents or work
items for which the user is not authorized will not be shown. The COA maintenance
transaction also filters out unauthorized records and displays a warning in this case.

An additional authorization check with the object J_6NIM_BRO is done in VIM

Analytics to control the execution based on the fields ROUTE_ID1 and ROUTE_ID2.
For more information, see Section 11.1 “Routing documents with the route ID” in
OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide for Invoice
Solution (VIM200400-CCS).

For a comprehensive description of authorization checks, see Section 5

“Authorization checks” in OpenText Vendor Invoice Management for SAP Solutions -
Configuration Guide for Invoice Solution (VIM200400-CGD). This description includes
the following major aspects of authorization checks:

• Available authorization checks

• Configuring the authorization checks

VIM200400-GSM-EN-03 Security Guide 27

Chapter 6 General security aspects

• Authorization group for VIM tables

• Authorization checks when performing transaction calls
• Authorization checks for RFC calls
• Restricting ALV layout for process logs

6.2 Chart of Authority (COA)

Roles and COA VIM provides means to direct invoices to specific persons or groups, depending on
the invoice data. VIM roles are used in DP and invoice exceptions workflows. The
responsibility based (COA) setup is used in Invoice Approval. This helps to ensure
that the data gets processed by the right agents, and misuse chances are minimized.
For more information, see Section 3 “Roles” in OpenText Vendor Invoice Management
for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).

Roles typically used for invoice processing are delivered in BC sets and are normally
created during VIM installation. This configuration must be verified and restricted if
needed, depending on your process.

Tip: The standard Refer to... dialog might allow invoice processors to modify
the agent list. This depends on the process option override settings. Similarly,
Invoice Approval has options that can allow to override the next approver
automatically. You must verify the use of these override options and switch
them off if they are unwanted.

VIM provides the following method for Invoice Approval:

Level-based This method is considered only for Non PO document types. For PO document
approval types, a one-step approval is provided by default.

For more information, see Section 10.4.4 “Configuring approval flow settings” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).

COA configura- In level-based approval, COA details are checked when the user opens the work
tion item. That means that changes in the COA details are automatically reflected in the
Invoice Approval screen. When a task is performed, the next approval steps are
automatically determined according to the actual setting. Therefore, changes to user-
specific COA details are not critical. Changing or renaming a User ID might be
critical.

Purpose COA is required in the Invoice Approval process to allow users to approve Non PO
invoices. The data combination maintained in the COA helps to determine the
correct approver for a certain invoice in the approval process.

For details on how to configure the COA for level-based Invoice Approval, see
Section 3.1.4 “Maintaining Chart of Authority” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD). This description includes the following major aspects of the COA:

28 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 6.2. Chart of Authority (COA)

• User Details View

• Approval Limit/Level View
• COA Details View
• Coder Settings view
• Setting up a substitute for the IAP process
• Logging with change documents
• COA upload report
• Usermap and COA cleanup
• Maintaining COA - alternative transaction

COA The COA maintenance transactions for Invoice Approval allow you to restrict the
maintenance data that is displayed and maintained by checking authorization for company code
authorization
checks
and user groups (from SAP user master records). In addition, using the
authorization checks by company code allows to maintain COA in parallel, as long
as different maintaining users are responsible for different company codes. For more
information, see Section 5.2.2 “COA maintenance” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

VIM200400-GSM-EN-03 Security Guide 29

Chapter 7

Security aspects of specific components

This chapter deals with security aspects of VIM that are concerned with specific VIM
components. Where applicable, this section adds links to more detailed descriptions.

The following security aspects are covered in this part:

• “BCC” on page 32

• “Business Center Inbound Configuration” on page 32

• “Information Extraction Service” on page 32

• “VIM Workplace” on page 33

• “Substitutes in the workflow processes” on page 34

• “Roles for the SAP early watch service” on page 34

• “Transactions” on page 35

• “Invoice Approval” on page 35

• “Approval Portal” on page 35

• “Mobile Approval Portal” on page 36

• “KPI Dashboard” on page 36

• “VIM reports” on page 37

• “Fiori Task Apps” on page 37

• “Supplier Self Service” on page 38

• “Supplier Self Service Fiori apps” on page 38

• “Supplier Self Service - Lean Variant” on page 39

• “Z constants” on page 39

• “Vendor data cleanup program” on page 40

• “Standard posting of invoices” on page 40

• “Posted invoice reversal with a new DP workflow start” on page 40

• “VIM translation” on page 40

• “Simple Mode VIM” on page 41

VIM200400-GSM-EN-03 Security Guide 31

Chapter 7 Security aspects of specific components

7.1 BCC
The documentation of OpenText™ Business Center Capture for SAP® Solutions
(BCC) discusses security topics related to BCC user authentication and the data
transfer between SAP systems and BCC. For more information, see Section 5
“Security” in OpenText Business Center Capture for SAP Solutions - Administration
Guide (CPBC-AGD).

7.2 Business Center Inbound Configuration

Business Center Inbound Configuration has replaced the Incoming Document
Handling (IDH) framework and the ICC Dispatcher framework. For a
comprehensive description of the Business Center Inbound Configuration, see
Section 3 “Inbound Configuration” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Foundation (BOCP200400-CGD).

Monitoring au- Some authorizations are needed to monitor Business Center Inbound Configuration.
thorization For more information, see the example in Section 7.4 “Authorization objects” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for
Foundation (BOCP200400-CGD).

Validation Validation might be required for an ArchiveLink document type. If you do not use a
agent custom logic to determine the validator, you must assign the corresponding agent to
the ArchiveLink document type. This way, you can determine who is allowed to see
what. If this is not enough, implement a project specific user exit. For more
information, see Section 4.3.4 “Assigning an agent to an ArchiveLink document
type” in OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide
for Foundation (BOCP200400-CGD).

7.3 Information Extraction Service

Note: “Information Extraction Service” (“IES”) is used in this documentation
as a common technical term for both of the following OpenText products:

• OpenText™ Intelligent Capture for SAP® Solutions, formerly known as

OpenText™ Information Extraction Service for SAP® Solutions (IES on
premise)
• OpenText™ Core Capture for SAP® Solutions

For general information about security aspects in the context of IES, see Section 9
“Configuring security” in OpenText Intelligent Capture for SAP Solutions - Installation
and Administration Guide (CPIE-AGD).

Validation user OpenText™ Information Extraction Service for SAP® Solutions (IES) can be used in
in BCC scenarios that require OCR.

In the context of IES and the Validation Client in OpenText Business Center Capture
for SAP Solutions (BCC), RFC authorizations are necessary for the validation user.

32 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 7.4. VIM Workplace

For more information, see “Configuring authorizations for validation user”

on page 14.

Service user When setting up the IES result processing service according to the Business Center
authorizations documentation, you need to grant general MM and FI authorizations to the service
user if IES will be used with VIM. Perform this action in addition to the
authorizations listed in the Business Center documentation for authorization objects
S_ICF and J_6NPF_RFC, see Section 4.2.2.1.2 “On-Premises: Inbound
communication” in OpenText Vendor Invoice Management for SAP Solutions -
Configuration Guide for Foundation (BOCP200400-CGD).

If recognition results are not complete, for example, supplier or company code data
is not populated in general, perform an authorization trace to identify missing
authorizations. For more information about the IES integration into VIM, see Section
6.2.2 “Configuring the IES integration for VIM classic mode” in OpenText Vendor
Invoice Management for SAP Solutions - Configuration Guide for Invoice Solution
(VIM200400-CGD).

7.4 VIM Workplace

Protected The VIM Workplace allows the following types of actions, which can be protected
actions using special authority checks:

Button actions
These actions are defined as single or bulk action buttons within the process
output list button toolbar.

Output Field actions

These actions are defined as executable icons or hotspots within the process
output list itself.

VIM Workplace VIM Workplace provides the concept of action authority groups. For more
authorization information, see Section 15.5 “Defining action authority groups for the VIM
checks
Workplace” in OpenText Vendor Invoice Management for SAP Solutions - Configuration
Guide for Invoice Solution (VIM200400-CGD).

VIM Workplace supports several authorization checks that allow you to restrict
different functions. For example, you can restrict the use of other users’ view. When
VIM Workplace is started, an authorization check is performed.

Note: Running actions in other users’ view may require you to have additional
SAP authorizations. In chaptericular, this refers to the authorization for the
SWIA transaction and potentially for other workflow administration functions.
These checks are imposed by SAP if you are managing work items of other
users.

Teams in VIM In the VIM Workplace, special team-related functionalities are available based on the
Workplace following different types of possible team definitions:

VIM200400-GSM-EN-03 Security Guide 33

Chapter 7 Security aspects of specific components

Personal Team
Maintained by each user directly in the VIM Workplace team configuration
dialog box.
General Team
Generally maintained by an administrator. Users cannot change the general
team in the VIM Workplace team configuration dialog box.

For more information, see Section 15.8 “Maintaining general teams for the VIM
Workplace” in OpenText Vendor Invoice Management for SAP Solutions - Configuration
Guide for Invoice Solution (VIM200400-CGD).

Authorization A Scan button is available in VIM Workplace. It allows you to scan new invoices
for scanning directly from the VIM Workplace interface. For necessary prerequisites regarding
authorization, see Section 15.6 “Configuring scanning in VIM Workplace” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).

7.5 Substitutes in the workflow processes

Substitutes can be set up for the SAP inbox and for the Invoice Approval (IAP)
process. If a work item owner is on vacation or leaves the company, the substitute
can “adopt” the work items owned by the substituted user. For more information,
see Section 5.1 “Setting up substitutes for workflow processes” in OpenText Vendor
Invoice Management for SAP Solutions - Administration Guide (VIM200400-AGD).

7.6 Roles for the SAP early watch service

The SAP early watch service checks and analyzes in order to optimize the
performance of SAP solutions. Since VIM resides inside the SAP S/4HANA system,
VIM follows standard early watch practices. Client dependent configuration data of
VIM is not visible in the early watch client and the early watch client is normally
locked against any configuration changes.

However, you can create a role to view the VIM configuration with “display only”
authorization. For more information, see Section 7.7.1 “Creating a role for VIM
configuration display” in OpenText Vendor Invoice Management for SAP Solutions -
Administration Guide (VIM200400-AGD).

34 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 7.7. Transactions

7.7 Transactions
Regarding domains, transactions, and the roles that have access to transactions,
adjusting the authorizations for ICC users might be necessary. Also be aware of the
Authorization objects. For more information, see Section 21 “Transaction profiles for
various roles” in OpenText Vendor Invoice Management for SAP Solutions - Reference
Guide for Invoice Solution (VIM200400-RGD).

7.8 Invoice Approval

AFS For information about authorizations in the context of approval flow settings (AFS),
see Section 10.4.4 “Configuring approval flow settings” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

Troubleshoot- Symptom: When referring an invoice with the Wait for feedback check box set, the
ing invoice is not moved into the resubmission folder. Reason: This can happen if
authorizations are missing.

For more information, see Section 9.10 “Troubleshooting Invoice Approval” in

OpenText Vendor Invoice Management for SAP Solutions - Administration Guide
(VIM200400-AGD).

7.9 Approval Portal

Single sign on Browser authentication is possible through a single sign on mechanism like SPNego
and SAML. For more information, see Section 16.1.3 “System architecture” in
OpenText Vendor Invoice Management for SAP Solutions - Installation Guide
(VIM200400-IGD).

Security config- On the Configuration tab of the Admin console, a dedicated area Security
uration Configuration is available.

To prevent Click Jacking and Cross Site Request Forgery (CSRF), there is a
corresponding check box available on the Configuration tab of the Admin console.
For Click Jacking, the X-FRAME options have been restricted to same origin. For
more information, see Section 7.8.1.4 “Configuration” in OpenText Vendor Invoice
Management for SAP Solutions - Administration Guide (VIM200400-AGD).

NetWeaver If you deploy the Approval Portal inside of the SAP NetWeaver Portal, NetWeaver
user authenti- user authentication will take place. For more information, see the SAP
cation
documentation. In this scenario, two views are normally created, one for approvals
and one for administrative tasks like setting up server connections. Make sure the
roles are assigned to proper users.

HTTPs In all deployment scenarios, SSL-based HTTPs communication is supported if

additional security is required.

CPIC SAP user Approval Portal, in both J2EE and NetWeaver portal deployment scenarios, runs
VIM application logic of all portal users using the same CPIC SAP user. To prevent

VIM200400-GSM-EN-03 Security Guide 35

Chapter 7 Security aspects of specific components

misuse of dialog transactions, OpenText recommends that you create this user as a
system user and not a dialog user. You must create a profile with some
authorization objects and add it to the CPIC user. For more information, see Section
16.1.1 “Installation prerequisites” in OpenText Vendor Invoice Management for SAP
Solutions - Installation Guide (VIM200400-IGD).

Authorization When SAP GUI perfectly displays the invoice image and when only Approval Portal
issues with shows the error message when viewing the image, cross-check that the necessary
CPIC
authorizations are granted for the logged-in user in viewing the images. For more
information, see Section 9.11.12.5.1 “Authorization issues with CPIC” in OpenText
Vendor Invoice Management for SAP Solutions - Administration Guide (VIM200400-
AGD).

Application logs Approval Portal logs the information about Protocols, Security, and other actions
performed on the application. For more information, see Section 9.11.12.1.1
“Application logs” in OpenText Vendor Invoice Management for SAP Solutions -
Administration Guide (VIM200400-AGD).

7.10 Mobile Approval Portal

Authentication For information about authentication of the Mobile Approval Portal, see Section 17.2
“Authentication for the Mobile Approval Portal” in OpenText Vendor Invoice
Management for SAP Solutions - Installation Guide (VIM200400-IGD).

Web Viewer For integration of OpenText™ Imaging Web Viewer (Web Viewer) in the Mobile
Approval Portal and related security aspects, see Section 17.3 “Installing Web
Viewer for the Mobile Approval Portal” in OpenText Vendor Invoice Management for
SAP Solutions - Installation Guide (VIM200400-IGD).

7.11 KPI Dashboard

Access is limited to users that have a SAP user on the central SAP S/4HANA system.
For more information, see Section 27.3 “Authorizations” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

Company code Using the Z constant DO_NOT_CHECK_BUKRS (product code KPI) you can control if the
authorization company code authorization is checked for each KPI Dashboard user. For more
information, see Section 27.4.10.6 “Company code authority check” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice Solution
(VIM200400-CGD).

36 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 7.12. VIM reports

7.12 VIM reports

VIM reports, including VIM Analytics and central reporting, allow you to restrict the
displayed data by checking authorization for company code. For more information,
see Section 5.2.1 “Reporting” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).

7.13 Fiori Task Apps

The Fiori Task Apps use SAP user authentication. The communication with SAP S/
4HANA backends is done with trusted RFC connections, with the authenticated
SAP user. For more information, see the following list:

Confirm Quantity and Price app

For more information, see Section 11.3.4 “User authorizations” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).
Resolve Invoice Exceptions app
For more information, see Section 11.4 “Configuring exception handling with
the Resolve Invoice Exceptions app” in OpenText Vendor Invoice Management for
SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).
Enter Cost Assignment Simple app
For more information, see Section 11.5.4 “User Authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).
Enter Cost Assignment Advanced app
For more information, see Section 11.6.5 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).
Approve Invoices app
For more information, see Section 11.8.8 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).
Approve Invoices (bulk mode) app
For more information, see Section 11.9.8 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).
My Approved Invoices app
For more information, see Section 11.10.4 “User authorization” in OpenText
Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).

VIM200400-GSM-EN-03 Security Guide 37

Chapter 7 Security aspects of specific components

7.14 Supplier Self Service

Supplier Self Service needs authorization settings regarding the following
components:

Gateway users Users of the SAP NetWeaver Gateway are grouped in roles, which are needed for
several other configurations. There is no restriction on the number and names of
roles created for SAP NetWeaver Gateway. You must enhance the roles of the users
in your SAP NetWeaver Gateway system with the authorizations contained in the
authorization template /IWFND/RT_GW_USER. For more information, see Section
21.1.3 “Configuring Gateway users” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).

Gateway The Supplier Self Service On-Premise option allows the UI5 repository to be
service authori- uploaded on the Gateway server as a BSP application. The On-Premise URL is
zation
generated for the BSP application with default HTML, and the application is
accessed using this URL.

For information how to bypass authorization issues for the service path, see Section
21.1.9 “Configuring the Gateway service authorization” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

Vendor cleanup The vendor cleanup program for Supplier Self Service has been created to clean up
vendors data based on selection criteria.

The program provides built-in checks to ensure that only VIM specific data is
modified or deleted. The program also provides a specific authorization check. The
authorization object is J_6NIM_CA6. For more information, see Section 21.9 “Vendor
cleanup program for Supplier Self Service” in OpenText Vendor Invoice Management
for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).

7.15 Supplier Self Service Fiori apps

User account An SAP user account is required to use Supplier Self Service apps. The SAP user
account must be available on the SAP Fiori UI / Gateway system and also on the
SAP ERP system having specific authorization objects. For more information, see
Section 22.2 “User authorization” in OpenText Vendor Invoice Management for SAP
Solutions - Configuration Guide for Invoice Solution (VIM200400-CGD).

User Self To implement User Self Service, you must have users with proper authorizations to
Service create and to maintain the users in SAP NetWeaver AS ABAP. The following table
shows the different types of users:

User User Type SAP Gateway SAP Business Suite

Hub (with IW_BEP)
Service User Service Yes Yes
Admin User Dialog No Yes

38 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 7.16. Supplier Self Service - Lean Variant

User User Type SAP Gateway SAP Business Suite

Hub (with IW_BEP)
Reference User Reference Yes Yes

For more information, see Section 22.3.2.1 “Security aspects of User Self Service” in
OpenText Vendor Invoice Management for SAP Solutions - Configuration Guide for Invoice
Solution (VIM200400-CGD).

Template User You need to maintain a reference Template User, which must be present in both SAP
Gateway and SAP Business Suite systems. This Template User must have the roles
and authorizations required for the Supplier Invoices app. For more information, see
Section 22.3.2.7 “User Self Service roles and authorizations” in OpenText Vendor
Invoice Management for SAP Solutions - Configuration Guide for Invoice Solution
(VIM200400-CGD).

7.16 Supplier Self Service - Lean Variant

When installing the SAP HANA Cloud connector, consider some security aspects.
For more information, see Section 21.2.3 “Installing the SAP HANA Cloud
connector” in OpenText Vendor Invoice Management for SAP Solutions - Installation
Guide (VIM200400-IGD).

7.17 Z constants
Various Z constants deal with authorization topics, see the following list:

Product code 002 and 009

• ALV_CHECK_ACTIVE
• AUTH_CHECK_ACTIVE
• SPROGRAM_CHECK_ACTIV
• SRFC_CHECK_ACTIV

For more information, see Section 35 “Z constants for product code 002 and 009”
in OpenText Vendor Invoice Management for SAP Solutions - Reference Guide for
Invoice Solution (VIM200400-RGD).
Product code 005

• PROPOSAL_ONE_VENDOR

For more information, see Section 36 “Z constants for product code 005” in
OpenText Vendor Invoice Management for SAP Solutions - Reference Guide for Invoice
Solution (VIM200400-RGD).
Product code KPI

• DO_NOT_CHECK_BUKRS

VIM200400-GSM-EN-03 Security Guide 39

Chapter 7 Security aspects of specific components

For more information, see Section 40 “Z constants for product code KPI” in
OpenText Vendor Invoice Management for SAP Solutions - Reference Guide for Invoice
Solution (VIM200400-RGD).

7.18 Vendor data cleanup program

The vendor data cleanup program provides built-in checks to ensure that only VIM
specific data is modified or deleted. The program also provides a specific
authorization check. The authorization object is J_6NIM_CA6. For more information,
see Section 8.3.1 “Vendor data cleanup program” in OpenText Vendor Invoice
Management for SAP Solutions - Administration Guide (VIM200400-AGD).

7.19 Standard posting of invoices

The posting logic uses some SAP BAPIs. The accountant using dialog posting and
the background user needs the authorization to call these BAPIs. For more
information, see Section 32.1.3 “Authorization” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD).

7.20 Posted invoice reversal with a new DP workflow

start
VIM provides a utility that allows selecting an invoice posted from VIM, cancel it,
and start a new DP workflow with a document containing the same data. DP process
log, approval log and entered comments are copied and linked to the new DP
document. This allows restarting a process, keeping the history easily available for
reference.

This utility includes an authorization check in reporting. For more information, see
Section 16 “Posted invoice reversal with a new DP workflow start” in OpenText
Vendor Invoice Management for SAP Solutions - Scenario Guide for Invoice Solution
(VIM200400-CCS)

7.21 VIM translation

Roles For information about authorization aspects of the SAP developer role and the
translator role, see Section 14.1 “Roles and responsibilities” in OpenText Vendor
Invoice Management for SAP Solutions - Scenario Guide for Invoice Solution (VIM200400-
CCS).

Translator When creating translator profiles, each profile can include one or more
profiles authorizations. For more information, see Section 14.3.5 “Creating a translator
profile” in OpenText Vendor Invoice Management for SAP Solutions - Scenario Guide for
Invoice Solution (VIM200400-CCS).

40 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 7.22. Simple Mode VIM

7.22 Simple Mode VIM

For Simple Mode VIM, you need to take the standard authorization settings of
OpenText™ Business Center for SAP® Solutions (Business Center) into account. For
more information, see Section 9.1.1 “Technical security and authentication” in
OpenText Vendor Invoice Management for SAP Solutions - Administration Guide
(VIM200400-AGD).

In the context of Fiori Monitoring and Analytics reports, you need to consider some
authorization aspects. For more information, see the heading Access Control, both
in Section 40.8.1.1 “Simple Mode: Invoice Monitor” in OpenText Vendor Invoice
Management for SAP Solutions - Configuration Guide for Invoice Solution (VIM200400-
CGD) and Section 40.8.1.2 “Simple Mode: Invoice Analytics” in OpenText Vendor
Invoice Management for SAP Solutions - Configuration Guide for Invoice Solution
(VIM200400-CGD).

VIM200400-GSM-EN-03 Security Guide 41

Glossary
AAK

See: SAP Add-On Assembly Kit (AAK)

After Image
Technical option to realize an delta upload from the source systems into the SAP
NetWeaver BW system. A data record loaded as After Image provides the status
of the record after it has been changed, or after data has been added.

Aging Report
Part of the Central Reporting infrastructure. The Aging Report reports about the
aging of documents and work items in the current system.

Application Component Hierarchy

Hierarchy of folders to structure DataSources in SAP NetWeaver BW.

Approval chart of authority (COA)

The Approval chart of authority (COA) determines first approver and next
approver for an invoice by combinations of Company Code (specific or range),
Expense Type (marketing expense, utility), Cost Objects (G/L account, Cost
Center), and HR objects (Position, Job code).

Approval Portal
VIM web interface for approving invoices.

Archive system
Computer system that enables storage, management and retrieval of archived
data and documents

ArchiveLink document types

Document types that need to be customized for ArchiveLink

ArchiveLink
Service integrated in the SAP NetWeaver Application Server ABAP for linking
archived documents and the application documents entered in the SAP ERP
system.

Authorization profiles
The SAP administrator assigns authorizations to the users that determine which
actions a user can perform in the SAP system. These authorizations are stored in
Authorization profiles.

VIM200400-GSM-EN-03 Security Guide 43

Glossary

Automation Report
Tool that provides data about automated and manual processing steps of VIM
documents

BAdI

See: Business Add-Ins (BAdI)

BAPI®
SAP programming interface: Business Application Programming Interface

Baseline
Set of functionality with pre-defined configuration and the starting point to
implement VIM

BasisCube

See: InfoCube

BDC ID
Business Data Communication ID. The BDC ID is used by the system to process
an SAP transaction to create an SAP Document in user context.

Block
Situation where an invoice has a price or quantity variance that prevents invoice
from posting

BTE

See: Business Transaction Event (BTE)

Business Add-Ins (BAdI)

Business Add-Ins (BAdI) is an SAP enhancement technique based on ABAP
objects. BAdI can be inserted into the SAP system to accommodate user
requirements too specific to be included in the standard delivery.

Business Center Capture (BCC)

OpenText Business Center Capture for SAP Solutions. Business Center
component for use in VIM. Automates the capture of paper invoices by using
OCR to extract invoice data.

Business Center Foundation

Central Business Center unit that serves to import, capture, dispatch, process, and
consume business objects. It comprises Inbound Configuration, Process Foundation,
Process Configuration, Business Center Workplace, and Fiori Task App.

44 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Glossary

Business Center Workplace

Central tool to process work objects of the Business Center solutions. It provides
an inbox with personal and shared work item lists to the user. It also provides
access to different business objects and status information for all objects in
process. The user can switch between work centers and navigate in a process-
dependent tree.

Business Center
The name Business Center groups features of the VIM product that help receiving
incoming documents, capturing processes, and filing them within a SAP system.
These feature are an addition to the Vendor Invoice Management features that
form the VIMproduct.

Business rules
Rules that describe the operations, definitions and constraints that apply to an
organization

Business Transaction Event (BTE)

Event used for extending a Non PO invoice functionality to call a custom program

Central Audit Report

Part of the Central Reporting infrastructure. The Central Audit Report is a
slimmed VIM Analytics (VAN). The main difference to VAN is that the Central
Audit Report serves as a single point of access in a multiple backend scenario.

Central Reporting
Reporting infrastructure that provides several reports that enable you to measure
certain properties of VIM documents and their work items, in order to optimize
working with VIM. Central Reporting comprises the following individual reports:
Aging Report, Central Audit Report, Exception Analysis Report, Key Process Analytics
Report, Productivity Report, and Summary Report.

Characteristic
Type of InfoObject in SAP NetWeaver BW that represents descriptions of fields,
such as Vendor ID, Invoice Number, Unit of Measure, and Posting Date.

COA

See: Approval chart of authority (COA)

Coding
Coding allocates an invoice to G/L account and cost object if required.

Dashboard
User interface that organizes and presents information in a way that is easy to
read. Users can also perform actions from the dashboard.

VIM200400-GSM-EN-03 Security Guide 45

Glossary

Data Transfer Process (DTP)

Object in SAP NetWeaver BW to transfer data from source objects to target objects

Data View (View)

Dynamic part of a perspective. A set of views is shown in the template at specific
locations at runtime. For each perspective, you can define which view appears at
which location in its template. You can insert each view only once in each
perspective.

DataSource
Set of fields in SAP NetWeaver BW that provide the data for a business unit for
data transfer to the SAP NetWeaver BW system; technically, it contains an extract
structure and an extraction function module.

DataStore Object (DSO)

Storage location for consolidated and cleansed data in SAP NetWeaver BW

DocuLink
OpenText™ DocuLink for SAP Solutions enables the archiving, management and
retrieval of SAP CRM or SAP S/4HANA documents from within the SAP
infrastructure.

Document Processing (DP)

VIM component that captures invoice metadata including line items for PO and
performs preconfigured business rules

Document type
Type of document such as PO, Non PO, OCR, Non OCR

DP

See: Document Processing (DP)

DSO

See: DataStore Object (DSO)

DTP

See: Data Transfer Process (DTP)

EDI

See: Electronic Data Interchange (EDI)

46 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Glossary

Electronic Data Interchange (EDI)

Method for transferring data between different application systems in the form of
messages. SAP applications support EDI with messages sent in an SAP
Intermediate Document (IDoc) format. VIM supports the creation of vendor
invoices through the EDI/IDoc interface.

Event Type Linkage

Error handling method. Event Type Linkage determines what the application
should do in case an error could not be handled.

Exception Analysis Report

Part of the Central Reporting infrastructure. The Exception Analysis Report
reports all work items with exceptions, grouped by exception, company code or
vendor.

Exception
Action that is not part of normal operations or standards

FI

See: Financial Accounting (FI)

Financial Accounting (FI)

SAP module for the Finance and Accounting department

Fiori Task App

Light-weight web application following the design principles of SAP Fiori. It
provides an inbox showing the items that have been assigned to the logged-in
user. The user then is able to complete items by performing dedicated actions,
entering comments, and editing the data.

IAP

See: Invoice Approval (IAP)

IDoc

See: Intermediate Document (IDoc)

IE

See: Invoice Exception (IE)

VIM200400-GSM-EN-03 Security Guide 47

Glossary

Inbound Configuration
Connection to various inbound channels, for example scanned paper documents,
fax, email, or IDoc, and the corresponding configuration. Business Center
Inbound Configuration is also used in VIM.

Indexing
Process of entering or storing data into the system

InfoArea
Folder in SAP NetWeaver BW to organize InfoCubes, DataStore Objects, InfoObjects,
and InfoObject Catalogs

InfoCube
Self-contained dataset in SAP NetWeaver BW, for example, of a business-oriented
area; an InfoCube is a quantity of relational tables arranged according to the
enhanced star schema: A large fact table in the middle surrounded by several
dimension tables

InfoObject Catalog
Folder structure in SAP NetWeaver BW to organize InfoObjects

InfoObject
Smallest information unit in SAP NetWeaver BW. Key figures and Characteristics
are collectively called InfoObjects.

InfoPackages
Object in SAP NetWeaver BW that specifies when and how to load data from a
given source system to the SAP NetWeaver BW system

InfoProvider
Object in SAP NetWeaver BW for which queries can be created or executed.
InfoProviders are the objects or views that are relevant for reporting.

Intermediate Document (IDoc)

Standard SAP message document format for the EDI interface.

Invoice Approval (IAP)

VIM component that enables users to perform coding, approving and rejecting
invoices

Invoice Capture Center (ICC)

Optional VIM OCR component.

Invoice characteristic
A value specific to each invoice (for example country) that allows flexible
processing in VIM. An invoice characteristic is determined during runtime and
depends on the corresponding index data of the document.

48 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Glossary

Invoice coder
Person who enters the accounting info on invoices to allocate the cost

Invoice Exception (IE)

VIM component that handles the exceptions that arise after an SAP invoice is
created

Invoice requester
Person who requested goods and services for Non PO invoices

Key Figure
Type of InfoObject in SAP NetWeaver BW that represents numeric values or
quantities, such as Number of Invoices and Gross Invoice Amount.

Key Process Analytics Report

Part of the Central Reporting infrastructure. The Key Process Analytics Report
reports about a variety of key figures regarding the VIM process: It shows the
accumulated amounts of all documents in the DP workflow, in parked state and
in posted state.

KPI Dashboard
Tool for managers showing VIM related process data at a glance in graphical
charts.

LIV

See: Logistic invoice (LIV)

Logistic invoice (LIV)

purchase order invoice

Materials Management (MM)

Materials management module of the SAP S/4HANA software package. Materials
management is used for procurement and inventory management.

MM

See: Materials Management (MM)

Mobile Approval Portal

VIM component for approving invoices on mobile devices.

MultiProvider
Object in SAP NetWeaver BW that is based on InfoCube(s), DataStore Object(s),
and/or InfoObject(s). A MultiProvider is used as a layer for the creation of end user

VIM200400-GSM-EN-03 Security Guide 49

Glossary

queries; the MultiProvider itself does not contain any data; rather, data resides in
the BasisCubes.

Namespace
Name range reserved by SAP for customer objects and SAP objects to make sure
that objects are not overwritten by SAP objects during the import of corrections or
an upgrade

Non purchase order (Non PO)

Order that is not based on a PO

Non purchase order (Non PO) invoice (PIR)

Invoice based on a Non purchase order (Non PO)

Number range
Array of numbers that can be used for an object in the SAP S/4HANA system

OCR

See: Optical character recognition (OCR)

Optical character recognition (OCR)

Mechanical or electronic translation of images of handwritten, typewritten or
printed text (usually captured by a scanner) into machine-editable text

Park
Situation where an invoice is not posted and is waiting for further processing

Parked invoice document

Temporary document that the AP processor can change and post. SAP assigned
document number becomes real number when posted.

Persistent Staging Area (PSA)

Data staging area in SAP NetWeaver BW. It allows to check data in an
intermediate location before the data is sent to its destinations in SAP NetWeaver
BW.

Perspective
Web Services element that defines which item related data is displayed in the
Fiori Task App and where. A perspective defines the content and visual
appearance of items for a specific area of the screen in the Fiori Task App. The
Fiori Task App displays only one perspective at the same time.

PIR

See: Non purchase order (Non PO) invoice (PIR)

50 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Glossary

PO

See: Purchase order (PO)

Posted invoice document

Invoice that has already been posted in SAP S/4HANA. Only free-form text fields
can be changed. Related documents such as POs or good receipts may be created
or changed to effect the invoice. If the document is not needed, it must be
cancelled ( PO invoice) or reversed ( non-PO invoice).

Price variance
Situation where the price on the invoice is different from the price in the purchase
order

Process Chain
Sequence of processes in SAP NetWeaver BW that are scheduled to wait in the
background for an event; used to automate, visualize and monitor the processes.

Process Configuration
Easy and technically simplified configuration of complex business scenario
aspects. Process Configuration covers profile configuration, profile assignment,
and authorizations.

Process Foundation
Flexible framework to configure and run processes. It utilizes generic workflow
definitions, which are processed by the SAP Business Workflow engine.

Process options
Processing options for the user in the dashboard, such as Referral, Authorization,
and Actions

Process type
Process type for a document. The process type determines the initial actor and
various collaboration options available to the various actors during the process
flow.

Productivity Report
Part of the Central Reporting infrastructure. The Productivity Report reports
about the productivity of users/roles and the activities of users/roles.

PSA

See: Persistent Staging Area (PSA)

Purchase order (PO) invoice

Invoice based on a Purchase order (PO)

VIM200400-GSM-EN-03 Security Guide 51

Glossary

Purchase order (PO)

SAP module. PO indicates a document sent from a buyer to a seller. The purpose
of the document is to order the delivery of goods or services.

Quantity variance
Situation where the quantity on the invoice is different from the quantity in the
purchase order

Roles
Set of predefined roles for the SAP user

SAP Add-On Assembly Kit (AAK)

Standardized delivery procedure for software

SAP Customer Relationship Management (SAP CRM)

SAP application that provides software for ticket systems, for example in the
Accounts Payable department.

SAP NetWeaver Business Warehouse (SAP NetWeaver BW)

SAP application that allows to integrate, transform, and consolidate relevant
business information from productive SAP applications and external data
sources.

SAP Supplier Relationship Management (SAP SRM)

SAP application that automates, simplifies, and accelerates procure-to-pay
processes for goods and services.

Scan operator
Person who scans the invoices into images (may not have a SAP ID)

Summary Report
Part of the Central Reporting infrastructure. The Summary Report provides a
summary of all documents processed through VIM.

Transformation (TRF)
Object in SAP NetWeaver BW to connect source objects to data targets; it allows
to consolidate, cleanse and integrate data

TRF

See: Transformation (TRF)

VAN

See: VIM Analytics (VAN)

52 OpenText™ Vendor Invoice Management for SAP® Solutions VIM200400-GSM-EN-03

 Glossary

Vendor Invoice Management (VIM)

Packaged business solution that solves a business problem – paying correct
amount to vendors on-time and with the lowest cost. VIM delivers not technology
but best-practice business processes. VIM provides values to customers in process
efficiency, visibility and compliance.

VIM Analytics (VAN)

VIM component that gives users a clear data report on their invoices in progress.
VIM Analytics allows to track the documents routed through SAP workflows via
VIM.

VIM Workplace
Tool for VIM super users, which allows users to display lists of their work items
that meet a selection they have entered before. Users also can display work items
of other users and of their team as a whole.

Web Services
Underlying technical concept of the Fiori Task App interface. You configure the
complete content of the Fiori Task App either by customizing or by implementing
an interface for the Web Services.

Work object type

Processing object in the Business Center Workplace. It can represent a process
object, a SAP business object, or information from any SAP tables.

Workflow
SAP Business Workflows can be used to define business processes that are not yet
mapped in the SAP S/4HANA system.

VIM200400-GSM-EN-03 Security Guide 53