Concur Invoice Professional Edition Administration Help

May 2018 Request Professional Edition Admin Summary

Last Update: 24 May, 2018

Request

Clarification: Opt Out of In-Product Messaging

For the past few months, there have been release notes about users being able to opt out of in-product messaging (IPM).

Just to clarify:

  • For customers deployed to the EMEA Data Centre, users were provided with the ability to opt out late last year.
  • For customers deployed to the North America Data Centre, users will be provided the ability to opt out in stages, with SAP Concur planning to have this feature fully available by the end of April.

Fetch Attendee Functionality Available for Request

The Fetch Attendee web service callout is now available for Request clients. The Concur Fetch Attendee callout allows clients to import attendee information from an external system to Request when a user is adding attendees to an expected expense. The Request service sends the attendee search fields to a custom connector, created by the client. The connector can be hosted by the client or Concur, and has access to the attendee system of record. The connector uses the attendee information sent from Request to search for all matching attendee records in the client’s system. Once the connector has the list of possible matches, it sends the attendee data to Request. The user sees the list of matches and can select the appropriate attendee for the expected expense.

This web service differs from the standard Concur web services in the following ways:

  • It uses an outbound message where Request calls a public facing API endpoint provided by the custom connector.
  • The client can configure and maintain the public web service interface (the custom connector), or the connector can be maintained by Concur.
  • The client Request administrator must create an Attendee Type to use the Fetch Attendee web service (external data source) before this service can be used.

Refer to the Authorisation Request: Attendees Setup Guide (English Only) for more information.

Refer to the Fetch Attendee information on the Concur Developer Portal: https://developer.concur.com (English Only)

Business Purpose / Client Benefit: This web service callout allows clients to manage their attendee details in a system external to Concur, only bringing attendee details into Concur when necessary.

New Cookie Preferences Link in the SAP Concur Footer

During the 12 May release, some cookie-related process changes and links were introduced because of specific consent requirements in Europe.

There are two types of consent when allowing cookies to be saved on the user's computer. As described on the following pages, each country decides which option to use. The options are:

  • Active consent: The user actively agrees to accept cookies. In this case, SAP Concur is required to obtain user consent before loading any cookies on a user's computer.
  • Passive consent: The user does not prevent cookies.

IMPORTANT

This release note discusses consent for and modification of cookies. Note the following:

  • TrustArc, a global privacy and data governance provider, monitors and manages the cookie-related processes for SAP Concur. Several consent options are described on the following pages:
    • Be aware that TrustArc provides all consent text and manages all translations of the consent text. Neither SAP Concur nor its customers can affect the text or translation in any way.
    • As described on the following pages, consent regulations differ by country. TrustArc determines the consent option that is appropriate for each user, based on each country's regulations. SAP Concur cannot affect that determination in any way nor does SAP Concur have a list of countries and their consent regulations.
    • Be aware that the "country" is defined as the one in which the user is physically located when they sign in to SAP Concur – not the user's home country as defined in their profile nor the user's company's location.
  • In accordance with regulations, the consent and modification processes described here must be completed by individual SAP Concur users. There is no option for companies to make these choices for their users.
  • Once a user has actively accepted cookies, they cannot modify their cookies options to stop accepting cookies except to remove all cookies and start over.

Business Purpose / Client Benefit: These changes keep SAP Concur in compliance with global privacy requirements.

Whitelist for TrustArc.com

As noted in the New Cookie Preferences Link in the SAP Concur Footer release note, cookie-related process changes were introduced because of specific consent regulations in Europe.

To ensure that SAP Concur properly responds to the regulations, SAP Concur has enlisted the assistance of TrustArc, a global privacy and data governance provider. Please ensure that your organisation's IT (or similar) department adds TrustArc.com to its whitelist, so TrustArc can properly monitor and manage these processes.

Business Purpose / Client Benefit: Whitelisting ensures that TrustArc has the proper access to manage consent requirements on behalf of SAP Concur.

New Early Access Feature for Outdated Data

SAP Concur has a new feature, Data Retention, that allows clients to control how long the Concur solution stores their data based on who, when and where criteria. A new shared role, Data Retention Administrator, has been created in the system and is required for accessing this feature.

The feature provides the following functionality:

  • Allows a company to set a specific amount of calendar time after which data such as old user profiles, itineraries and expense claims will be removed.
  • Provides strict access to policy configuration with an email notification.
  • Includes the ability to place a hold on a specific user whose data will be excluded by this feature when it is necessary or desirable to retain older data.
  • Includes the ability to remove the data of a specific user independent of the company-wide data retention configuration.
  • Provides a high-level summary of events to monitor data retention activities.

Business Purpose / Client Benefit: This feature gives clients the ability to meet their specific compliance needs regarding data retention.

**UPDATE** Processor Privacy Statement Link – Targeted for 25 May

"Privacy Agreement" Page Removed; New SAP Concur Privacy Statement

For customers who currently display the Privacy Agreement page to users, be aware that – with this release – SAP Concur will eliminate that page. That means the existing Privacy Agreement page will no longer display under any circumstances. With that, the options to customise the privacy agreement text and to apply policy (for example, to require that a user accept the privacy agreement) will be removed.

Also with this release, SAP Concur will provide a standard privacy statement, which can be accessed via a link in the page footer. The new SAP Concur Privacy Statement describes SAP Concur's responsibility as a "processor" of customer data.

Business Purpose / Client Benefit: The intent of the change is to ensure that all customers see the same unmodified SAP Concur Privacy Statement.

SAP Concur Updating to sap.com Email Addresses

SAP Concur is updating its employees' outgoing email to use sap.com instead of concur.com email addresses. This means clients will receive email communications from both domains. Clients may want to contact their IT department to add "sap.com" to their email whitelist.

Communications sent to SAP Concur using the concur.com email addresses will continue to be supported, including:

  • plans@concur.com
  • receipts@concur.com
  • and all other existing concur.com email addresses

Background: In January of this year, we shared with you our evolution to the SAP Concur logo and brand. As part of our evolution to the SAP Concur brand, and as we continue to leverage the assets available to us as members of the SAP family, you can expect to see email communication from Concur that may come from the @sap.com email domain, in addition to @concur.com. Rest assured, communication from either address will be from the same person, and you can engage with us via either address.

Business Purpose / Client Benefit: SAP Concur is moving to the SAP brand, which includes updating email communications to use email addresses on the sap.com domain.

Budget

New Budget Feature Generally Available

The Budget feature enables clients to set up all components of a budget: a fiscal year to determine the budget period; budget tracking fields to track spending on a cost centre (profit centre) level; budget categories to group expense types for budgets, which are the actual annual budgets; a budget manager hierarchy to match employees to the correct budgets; and budget items, which define the budget, including fiscal year, budget owner, budget name and description.

Business Purpose / Client Benefit: This feature makes budgets visible, actionable and real-time for approvers and budget owners, leading to high-quality spending decisions for Request clients.

Budget Release Notes

Clients can view new budget functionality and enhancements in the new Budget Release Notes which are located on the same page as the other product release notes.

Business Purpose / Client Benefit: Standalone release notes provide greater visibility for Concur Budget.

SAP Concur's Platform

Callout Server Requirements Update

The SAP Concur servers that support the SAP Concur Platform Callouts are scheduled for an upgrade. This maintenance includes the Production Proxy Migration (North America Data Centre only) and PWS Server Migration to VM (EMEA and North American Data Centres only). The PWS Server Migration to VM was completed on 2 May, 2018. The Production Proxy Migration began on 9 May, 2018, with one third of the traffic routed through the Production proxy. The other two thirds of the traffic is estimated to migrate through the Production proxy in the week of 14 May, 2018.

These servers support the following functionality:

  • Fetch Attendee Data Callout
  • Fetch List Item Callout
  • Event Notification Callout
  • Launch External URL Callout
  • Concur Salesforce Connector

Be aware that this maintenance means that for any customer callout URLs, SAP Concur has the following requirements:

  • The endpoint is secured with SSL/TLS.
  • The endpoint uses a minimum of TLS 1.0, but TLS 1.2 is preferred.
  • The endpoint must employ Diffie-Hellman cipher suites with key sizes >1024 bits.
  • Due to the ever-evolving world of SSL and standards, we do not publish a specific list of permitted cipher suites, but we generally advise that a modern industry supported list is utilised.
  • The endpoint must present an SSL certificate with a chain to a valid root that can be verified. If the chain cannot be verified without installing additional certificates, the calls from SAP Concur will fail.
  • Clients who whitelist access for Concur callout traffic from the North America Data Centre (not common) may need to update their access control list (ACL) to IP 12.129.29.86.
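
The endpoint requirements above can be applied and checked before SAP Concur's callouts reach the connector. The following is an added example, not SAP Concur code: it assumes a connector that terminates TLS with Python's ssl module, and all function names and file arguments are illustrative.

```python
import socket
import ssl

# Assumption: the custom connector terminates TLS with Python's ssl module.
# Function names and file arguments below are illustrative, not SAP Concur's.

def build_connector_context(certfile=None, keyfile=None, dhparams=None):
    """Server-side context for a callout endpoint: TLS 1.2+, (EC)DHE only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # 1.0 is the floor, 1.2 preferred
    # Only ephemeral Diffie-Hellman key exchange; no anonymous or PSK suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    if dhparams:
        # Finite-field DHE needs a group file; use one of 2048 bits or more.
        ctx.load_dh_params(dhparams)
    if certfile:
        # certfile should hold the leaf certificate followed by its intermediates,
        # so the caller can verify the chain without installing anything extra.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def weak_key_exchange_suites(ctx):
    """Names of enabled TLS 1.2-and-below suites without (EC)DHE key exchange."""
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites always use ephemeral (EC)DHE
        if not suite["name"].startswith(("ECDHE-", "DHE-")):
            weak.append(suite["name"])
    return weak

def caller_view_context():
    """Client context that verifies the chain against public roots only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host, port=443, timeout=5):
    """Connect as a strict caller would; raises ssl.SSLError on a bad chain."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with caller_view_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Running probe() against your own connector hostname from a machine with no private CA certificates installed approximates the verification the last certificate requirement describes.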

Business Purpose / Client Benefit: This maintenance will mitigate the out-of-warranty issue with our current hardware.

Planned Changes

The items in this section are targeted for future releases. Concur reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.

**Planned Changes** Support for Plain Text FTP to End on 1 September, 2018

SAP Concur announced the End of Support for plain text FTP to transfer data to and from SAP Concur.

Plain text FTP is not a secured protocol and has inherent security vulnerabilities. On 1 September, 2018, SAP Concur Operations will apply a security update to our File Transfer infrastructure, restricting the use of plain text FTP as a part of our ongoing commitment to securing our customers’ data and meeting the audited security requirements of the SAP Concur Trust Platform.

For more information, refer to the Plain Text FTP Retirement FAQ (English Only).

What This Means – The Client Experience: After 1 September, 2018, uploads of file types such as Employee, List, Attendee and other Import files, as well as downloads of SAE and other Extract files that use Plain Text FTP, will not be accepted via SAP Concur’s Filemover system. This will significantly impact client usage of SAP Concur products such as Concur Travel, Concur Expense and Concur Invoice, as well as integration activities to customers’ financial systems. There will be no exceptions beyond 1 September, 2018.

Client Notifications

SAP Concur Non-Affiliated Subprocessors

The list of non-affiliated subprocessors is available here: SAP Concur Non-Affiliated Subprocessors (English only)

Monthly Browser Certifications

Monthly browser certifications, both current and planned, are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition