sbisht

Expense v4 API user-context model creates a major blocker for central ERP integrations

We are currently working on an SAP Concur Expense integration with Microsoft Dynamics 365 Business Central.

Our requirement is very simple from an enterprise integration point of view:

Retrieve approved expense report data centrally, transform it, post it into Business Central, and track posting success/failure.

However, the Expense v4 API design appears to create a major architectural problem for this use case.

Many Expense v4 endpoints require values such as userID, contextType, and reportId. For example, report retrieval is done in the form of fetching a report for a specific user/context.

Even when the OAuth application has the required scopes, the API still appears to depend on whether that specific user/context has permission to access the report and its related child data, such as expenses, allocations, itemisations, and receipts.

This creates a serious problem for a central ERP integration.

If permissions are kept strict, the integration fails for reports where the selected user/context cannot access the data.

If broader permissions are granted to make the integration work, this creates a security concern because access is being widened only to support an integration.

This does not feel suitable for a central finance/ERP posting process. A Business Central integration should not need to fetch expense reports “on behalf of” individual users. It should work as an authorised company-level/system integration and retrieve only the approved financial documents that are ready for ERP posting.

From my current understanding, Expense v4 may be enforcing Concur’s user-context security model, but that model does not align well with central reporting, finance extraction, or ERP posting requirements.

We are now exploring the Financial Integration Service (FIS) API because it appears closer to the correct architecture for ERP posting. However, our FIS endpoint currently returns an empty transaction list even though the token includes the FISVC scope.

Example endpoint being tested:

GET /financialintegration/fi/v4/companies/transactiontypes/expense/transactions

Example response:

{
  "links": [
    {
      "rel": "self",
      "href": "/fi/v4/companies/transactiontypes/expense/transactions"
    }
  ],
  "content": [],
  "page": {
    "size": 25,
    "totalElements": 0,
    "totalPages": 0,
    "number": 0
  }
}

We also tested with ignoreDocumentStatus, but understand that this flag may only be considered when docId is also supplied.

Questions for SAP / community:

  1. Is Expense v4 officially recommended for central ERP posting integrations?
  2. If yes, how is SAP expecting customers to avoid user-level permission dependency and over-permissioning?
  3. Is there a supported company-level access model for Expense v4 that allows central retrieval of approved reports without acting on behalf of individual users?
  4. For ERP posting use cases, is FIS the recommended approach instead of Expense v4?
  5. If FIS is the recommended approach, what exact SAP Concur configuration is required to make approved expense reports appear in the FIS transaction queue?
  6. Does FIS need to be enabled at company/group/policy level before the transaction endpoint returns data?
  7. What exact report/payment/accounting status is required before an expense report appears in the FIS READY queue?

At the moment, the Expense v4 model appears misaligned with enterprise ERP integration requirements. It may work for narrow user-context lookups, but it creates a security and scalability bottleneck for central finance integrations.

I would appreciate any guidance from SAP or anyone who has successfully implemented a central SAP Concur Expense to ERP posting integration without granting broad user/report permissions.
