SAP Interfaces: Use Prohibited

I want to take the time to look into the update to SAP Note 3255746—„Unpermitted usage of ODP Data Replication APIs“—dated April 13, 2026. 

SAP Note 3255746

Looking back, we can see the milestones through which SAP Note 3255746 has evolved to its current state: The first version of SAP Note 3255746 was published on October 17, 2022. Among other things, it stated: SAP does not support the use of RFC function modules from the ODP data replication API in customer or third-party applications. These function modules are intended solely for internal SAP applications. Since they are neither released nor documented, SAP may change them at any time without prior notice. Customer or partner applications that use these function modules do not comply with SAP’s recommendations for a sustainable and business-critical architecture. Any issues that arise from or are caused by such applications are the customer’s responsibility, and SAP does not provide support for solutions to these issues. As a solution, SAP essentially referred to the help article „ODP-Based Data Extraction via OData“ in October 2022.

On February 2, 2024, SAP then significantly revised the text. The note, in its V4 version at the time, read as follows: SAP does not permit the use of RFC modules from the Operational Data Provisioning (ODP) data replication API by customer or third-party applications to access SAP ABAP sources (on-premises or Cloud Private Edition). These modules are intended solely for SAP’s internal applications and may be modified by SAP at any time without prior notice. The proposed solution remained unchanged in this update. On April 13, 2026, version 10 was released, which was later slightly modified on April 21. Here, SAP announces that on Patch Day, June 9, 2026, it will technically block the unauthorized use of the interfaces. The block is justified on the grounds of significant security risks. The note now states the following as a solution: Customers can, as described in the documentation, explore alternatives for transferring data to third-party applications, including the SAP Business Data Cloud (BDC) or the ODP-OData API (ODP-based data extraction via OData). Since the editorial deadline for the publication of this article in July 2026 was before June 9, 2026, I do not wish to speculate further here on how the announced security patches have affected the data exports of individual SAP customers.

Relevance for the executive level?

What is certain, however, is that the use of the ODP-RFC API by customer and third-party applications—which has been declared „prohibited“ since February 2024—has become widespread among SAP customers around the globe. In some cases, regulatory reports depend on the prohibited export of SAP data via this interface. Financial and governance processes—including earnings reports for publicly traded companies—are also potentially affected by the block.

This means that the announcement of a technical block on the interface for unauthorized applications—enforced via a security patch—is not a technical issue for the IT department. It has direct relevance for executive boards and supervisory boards, which are responsible for ensuring the company’s proper reporting. In the end, it’s like concrete: it all depends on what you do with it.

The solutions proposed by SAP deserve due recognition. But in my experience, SAP solutions are never black and white, and I don’t know of any customer who licenses the Business Data Cloud for all of their SAP data, for example. On the other hand, I do know several customers for whom the achievable data throughput when using the ODP-ODATA API is far from sufficient.

Conclusion: It's all about the mix

My recommendation to SAP customers is—and this has become even more apparent since the announcements at Sapphire in Orlando and Madrid—that the path forward will not work for SAP customers without BDC. However, SAP customers will not be able to—or will not want to—afford BDC for all their SAP data. In particular, it seems to me that using BDC purely as a tool for exporting SAP data to other systems is a waste of resources. For those who want to use such SAP data outside the SAP stack—where BDC is not yet in use and is not intended to be used—there is a solid and cost-effective solution available that does not compromise the “clean core” principle. (Source: Mehr.Sale)