SAP & OutSystem Security
A bunch of reasons leads our customers to choose a low-code platform like OutSystems on top of their SAP landscape.
Does this sound too good to be true? Well, it isn’t! But nevertheless, there are some issues that should be carefully considered. One of them is how to deal with SAP’s license model which these pages are about.
Does this sound too good to be true? Well it isn’t! But nevertheless, there are some issues that should be carefully considered. One of them is how to deal with security on SAP-OutSystems integration scenario which these pages are about.
It almost sounds to good to be true, Connect, Search and use SAP Services in OutSystems. Is it really this simple. Off course nothing is ever as simple in the IT world. From a technical perspective usin a BAPI (Business Application Programming Interface is easy enough. But when you do apart from technical and functional SAP knowhow there are some subjects that need thorough observation. One of them being the SAP-OutSystems Security.
SAP, as most OutSystems developers know by now comes packed with functions to create or update their business object like sales orders, purchase orders Plant Maintenance Orders etc. B-Synergy and OutSystems implemented in close collaboration the functionality in OutSystems to consume those functions. Since these functions can be called from outside SAP they are called RFC's (Remote Function Calls). The more complex ones are called BAPI's (Business Application Programming Interface)
OutSystems comes with the functionality to very easily get data out of SAP ECC or S/4HANA by using RFC's.. Most companies that want to benefit from this SAP-OutSystems synergy are not aware and have not implemented Security measures that keep your SAP systems from prying eyes. This comes as a serious security risk and does from a legal perspective could be seen as negligence in court cases where Private data was stolen.
How easy is it actually to breach an SAP System with OutSystems? Well, when you are using a technical SAP user to integrate with OutSystems a junior developer can make ALL of your SAP publicly available for querying.
It is therefore very worrying that all but 1 customer B-Synergy has encountered in almost 10 years of SAP-OutSystems experience has a security layer implemented. Without naming true identities a big dutch brewerie, an orange rental company, a large chemical plant, a large bakery and a major retailer are all at serious risk!
B-Synergy can audit your SAP-OutSystems integration in 1 day to help you avoid intentional or unintentional SAP-OutSystems security breaches. When we find threats you can implement security measures yourselves or implement the security layer as provided by B-Synergy.
When you are an SAP Partner or OutSystems partner, B-Synergy is more than willing to help secure your customers, the employees of your customer and the customers of the customer, another good address company to talk to in this regard is Craig Terblanche- Chief Transformation Advisor at ExoSystems
SAP Logon Tickets are native to SAP and will be issued only in exchange for valid credentials (during logon / inbound communication).
-typically transmitted as a (non-persistent) browser cookie
-transmitted whenever the browser sends a HTTP request to a server (domain constraints apply)
-designed to be used for cross-system SSO (Portal scenario)
SAP Logon ticket creation is not supported by OutSystems as a standard function in their SAP utilities
The two ticket-based methods are native to SAP ECC and S/4HANA and are only for native SAP HANA users as it does not map user information into SAP HANA from external applications. Thus, the logon tickets and assertion tickets method is a direct way of user authentication. The users requesting access to SAP ECC or HANA system are issued user-specific tickets using which they get access into the system. The user tickets can be created in the SAP ECC or HANA system or from OutSystems directly through an SAP-OutSystems Security layer as an extension in OutSyst
Underwater SAP ODATA services use BAPIs and RFCs for functions that involve business logic. This is because SAP is built on ABAP and conversion must take place from web protocol to sap native ABAP.
OData is a Web protocol for querying and updating data, applying and building on Web technologies such as HTTP, Atom Publishing Protocol (AtomPub), and RSS (Really Simple Syndication) to provide access to information from a variety of applications. It is easy to understand and extensible and provides consumers with a predictable interface for querying a variety of data sources.
AtomPub is the standard for treating groups of similar information snippets as it is simple, extensible, and allows anything textual in its content. However, as so much textual enterprise data is structured, there is also a requirement to express what structure to expect in a certain kind of information snippet. As these snippets can come in large quantities, they must be trimmed down to manageable chunks, sorted according to ad-hoc user preferences, and the result set must be stepped through page by page.
OData provides all of the above as well as additional features, such as feed customization that allows mapping part of the structured content into the standard Atom elements, and the ability to link data entities within an OData service (via "…related…" links) and beyond (via media link entries). This facilitates support of a wide range of clients with different capabilities
More on ODATA
IDoc, short for Intermediate Document, is an SAP document format for business transaction data transfers. Non SAP systems can use IDocs as the standard interface (computing) for data transfer. IDoc is similar to XML in purpose but differs in syntax. Both serve the purpose of data exchange and automation in computer systems, but IDoc-Technology takes a different approach.
While XML allows having some metadata about the document itself, an IDoc is obliged to have information at its header like its creator, creation time etc. While XML has a tag-like tree structure containing data and meta-data, IDocs use a table with the data and meta-data. IDocs also have a session that explains all the processes in which the document passed or will pass, allowing one to debug and trace the status of the document.
Different IDoc types are available to handle different types of messages. For example, the IDoc format ORDERS01 may be used for both purchase orders and order confirmations.