SAP & OutSystem Security

How to hack SAP with OutSystems, and how to avoid being hacked.

Secure your SAP OutSystems Integration

Implement Principal Propagation with SAP & OutSystems

Principal Propagation with SAP & OutSystems

SAP Indirect access

OutSystems integration with SAP is considered indirect access
How to hack SAP with OutSystems ;-)

SAP Digital core

SAP made it easy to connect to its Digital Core
SAP OutSystems integration, how to deal with indirect access

SAP Licence model

The SAP License model, document based Indirect Access.
Secure your SAP OutSystems Integration

OutSystems mobile- or web applications can be integrated with SAP.

Complement your SAP environment to create a modern and future-proof system, but make sure you are secure!

Extend SAP by using OutSystems

A bunch of reasons leads our customers to choose a low-code platform like OutSystems on top of their SAP landscape.

Does this sound too good to be true? Well, it isn’t! But nevertheless, there are some issues that should be carefully considered. One of them is how to deal with SAP’s license model which these pages are about.

Does this sound too good to be true? Well, it isn’t! But nevertheless, there are some issues that should be carefully considered. One of them is how to deal with security in the SAP-OutSystems integration scenario, which these pages are about.

It almost sounds too good to be true: connect, search and use SAP services in OutSystems. Is it really this simple? Of course, nothing is ever that simple in the IT world. From a technical perspective, using a BAPI (Business Application Programming Interface) is easy enough. But when you do, apart from technical and functional SAP know-how, there are some subjects that need thorough attention. One of them is SAP-OutSystems security.

SAP, as most OutSystems developers know by now, comes packed with functions to create or update its business objects, such as sales orders, purchase orders and plant maintenance orders. B-Synergy and OutSystems implemented, in close collaboration, the functionality in OutSystems to consume those functions. Since these functions can be called from outside SAP, they are called RFCs (Remote Function Calls). The more complex ones are called BAPIs (Business Application Programming Interfaces).

Reasons to choose LowCode & SAP

-Short delivery time of mobile and web applications
-Overall reduction of IT costs
-Increased efficiency of business processes
-New business model opportunities
-Offering customer-friendly solutions

How to hack SAP with OutSystems?

"If you're in a business that's worth being in, there's someone out there who will find your information valuable"
This is a lesson that more and more corporations are learning.

"Although attacks by outside hackers -- people who illegally access electronic systems to obtain secret information or steal money -- generally receive more publicity, insiders pose a far greater threat to computer security," according to The Lipman Report, a monthly management newsletter published by security consulting firm Guardsmark Inc.

OutSystems comes with the functionality to very easily get data out of SAP ECC or S/4HANA by using RFCs. Most companies that want to benefit from this SAP-OutSystems synergy are not aware of this and have not implemented security measures that keep their SAP systems from prying eyes. This is a serious security risk and, from a legal perspective, could be seen as negligence in court cases where private data was stolen.
How easy is it actually to breach an SAP system with OutSystems? Well, when you are using a technical SAP user to integrate with OutSystems, a junior developer can make ALL of your SAP publicly available for querying.
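The difference between a shared technical user and per-user identities can be modelled in a few lines. The following is an added example, not code from B-Synergy, OutSystems or SAP: it assumes that with principal propagation SAP checks each call against the end user's own SAP user, and all user names, mappings and authorization sets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    app_user: str   # person logged in to the OutSystems application
    function: str   # RFC/BAPI invoked by the application screen

# RFC functions each SAP user may call (constructed sample data).
SAP_AUTH = {
    "TECH_OUTSYS": {"BAPI_SALESORDER_GETLIST", "BAPI_PO_GETDETAIL",
                    "BAPI_EMPLOYEE_GETDATA"},
    "ALICE": {"BAPI_SALESORDER_GETLIST"},
    "BOB": {"BAPI_PO_GETDETAIL"},
}
# OutSystems login -> personal SAP user; only used when propagating identity.
USER_MAP = {"alice@example.com": "ALICE", "bob@example.com": "BOB"}

def effective_sap_user(call, propagate):
    """Return the SAP user whose authorizations are checked for this call."""
    if not propagate:
        return "TECH_OUTSYS"             # every caller shares one identity
    return USER_MAP.get(call.app_user)   # None: no SAP identity, no access

def allowed(call, propagate):
    sap_user = effective_sap_user(call, propagate)
    return sap_user is not None and call.function in SAP_AUTH.get(sap_user, set())

def excess_access(calls):
    """Calls that succeed via the technical user but would be refused if
    SAP checked the end user's own authorizations."""
    return [c for c in calls if allowed(c, False) and not allowed(c, True)]

CALLS = [
    Call("alice@example.com", "BAPI_SALESORDER_GETLIST"),
    Call("alice@example.com", "BAPI_EMPLOYEE_GETDATA"),
    Call("bob@example.com", "BAPI_EMPLOYEE_GETDATA"),
    Call("guest@example.com", "BAPI_PO_GETDETAIL"),
]

if __name__ == "__main__":
    for c in excess_access(CALLS):
        print(f"{c.app_user} reaches {c.function} only via the technical user")
```

Every entry returned by `excess_access` is access that exists only because the integration runs under one shared identity, which is what an audit of the integration needs to surface.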

It is therefore very worrying that all but 1 customer B-Synergy has encountered in almost 10 years of SAP-OutSystems experience has a security layer implemented. Without naming true identities, a big Dutch brewery, an orange rental company, a large chemical plant, a large bakery and a major retailer are all at serious risk!

B-Synergy can audit your SAP-OutSystems integration in 1 day to help you avoid intentional or unintentional SAP-OutSystems security breaches. When we find threats you can implement security measures yourselves or implement the security layer as provided by B-Synergy.

When you are an SAP partner or OutSystems partner, B-Synergy is more than willing to help secure your customers, the employees of your customers and the customers of your customers. Another good contact in this regard is Craig Terblanche, Chief Transformation Advisor at ExoSystems.

SAP-OutSystems Security: Better Safe than Sorry.

Principal Propagation with SAP & OutSystems

SAP-OutSystems Login Ticket

SAP Logon Tickets are native to SAP and will be issued only in exchange for valid credentials (during logon / inbound communication).

-typically transmitted as a (non-persistent) browser cookie

-transmitted whenever the browser sends a HTTP request to a server (domain constraints apply)

-designed to be used for cross-system SSO (Portal scenario)

SAP Logon ticket creation is not supported by OutSystems as a standard function in their SAP utilities.

The two ticket-based methods are native to SAP ECC and S/4HANA and are only for native SAP HANA users, as they do not map user information into SAP HANA from external applications. Thus, the logon ticket and assertion ticket methods are a direct way of user authentication. Users requesting access to the SAP ECC or HANA system are issued user-specific tickets with which they get access to the system. The user tickets can be created in the SAP ECC or HANA system or from OutSystems directly through an SAP-OutSystems Security layer as an extension in OutSyst

Difference between BAPI and RFC?

Business Application Programming Interface

BAPI stands for Business Application Programming Interface. It is a library of functions that are released to the public as an interface into an existing SAP system from an external system. RFC is the protocol used to call functions in an R/3 system by a caller external to R/3, or to call programs external to R/3 from an R/3 system.

Remote Function Call

Functions can only be called via RFC if they are tagged as RFC functions in the SAP development workbench. They are then called RFC function modules. BAPIs are complete sets of (BAPI) function modules that model a business application. If you are familiar with web development: RFC can be compared to HTTP, and BAPIs to CGI applications. In other words: a BAPI function is a function module that can be called remotely using the RFC technology.

All BAPIs are RFCs

An RFC (Remote Function Call), describes an external interface to a system function module available in SAP. For example, getting the system parameters is a system function available via RFC. A BAPI (Business Application Programming Interface), is an RFC-enabled function module that provides external access to an SAP business application such as creating a sales order. In effect, all BAPIs are RFCs but there is a superset of RFCs that are not considered BAPIs. Really, two sides of the same coin.

Business Object Repository

BAPIs are RFC-enabled function modules. The difference between RFC and BAPI is business objects. You create business objects, and those are then registered in your BOR (Business Object Repository), which can be accessed from outside the SAP system by other (non-SAP) applications written in, for example, VB or Java. In this case you only specify the business object and its method from the external system; with a BAPI there is no direct system call, while an RFC is a direct system call. Some BAPIs provide basic functions and can be used for most SAP business object types. These BAPIs should be implemented the same for all business object types. Standardized BAPIs are easier to use and prevent users from having to deal with a number of different BAPIs. Whenever possible, a standardized BAPI must be used in preference to an individual BAPI.

SAP & OutSystems ODATA

Under the hood, SAP OData services use BAPIs and RFCs for functions that involve business logic. This is because SAP is built on ABAP, and a conversion must take place from the web protocol to SAP-native ABAP.

SAP & OutSystems SOAP

As with OData web services, SOAP services use BAPIs and RFCs. Within a server-to-server integration like SAP and OutSystems, there is no point in creating web services for BAPIs. It is just more work and more maintenance, and you will not be able to keep your SAP system standard.

SAP Business Suite services

By exposing SAP Business Suite functionality as REST-based OData (Open Data Protocol) services, SAP Gateway enables SAP applications to share data with a wide range of devices, technologies, and platforms in a way that is easy to understand and consume. Use standard GET, PUT, POST, DELETE, and QUERY. If you know where to GET data, you know where to PUT it, and you can use the same format.

OData is a Web protocol for querying and updating data, applying and building on Web technologies such as HTTP, Atom Publishing Protocol (AtomPub), and RSS (Really Simple Syndication) to provide access to information from a variety of applications. It is easy to understand and extensible and provides consumers with a predictable interface for querying a variety of data sources.

AtomPub is the standard for treating groups of similar information snippets as it is simple, extensible, and allows anything textual in its content. However, as so much textual enterprise data is structured, there is also a requirement to express what structure to expect in a certain kind of information snippet. As these snippets can come in large quantities, they must be trimmed down to manageable chunks, sorted according to ad-hoc user preferences, and the result set must be stepped through page by page.

OData provides all of the above as well as additional features, such as feed customization that allows mapping part of the structured content into the standard Atom elements, and the ability to link data entities within an OData service (via "…related…" links) and beyond (via media link entries). This facilitates support of a wide range of clients with different capabilities.

Benefits SAP ODATA

Obtain human readable results; you can use your browser to see what data you will get.
Use stateless applications
Receive related pieces of information, one leading to another.
Aware of query options, tailoring the OData services to their needs.

More on ODATA

OData is also extensible, like the underlying AtomPub, and thereby allows the addition of features that are required when building easy-to-use applications, both mobile and browser-based. SAP Gateway uses OData for SAP Products, which contains SAP-specific metadata that helps the developer to consume SAP business data, such as descriptions of fields that can be retrieved from the SAP ABAP Dictionary. The following are examples of OData for SAP applications:

-Human-readable, language-dependent labels for all properties (required for building user interfaces).

-Free-text search, within collections of similar entities, and across collections using OpenSearch. OpenSearch can use the Atom Syndication Format for its search results, so the OData entities that are returned by the search fit in, and OpenSearch can be integrated into AtomPub service documents via links with rel="search", per collection as well as on the top level. The OpenSearch description specifies the URL template to use for searching, and for collections it simply points to the OData entity set, using a custom query option with the name of "search".

-Semantic annotations, which are required for applications running on mobile devices to provide seamless integration into contacts, calendar, and telephony. The client needs to know which OData properties contain a phone number, a part of a name or address, or something related to a calendar event.

Not all entities and entity sets will support the full spectrum of possible interactions defined by the uniform interface, so capability discovery will help clients avoid requests that the server cannot fulfil. The metadata document will tell whether an entity set is searchable, which properties may be used in filter expressions, and which properties of an entity will always be managed by the server.
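Capability discovery is also a quick way to review what a service lets a client do before it is wired into an application. The following added example (not from the original page) parses a constructed `$metadata` excerpt and reports searchable sets, permitted write operations, filterable properties and server-managed properties; the service and entity names are made up, and the defaults for absent `sap:` annotations are assumed to follow SAP's OData V2 conventions.

```python
import xml.etree.ElementTree as ET

EDM = "{http://schemas.microsoft.com/ado/2008/09/edm}"
SAP = "{http://www.sap.com/Protocols/SAPData}"

# Constructed $metadata excerpt; ZDEMO_SRV and its entities are made up.
METADATA = """<edmx:Edmx Version="1.0"
  xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx"
  xmlns:sap="http://www.sap.com/Protocols/SAPData">
 <edmx:DataServices>
  <Schema xmlns="http://schemas.microsoft.com/ado/2008/09/edm" Namespace="ZDEMO_SRV">
   <EntityType Name="SalesOrder">
    <Key><PropertyRef Name="OrderID"/></Key>
    <Property Name="OrderID" Type="Edm.String" sap:creatable="false" sap:updatable="false"/>
    <Property Name="Customer" Type="Edm.String"/>
    <Property Name="NetValue" Type="Edm.Decimal" sap:filterable="false"/>
   </EntityType>
   <EntityContainer Name="ZDEMO_SRV_Entities">
    <EntitySet Name="SalesOrders" EntityType="ZDEMO_SRV.SalesOrder"
      sap:searchable="true" sap:deletable="false"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

def flag(elem, name, default):
    """Read a sap:<name> annotation; an absent annotation takes the default."""
    return elem.get(SAP + name, default) == "true"

def capabilities(metadata_xml):
    """Summarise, per entity set, what the metadata allows a client to do."""
    root = ET.fromstring(metadata_xml)
    types = {t.get("Name"): t for t in root.iter(EDM + "EntityType")}
    report = {}
    for es in root.iter(EDM + "EntitySet"):
        etype = types[es.get("EntityType").rsplit(".", 1)[-1]]
        props = etype.findall(EDM + "Property")
        report[es.get("Name")] = {
            "searchable": flag(es, "searchable", "false"),
            "writable": [op for op in ("creatable", "updatable", "deletable")
                         if flag(es, op, "true")],
            "filterable": [p.get("Name") for p in props if flag(p, "filterable", "true")],
            "server_managed": [p.get("Name") for p in props
                               if not flag(p, "creatable", "true")
                               and not flag(p, "updatable", "true")],
        }
    return report

if __name__ == "__main__":
    for name, caps in capabilities(METADATA).items():
        print(name, caps)
```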

Most of the applications for "light-weight consumption" follow an interaction pattern called "view-inspect-act", "alert-analyze-act", or "explore & act", meaning that you somehow navigate (or are led) to an entity that interests you, and then you have to choose what to do. The chosen action eventually results in changes to this entity, or entities related to it, but it may be tricky to express it in terms of an Update operation, so the available actions are advertised to the client as special atom links (with an optional embedded simplified "form" in case the action needs parameters) and the action is triggered by POSTing to the target URI of the link.

SAP-OutSystems Security protocols

The key is to remember that the CIO is accountable for the overall security and compliance of the enterprise. At this level, there is little room for distinction between general IT security, such as email, firewalls and Web servers, and SAP-OutSystems security, which includes the control of how people access the system, the data they process, and the functionality they execute. Effective IT departments adopt a similar philosophy by viewing the IT security picture in its entirety across the whole organization, thereby reducing the risk of breaches of any kind.
B-Synergy delivers the service of a one-day SAP-OutSystems security audit. That can help the CIO responsible for SAP-OutSystems integrations decide on SAP-OutSystems measures to take, and architectures to follow.

Do's and don'ts of SAP OutSystems integration

SAP IDOC with OutSystems

IDoc, short for Intermediate Document, is an SAP document format for business transaction data transfers.[1] Non-SAP systems can use IDocs as the standard interface for data transfer.[2] IDoc is similar to XML in purpose but differs in syntax. Both serve the purpose of data exchange and automation in computer systems, but IDoc technology takes a different approach.

While XML allows having some metadata about the document itself, an IDoc is obliged to have information at its header like its creator, creation time etc. While XML has a tag-like tree structure containing data and meta-data, IDocs use a table with the data and meta-data. IDocs also have a session that explains all the processes in which the document passed or will pass, allowing one to debug and trace the status of the document.

Different IDoc types are available to handle different types of messages. For example, the IDoc format ORDERS01 may be used for both purchase orders and order confirmations.

IDoc technology offers many tools for automation, monitoring and error handling. For example, if the IDocs are customised that way on a particular server, then when a user of an SAP R/3 system creates a purchase order, it is automatically sent via an IDoc and a sales order is immediately created on the vendor's system.

When this order cannot be created because of an application error (for example: The price per piece is lower than allowed for this material), then the administrator on the vendor's system sees this IDoc among the erroneous ones and can solve the situation. If the error is in the master data at the vendor's system, he can correct them and order the IDoc to be processed again.

Because of the flexibility and transparency of IDoc technology, some non-SAP technologies use them as well.

