SAP Restricts HR Data API Access, Pushing OData

SAP has prohibited external customers and third-party applications from using the RFC modules of its ODP Data Replication API to extract data from ABAP data sources, and now mandates OData APIs for external integrations. This technical shift changes how HR tech vendors can reach SAP HR data and raises the bar for security and compliance.

- The shift away from RFC for external access is driven by the need for modern, secure and traceable interfaces. OData is built on web standards (HTTP, REST and JSON), so every data request is a discrete HTTP call that can be authenticated, authorized and logged on its own. RFC access, by contrast, could allow an external system to execute function modules without robust authorization checks. The change also lets SAP and its customers audit data access more precisely, a key requirement for compliance with regulations such as GDPR.
- SAP's move aligns with its broader "Clean Core" strategy, which keeps the central ERP system free of modifications and uses APIs for extensions and integrations instead. This API-first approach is central to SAP Business Technology Platform (BTP), which promotes pre-built connectors and a managed API layer for connecting SAP and non-SAP applications.
- OData provides a more flexible and standardized way to query data than the rigid structures of RFC. Filtering, sorting and paginating results are expressed through URL parameters ($filter, $orderby, $top and $skip), which reduces the development effort for third-party integrators compared with building custom RFC modules. The caveat: while OData is well suited to transactional queries, it can be less efficient for large-scale bulk data extraction, which is what the ODP replication API was used for.
- SAP Note 3255746 was first published in 2022 and stated that third-party use of the ODP APIs was unsupported; the update of February 2, 2024 explicitly prohibited it. SAP Notes are not in themselves legally binding, but these restrictions are expected to be incorporated into future client contracts.
- The change significantly affects HR tech vendors and data integration platforms whose connectors use RFC within the ODP framework. They must re-architect their integrations around OData or other SAP-certified methods to remain compliant and supported. Any technical issues arising from continued use of the now-banned RFC modules are the sole responsibility of the customer or third-party vendor.
- For HR tech companies, the shift requires a sound grasp of modern API security, in particular OAuth 2.0, to secure and authorize access to sensitive employee data through OData services. The move away from a proprietary protocol also lowers the barrier to entry for developers who are more familiar with open standards such as REST and JSON.
- The transition is not without challenges for vendors: the cost and effort of re-platforming, compatibility across SAP S/4HANA and ECC versions, and managing change for customers. Data privacy and compliance, especially given the cross-border nature of HR data, remain critical considerations throughout.
- The shift can also be read as SAP seeking more control over its ecosystem and steering customers towards its own data integration products, such as SAP Datasphere. By decertifying third-party ETL tools that rely on the forbidden technology, SAP is building a more walled garden, which may raise the total cost of ownership for customers who depend on a diverse set of data tools.
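The points above about OData query options, paging and OAuth 2.0 bearer tokens are easier to see in code. The following is an added example written for this page, not SAP's code or any vendor's connector. It assumes a hypothetical Gateway service ZHR_EMPLOYEE_SRV with an entity set EmployeeSet under the usual /sap/opu/odata/sap/ path, a constructed bearer token, and a constructed in-memory stand-in for the Gateway so that it runs offline. It shows how to quote user input as an OData string literal so it cannot break out of a $filter expression, how to compose the query URL, and how to follow OData v2 server-driven paging (d.__next) while presenting the token on every request.

```python
"""Added example (not SAP code): building OData v2 queries for an SAP Gateway
service, escaping string literals, following server-driven paging, and sending
an OAuth 2.0 bearer token. Service path, entity set and token are assumptions."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# ASSUMPTION: SAP Gateway exposes services under /sap/opu/odata/sap/<SERVICE>;
# the host, the service ZHR_EMPLOYEE_SRV and the entity set EmployeeSet are
# hypothetical names used only for this illustration.
BASE_URL = "https://s4.example.internal/sap/opu/odata/sap/ZHR_EMPLOYEE_SRV"
VALID_TOKEN = "constructed-access-token"  # would be issued by an OAuth 2.0 token endpoint

# A transport takes (url, headers) and returns the parsed JSON response body.
Transport = Callable[[str, Dict[str, str]], dict]


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal. Single quotes are doubled, so
    user-supplied input cannot close the literal and append its own clauses
    (the OData counterpart of SQL injection inside a $filter expression)."""
    return "'" + value.replace("'", "''") + "'"


def build_query(entity_set: str, *, filter_expr: Optional[str] = None,
                select: Optional[List[str]] = None, orderby: Optional[str] = None,
                top: Optional[int] = None, skip: Optional[int] = None) -> str:
    """Compose an entity-set URL from OData system query options."""
    params: Dict[str, str] = {}
    if filter_expr:
        params["$filter"] = filter_expr
    if select:
        params["$select"] = ",".join(select)
    if orderby:
        params["$orderby"] = orderby
    if top is not None:
        params["$top"] = str(top)
    if skip is not None:
        params["$skip"] = str(skip)
    params["$format"] = "json"
    # quote (not quote_plus) encodes spaces as %20, which Gateway expects in $filter.
    return f"{BASE_URL}/{entity_set}?{urlencode(params, safe='$,', quote_via=quote)}"


def iter_entities(url: str, token: str, transport: Transport) -> Iterator[dict]:
    """Follow OData v2 server-driven paging: each page's d.__next holds the URL
    of the next page; the server omits it on the last page. The bearer token
    is sent on every request, so each page is an individually authorized call."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    next_url: Optional[str] = url
    while next_url:
        payload = transport(next_url, headers)["d"]
        yield from payload["results"]
        next_url = payload.get("__next")


def collect_employee_ids(token: str, transport: Transport, last_name: str) -> List[str]:
    """Fetch every EmployeeId matching last_name across all pages."""
    url = build_query("EmployeeSet", select=["EmployeeId"],
                      filter_expr=f"LastName eq {odata_string(last_name)}",
                      orderby="EmployeeId")
    return [row["EmployeeId"] for row in iter_entities(url, token, transport)]


def make_fake_gateway(rows: List[dict], page_size: int) -> Transport:
    """Constructed stand-in for a Gateway with server-side paging enabled: it
    checks the bearer token, serves page_size rows per call and emits __next
    with a $skiptoken. It ignores $filter/$select; it is not an SAP endpoint."""
    def transport(url: str, headers: Dict[str, str]) -> dict:
        if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            raise PermissionError("401 Unauthorized: missing or invalid bearer token")
        parts = urlsplit(url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        start = int(query.get("$skiptoken", "0"))
        page: dict = {"results": rows[start:start + page_size]}
        if start + page_size < len(rows):
            page["__next"] = (f"{parts.scheme}://{parts.netloc}{parts.path}"
                              f"?$skiptoken={start + page_size}")
        return {"d": page}
    return transport


# Constructed sample data standing in for the HR entity set.
SAMPLE_ROWS = [{"EmployeeId": f"{n:08d}", "LastName": "O'Brien"} for n in range(1, 6)]

if __name__ == "__main__":
    name = "O'Brien"  # the apostrophe is exactly what odata_string must neutralize
    gateway = make_fake_gateway(SAMPLE_ROWS, page_size=2)
    print(build_query("EmployeeSet", filter_expr=f"LastName eq {odata_string(name)}", top=2))
    print(collect_employee_ids(VALID_TOKEN, gateway, name))
```

The escaping step is the part most often skipped in hastily ported connectors: concatenating a raw search string into $filter lets a caller who controls that string rewrite the predicate, the same class of bug as SQL injection. Paging is kept separate from query construction so that a real HTTP transport (for example a requests session that refreshes the OAuth 2.0 token) can replace the constructed gateway without touching the query logic.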

Shared from Scout.