Meet the Authors

Key Takeaways What you need to know
  1. SAP Note 3255746 reached Version 11 in April 2026, prohibiting ODP-RFC for SAP-to-non-SAP data integration across on-premises and private cloud landscapes.

  2. From June 2026, a security patch will technically block unauthorized ODP-RFC calls, disabling non-compliant integrations touching S/4HANA, BW, and ECC.

  3. SAP recommends Business Data Cloud and ODP OData, while Theobald Software offers component-specific migration paths like Table CDC, DeltaQ, and Table with CDS View.

If an organization moves SAP data into a non-SAP analytics platform, a data warehouse, or a lakehouse, a compliance clock is ticking that most teams have not fully registered. SAP Note 3255746 reached Version 11 on April 21, 2026, and it significantly tightens the rules on how data can leave SAP systems. The part that turns this from a policy update into an operational risk is this: starting in June 2026, a security patch will technically block unauthorized ODP-RFC calls.

What Changed

The RFC modules of the ODP Data Replication API (ODP-RFC) are now defined as exclusively for data transfer between SAP applications. Any use of ODP-RFC by the customer or third-party applications to access SAP ABAP systems, whether on-premises or in a private cloud, is prohibited, and SAP explicitly states that issues arising from non-compliant use are the sole responsibility of the customer. The affected sources are the ones most enterprises depend on: SAP S/4HANA, SAP BW, and ECC.

There is a crucial clarification that prevents needless panic. This is not a ban on RFC as a protocol. Table and CDS view extractions, BAPIs, function modules, and DeltaQ all remain fully usable and SAP-compliant. Only the ODP Data Replication API via RFC is restricted in SAP-to-non-SAP scenarios. If organizations are not using ODP-RFC, they are not affected. The problem is that many teams do not know whether they are.

Explore related questions

How To Find Out, Fast

SAP published a self-assessment tool via Note 3439624, available since April 13, 2026, that audits ODP-RFC usage across an organization’s landscape. Theobald frames this as the mandatory first step, because without a baseline, IT teams cannot scope the migration. For teams already running Xtract Universal, a built-in Compliance function (F6) surfaces every extraction that still uses ODP, without requiring manual configuration review. One practical relief valve exists: SAP has introduced a temporary opt-out that allows restricted ODP-RFC calls to continue until the end of 2026, buying time to adapt.

The Migration Paths

SAP’s recommended destinations for external data access are SAP Business Data Cloud (BDC), which uses zero-copy architecture, and OData. Theobald offers component-specific alternatives that avoid ODP-RFC entirely: Table with CDS View for CDS-based extractions, Table CDC for incremental table-level replication without a CDS dependency, BW Cube for BW extractions, and DeltaQ for data sources and extractors, with ODP OData as a fallback. Notably, Theobald cautions that OData is often less efficient in practice because SAP Basis must manually create an OData service for each source object, and performance typically trails that of alternatives.

Why This Lands At A Sensitive Moment

This is not happening in a vacuum. SAP announced Business Data Cloud in early 2025 as a SaaS offering to unify and govern SAP data and connect it to non-SAP data. SAPinsider’s 2026 research agenda now includes a dedicated study of BDC adoption and use cases. Meanwhile, the pressure on clean, trusted data is intensifying. SAPinsider’s supply chain research finds poor data quality costs organizations an average of $12.9 million annually, and 82% of members require integrations between core ERP and line-of-business systems. A forced rethink of extraction architecture is arriving precisely as data foundations become a board-level concern.

What This Means for SAPinsiders

Run the self-assessment before June, not after. SAP Note 3439624 will indicate whether organizations are exposed. Once the June 2026 patch validates incoming calls, non-compliant integrations simply stop working. SAP security teams should install the assessment tool this quarter, or use Xtract Universal’s F6 Compliance view to inventory every ODP-RFC extraction that touches SAP S/4HANA, SAP BW, or SAP ECC.

Choose the successor component by use case, not by default. Table CDC, DeltaQ, Table with CDS View, and BW Cube each fit different scenarios, and OData is a fallback rather than a first choice. Picking OData reflexively can lock an organization into avoidable performance overhead. SAPinsiders should map each affected extraction to the right non-ODP component before they touch production.

Fold this into the broader data-platform strategy. The SAP BDC and clean-core directions are converging under this restriction. Treating 3255746 as a one-off patch misses the strategic signal about where SAP wants data to live. CIOs and IT Leaders should use the migration as an opportunity to align the extraction architecture with their SAP BDC and analytics roadmap, not just to restore a broken pipeline.

Events

29Oct
SAPinsider Summit New Orleans 2026New Orleans, Louisiana, United States
View All