As of SAP Basis 740 (downported to ABAP 731 with Kernel 7.21 SP 321), we have introduced the callback whitelist for each RFC destination.

When you use the ABAP statement “CALL FUNCTION <func> DESTINATION <DEST>” to call a synchronous RFC, the remote function module (<func>) can, while it is executing, use a synchronous RFC with the predefined destination “BACK” (that is, the ABAP statement “CALL FUNCTION <funcBack> DESTINATION ‘BACK’”) to execute a remote-enabled module (<funcBack>). This is known as an RFC callback. The following prerequisite applies: If the RFC authorization check is activated (see SAP Note 93254) on the calling side, the caller must have the necessary RFC authorization. Otherwise, execution of the function module (<funcBack>) terminates with a corresponding error message.

Note: In the RFC runtime, an RFC callback is supported only during a synchronous RFC. During other types of RFC, such as an asynchronous RFC, a transactional RFC or a background RFC, an RFC callback is not supported.

You can find more detailed information in SAP Note 1686632.

The callback whitelist is controlled as follows:

  1. Each RFC destination has an activation switch for its callback whitelist.
  2. The profile parameter rfc/callback_security_method determines the system behavior:

Value 0: Emergency fallback mode. All whitelists are ignored.

Value 1: Compatibility mode (default value). Only callbacks prohibited by active whitelists are rejected.

Value 2: Simulation mode. Only callbacks prohibited by active whitelists are rejected. Callbacks prohibited by non-active whitelists are allowed, but logged in the Security Audit Log (SAL).

Value 3: Most secure mode. Callbacks prohibited by active or non-active whitelists are rejected.

If you set the parameter to 0 or 1, you will see a red alert message “RFC callback chk not secure”.

You can define the whitelist in SM59 -> Logon & Security -> Callback whitelist.
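
The following Python sketch is an added example, not SAP code and not part of the original post: it models the four rfc/callback_security_method values described above and lists which observed callbacks would start failing when a system moves from compatibility mode (1) to the most secure mode (3). The destination names, function module names and the (called module, callback module) form of a whitelist entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Outcomes the RFC runtime can produce for a callback, per the mode list above.
ALLOW, ALLOW_LOGGED, REJECT = "allow", "allow, logged in SAL", "reject"

@dataclass
class Destination:
    """Simplified model of one SM59 destination (structure is an assumption)."""
    name: str
    whitelist_active: bool
    # Assumed entry format: (called function module, callback function module)
    whitelist: set = field(default_factory=set)

def decide(mode: int, dest: Destination, called: str, callback: str) -> str:
    """Return the outcome for one callback under rfc/callback_security_method."""
    if mode not in (0, 1, 2, 3):
        raise ValueError(f"unknown rfc/callback_security_method value: {mode}")
    if mode == 0:                      # emergency fallback: whitelists ignored
        return ALLOW
    if (called, callback) in dest.whitelist:
        return ALLOW                   # permitted by the destination's whitelist
    if dest.whitelist_active:          # prohibited by an active whitelist:
        return REJECT                  # rejected in modes 1, 2 and 3 alike
    # Prohibited by a non-active whitelist: the mode decides.
    return {1: ALLOW, 2: ALLOW_LOGGED, 3: REJECT}[mode]

def impact_of_mode_3(dests, observed):
    """List observed callbacks that work in mode 1 but are rejected in mode 3."""
    by_name = {d.name: d for d in dests}
    return [
        (dest, called, cb) for dest, called, cb in observed
        if decide(1, by_name[dest], called, cb) == ALLOW
        and decide(3, by_name[dest], called, cb) == REJECT
    ]

# Constructed sample data: all destination and function module names are made up.
DESTS = [
    Destination("ZDEST_A", True, {("Z_CALLED_FM", "Z_CALLBACK_OK")}),
    Destination("ZDEST_B", False, set()),
]
OBSERVED = [
    ("ZDEST_A", "Z_CALLED_FM", "Z_CALLBACK_OK"),
    ("ZDEST_A", "Z_CALLED_FM", "Z_CALLBACK_OTHER"),
    ("ZDEST_B", "Z_CALLED_FM", "Z_CALLBACK_OK"),
]

if __name__ == "__main__":
    print("rejected after switching 1 -> 3:", impact_of_mode_3(DESTS, OBSERVED))
```

In this model, the callbacks that simulation mode (2) would log for a destination are the same ones that mode 3 would newly reject, which is why running in mode 2 first shows which whitelists still need to be maintained and activated.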
