Secure AIOps: Do I really need the SAP transport? - Q&A

During customer implementations, we are often asked about the need for Avantra SAP transports. This post addresses many of the common questions we receive and explains the rationale behind our platform design decisions.

Our choices are guided by security-first principles, SAP best practices, and over 23 years of accumulated expertise. These principles ensure a reliable, secure, and effective solution for our customers.

If you have a question not covered here, please let us know, and we’ll be happy to address it in future updates.

Is the Avantra transport required for everything in Avantra?

No, particularly in the observability (monitoring) domain, many checks work even without the transport in place. This is extremely useful during deployment while customers wait for change approvals to be processed.

Why do you need code in my SAP system?

Most tasks in an SAP system require local execution, meaning users must log into the system via the SAP GUI or Fiori interface. This design choice by SAP enhances security, auditing, and consistency in business process execution.

For third-party solutions like Avantra, achieving monitoring and automation requires a different approach. Avantra accomplishes this by introducing custom code through an SAP “transport.” Transports allow for the addition or modification of code in an SAP system. SAP allocates unique namespaces or code prefixes for third-party vendors to deliver their code. For example, Avantra’s namespace is “/syslink/” and “/avantra/” where all Avantra-specific code resides.

Is it possible to execute automations without using a transport?

Yes, but more often, no. If SAP explicitly allows a process to be executed remotely, such as creating new users, a transport is not required.

However, for most use cases, this is not the case. SAP intentionally restricts remote execution to protect the system. Complex tasks like system refresh, profile parameter maintenance, certificate replacement, and applying SAP HotNews updates should only be automated with deep expertise.

At Avantra, we use custom code within our transports to enable these functionalities securely within our automation engine.

What about solutions that claim that no transport is required?

Avantra adheres to SAP’s guidelines and best practices, avoiding the use of injected dynamic code for complex automations like system refresh or certificate replacement. SAP explicitly warns that “dynamic programming techniques can present a serious security risk” to its systems and so this is why all Avantra code is present statically in our transports rather than being injected into the system at runtime.

Dynamic code injection at runtime is dangerous for three key reasons:

1. Dangerous Permissions
   Dynamic code injection requires a third-party user to have permissions to create and delete code on-the-fly. This introduces significant security risks, as there is no control or oversight over what the injected code is doing.
   
   
2. Lack of Auditability
   Code injected at runtime is removed after execution, making it impossible to audit what actions were taken or what code was executed in the system. This lack of traceability is a significant compliance and security concern.
   
   
3. Code Manipulation Risks
   Dynamic code is susceptible to changes without proper oversight or verification. The executed code might differ over time, with no way to verify these changes. If the third-party system loses control over the injected code, it could leave the SAP system vulnerable to exploitation.

Many years ago, in consultation with some of our major customers, Avantra transitioned away from injected dynamic code to align with SAP’s guidance and industry best practices, ensuring secure, auditable, and reliable automation.

Why does Avantra prefer to use its own transport?

Aside from the obvious security considerations, Avantra prefers to use our own code in a transport for a number of other reasons:

SAP Certified Add-in

Avantra is certified as a “Works with SAP RISE” solution (Report No. 20704), “Integration for SAP NetWeaver,” and “Integration with SAP S/4HANA.” We undergo regular certification processes with SAP, during which our functionality and code are analyzed to ensure alignment with SAP’s standards and expectations for third-party automation integrations.

Audits

Avantra provides static, viewable transports to enable customers to perform comprehensive end-to-end audits of our functionality and code. This ensures our solutions meet their high security and quality standards. Such transparency would not be possible with dynamic code injection, reinforcing our commitment to secure and reliable operations.

Penetration testing

Avantra and its customers regularly conduct comprehensive penetration testing on the platform and its capabilities. We do not rely on “security through obscurity” and are fully transparent about our SAP transports. Customers are encouraged to review, test, and verify the transports before deploying them in mission-critical environments, ensuring trust and reliability.

What about my SAP RISE environment - can I use Avantra transports there?

Avantra is a certified “Works with RISE with SAP” solution (Report No. 20704). If your Avantra transports are already in place before transitioning to SAP RISE, you can continue using them as usual. If not, collaborate with SAP or your service provider to implement them and set up the appropriate user access.

In a RISE scenario, certain automations, such as system refreshes, are typically managed by SAP or your service provider, who may also utilize Avantra. However, numerous other Avantra automations remain available for your use. 

In contrario automations that do not use ABAP code (via transport) usually rely on os commands and scripts / ansible and therefore cannot be used in a RISE environment.  

What about SAP S/4HANA Cloud - Public Edition - do I need a transport there?

SAP S/4HANA Cloud public edition is a SaaS product, so observability and automation solutions integrate via public APIs rather than the traditional on-premises or cloud installation methods. Since the APIs are public, no transport is required. You simply configure the system location and credentials in Avantra, and the integration should function seamlessly.

Talk with one of our SAP experts today to find out more.