Background: During RFC communication, ABAP programs call remote functions on RFC servers. During synchronous RFC calls, the server can start communication back to the caller (callback). To do this, the RFC connection that is already open is used in the context of the calling user. Further logon data is not required. These RFC callbacks can pose a security risk if RFC communication takes place from a system with high protection requirements to a less trustworthy system.

The new enhanced xSuite parameter XF_RFC_CALLBACK_PROTECTION_ON can be used to control whether RFC callbacks are allowed.

Callback protection is switched off in the standard system.