RAP for SAP applications: what changes for developers and IAM teams?


(@nhi-mgmt-group)

TL;DR: ABAP RESTful Application Programming Model (RAP) standardises how SAP teams build cloud-ready transactional apps and expose business objects through OData, CDS, and service bindings, while preserving extension paths for S/4HANA and SAP BTP, according to Pathlock. The governance lesson is that application architecture now shapes access scope, service exposure, and lifecycle control as much as code quality does.

NHIMG editorial — based on content published by Pathlock: What is RESTful Application Programming (RAP)?

Questions worth separating out

Q: How should teams govern access in RAP-based SAP applications?

A: Teams should govern RAP access at the service definition and binding layer, not only in the underlying business object.

Q: What breaks when RAP extensions are allowed without review?

A: Unreviewed RAP extensions can expand the application contract beyond the original control scope, which makes least privilege harder to prove and audit.

Q: How do managed and unmanaged RAP services differ for security governance?

A: Managed RAP relies more on framework defaults for transactional integrity and validations, while unmanaged RAP shifts those responsibilities into custom ABAP code.

Practitioner guidance

  • Review service definitions as access boundaries: Map each exposed CDS entity to the minimum business action it needs to support, then verify that service bindings do not expose unused read or write paths.
  • Separate governance for managed and unmanaged objects: Apply a stricter design review to unmanaged RAP objects because the framework no longer enforces transactional behavior by default.
  • Control extension points with lifecycle review: Track in-app and side-by-side extensions as part of change management so they do not quietly widen the application contract.

What's in the full article

Pathlock's full article covers the implementation detail this post intentionally leaves for the source:

  • Step-by-step RAP development flow from database tables through behavior definition, service definition, and service binding
  • Managed versus unmanaged implementation choices and the practical trade-offs between framework defaults and custom ABAP control
  • Examples of RAP business object, query, business service, and business event design in SAP environments
  • Naming conventions and tool usage inside ABAP Development Tools for building and testing RAP services

👉 Read Pathlock's overview of SAP RAP and cloud-ready application design →
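
One way to automate the "review service definitions as access boundaries" check from the practitioner guidance above, as an added example that is not code from this post or from Pathlock's article: compare the entity sets and operations a service binding publishes in its OData V4 `$metadata` with the contract approved at design review. It assumes disabled operations are declared through the standard `Org.OData.Capabilities.V1` restriction annotations; the metadata sample, the `demo` namespace, the entity set names and the `APPROVED` contract are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

EDM = "{http://docs.oasis-open.org/odata/ns/edm}"
CAP = "Org.OData.Capabilities.V1."
FLAGS = {"InsertRestrictions": ("Insertable", "create"),  # term -> (property, operation)
         "UpdateRestrictions": ("Updatable", "update"),
         "DeleteRestrictions": ("Deletable", "delete")}

def _restrict(entity_set, *terms):  # sample builder only: switch operations off
    body = "".join(f'<Annotation Term="{CAP}{t}"><Record><PropertyValue Property='
                   f'"{FLAGS[t][0]}" Bool="false"/></Record></Annotation>' for t in terms)
    return f'<Annotations Target="demo.Container/{entity_set}">{body}</Annotations>'

# Constructed sample: trimmed OData V4 $metadata of a hypothetical RAP service.
SAMPLE = f"""<edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx">
<edmx:DataServices><Schema Namespace="demo" xmlns="http://docs.oasis-open.org/odata/ns/edm">
<EntityContainer Name="Container">
  <EntitySet Name="Travel" EntityType="demo.TravelType"/>
  <EntitySet Name="Booking" EntityType="demo.BookingType"/>
  <EntitySet Name="Agency" EntityType="demo.AgencyType"/>
</EntityContainer>
{_restrict('Travel', 'InsertRestrictions', 'DeleteRestrictions')}
{_restrict('Booking', 'InsertRestrictions', 'UpdateRestrictions')}
</Schema></edmx:DataServices></edmx:Edmx>"""
APPROVED = {"Travel": {"read", "update"}, "Booking": {"read"}}  # constructed contract

def exposed_operations(metadata_xml):
    """Return {entity set: operations the metadata does not switch off}."""
    root = ET.fromstring(metadata_xml)
    ops = {es.get("Name"): {"read", "create", "update", "delete"}  # OData default: allowed
           for es in root.iter(EDM + "EntitySet")}
    for block in root.iter(EDM + "Annotations"):
        name = block.get("Target", "").rsplit("/", 1)[-1]
        for ann in block.iter(EDM + "Annotation"):
            flag = FLAGS.get(ann.get("Term", "").removeprefix(CAP))
            if name not in ops or flag is None:
                continue
            for pv in ann.iter(EDM + "PropertyValue"):
                if pv.get("Property") == flag[0] and pv.get("Bool") == "false":
                    ops[name].discard(flag[1])
    return ops

def audit(metadata_xml, approved):
    """Return {entity set: operations exposed beyond the approved contract}."""
    exposed = exposed_operations(metadata_xml)
    extra = {n: sorted(ops - approved.get(n, set())) for n, ops in exposed.items()}
    return {n: e for n, e in extra.items() if e}

if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED))
```

An entity set that never went through review has an empty approved set, so every operation it exposes is reported. The result describes what the binding declares, not what authorization checks enforce, so each finding still needs an authorization review.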
