What Is SAP Indirect Access?
SAP indirect access occurs when a user or automated system accesses SAP data or functionality without logging directly into SAP. The classic scenario: a company builds a custom e-commerce portal, a mobile app, a warehouse management system, or an RPA (Robotic Process Automation) process that reads from or writes to SAP. Those portals, apps, bots, and integrations are the "indirect" channel — and SAP has argued, successfully in some cases, that the humans ultimately driving those transactions require SAP named user licences even if they never touch the SAP GUI.
The concept sounds logical on the surface: SAP licences users who derive value from SAP software. But SAP's original interpretation was extraordinarily broad. Under the pre-2018 interpretation, any human who ultimately benefited from data that SAP processed — whether they ever interacted with SAP directly or not — could be argued to require a named user licence. This interpretation was used to generate enormous compliance gap claims against SAP customers who had modernised their IT landscapes with middleware, APIs, and third-party applications.
The Diageo case in the UK — in which the English High Court ruled in 2017 that Diageo owed SAP millions for indirect access through its integration architecture — sent shockwaves through enterprise procurement teams globally. If Diageo's settlement amount was in the tens of millions, how exposed was every other large enterprise running similar landscapes? Our SAP indirect access advisory service exists precisely to answer that question — and to protect buyers before SAP asks it first.
Concerned About Digital Access Exposure?
SAP's Digital Access model can generate multi-million-pound claims based on automated document counts that include test data, cancelled transactions, and legacy migrations. Independent measurement is the only way to know your real exposure.
Get Digital Access Review → Read the Digital Access Guide →Critical Point: Indirect access risk did not disappear when SAP introduced Digital Access in 2018. Digital Access is a new metric for new contracts. Customers on older Master Agreements may still be subject to the original indirect access T&Cs — and SAP's audit team can and does assert claims under both frameworks simultaneously.
Digital Access vs Indirect Access: What Changed in 2018?
In 2018, responding to intense customer pressure and reputational damage from high-profile Diageo-style disputes, SAP announced the Digital Access model. Rather than licencing by named users accessing SAP indirectly, Digital Access licences the volume of specific document types created in SAP by non-SAP systems. The four initial document types were: Sales Order, Delivery, Invoice, and Material Document.
This was a genuine improvement in transparency. Instead of an open-ended, arguable liability (how many humans eventually benefit from this SAP data?), Digital Access provides a countable metric: how many orders, deliveries, invoices, and material documents did your third-party systems create in SAP last year?
| Framework | Metric | Applies To | Risk Profile |
|---|---|---|---|
| Original Indirect Access | Named users who access SAP value, directly or indirectly | Legacy ECC contracts pre-2018; some ECC contracts post-2018 | Very high — broad and arguable |
| Digital Access | Volume of specific document types created by non-SAP systems | New S/4HANA contracts; some ECC renewals post-2018 | Quantifiable — but document volumes can be enormous |
| RISE with SAP | Digital Access included in RISE subscription (up to a cap) | RISE subscribers | Capped exposure — but cap may be exceeded in high-volume scenarios |
The critical point: if you are still on a legacy Master Agreement from before 2018, SAP's digital access update may not have been incorporated into your contract. Your liability framework may still be the original indirect access T&Cs. Before assuming you are protected by the Digital Access model, have your Master Agreement reviewed by an independent SAP contract specialist. Do not rely on SAP's verbal assurances during account management conversations — only contractual language provides protection.
What framework governs your indirect access exposure?
Our SAP indirect access advisory team reviews your Master Agreement and Order Forms to determine which framework applies and what your quantified exposure is. Book a free initial review.
The Eight Highest-Risk Indirect Access Scenarios in 2026
Not all integrations carry equal risk. The scenarios below represent the situations where we most frequently find significant unmeasured indirect access exposure during client engagements. If your organisation runs any of these architectures, an immediate risk assessment is advisable.
An e-commerce platform (Salesforce Commerce Cloud, Shopify Plus, custom-built) that creates SAP Sales Orders triggers Digital Access for every order posted. A retailer processing 500,000 orders per year through a third-party storefront with SAP as the order management backend has significant Digital Access exposure. Each Sales Order document counts separately. High-volume retailers have received claims ranging from hundreds of thousands to multi-million pound figures.
Robotic Process Automation tools (UiPath, Blue Prism, Automation Anywhere) that interact with SAP by scripting the SAP GUI or calling BAPIs create indirect access liability in two ways. First, the bot itself may require a named user licence under legacy frameworks. Second, if the bot creates SAP documents (GRs, invoices, POs), Digital Access applies per document. Many organisations deployed RPA without understanding the SAP licensing implications — and have accumulated years of unlicenced document creation.
Integration platforms (MuleSoft, Dell Boomi, Azure Integration Services, SAP Integration Suite) that orchestrate data flows between SAP and third-party systems create indirect access when those flows result in document creation in SAP. A middleware solution that receives purchase requisitions from a third-party procurement tool and posts them as SAP Purchase Orders triggers Digital Access per document. The middleware vendor itself does not require a licence — but the documents it creates on behalf of external systems do count.
Custom applications built on SAP APIs (RFC, BAPI, OData) that allow non-SAP-licenced users to submit requests or data that ultimately become SAP documents are an indirect access risk. Field service apps where technicians submit job completions that create SAP service orders, HR portals where employees submit leave that creates SAP absences, and sales apps where reps submit orders that become SAP sales orders — all carry document-based Digital Access exposure.
Warehouse Management Systems (WMS) or Manufacturing Execution Systems (MES) from third-party vendors (Manhattan, JDA, Honeywell Intelligrated, Rockwell) that synchronise goods movements with SAP create Material Document entries. In a high-throughput manufacturing environment, a single shift can generate thousands of SAP material documents from WMS confirmations. At scale, the Digital Access cost can approach or exceed the cost of full SAP licences for the workers driving those transactions.
Tools that extract SAP data for reporting (Power BI, Tableau, QlikView) are typically read-only and do not create Digital Access documents. However, if the BI tool writes back to SAP — annotating records, triggering workflows, or updating master data — the write-back creates indirect access exposure. Additionally, under legacy T&Cs, SAP has argued that BI users who derive business value from SAP data require named user licences. This argument is weaker post-2018 but not entirely extinguished for legacy contract holders.
How SAP's Audit Team Identifies Indirect Access Exposure
When SAP conducts an enhanced audit — more comprehensive than a standard USMM measurement — its team will specifically look for indirect access scenarios beyond the named user count. Understanding their methodology helps you prepare an effective defence.
Landscape Documentation Review
SAP's audit team typically requests a systems landscape diagram as part of the audit information-gathering process. They are looking for any system outside the SAP perimeter that connects to SAP — particularly systems that drive transactions or create documents. A well-managed landscape documentation pack, reviewed by your audit defence advisors before submission, can significantly limit the surface area SAP's team is able to investigate.
BAPI and RFC Call Analysis
SAP can analyse system logs to identify calls made to SAP via RFC (Remote Function Calls) and BAPIs (Business Application Programming Interfaces) by external systems. Each RFC caller — whether a human user or an automated system — can be traced. If the caller is an external system whose users are not named in the SAP licence, SAP has the basis for an indirect access claim. In enhanced audits, SAP sometimes requests SM20 logs specifically to identify non-licenced RFC callers.
Digital Access Document Counting
For Digital Access claims, SAP can run queries against SAP transaction tables (VBAK for Sales Orders, LIKP for Deliveries, RBKP for Invoices, MKPF for Material Documents) to count documents created by non-SAP systems. The creation source is typically identifiable from the document header fields. SAP's commercial team will use these counts to calculate the retroactive Digital Access licence fee for uncovered document volumes.
Don't wait for SAP's auditors to find your exposure
Our SAP audit defence team conducts proactive landscape audits to identify indirect access exposure before SAP does. We map every integration, count every document, and structure a commercial remediation plan — on your terms, not SAP's. Book a free consultation.
How to Protect Your Organisation: 7 Practical Strategies
Indirect access and Digital Access risk can be managed, mitigated, and in some cases eliminated — but it requires intentional action. These are the seven strategies our indirect access advisory practice deploys across enterprise engagements.
1. Conduct a Landscape Integration Inventory
Start with a complete map of every system that connects to SAP — directly or via middleware. For each integration, classify it: does it read only, or does it write? If it writes, what document types does it create, and in what volumes? This inventory is the foundation of any credible risk assessment. Most enterprises discover integrations they had forgotten about during this exercise.
2. Review Your Master Agreement T&Cs
Your indirect access framework is determined by your contract, not by SAP's current marketing materials. Have your Master Agreement reviewed by a legal or commercial specialist who understands SAP T&Cs. Specifically, identify: which version of the T&Cs Supplement governs your agreement, whether the Digital Access Adoption Program (DAAP) has been applied to your contract, and whether any specific carve-outs or exclusions have been negotiated.
3. Quantify Your Digital Access Document Exposure
Before SAP runs the numbers, run them yourself. Count the Sales Orders, Deliveries, Invoices, and Material Documents created by third-party systems in SAP over the past 12 months. Compare this to any Digital Access licence you have purchased. The gap between what you've created and what you've licenced is your current exposure. Knowing this number gives you negotiating leverage: you can approach SAP proactively and negotiate a commercial settlement rather than waiting for an audit-driven demand.
4. Negotiate Digital Access Inclusions at Renewal
If your current contract does not include Digital Access for the document types your landscape creates, your next renewal or renegotiation is your best opportunity to fix this. SAP is more willing to include Digital Access at commercially reasonable rates during a contract discussion than during an audit. Our contract negotiation team has secured Digital Access inclusions covering millions of documents per year at rates 40–60% below SAP's standard list price.
5. Architect for Licence Efficiency
Some integration architectures can be restructured to reduce or eliminate Digital Access exposure. If a third-party system is creating SAP documents, consider whether SAP could instead push data to the third-party system, reducing or eliminating the third-party-to-SAP document creation flow. Involve SAP licensing expertise early in any new integration design — the architectural choices made during a project will determine the licensing costs for years.
6. Use SAP's Native Tooling Where Possible
The safest integration path from a licensing standpoint is SAP's own tools — SAP Integration Suite, SAP BTP, S/4HANA embedded analytics. Integrations built natively within the SAP ecosystem do not create indirect access risk in the same way that third-party-to-SAP integrations do. Where it makes technical and commercial sense, native SAP integration reduces licensing risk while also receiving support from SAP under your maintenance agreement.
7. Document Exclusions and Carve-Outs in Every New Contract
When executing any new SAP Order Form or contract amendment, ensure that any known indirect access scenarios — specific integrations, specific third-party systems, specific document types — are explicitly addressed. Either include Digital Access coverage for those volumes or negotiate a written exclusion that confirms those scenarios do not trigger additional licensing liability. Verbal assurances from your SAP account team have no legal force. Only written contract language protects you.
Indirect Access Under RISE with SAP
RISE with SAP bundles Digital Access into the subscription — but the bundled volume may not be sufficient for your actual integration landscape. RISE advisory engagements consistently reveal that the default Digital Access allocation in a standard RISE proposal is calculated based on SAP's average across customer segments — not based on your actual integration volumes. If your business processes significantly more orders, deliveries, or material movements than the average, you may exceed your RISE Digital Access allocation and incur overage charges.
The solution is to negotiate your Digital Access tier into the RISE contract based on your actual measured volumes, not SAP's default allocation. Our RISE advisory team has reviewed over 50 RISE proposals and identified Digital Access shortfalls in the majority of them. Read our broader guide on RISE with SAP licensing for the full picture.
Is your RISE proposal correctly sized for your indirect access volumes?
Our independent review of RISE with SAP proposals has identified Digital Access shortfalls that would have resulted in seven-figure overage costs for the enterprises concerned. Book a free RISE review before you sign.
The Bottom Line on SAP Indirect Access in 2026
SAP indirect access — whether under the original framework or the Digital Access model — remains one of the most commercially significant licensing risks in enterprise SAP environments. The risk is not hypothetical: SAP's commercial team actively investigates indirect access during audits and will use every contractually available argument to quantify exposure.
The enterprises that manage this risk best do three things consistently: they maintain a live inventory of all SAP integrations, they negotiate Digital Access coverage explicitly into their contracts, and they involve independent licensing expertise before signing any new SAP agreement. Our indirect access advisory service provides all three elements — commercial assessment, contract review, and negotiation support — from a position that is entirely independent of SAP.
If you are facing an SAP audit that includes indirect access claims, read our SAP audit guide and review the audit defence service page. Then contact us — the sooner we are involved, the more effectively we can protect your position.
Independent Digital Access Advisory
Our indirect and digital access advisory service provides independent measurement, third-party integration analysis, and a commercially defensible position against SAP's document-based claims.
Book a Free Digital Access Review →