Impact of SAP Indirect Access Compliance: Best Practices
SAP indirect access compliance is a critical issue that can carry multi-million dollar risks if not managed proactively.
This brief outlines how IT leaders can navigate SAP’s complex indirect licensing rules and adopt best practices to avoid unexpected audit costs while maintaining control over SAP licensing.
Indirect Access and Its Risks
SAP “indirect access” refers to any scenario where SAP software is used via an external system or interface rather than through a direct SAP login.
If a third-party application reads data from SAP or pushes a transaction into SAP, this constitutes indirect use and still requires an SAP license.
Because modern IT landscapes are so interconnected, even these behind-the-scenes integrations can inadvertently create license liabilities if not managed properly.
An SAP system connected to multiple external applications, each representing a potential indirect access point that needs to be licensed.
Failing to govern indirect access can lead to serious consequences. SAP has pursued customers for huge back-license fees (one UK customer was hit with £54M in 2017), so indirect access is no trivial technicality – unmanaged, it can quickly turn into a costly audit nightmare.
Read SAP Indirect Access Compliance: Best Practices.
Legacy vs. Digital Access Licensing
SAP offers two approaches to license indirect use: the legacy named-user model and the newer document-based Digital Access model. The table below summarizes their differences:
| Model | What You Pay For | Best For |
|---|---|---|
| Named User | A license for each external user/account. | Few external users or integrations (small, controlled scenarios). |
| Digital | The number of documents created in SAP by external systems. | High-volume or unpredictable external usage (e.g. customer portals, IoT). |
For example, one company found that licensing 1,000 external partner users via named-user licenses would cost approximately $2 million annually, whereas covering the same workload via Digital Access documents would cost around $200,000 per year.
This shows the potential savings of the document approach – but every landscape is different. You should analyze your system usage and choose the licensing strategy that best contains cost and compliance risk in your situation.
Best Practices for Managing Indirect Access
To manage SAP indirect access effectively and avoid compliance problems, IT leaders should:
- Inventory Integrations: Keep an updated list of all external systems and interfaces connected to SAP. This provides visibility into where indirect access occurs.
- Optimize Licensing: Decide for each integration if named user licenses or document licenses are more cost-effective. Assign the appropriate model and avoid double-licensing the same activity.
- Monitor Continuously: Utilize SAP’s audit tools or SAM software to track the number of documents generated by external systems and identify active service accounts. Run periodic internal “mock audits” to ensure all indirect use is covered under your licenses.
- Manage Contracts: When negotiating with SAP (renewals or new deals), address indirect access in the contract. Clarify definitions and negotiate provisions, such as fixed allowances or discounts for indirect use, if possible.
Recommendations
To mitigate indirect access risks, IT leaders should:
- Discover & Document: Identify every system and user accessing SAP indirectly, and document how each connection is licensed.
- Choose the Right Model: Use the licensing approach (user-based or document-based) that best fits each integration’s usage profile to control costs.
- Monitor & Adjust: Continuously monitor external usage and true-up or optimize licenses as needed before SAP finds a shortfall.
- Negotiate Upfront: Leverage SAP contract renewals or new purchases to negotiate clear terms and better pricing for indirect access rather than waiting for an audit.
- Institutionalize Compliance: Establish an internal policy that requires a licensing review for all new integrations before they go live, ensuring compliance is built into your processes.
Read What is SAP Indirect Access?.
FAQ
Q1: What qualifies as “indirect access” in SAP?
A1: Indirect access occurs when a person or program uses SAP through an external application rather than directly logging in to SAP. If a non-SAP system retrieves data from SAP or submits data to SAP, that constitutes indirect use and typically requires an SAP license. For example, a web storefront displaying SAP inventory or a third-party app creating orders in SAP are indirect access scenarios.
Q2: How is SAP’s Digital Access licensing different from traditional licensing?
A2: Traditional SAP licensing is user-based – you need a licensed SAP user for each individual or system that uses SAP (even via another application). Digital Access is document-based – you purchase licenses for a set number of documents created in SAP by external systems. In other words, instead of counting users, you’re licensing the transactions. It can be more efficient when you have many external users, but you must monitor your document volumes and buy more if you exceed your allotment.
Q3: How can we track and manage indirect usage in our SAP environment?
A3: Maintain a comprehensive list of all systems that interface with SAP. Use SAP’s own tools (like USMM/LAW reports and Digital Access evaluation notes) regularly to detect external usage – these can count documents created by interfaces and technical users. A comprehensive integration inventory, combined with periodic monitoring of SAP logs, will help you identify indirect access issues early and address them before they escalate.
Q4: What happens if SAP finds unlicensed indirect access during an audit?
A4: If an SAP audit discovers indirect use that isn’t licensed, SAP will insist you purchase the required licenses right away. This can result in a substantial, unplanned expense. While SAP’s goal is to get you compliant (by selling you the needed licenses, not shutting down your system), they can threaten to suspend support until you fix the shortfall. Once you’re found non-compliant, there’s little room to negotiate – you’ll be expected to pay to resolve the issue. That’s why managing indirect access proactively is so important.
Q5: Can we negotiate or get exceptions from SAP for indirect access?
A5: You can try to negotiate terms upfront. During a contract renewal or new SAP purchase, include provisions for indirect use – for example, a discounted bundle of Digital Access licenses or an agreed allowance for certain scenarios. SAP may be flexible if it helps close a deal, but any special terms must be explicitly written into your contract. If you’re already under audit, your options are limited, and SAP will expect you to purchase the necessary licenses. It’s best to negotiate clarity and protections in advance rather than hoping for exceptions later.
Read more about our SAP Advisory Services.
