Managing Key Legal Issues in Indirect Access

Managing Key Legal Issues in SAP Indirect Access

SAP Indirect Access refers to the use of SAP systems via third-party applications or interfaces. This seemingly technical issue has become a major legal and financial concern for enterprises.

IT leaders must proactively manage SAP indirect access to avoid surprise license fees and compliance risks.

In short, understanding how your SAP data is accessed and negotiating clear terms up front is key to preventing costly disputes.

Understanding SAP Indirect Access

Indirect access occurs when users or systems interact with SAP software without using the SAP GUI directly, often through external platforms.

In practice, this means that if a third-party system (such as a customer portal, mobile app, or SaaS service) either inputs data into SAP or retrieves data from SAP, it triggers SAP licensing requirements.

For example:

• A CRM system (e.g., Salesforce) creates sales orders in SAP.
• A warehouse management system updates inventory levels in SAP.
• An HR portal reads employee records from SAP for a dashboard.

In each case, people who never log into SAP directly still consume SAP functionality indirectly.

Historically, SAP’s contracts have defined any indirect use as requiring a license. This broad definition has caught many companies off guard, leading to compliance audits and hefty back-license claims.

Why Indirect Access Becomes a Legal Issue

Indirect access has been called a “licensing minefield” for good reason.

SAP’s license agreements often lacked clear language on indirect use, creating ambiguity.

High-profile legal disputes highlight the stakes:

• SAP vs. Diageo (2017): The global distiller connected Salesforce to SAP, enabling sales representatives to initiate SAP transactions. A UK court ruled these external users were “SAP users” under the contract. Diageo faced an estimated £54 million license fee for years of unlicensed indirect use.
• SAP vs. Anheuser-Busch InBev (2017): Shortly after, SAP pursued the brewery for over $600 million in license fees for various third-party system integrations. The case was settled confidentially, but it sent shockwaves through the SAP customer community.

These examples underscore that unauthorized indirect usage can result in multimillion-dollar penalties or legal action. Many organizations don’t realize a simple integration can put them in breach of contract.

The lesson is clear: indirect access is not a loophole—it’s a liability if unmanaged.

SAP regularly audits customers, and any data exchanged with SAP via non-SAP tools is scrutinized. IT leaders must, therefore, treat indirect access with the same rigor as they do with named user licensing.

Read Managing SAP Indirect Access Compliance.

SAP’s Response: The Digital Access Model

In response to customer backlash, SAP introduced the Digital Access licensing model—a new approach to handling indirect use.

Digital Access moves away from licensing every user and instead licenses the outcomes of indirect usage.

It is document-based licensing:

• Document-centric: SAP identified nine document types (e.g., sales orders, invoices, purchase orders, material documents, financial postings) that cover common business transactions. When a third-party system creates one of these in SAP, it counts as a licensable document.
• Volume-based: Licenses are sold in packs (for example, blocks of 1,000 documents per year). You estimate the number of documents your integrations create annually and purchase enough blocks. Volume discounts apply at higher tiers.
• No charge for reads: Importantly, SAP clarified that “static read” access is free of charge. If external systems or users only query data from SAP without creating new transactions, SAP does not charge for that. Charges apply when new records are created (the first creation event is counted, and subsequent updates or automated downstream documents are not counted again).
• Weighted documents: Each document type has a multiplier. Most transactions are counted as 1 document, while a couple (such as Material or Financial line items) are counted as 0.2, reflecting their lighter footprint. This weighting helps align cost with business impact.

Digital Access aims to provide a fairer, more predictable approach. Instead of worrying about an unknowable number of external users, companies can focus on measurable business documents.

SAP even launched a Digital Access Adoption Program (DAAP) offering steep discounts (up to 90%) to encourage customers to transition.

Under DAAP, many companies converted to document licensing by purchasing a quantity equal to their current estimated usage (often with a buffer, like 115% of current volume at a special rate).

Read Indirect Access in SAP S/4HANA.

Traditional vs. Digital Licensing: Cost and Compliance

How does digital document licensing compare to the old named user model in practice? Each approach has pros and cons for cost and compliance:

• Traditional Named Users: Companies license every individual (or device) that indirectly accesses SAP, often as a “Professional” or “Limited” user. This can be predictable if user counts are stable. For example, if 100 call center agents use a third-party app that updates SAP, you may need to purchase 100 SAP user licenses. At list prices reaching ~$5,000 per user for professional licenses, this approach can be expensive for large external user bases. It also breaks down when the external users aren’t known (e.g., thousands of customers on an e-commerce site). Many organizations ended up under-licensed in indirect scenarios because tracking every potential user was impractical.
• Digital Access Documents: Instead of counting users, you license transactions. This model scales better for high-volume integrations. For instance, an e-commerce platform that creates 50,000 SAP sales orders and invoices per year would need to license those ~50,000 documents (perhaps by purchasing 50 blocks of 1,000 documents). If usage grows, costs rise based on volume, not headcount. This ties fees more directly to system activity. However, estimating document volumes can be challenging – usage may spike with business growth or the introduction of new interfaces. If you underestimate and exceed your licensed document count, you’ll need to true-up (or risk compliance issues). Conversely, overestimating means unnecessary spending.

Compliance impact: Traditional licensing carries high audit risk if indirect users are overlooked – one missing license can trigger non-compliance.

Digital Access reduces this audit uncertainty; as long as you’ve licensed a sufficient volume of documents, you’re covered. However, it shifts the challenge to monitoring document counts.

Companies need processes or tools to track the number of documents generated by external systems. In both models, SAP expects you to manage usage actively, but the focus shifts from counting people to counting transactions.

Below is a simplified comparison of the two approaches:

Real-world cost example: One large enterprise analysis found their SAP integrations generated ~30 million documents annually.

Under traditional licensing, it was impossible to assign individual licenses to each external interaction; under Digital Access, even with a discounted rate, those documents would cost the company around $700,000 per year.

In another case, a retailer’s digital access bill was calculated at over $50 million (at list price) due to massive volumes – a figure so high that it prompted renegotiation with SAP.

These examples illustrate that neither model is “cheap”; the goal is to choose the model that best fits your usage profile and negotiate terms that cap extreme costs.

Cloud Subscriptions and Indirect Access (RISE with SAP)

SAP’s push to the cloud has added a new dimension to this issue.

RISE with SAP, the subscription-based S/4HANA cloud offering, bundles many licensing elements that were separate on-premises.

The good news is that typical indirect access is generally included in RISE subscriptions:

• RISE contracts utilize a metric called Full User Equivalents (FUEs) or a similar measure, which aggregates all types of usage into a single subscription count. If you size your subscription correctly (counting all your human users and some portion for system use), standard third-party integrations are covered without needing extra “digital access” licenses.
• SAP’s cloud model thus reduces the risk of surprise indirect fees. For example, an e-commerce integration creating orders in S/4HANA Cloud would consume resources but not trigger a separate license charge per order – it’s part of your subscription service, as long as it stays within fair use limits.

However, “simplified” doesn’t mean “unlimited.” In RISE contracts, extremely high volumes or unusual usage patterns may still fall outside of the assumed scope:

• If you have millions of IoT sensor updates or an external app generating massive transactions, you might need to purchase additional capacity or higher-tier packages. SAP may set thresholds, where exceeding certain document volumes requires revisiting your subscription level.
• Contract clarity is crucial. The standard RISE contract may not explicitly outline indirect usage allowances, so customers should insist on language that confirms integrations and digital access are included. If the contract is silent, there’s a risk SAP could later claim certain indirect uses weren’t permitted.

Overall, for IT leaders, RISE with SAP has transformed indirect access from a separate licensing headache into an integral part of overall subscription governance.

The focus shifts to monitoring your overall consumption (users and transactions against cloud entitlements) rather than managing separate licenses for each interface.

This is a positive development, but it remains crucial to track usage and negotiate upfront if you anticipate exceptionally high volumes.

Managing Indirect Access Risks and Contracts

To avoid the next Diageo scenario, organizations need to be proactive in both technical and legal management of indirect access:

• Inventory Your Integrations: Start with a detailed mapping of every system that connects to SAP. Identify where data enters or leaves SAP – whether it’s via APIs, middleware, file imports, or even manual uploads. This map enables you to pinpoint potential indirect usage that may require licensing.
• Assess the Usage Type: For each integration, determine if it’s read-only, creates SAP documents, or triggers transactions. Pure data extracts (reports, analytics) are generally low risk under SAP’s stated policy (data viewing is free), but any create or update actions are high risk and require attention.
• Review Your SAP Contracts: Work with legal and procurement teams to examine how “use” is defined in your SAP license agreements. Look for clauses on indirect or third-party access. If the language is vague, plan to clarify it at the next renewal or via an addendum. In negotiations, savvy customers insist on terms that exclude static reads from licensing and clearly define what counts as indirect usage.
• Leverage the Digital Access Evaluation: SAP provides tools (like an Indirect Access estimation note and the concept of SAP Passport tagging for technical tracking) to help gauge how many documents your external systems generate. Use these tools to estimate your digital document count. While not perfect, this data is useful for making an informed decision between sticking with named users or moving to document licensing.
• Cost Modeling: Do a scenario analysis. Compare the cost of licensing all indirect users vs. licensing documents for a year. Factor in growth projections. If named user licenses for all external parties would cost $1 million, but the digital access model estimates $ 200,000 in document licenses, that’s a strong case to switch (and vice versa). Additionally, consider the operational overhead: managing thousands of named users who never log in could pose a significant compliance risk.
• Negotiate a Balance: If you decide to adopt Digital Access, negotiate the best possible terms. SAP’s adoption programs or volume discounts can significantly reduce the price. Ensure any conversion of existing licenses (if you have a surplus of traditional licenses) is accounted for as credit. Conversely, if you remain on traditional licensing, you may negotiate a special engine or flat-fee license for a specific interface (some customers have obtained custom licensing for, say, all customers on a B2C website at a fixed price).
• Monitor Continuously: Assign responsibility to an internal licensing manager or team to continually monitor indirect access. This is not a “set and forget” area. Changes in your IT landscape (new integrations, new IoT projects, M&A bringing in new systems) can suddenly create indirect use exposure. Establish a policy that no new system interfaces with SAP without a license impact assessment.
• Engage SAP and Experts: Maintain an open dialogue with SAP about your usage. If you anticipate a surge in transactions (e.g., launching a new online service that will impact SAP), discuss it with SAP in advance. Additionally, consider engaging independent licensing experts or third-party advisors to review your compliance and optimization options – they can often identify tricky scenarios or negotiating angles that in-house teams might overlook.
• Plan for Audits: Assume that SAP will periodically audit your licenses. Being prepared with accurate usage data and a clear licensing position will make audits far less painful. If SAP raises indirect access during an audit, you should already be aware of your stance. Whether you’re covered under digital access, or you’ve licensed named users, or you have a contractual exception. Never wait until an audit to address this issue.

Recommendations

• Map All Third-Party Connections: Create a detailed inventory of systems and users that interface with SAP. This mapping will serve as the foundation for your indirect access management.
• Classify and Quantify Usage: For each interface, determine if it’s read-only or transactional. Count the approximate number of document creations per year to understand your exposure in a digital access model.
• Evaluate License Options: Compare the cost of covering indirect use with traditional named users versus SAP’s digital access documents. Choose the model that minimizes cost and risk for your scenario.
• Negotiate Clear Contract Terms: Don’t rely on ambiguous standard language. In your SAP contracts, explicitly define indirect usage rules. Include clauses that enable read-only scenarios and establish expectations for typical integrations.
• Leverage SAP Programs: If beneficial, utilize SAP’s Digital Access Adoption Program or other promotional offerings to transition at a discounted rate. Ensure you receive credits for existing licenses and secure favorable rates for high volumes.
• Monitor Usage Proactively: Implement tools or processes (monthly reports, SAP audit tools) to track indirect document counts or external user counts. Catch any usage spikes early and inform SAP or adjust licenses as needed.
• Educate Stakeholders: Ensure that project teams and business units understand the implications of integrating new apps with SAP. Build license checks into architecture governance so that no integration goes live without addressing indirect access compliance.
• Prepare for Audits: Keep documentation of your indirect access licensing approach. If audited, you can demonstrate a rational, measured compliance strategy (and avoid panic reactions that could lead to overpaying).
• Consider Cloud Implications: When moving to RISE or other SAP cloud services, factor in indirect usage to determine your subscription size. Negotiate any special high-volume use cases upfront so that your SaaS agreement covers them, and you avoid post-migration surprises.
• Seek Expert Advice When Needed: SAP licensing is complex and ever-changing. Don’t hesitate to consult independent experts or legal advisors, especially when negotiating contracts involving complex or indirect terms, or when facing a significant compliance claim.

FAQ

Q1: What exactly is “indirect access” in SAP licensing?
A1: Indirect access means using SAP’s data or functions through a non-SAP system or application. In other words, a person or app that never logs into SAP directly but triggers SAP transactions or reads SAP data is accessing SAP indirectly. For example, if your e-commerce website creates an order in SAP, those web customers are indirectly accessing SAP. SAP requires you to license this usage even though it’s not via the SAP GUI.

Q2: Why can indirect access lead to legal or financial issues for my company?
A2: The issue is that SAP’s contracts historically charged for any use of the software, and indirect use was often overlooked until an audit. If SAP finds you allowed outside systems or users to use SAP without proper licenses, they can claim back fees or damages. This has led to high-profile legal cases (like the Diageo case) where companies owed tens of millions for license shortfalls. In short, indirect access can breach your license agreement if not accounted for, leading to compliance penalties or expensive settlements.

Q3: How does SAP’s Digital Access (document-based) licensing work?
A3: Digital Access is SAP’s newer model to handle indirect usage by counting documents instead of users. Under this model, you purchase a certain number of documents (in bundles) that cover transactions created by external systems. For example, if external applications create 10,000 sales orders in SAP per year, you’d license at least 10,000 documents. The model supports unlimited external users – you just need to ensure you have purchased sufficient document capacity. It also doesn’t charge for simply viewing data. This can simplify compliance and sometimes reduce costs, especially if you have a large number of occasional external users but a moderate number of transactions.

Q4: Should we switch to the digital access model or stick with traditional user licenses?
A4: It depends on your usage profile. Suppose you have a high volume of transactions coming from third-party systems (such as IoT sensors and customer platforms) or an unknown number of external users. In that case, digital access is often more practical and cost-effective. It prevents the scenario of needing thousands of named user licenses for every partner or customer. On the other hand, if your indirect use is minimal – say just one or two interfaces with low document counts – you might be fine sticking with traditional licensing or even negotiating a small add-on license. Perform a cost analysis: estimate your annual document count and obtain a quote for that compared to the cost of user licenses. Additionally, consider the administrative overhead; many companies prefer digital access for its simplicity, even if the costs are similar. In any case, review this decision periodically, as what is optimal can change as your business grows or SAP updates its policies.

Q5: Does moving to RISE with SAP (cloud subscription) solve the indirect access problem?
A5: It significantly reduces the problem but doesn’t erase it. RISE with SAP bundles most licensing into a single subscription, which typically includes indirect usage. You won’t be separately licensing each interface – it’s essentially “all-inclusive” for normal integration scenarios. This means fewer worries about surprise fees for connecting a new system. However, you must remain vigilant. Extremely heavy usage (like millions of API calls or documents) may exceed the implicit allowances and require you to upgrade your subscription. Also, your contract should clearly state that your expected integrations are permitted. In summary, RISE simplifies indirect access management for most use cases; however, it is essential to monitor your consumption and ensure that your contract covers any extraordinary usage.

Q6: How can we detect and monitor indirect access usage?
A6: Start by leveraging SAP’s tools: SAP has provided an Indirect Usage Estimation tool (via an SAP note) that can scan your system to count documents likely created by external sources. It’s not perfect – it might over-count in some areas – but it’s a good baseline. You can also implement the SAP Passport technology, which tags external inputs for more precise tracking; however, it requires system updates, and not all customers opt for it. Aside from SAP tools, you should maintain internal logs of interfaces, including which accounts or technical users are used by integrations and the number of transactions they execute. Many organizations do monthly or quarterly reviews of interface activity. If you have a Software Asset Management (SAM) solution or SAP license management tool, configure it to report on indirect usage. The key is to make indirect access visible internally before an SAP auditor identifies it.

Q7: What should we do if SAP audits us and finds indirect access non-compliance?
A7: First, don’t panic. Engage calmly with SAP’s audit team and verify their findings. Often, SAP will highlight areas where they believe extra licenses are required. You should analyze those scenarios yourself – how many documents or users are truly involved? In many cases, SAP will propose purchasing digital access licenses to resolve the shortfall. This can be an opportunity to negotiate. For instance, you might agree to adopt digital access in the future, but ask for credit for past compliance or discounts under programs like DAAP to mitigate the cost. It’s wise to involve your procurement and legal teams; if the stakes are high, consider seeking external expert help to negotiate a settlement. Remember, an audit outcome is negotiable – you want to turn it into a commercially acceptable solution rather than just paying the first bill presented.

Q8: Can we simply avoid indirect access charges by technical means (e.g. limiting integrations)?
A8: Trying to technically circumvent licensing usually isn’t practical and can stifle innovation. While you can limit how external systems interact with SAP (for example, by exchanging data in batches or via files), if those interactions result in SAP transactions, they’re still licensable. The best approach is not to avoid integrations but to plan for them with proper licensing. That said, you can design smartly: if read-only data export is your main need, use approaches that don’t trigger SAP transaction creation (to stay license-free for those reads). However, for interactive processes, you will need to license it. Some companies choose to use non-SAP systems as a buffer (for instance, by building middleware that handles many transactions and only sends a summary to SAP) – this might reduce the document count, but it adds complexity. It’s usually more efficient to enable the integration and ensure your SAP license covers it rather than hobbling your architecture to save license fees.

Q9: What contract clauses or terms help protect against indirect access surprises?
A9: Key terms to negotiate include:

• A clear definition of “Use” that excludes passive data viewing and defines what constitutes indirect usage that requires a license.
• An acknowledgment of known third-party interfaces (listing them, if possible), and a statement that these are permitted under existing licenses or the subscription.
• If you adopt Digital Access, a clause that fixes the price of additional document packs or caps the cost for high volumes ensures you don’t face unlimited expenses as your business grows.
• “Give-back” provisions if you convert existing licenses to digital documents (so you’re not paying twice for the same capability).
• Audit provisions that give you reasonable time to cure any compliance issues and perhaps limit back-charges (some customers negotiate that any license shortfall will be purchased prospectively, not as a retroactive penalty).
  Having these points in writing greatly reduces ambiguity. Engage your legal counsel to get specific language – generic SAP contracts often favor SAP, so it’s up to you to add customer-centric protections.

Q10: Is indirect access just an SAP issue, or should we also be concerned about it with other software?
A10: Indirect or shared usage also arises with other enterprise software, but SAP has been one of the most notable for enforcing it strictly. Other vendors (Oracle, Microsoft, etc.) have their own rules for third-party access. However, the scale of potential fees and the high-profile cases have made SAP’s indirect access a focal point for many CIOs. The general lesson is universal: whenever you integrate systems, always check how the licensing works for both sides of the integration. For SAP specifically, it remains a critical area to manage, especially in large enterprises with complex application landscapes.

Read more about our SAP Advisory Services.

Schedule a meeting with us to discuss our SAP Advisory Services.

Please enable JavaScript in your browser to complete this form.

Name *

First

Last

Email *

Company

Message *

Submit