
Managing SAP Indirect Access Compliance
Executive Summary: SAP Indirect Access refers to the use of SAP software via third-party applications, interfaces, or automated systems without a direct SAP login.
It has become a major compliance concern for IT leaders, as unlicensed indirect usage can result in unexpected audit fees in the millions.
In response, SAP introduced a Digital Access licensing model that ties fees to business documents created through indirect use.
IT leaders must proactively identify indirect access in their landscapes, select the appropriate licensing model, and negotiate contracts to manage this risk while facilitating business integrations.
SAP Indirect Access
SAP Indirect Access is any scenario where people or external systems utilize SAP’s data or functions without directly logging into SAP.
Instead of a user entering transactions in the SAP GUI, a third-party platform (such as a web portal, mobile app, or middleware) triggers SAP to process data on the back end.
In practical terms, if an external system creates or changes records in SAP – for example, posting a sales order or updating inventory via an API – that is indirect usage of SAP.
Not all external access is licensable. SAP draws a line between active use and passive “static read” access.
If data is exported from SAP for viewing elsewhere (with no changes or automated actions fed back into SAP), it’s generally considered a static read and does not require additional SAP licenses.
The moment an external system writes back to SAP or invokes an SAP transaction (e.g., creating an order, invoice, or journal entry), it becomes a licensable indirect access event.
In short, SAP expects a license for any use of its software – direct or indirect – that drives business processes in SAP.
Why Indirect Access Became a Compliance Risk
Indirect access has emerged as a compliance hotspot due to a combination of unclear contract language and the growth of digital integrations.
Historically, SAP license agreements stipulated that all usage, “directly or indirectly,” must be licensed, but did not explicitly define indirect use.
This ambiguity led many organizations to unknowingly violate SAP’s rules as they rolled out new digital initiatives.
Key factors that turned indirect access into a minefield include:
- Vague Contracts: Older SAP contracts didn’t clearly define what constitutes indirect use. Companies built web portals, mobile apps, and integrations, assuming existing licenses were enough. The contract wording gave SAP broad latitude to interpret any third-party interaction as chargeable usage.
- High-Profile Audits: Several well-known cases have demonstrated the high cost of indirect access. In 2017, beverage company Diageo was ordered to pay around £54 million after a court found that its Salesforce-to-SAP integration had resulted in thousands of unlicensed SAP users. Around the same time, SAP claimed over $600 million from Anheuser-Busch InBev for customers and partners interacting with SAP through external systems (settled for an undisclosed sum). These headlines shocked CIOs, revealing that a simple interface could trigger enormous license liabilities.
- Scale of Digital Use: As businesses expanded e-commerce, IoT, and cloud apps, almost every SAP customer introduced third-party connections. Many CIOs were caught off guard that a peripheral system (like a supplier portal or IoT sensor) could count as an SAP user. Indirect access amplified compliance risk because it extended SAP’s licensing reach to potentially thousands of external users and devices that were never part of the original license planning.
- Enforcement Push: SAP began auditing and enforcing indirect usage aggressively around 2017–2018, creating a sense of urgency. The lack of internal monitoring tools at companies meant that indirect use went unmanaged until SAP auditors pointed it out, usually accompanied by a hefty bill.
In summary, indirect access became a compliance trap: unclear rules and aggressive enforcement led to unplanned costs and conflicts with SAP.
IT leaders recognized the need to proactively address this issue to prevent budget surprises and avoid potential legal disputes.
Common Indirect Access Scenarios
Indirect access can occur in many everyday business processes.
IT leaders should recognize these common scenarios where SAP may be used behind the scenes:
- Online Retail Orders: A non-SAP e-commerce website or customer portal takes an order from a customer and then calls an SAP API to create a Sales Order in SAP ECC/S/4HANA. The customer and web app user never log into SAP, but SAP is processing orders triggered externally. Every online sale could count as indirect SAP use.
- CRM to SAP Integration: Sales teams often work in a cloud CRM, such as Salesforce, or another system to manage leads and quotes. When a deal closes, the CRM system sends the order or customer info to SAP, which then creates records (orders, invoices, new customer accounts). In the Diageo case, Salesforce users indirectly created SAP orders; SAP argued that those users needed licenses.
- Warehouse or Shop Floor Systems: A warehouse management system (WMS) or barcode scanning app updates inventory in SAP. For example, scanning a pallet triggers a goods movement in SAP via an interface. The warehouse workers never use SAP directly, but each scan updating stock is an SAP transaction behind the scenes.
- Supplier/Vendor Portals and EDI: Your suppliers or distributors may use a B2B portal or send EDI messages that integrate with your SAP system. If a vendor’s system sends an electronic purchase order or invoice to your SAP system, SAP will create documents (purchase orders, invoices, confirmations). Those partner actions are indirect access events – external parties’ interactions resulting in SAP records.
- HR and Payroll Integrations: Many companies utilize external HR, time tracking, or payroll systems (such as Workday or ADP) that periodically synchronize data with SAP. For instance, an external payroll system might post salary journal entries into SAP Finance, or an HR system might update employee info in the SAP HR module. These automated updates in SAP (triggered by another system) count as an indirect use of SAP’s functionality.
- IoT Devices and RPA Bots: In modern architectures, IoT sensors, industrial machines, or RPA bots often connect to SAP. An IoT sensor might directly create a maintenance notification in SAP when it detects an issue. Robotic Process Automation scripts might read and write SAP data in the background. Even though no human is logging in, these automated agents are indirectly utilizing SAP’s digital core.
In all such scenarios, SAP is performing work on behalf of external users or systems.
From SAP’s perspective, it doesn’t matter if the trigger was a human on SAP GUI or an API call from a third-party app – the SAP software is being utilized and thus requires a license.
Organizations that don’t account for these scenarios risk compliance gaps because, traditionally, they may not have purchased licenses for customers, suppliers, or devices that are not directly logging into SAP.
Traditional vs. Digital Access Licensing
To address the confusion and customer backlash, SAP introduced a new licensing approach in 2018 called Digital Access.
Today, enterprises have two parallel ways to license indirect use, and many use a combination:
- Traditional Named User Licensing: In the classic model, every individual (or system account) that uses SAP, directly or indirectly, requires a named user license. These roles include Professional, Limited Professional, Employee Self-Service, and others, each with distinct permissions and associated costs. Under the strict interpretation, if 1,000 customers place orders via a third-party web portal that feeds into SAP, you would theoretically need 1,000 named user licenses (one for each customer or an equivalent external user type license). In practice, this was nearly impossible to manage or budget for. Companies either ignored the rule and hoped for the best or purchased a handful of technical user licenses to cover the interfaces (which didn’t truly cover all those users, but were a band-aid). The named user approach is simple in concept (one user = one license with unlimited SAP use for that person) and works fine for internal employees. However, it breaks down for high-volume external scenarios – it’s neither technically nor financially feasible to license every consumer, supplier, or device individually. This gap is what led to so many indirect access disputes.
- SAP Digital Access (Document-Based Licensing): The Digital Access model licenses SAP transactions based on volume rather than user headcount. SAP identified nine core document types that cover common business events (such as Sales Order line items, Invoice line items, Purchase Order line items, Delivery documents, Manufacturing orders, etc.). When an external system triggers one of these documents in SAP, it counts towards your licensed document quota. For example, if an e-commerce site created 5,000 sales order line items in SAP last month, you need to have rights for at least 5,000 digital documents. SAP sells these in bundles (commonly packs of 1,000 documents per year). Each document type is counted, often at the line item level; to account for different impacts, some document types have a weighting factor (e.g., high-volume financial and material documents might count as 0.2 of a document, while sales orders count as 1.0 each). Reading or querying data is free under this model – charges only apply when a document is initially created in SAP by an external input. Additionally, SAP doesn’t “double count” follow-on documents: if a sales order spawns a delivery and invoice inside SAP, those subsequent documents aren’t charged again. This model shifts the licensing conversation from “How many users do you have?” to “How many external documents are created?” It aligns costs with business activity and outcomes (e.g., the number of orders) rather than the number of people, which can be more logical in the era of automation and APIs.
Table: Comparison of Indirect Access Licensing Models
Licensing Model | How It’s Licensed | When It Makes Sense | Key Challenges |
---|---|---|---|
Named User (Traditional) | Per individual user (including any external user or device that triggers SAP transactions). Each user needs an appropriate SAP named-user license. | Suitable for scenarios with a limited, known number of external users. Familiar model used for employees (one license per user). | Becomes cost-prohibitive at scale – impractical for thousands of external users. Difficult to identify and track every user. High audit risk if external usage is untracked. |
Digital Access (Document) | Per document event. Licenses are purchased in blocks (e.g. packs of 1,000 document creations per year) covering nine defined document types (Sales Order, Invoice, Purchase Order, etc.). | Best for high-volume integrations where user-based licensing would be untenable. Aligns licensing with actual system usage (transactions) rather than headcount. External users don’t each need a license – cost ties to aggregate activity. | Requires estimating document volumes and monitoring usage. Need to identify which processes create chargeable documents. Overestimating volume can lead to unused capacity (wasted spend), while underestimating risks compliance shortfall. Also adds a new layer of license management for document counts. |
Under the traditional model, compliance involves ensuring that a valid user license covers every person or system that interacts with SAP.
Under digital access, compliance involves tracking the number of documents generated through integrations and ensuring adherence to purchased amounts.
Some organizations negotiate a mix, for example, keeping named user licenses for employees but adding a digital document license for heavy external data exchange.
It’s worth noting that before Digital Access, SAP sometimes offered specialized “engine” licenses or packages to cover certain indirect use cases (for example, a “SAP Sales and Service Order Processing” package licensed by order volume, which a few customers used to cheaply cover their web shops).
SAP has since phased out many of those alternatives to funnel customers toward the Digital Access model.
Today, Digital Access is SAP’s primary answer to indirect use licensing, and SAP actively encourages customers to adopt it.
Measuring and Monitoring Indirect Usage
A critical step in managing indirect access compliance is quantifying your indirect usage.
IT leaders should establish clear visibility into how and how much third-party systems are using SAP.
Key steps and tools include:
- Inventory Your Integrations: Start by thoroughly mapping all systems that connect to SAP. List out every interface, middleware, API, and data feed between SAP and other applications (internal and external). This inventory provides a comprehensive view of potential indirect access points. Many organizations are surprised to discover just how many touchpoints exist – from customer portals to supplier EDI links to IoT platforms.
- Use SAP’s Measurement Tools: SAP provides an Indirect Access Estimation tool (available via SAP notes) and a Digital Access Evaluation Service to help estimate document counts. For example, SAP’s free Digital Access evaluation can scan your systems and report the number of each of the nine document types being created within a given period. These tools typically require identifying certain integration user IDs and running reports that count documents by type. While not 100% precise, they offer a starting baseline. SAP’s newer Passport technology can tag and trace external calls in SAP to more accurately log indirect usage; however, it requires the installation of specific support packs and is not yet widely deployed.
- Leverage License Management Software: Third-party software asset management (SAM) tools or SAP’s License Administration Workbench (LAW) can help analyze usage logs. Some SAM tools can detect external access patterns or consolidate user counts across systems. If your SAP landscape is complex, an investment in such tooling or external expert analysis can pay off by uncovering indirect use that would otherwise be missed.
- Continuous Monitoring: Indirect access isn’t a one-time analysis. Establish a process (perhaps quarterly or biannually) to review key metrics, including the number of digital documents generated, new integrations added, and changes in usage patterns. Monitoring should also cover static read vs. write usage – ensure that integrations claimed to be “read-only” aren’t quietly evolving into interactive ones that update SAP.
Measuring indirect use helps in two ways. First, it quantifies your license liability – so you can budget and purchase the right licenses (user or document packs) before SAP comes knocking.
Second, it highlights inefficiencies or uncontrolled growth in integration usage.
For instance, if one interface is generating a very large number of documents, you might decide to optimize the process (such as batching updates or caching data) to reduce volume and save costs.
Strategies to Manage and Mitigate Indirect Access Risk
Managing SAP indirect access compliance requires a combination of contractual, technical, and organizational measures.
CIOs and IT leaders should approach it as an ongoing area of governance.
Here are key strategies to mitigate risk and cost:
- Clarify Contract Terms: When negotiating or renewing your SAP contracts, explicitly address indirect usage. Define what constitutes indirect use in your context and include exemptions for specific scenarios (e.g., pure read-only data exports). If you adopt Digital Access, ensure that the language includes a provision stating that only the initial document creation is counted (to prevent any ambiguity). Also consider negotiating a cap or buffer – for example, a certain volume of digital documents included at no additional cost or at a fixed rate, to avoid open-ended exposure.
- Leverage the Digital Access Adoption Program (DAAP): SAP periodically offers incentive programs to facilitate the transition to Digital Access. The DAAP, for instance, offers deep discounts (up to 90%) on the list price of digital document licenses for the initial purchase and allows some of your existing shelfware licenses to be credited towards the cost. This program has been extended multiple times (currently with no set end date). IT leaders should seriously evaluate such offers – it can be far cheaper to proactively buy Digital Access licenses at a discount than to pay full price after an audit. Engage your SAP account rep about any ongoing promotions or the possibility of a tailored deal if you commit to addressing indirect use.
- Optimize License Mix: Analyze whether sticking with named user licenses or shifting to document licenses (or a hybrid approach) best fits your usage. If indirect transactions are relatively low, it might be more economical to purchase a few extra named user licenses (or utilize existing ones) for the technical accounts driving integrations. Conversely, if you have high volumes of documents (such as orders), calculate the breakeven point at which Digital Access becomes more cost-effective. Regularly revisit this analysis, as usage can increase over time. Right-size your license allocations proactively rather than waiting for an audit-driven true-up.
- Monitor and Govern Usage: Implement governance procedures to ensure that no new integration goes live without a licensing impact assessment. For example, establish an architecture review step: whenever a project proposes a new interface to SAP, the team must evaluate if it introduces indirect use and account for licensing. Internally, assign responsibility (perhaps a licensing manager or SAM team) to track indirect usage metrics. By treating indirect access as a managed metric (similar to how you manage security or performance), you can identify issues early. Some companies create dashboards to track document count usage against their purchased entitlement, allowing them to know when they are nearing their limits.
- Technical Mitigations: In some cases, you can reduce the cost impact through technical choices. If an integration is creating a very large number of SAP documents, see if it’s truly necessary. Perhaps batch processing or data caching could meet the business need with fewer calls to SAP. Ensure interfaces are configured correctly – e.g., a poorly designed interface that creates duplicate records will not only hurt data quality but also unnecessarily inflate license counts. While you should never try to “game” the system improperly, efficient integration design can incidentally minimize licensable events.
- Consider Cloud/Subscribers: If your organization is moving toward SAP S/4HANA Cloud or RISE with SAP (the subscription offering), understand how indirect access is handled in this context. In RISE with SAP, for example, digital access is generally bundled into the subscription based on an FUE (Full User Equivalent) metric – meaning a lot of indirect usage might be covered by your subscription as long as it’s within normal ranges. This can simplify compliance (fewer separate indirect charges) if negotiated correctly. However, extremely high-volume use might still require additional capacity. The strategy here is to use a migration to the cloud or S/4HANA as an opportunity to clean up indirect access issues: negotiate as part of the new deal that your typical third-party interfaces are included in the subscription. Many companies have obtained contractual assurances in RISE deals that shield them from indirect access surprises.
- Educate Stakeholders: Finally, create awareness among both IT and business stakeholders about indirect access. Ensure that your procurement team and IT architects know that connecting a tool to SAP isn’t “free” from a licensing standpoint. By building knowledge, business units are less likely to spin up rogue integrations that later cause compliance headaches. Equally, train your SAP user administrators not to think only in terms of human users – they should also monitor service accounts and external connections as part of license compliance.
The overarching goal is to be on offense, not just defense. If you proactively manage indirect access – through smart licensing choices, vigilant monitoring, and strong contracts – you can support business innovation (integrating SAP with all the modern apps and devices you need) without falling into a compliance trap.
It turns a potential IT liability into a manageable aspect of your SAP environment.
Recommendations
- Map All Third-Party Connections: Create an inventory of every system, application, or user group that interacts with SAP indirectly. Visibility is the first step in controlling indirect access.
- Measure Your Indirect Usage: Utilize SAP’s Digital Access evaluation tools or third-party analysis to quantify how many documents are created by external inputs. Know your baseline so you can plan licensing needs.
- Evaluate License Model Options: Compare the cost of covering indirect use with additional named user licenses versus purchasing Digital Access document packs. Identify the tipping point where one model becomes more cost-effective for your situation.
- Take Advantage of SAP Programs: Proactively engage SAP about the Digital Access Adoption Program or similar offers. Lock in discounts and trade-in credits before an audit forces you to buy at full price.
- Negotiate Clear Contract Terms: When signing new agreements or renewals, include specific terms for indirect access to ensure clarity and transparency. For example, define “static read” exemptions, set predictable pricing for high-volume interfaces, or secure a cap on potential indirect usage fees.
- Implement Ongoing Monitoring: Treat indirect access as an ongoing compliance metric. Monitor document usage and external access logs regularly (e.g., quarterly) to catch any spikes or new interfaces. This allows you to adjust licenses or usage patterns proactively.
- Educate and Govern Internally: Train your project teams and architects to consider licensing early. Institute governance so that no integration with SAP goes live without a license compliance check. An informed team will avoid costly mistakes.
- Plan for the Future: If you are migrating to S/4HANA or a cloud subscription (such as RISE), factor indirect access into your transition plan. Use this opportunity to negotiate inclusive terms or reset your licensing model to better align with your modern usage.
FAQ
Q1: What exactly counts as indirect access in SAP?
A: Indirect access occurs when SAP is accessed by a person or program through another system, rather than directly via an SAP login. For example, if a customer places an order on a website that, in turn, creates an order in SAP, that’s indirect access. Reading data from SAP (exporting reports, etc.) without updating SAP is typically not considered indirect use. However, any action that creates or changes data in SAP initiated from outside (such as creating orders, invoices, or entries via an interface) does count and usually requires proper licensing.
Q2: Can we stick to traditional user licenses instead of using the Digital Access model?
A: It depends on your situation. SAP isn’t forcing existing customers to switch to document licensing if the old model works for them. If you have very few external integrations or can cover them with spare named user licenses, you might remain on the traditional model. However, new SAP contracts (especially for S/4HANA or cloud services) often include the Digital Access model by default. It’s wise to evaluate both options – some companies run a hybrid model, maintaining user licenses for known users and adding document licenses for high-volume external transactions. Choose the approach (or mix) that provides compliance and the lowest total cost for your usage profile.
Q3: How can we determine the number of Digital Access documents we need to license?
A: To estimate your document count, start by analyzing system logs and using SAP’s tools. SAP’s Digital Access Evaluation Service can scan your ERP system and report how many of each document type (sales orders, invoices, etc.) were created by indirect means over a period. You can also look at interface logs or IDoc statistics if you use those. In some cases, you may need to make assumptions (e.g., if 10,000 orders came from a web store last quarter, that translates to 10,000 documents). Because the model counts line items, ensure you count each line in an order or invoice as a separate document event. If available, implement the SAP Passport feature to tag external transactions for more accurate tracking going forward. It may also be helpful to get an independent licensing consultant’s assessment – they’ve seen other clients and can help validate your estimates. Always err on the side of a buffer, since document counts tend to grow as the business expands.
Q4: What is SAP’s Digital Access Adoption Program (DAAP), and should we use it?
A: The Digital Access Adoption Program is an incentive program SAP introduced to encourage customers to move to the document-based licensing model. It typically offers significant discounts (often 90% off list price) on the initial purchase of digital access licenses and sometimes allows you to convert some unused existing licenses into credit. Essentially, SAP lowered the cost barrier, enabling customers to tackle indirect use compliance proactively rather than resist it. The program has been extended multiple times and, as of now, remains available. If you determine that you need Digital Access licenses, taking advantage of DAAP can dramatically reduce your cost. It’s a smart way to future-proof your licensing with minimal spending, as opposed to facing a full-price purchase later (or worse, an audit penalty). Always check the current terms of DAAP with SAP – and ensure any conversion or discount is documented in your contract.
Q5: How can we minimize the cost and risk of indirect access in the long run?
A: The best approach is a proactive one. Regularly review your SAP usage and integrations so you’re never blindsided. Keep your SAP user license assignments optimized – remove or reassign any licenses not actively used so you have some headroom for new needs. For integrations, try to use efficient data exchange patterns (avoid super high-frequency calls if not truly needed). Stay informed on SAP’s licensing updates; for example, if SAP reclassifies something as free or changes a policy, you want to know. When planning IT projects, involve your licensing or SAM team in the design phase. Also, maintain a good relationship with SAP and negotiate at renewal time. If you’ve shown diligence in compliance, you may negotiate better terms (like getting certain indirect use cases included in your deal). Finally, consider whether moving to an SAP subscription model (cloud) makes sense for your business – while not a cure-all, it can simplify indirect access management by bundling it into a broader usage metric. In summary, constant vigilance, good governance, and savvy negotiation are the recipe to keep indirect access under control cost-effectively.