
Preventing Unauthorized Indirect Access in SAP Systems
Unauthorized indirect access to SAP occurs when users or systems utilize SAP data via third-party tools without proper licensing, exposing enterprises to significant compliance risks and costs.
IT leaders must proactively prevent such access by understanding SAP’s licensing rules, monitoring integrations, and negotiating favorable contract terms to ensure compliance.
The goal is to avoid surprise audit penalties while enabling necessary business integrations in a compliant, cost-effective manner.
SAP Indirect Access
Indirect access in SAP occurs when people or external systems interact with SAP data through non-SAP interfaces rather than logging in via SAP’s GUI.
For example, a customer web portal, mobile app, or third-party software (like a CRM or IoT device) that creates or reads transactions in SAP is accessing it indirectly.
SAP’s licensing agreements require that any use of SAP software – direct or indirect – be properly licensed.
In practice, this means if a user or device triggers SAP transactions through an external application, that usage counts just as if they logged into SAP directly.
Unauthorized indirect access refers to scenarios that aren’t covered by the appropriate license.
It’s a common blind spot: Companies may connect new digital channels to SAP without realizing that each external user or automated process may require an SAP license.
What seems like a harmless integration can inadvertently violate license terms if not managed properly. Understanding this definition is the first step for IT leaders in controlling exposure.
Why Indirect Access Becomes a Costly Risk
Allowing unlicensed indirect use can result in substantial, unbudgeted fees during audits. SAP has taken a firm stance that every individual or system benefiting from SAP data must be paid for.
In one high-profile case, a global beverage company’s customer portal (built on Salesforce) tapped SAP to process orders, and a court ruled the customer owed over £54 million (≈$70+ million) in license fees for those portal users.
Another enterprise faced a $600 million claim for sales tools that connected to SAP without proper licenses.
These examples underline the stakes: if SAP discovers indirect usage that isn’t licensed, they may demand back payments at list prices, plus maintenance penalties.
Such audit surprises can devastate IT budgets, often far exceeding any savings from unlicensed usage.
Beyond the financial impact, this issue can stifle innovation: teams become wary of deploying new integrations or automation if they fear a licensing landmine.
Compliance uncertainty is the real risk – many organizations simply don’t know where indirect access is occurring or how much usage is within their license rights.
This unknown creates a compliance vulnerability.
Ultimately, indirect access must be treated as a serious governance issue.
It’s not just about avoiding fees but about planning integrations intelligently so IT can innovate without stepping over hidden licensing lines.
SAP’s Evolving License Models (User vs. Digital Access)
SAP historically sold licenses per named user, including users accessing the system indirectly.
Every person or device using SAP data was supposed to have a named user license (with types ranging from low-cost employee self-service users to expensive professional users).
This legacy model made indirect scenarios awkward: for instance, thousands of occasional e-commerce customers would technically need a user license each, which is neither practical nor affordable.
In 2018, SAP introduced the “Digital Access” model to modernize this. Digital Access shifts the metric from users to documents (business transactions recorded in the system).
Under this model, indirect usage is measured by the number of certain documents created (e.g., Sales Orders, Invoices, Purchase Orders, etc.).
SAP identified nine document types that cover common business outcomes (sales, purchase, invoice, manufacturing, quality management, service and maintenance, time management, financial and material documents); each document is counted once, except that financial and material documents are counted at one-fifth (a 0.2 multiplier).
Customers can license a block of documents, regardless of the number of external users or devices that generate them.
This outcome-based approach aligns better with digital workflows, for example, if a million orders are created via an online store, you pay for those documents instead of needing a million user licenses.
Initially, SAP incentivized the adoption of Digital Access with steep discounts (up to 90% off) and by crediting existing user licenses toward document licenses.
Many enterprises took this deal to cap their indirect exposure.
Today, new SAP S/4HANA contracts often default to document-based licensing for indirect use.
Still, companies have a choice: stick with named user licensing or convert to digital access.
Each has pros and cons – named user licenses are simpler if indirect usage is small, while digital access can be more cost-effective for broad integrations.
The table below compares these models:
Licensing Model | How Indirect Use Is Measured | When It Makes Sense | Drawbacks |
---|---|---|---|
Traditional Named User (legacy) | Per individual user (including any person/device indirectly accessing SAP). | Few external users or partners; usage is limited and identifiable. | Costs balloon with high user counts (e.g. customer-facing apps); each user needs a license. Audits can find “hidden” users. |
Digital Access (“Document” licensing) | Per document or transaction created by indirect systems (covers 9 document types like orders, invoices, etc.). | High-volume transactions from web portals, IoT, or third-party apps; unpredictable or large user base. | Requires tracking document counts; need to pre-purchase volume (estimating usage). Unused document capacity can be wasted, and overages need additional purchase. |
Indirect Static Read (exception) | Read-only data exports or queries from SAP (no business transaction created). | Data replication to a warehouse or reports where third-party tools only view SAP data. | Only applies if data is truly static or one-way. Any update or real-time query likely voids this exception. |
RISE with SAP (cloud subscription) | Indirect use bundled under subscription user entitlements (measured as overall usage in Full User Equivalents). | Moving to SAP’s cloud SaaS (S/4HANA Cloud) where typical integrations are included. Simplifies compliance for standard interfaces. | Extremely high transaction volumes (e.g. millions of IoT events) may still require additional capacity. Must ensure contract covers all planned integrations. |
Key point:
Regardless of the model you use, deliberate management is necessary. Named-user licensing demands that you identify every human and bot accessing SAP.
Digital Access demands that you count documents and adjust for growth.
Both require a clear understanding of your SAP use patterns. Many enterprises conduct a cost analysis to decide which model yields the lower cost for their usage profile.
For instance, if you have 500 indirect users performing 5,000 transactions a year, compare the cost of 500 user licenses vs. the cost of 5,000 documents.
SAP’s newer contracts and cloud offerings have eased the burden. RISE with SAP (S/4HANA cloud subscriptions) now includes most digital access rights in the subscription fee, thereby reducing the need for separate indirect charges.
However, even under RISE, extremely heavy usage or out-of-the-ordinary scenarios might require additional negotiations.
The takeaway for IT leaders is to choose the model that aligns with how your business extends SAP and ensure it’s reflected in your contract to avoid surprises.
Identifying and Monitoring Indirect Usage
You can’t control what you don’t know – so a critical step is to map out all the ways SAP data is accessed in your organization.
Start by inventorying integrations: list every third-party application, middleware, or interface connected to SAP.
Common culprits include customer-facing websites, mobile apps, partner portals, cloud services (such as CRM, HR, and e-commerce platforms), robotic process automation (RPA) bots, and even Excel macros or API scripts that pull data from SAP.
For each interface, determine whether it reads from SAP, writes to SAP, or both.
How many end-users or devices are connected to it? This mapping effort often reveals indirect usage you weren’t aware of.
For example, a single technical user account might be funneling data to SAP on behalf of hundreds of employees or customers. Once you have the big picture, leverage tools to quantify the usage.
SAP provides the system measurement program (transaction USMM) and the License Administration Workbench (LAW), which report named-user and engine counts and can help flag activity from non-dialog (technical) users and interface accounts.
Many organizations also use third-party software asset management tools to track indirect access metrics (e.g., counting documents created via external systems).
Regular monitoring is essential – establish a process (quarterly or continuous) to review new integrations or changes that may introduce indirect access.
The goal is to detect unauthorized usage internally before an official SAP audit is conducted. It’s also wise to classify any “read-only” access that might qualify as Indirect Static Read (which SAP does not charge for, if it meets the criteria).
For instance, if you export data daily from SAP to a data lake and users query that data lake, that’s likely a static read scenario; document it so you can defend it as license-free if questioned.
In sum, shine a light on all the shadow usage: transparency is your ally.
With a comprehensive view of indirect usage, you can make informed decisions on licensing or technical adjustments to ensure compliance.
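The inventory step above boils down to answering, per document, "which account created it, and is that account a human or an interface?" The following is an added example (not tooling from the page or from SAP) that runs that attribution over a constructed document-header extract joined to a constructed user-master extract. The user-type letters follow USR02.USTYP (A = dialog, B = system, C = communication, S = service) and the "created by" column mirrors the ERNAM field on document headers; the record layout, account names and document volumes are assumptions for illustration. It also applies the Digital Access counting rule (one unit per document, 0.2 for financial and material documents) so the technical-account total can be compared against a document-based contract, and it lists dialog accounts whose document volume looks more like a bot or a shared login than a person.

```python
"""Attribute SAP documents to creating accounts and estimate Digital Access units.

Added example, not the page's or SAP's own tooling.  Extracts below are
constructed; column names follow USR02.USTYP and the ERNAM 'created by' field
but the layout is an assumption about how you export them.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# USR02.USTYP user types: A = dialog (human), B = system, C = communication,
# S = service, L = reference.  Non-dialog types are the usual interface accounts.
TECHNICAL_TYPES = {"B", "C", "S"}

# Digital Access counts each document once; financial and material documents
# carry a 0.2 multiplier.
DOC_MULTIPLIER = {"FINANCIAL": 0.2, "MATERIAL": 0.2}


@dataclass(frozen=True)
class Document:
    doc_type: str    # one of the nine Digital Access document types
    doc_id: str      # document number from the header table
    created_by: str  # ERNAM on the document header


# Constructed user-master extract: account name -> USTYP
USERS = {
    "JSMITH": "A",
    "MPATEL": "A",
    "RFC_SHOP": "C",    # communication user used by the web shop
    "SVC_RPA01": "S",   # service user used by an RPA bot
    "BATCH_FIN": "B",   # system user for the nightly finance interface
}

# Constructed document-header extract
DOCS = [
    Document("SALES", "0000001001", "RFC_SHOP"),
    Document("SALES", "0000001002", "RFC_SHOP"),
    Document("SALES", "0000001003", "RFC_SHOP"),
    Document("INVOICE", "0090000001", "RFC_SHOP"),
    Document("SALES", "0000001004", "JSMITH"),
    Document("SALES", "0000001006", "JSMITH"),
    Document("PURCHASE", "4500000001", "SVC_RPA01"),
    Document("PURCHASE", "4500000002", "SVC_RPA01"),
    Document("FINANCIAL", "0100000001", "BATCH_FIN"),
    Document("FINANCIAL", "0100000002", "BATCH_FIN"),
    Document("MATERIAL", "4900000001", "MPATEL"),
    Document("SALES", "0000001005", "OLDUSER"),  # creator no longer in user master
]


def account_class(user, users):
    """Classify a creating account as 'technical', 'dialog' or 'unknown'."""
    utype = users.get(user)
    if utype is None:
        return "unknown"   # deleted or renamed account: still worth a look
    return "technical" if utype in TECHNICAL_TYPES else "dialog"


def digital_access_units(doc_type):
    """Units one document of this type contributes under Digital Access."""
    return DOC_MULTIPLIER.get(doc_type, 1.0)


def attribute_documents(docs, users):
    """Return (per_class, per_account): Counters of doc_type keyed by account
    class and by individual creating account."""
    per_class = {"technical": Counter(), "dialog": Counter(), "unknown": Counter()}
    per_account = defaultdict(Counter)
    for d in docs:
        per_class[account_class(d.created_by, users)][d.doc_type] += 1
        per_account[d.created_by][d.doc_type] += 1
    return per_class, dict(per_account)


def estimate_units(docs, users, classes=("technical", "unknown")):
    """Digital Access units for documents created by the given account classes.
    Unknown creators are included by default: an auditor would count them too."""
    per_class, _ = attribute_documents(docs, users)
    return sum(n * digital_access_units(t)
               for c in classes for t, n in per_class[c].items())


def suspicious_dialog_accounts(docs, users, threshold):
    """Dialog (human) accounts creating more than `threshold` documents in the
    extract: candidates for shared logins or bots running under a personal user."""
    _, per_account = attribute_documents(docs, users)
    return sorted(a for a, c in per_account.items()
                  if account_class(a, users) == "dialog" and sum(c.values()) > threshold)


if __name__ == "__main__":
    per_class, per_account = attribute_documents(DOCS, USERS)
    for cls, counts in per_class.items():
        print(f"{cls:10s} {dict(counts)}")
    print("Digital Access units (technical + unknown):", estimate_units(DOCS, USERS))
    print("Dialog accounts to review:", suspicious_dialog_accounts(DOCS, USERS, threshold=1))
```

Run against a real extract, the per-account Counter is the list you take to the integration owners: every technical account with a non-zero count is an interface that either needs a document entitlement or, if it only reads, a documented static-read justification. The threshold for dialog accounts should be set from your own baseline (median documents per human per period), not the toy value used here.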
Preventive Measures and Best Practices
Preventing unauthorized indirect access isn’t about blocking business innovation; it’s about enabling it safely.
Here are key practices IT leaders should implement to guard against indirect access risks:
- Architect with Licensing in Mind: When designing new integrations, factor in SAP licensing upfront, alongside the technical design. If a marketing app needs to access SAP customer data, decide whether to license each user or batch the data transfer to minimize interactive calls. Sometimes, a different architecture (like a replicated database for read-only queries) can eliminate the need for extra SAP licenses. Early consideration can save costly rework later.
- Enforce Access Controls: Technically restrict SAP interfaces so that only intended systems and users can query data. For example, do not share a single SAP login among dozens of people – this may seem to save licenses, but it violates compliance if those people aren’t licensed. Instead, if multiple external users need SAP data, consider a middleware solution that aggregates requests and ensures either that each user is accounted for or that access is read-only. Utilize SAP authorization roles to restrict the actions that external systems can perform. By sandboxing integrations to the minimal necessary operations, you reduce the chance of an inadvertent license breach.
- Eliminate Redundant and Duplicate Users: A common issue is the presence of duplicate accounts or unused accounts that consume licenses that could be re-harvested. Regularly audit SAP user accounts – remove or reassign those that are inactive or duplicated. This ensures you have a pool of licenses available for legitimate indirect usage or can even reduce your support costs. Some companies find they can free up many professional user licenses by cleaning up old accounts – these licenses can then cover previously “unauthorized” indirect users properly. Right-sizing your named user count is a prerequisite to tackling indirect usage.
- Restrict Real-Time Data Calls: Not every integration needs real-time, direct queries to SAP. If a third-party application can function with periodic data syncs or cached data, configure it that way. Under named-user licensing, a live, synchronous call made on behalf of an external person is what SAP treats as that person's use, whereas data exported in bulk and then displayed from a copy outside SAP is what the Indirect Static Read exception is meant to cover. For instance, instead of letting a sales portal query SAP for inventory on each web page load (which would count as usage for every customer viewing it), update the portal with inventory levels hourly from a batch export. Users see nearly up-to-date info, and you potentially avoid triggering indirect-use licenses for each view. Note that under Digital Access a read that creates no document is not counted anyway, so this measure matters mainly for named-user contracts and for interfaces that also write back to SAP.
- Educate and Govern: Establish internal guidelines for any team planning to interface with SAP. Developers, architects, and project managers should be aware that adding an interface to SAP isn’t just a technical task – it also carries licensing implications. Introduce a governance checkpoint in project planning: any new system integration touching SAP must be reviewed for compliance. Often, a quick consultation with your SAP licensing expert or vendor management team can clarify whether a proposed use requires licenses. This prevents well-meaning teams from unknowingly creating a compliance gap.
- Leverage SAP’s Tools and Programs: Stay informed on SAP’s licensing programs. SAP occasionally offers audit relief programs or exchange programs (for example, trading in user licenses for document licenses during the Digital Access Adoption Program period). Utilize any measurement tools that SAP provides (some newer systems can automatically tag digital access documents for counting). If you are on SAP S/4HANA, ensure that you have activated any available tools that generate a “Digital Access report.” SAP has provided customers with an assessment report to estimate the number of documents. These tools can provide concrete data to base decisions on, rather than relying on guesswork.
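The "Enforce Access Controls" point above (one SAP login shared among many people) is something you can check for rather than take on trust. Below is an added example, not code from the page or from SAP, that scans a constructed set of logon events shaped like Security Audit Log (SM20) output (timestamp, user, terminal) and flags dialog accounts used from several different terminals within a short window, which is the footprint of a shared credential. It separately lists the source hosts of each technical account, which gives you the "who calls this interface" half of the integration inventory. The event layout, account names, hosts and the 30-minute window are assumptions for illustration; the user-type letters again follow USR02.USTYP.

```python
"""Spot shared SAP logins and map interface callers from logon events.

Added example, not SAP tooling.  Events are constructed and mimic the
timestamp / user / terminal columns of Security Audit Log output; the exact
export format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# USR02.USTYP: A = dialog, B = system, C = communication, S = service
USER_TYPES = {
    "JSMITH": "A",
    "MPATEL": "A",
    "WH_SHARED": "A",   # a dialog user the warehouse team passes around
    "RFC_SHOP": "C",    # communication user called by the web shop servers
}
TECHNICAL_TYPES = {"B", "C", "S"}

# Constructed logon events: (timestamp, user, terminal/host)
LOGONS = [
    ("2024-03-04 08:01", "RFC_SHOP", "webshop-01"),
    ("2024-03-04 08:02", "RFC_SHOP", "webshop-02"),
    ("2024-03-04 08:15", "WH_SHARED", "wh-pc-01"),
    ("2024-03-04 08:16", "WH_SHARED", "wh-pc-07"),
    ("2024-03-04 08:20", "WH_SHARED", "wh-pc-12"),
    ("2024-03-04 09:00", "JSMITH", "laptop-jsmith"),
    ("2024-03-04 13:00", "JSMITH", "laptop-jsmith"),
    ("2024-03-04 13:05", "MPATEL", "laptop-mpatel"),
    ("2024-03-05 09:10", "MPATEL", "laptop-mpatel"),  # next day, same machine
]


def parse_events(rows):
    """Group (datetime, terminal) pairs per user, sorted by time."""
    by_user = defaultdict(list)
    for ts, user, terminal in rows:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), terminal))
    for events in by_user.values():
        events.sort()
    return by_user


def shared_account_candidates(rows, user_types, window_minutes=30, min_terminals=2):
    """Dialog accounts logged on from >= min_terminals distinct terminals inside
    any sliding window of window_minutes.  Returns {user: set(terminals)}."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, events in parse_events(rows).items():
        if user_types.get(user) != "A":
            continue  # technical accounts legitimately come from many hosts
        for i, (start, _) in enumerate(events):
            terminals = {t for ts, t in events[i:] if ts - start <= window}
            if len(terminals) >= min_terminals:
                flagged.setdefault(user, set()).update(terminals)
    return flagged


def interface_sources(rows, user_types):
    """Source hosts seen per technical account: the caller list for each
    interface, to be reconciled against the integration inventory."""
    sources = {}
    for user, events in parse_events(rows).items():
        if user_types.get(user) in TECHNICAL_TYPES:
            sources[user] = {t for _, t in events}
    return sources


if __name__ == "__main__":
    print("Shared-login candidates:", shared_account_candidates(LOGONS, USER_TYPES))
    print("Interface callers:", interface_sources(LOGONS, USER_TYPES))
```

A flagged dialog account is not proof of sharing (a person can switch machines), so the output is a review list: confirm with the account owner, then either give each person their own appropriately typed user or move the workload to a dedicated service account with a restricted role. An unexpected host in the interface-callers list is the more interesting finding, since it is an integration nobody inventoried.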
By applying these preventative measures, organizations create a controlled environment where indirect access is either licensed or technically constrained.
This dramatically lowers the risk of an unpleasant surprise when SAP or an auditor comes knocking.
Remember, the goal is not to stop integration – it’s to guide it within safe bounds so the business can keep transforming without triggering unforeseen costs.
Contract Negotiation Strategies
Technical controls are closely tied to strong contract terms. Negotiation is your chance to codify protections against indirect access fallout.
When renewing or signing SAP agreements, IT leaders should push for clarity and favorable terms on this topic. First, ensure the contract explicitly defines indirect (or “digital”) access and states how it’s licensed.
Vague wording (e.g., “all usage direct or indirect must be licensed”) without specifics leaves too much open to interpretation. Instead, negotiate language that carves out known scenarios – for example, you might include a clause that allows certain third-party read-only interfaces without additional license fees.
If you plan to adopt SAP’s digital access model, use the negotiation to secure adequate capacity and favorable discounts. SAP sales reps often have leeway to offer discounts on document packs or even bundle some free documents if you’re committing to a new S/4HANA deal.
Leverage the fact that SAP wants customers to transition to the new model and the cloud by asking for incentives, such as “XX free digital documents” or price locks on future growth.
Another tactic is trading shelfware for rights – if you have unused SAP licenses or components, consider proposing a conversion to coverage for indirect use. For instance, unused engine licenses or surplus named users could be exchanged for a block of document licenses.
Also, seek to cap retroactive charges: get written assurance that if indirect usage is discovered, you’ll pay forward-looking license fees but not punitive back-maintenance for past years.
SAP has become more amenable to this “amnesty” approach in recent years, provided customers come forward proactively.
Importantly, separate the audit process from sales in your discussions – you want the comfort that an ongoing negotiation won’t trigger an immediate audit penalty.
If possible, negotiate audit terms: some contracts allow a customer-remediation period if an audit finds indirect use, during which you can purchase needed licenses at a discount rather than the full list price.
Finally, don’t shy away from involving legal counsel or licensing experts to review contract language around indirect use. The nuances can be complex, and SAP’s standard terms may require adjustments; having expert eyes can save millions in the long run.
In summary, utilize contract time to your advantage: anticipate indirect access needs for the next few years and incorporate solutions into the agreement now, rather than fighting over an audit claim later.
A well-negotiated contract is one of the best defenses against unexpected unauthorized usage.
The Cloud Factor – Indirect Access in SAP RISE
As SAP pushes its customers toward cloud subscriptions (RISE with SAP and SaaS editions of S/4HANA), the good news is that indirect licensing is becoming less of a minefield for those who make the move.
In a RISE with SAP contract, you typically pay a subscription based on business metrics or user counts (often measured in Full User Equivalents for S/4HANA Cloud). SAP bundles many digital access rights into this subscription.
In practical terms, this means common integrations – e.g., your Salesforce CRM creating an order in SAP or a supplier portal reading stock levels – are already covered under your cloud agreement as long as they fall within normal usage limits.
IT leaders can breathe a bit easier when connecting third-party apps to a RISE deployment, as traditional indirect access charges are largely eliminated.
SAP itself has highlighted that one of RISE’s benefits is eliminating the need for separate indirect-use licenses in most cases.
However, “cloud simplicity” doesn’t mean you can ignore usage.
Extreme scenarios may still incur additional fees: if your IoT network generates millions of records a day and dumps them into SAP, or if you have an unusually high number of external users beyond your subscribed metric, you may need to increase your subscription tier.
Moreover, visibility can be a challenge – in on-premise SAP, you can run audit tools yourself, but in SAP’s cloud, SAP handles the monitoring.
Customers should regularly request transparency and reports from SAP on their usage to ensure they’re within their entitled levels.
Also, when negotiating RISE contracts, explicitly discuss any known heavy integrations to confirm they’re allowed.
The shift to the cloud is overall a positive for indirect access management, as it converts an unpredictable cost into a more predictable one, bundled into your subscription.
Just be sure to right-size your subscription and include all foreseeable interfaces in the planning stage.
In essence, moving to RISE or cloud SaaS can dramatically reduce the headache of indirect access, but it doesn’t eliminate the need for oversight.
It changes the conversation from “Did we license those API users?” to “Are we within our subscribed capacity?”.
Many IT leaders see this as a welcome change, freeing them to focus on usage optimization rather than counting licenses for every interface.
If your organization is planning a cloud move, consider indirect access risk reduction as one of the benefits when building the business case.
Recommendations
- Audit Your Integrations: Immediately catalog all third-party systems, APIs, and tools interfacing with SAP. Identify who or what is accessing SAP and how (read vs. write). This inventory is the foundation for managing indirect access.
- Classify and Address Each Use Case: For each integration, determine whether it should be licensed, redesigned, or potentially qualify as a license-free static read. Prioritize high-risk interfaces (those with many users or frequent transactional updates) for remediation first.
- Optimize Named User Licensing: Clean up inactive or duplicate SAP users to maintain a buffer of available licenses. Ensure that every human user has the correct license type assigned (avoiding the unnecessary use of expensive license types). A well-optimized license pool can accommodate some legitimate indirect usage.
- Consider the Digital Access Model: Evaluate SAP’s document-based licensing for your environment. Compare your document volumes to user counts to determine which model is more cost-efficient. If digital access can lower your risk or cost, plan a business case to transition and negotiate terms (e.g., volume discounts, conversion credits).
- Implement Technical Controls: Utilize SAP security and technical settings to prevent unauthorized access. For example, disable generic or shared login accounts that hide real user counts and require each integration to authenticate with a unique service account. Limit those accounts’ permissions to only the necessary data and functions.
- Train Teams on License Compliance: Create awareness across IT and development teams that connecting anything to SAP has licensing implications. Establish an internal review process for new SAP-connected projects to ensure compliance is considered at the design stage. This prevents accidental non-compliance through ignorance.
- Engage with SAP Proactively: If you suspect indirect usage issues, engage SAP (or a certified licensing partner) proactively rather than waiting for an audit. SAP has shown flexibility with customers who voluntarily come forward, often foregoing back penalties if a reasonable path to compliance is negotiated. It’s better to control the narrative than to react to an audit letter.
- Negotiate Protective Contract Terms: Don’t sign SAP deals blindly – insist on clauses that define indirect usage clearly and include any special rights you need. If you’re renewing, use the opportunity to obtain written assurances (e.g., confirmation that certain integrations are permitted or a cap on indirect fees). Engage experts to ensure the wording is accurate.
- Monitor Continuously: Treat indirect access management as an ongoing process, not a one-time fix. Schedule periodic license compliance checks and integration reviews to ensure ongoing compliance. Business environments evolve – new apps emerge, while old ones evolve – so make this a part of IT governance to continuously prevent unauthorized access.
- Leverage External Expertise: If internal resources are limited, consider consulting firms or software asset management services specialized in SAP. They can provide tools and experience from other clients to identify hidden indirect usage and recommend remediation strategies, potentially saving you from costly mistakes.
FAQ
Q1: What is “unauthorized indirect access” in SAP, and why should I care?
A1: Unauthorized indirect access refers to any use of SAP systems via third-party interfaces or applications that aren’t properly licensed. For example, if your employees or customers use a non-SAP app that pulls or pushes data to SAP, each of those users or actions might technically require an SAP license. You should care because SAP treats unlicensed indirect usage as a compliance violation – if they discover it, your company could be liable for substantial fees. Essentially, it’s “unauthorized” because it falls outside of what your contract permits. Every IT leader wants to avoid a scenario where an integration meant to improve business ends up triggering a surprise audit bill. Knowing where indirect access is happening and ensuring it’s authorized (either by licensing it or architecting around it) is critical to avoid financial and legal headaches.
Q2: How can we detect indirect access usage in our SAP environment?
A2: Start by mapping all systems that interface with SAP – this could include other enterprise software (e.g., CRM, HR, e-commerce), custom mobile apps, reporting tools, and even IoT sensors. Once mapped, use SAP’s audit tools (like user reports and the License Administration Workbench) to see how data is being accessed. Look for technical or communication users who handle data exchanges – these often indicate indirect access. You might notice, for instance, a service account that created thousands of sales orders (likely an external system doing that). Also, engage your business and development teams: ask where they send data to or from SAP. It can help to maintain an architecture diagram of data flows. Additionally, third-party license management tools can scan logs and track documents or calls from external sources. Regular internal audits, also known as “mock audits,” are effective for detection. Simulate an SAP license audit by reviewing logs and ensuring each external interaction has a corresponding license.
Q3: What are the consequences if SAP finds we have unlicensed indirect users or interfaces?
A3: The consequences can be severe financially. Suppose an SAP audit finds indirect usage that isn’t licensed. In that case, SAP will likely require you to purchase the necessary licenses retroactively – often at list price (which is much higher than negotiated discounts). They may also charge back-dated maintenance fees for those licenses as if you should have been paying all along. In high-profile cases, these back charges have reached tens of millions of dollars. Beyond the immediate cost, there’s also the aspect of compliance breach: you may end up in a contentious negotiation or even face legal action with SAP, which can strain the vendor relationship. Internally, it could lead to unplanned budget hits and project delays (as funds get diverted to settle the compliance issue). It’s also worth noting the soft consequence: lost trust and scrutiny. Your executives and auditors will likely impose stricter oversight on IT projects in the future. In summary, the fallout is both monetary and operational – it’s far better to prevent the issue than to fix it after the fact.
Q4: How does SAP’s Digital Access (document-based) licensing help with indirect access?
A4: SAP’s Digital Access license (also known as document-based licensing) is essentially a different method of paying for indirect use. Instead of requiring a named user license for each person or system that indirectly uses SAP, you purchase rights based on the number of documents or transactions created. For example, if your e-commerce site creates 10,000 sales orders in SAP, you’d license those 10,000 documents (regardless of whether it was 1,000 customers or 100,000 customers generating them). This model can simplify compliance for scenarios with large or unknown user counts. It often lowers the cost for high-volume, external-facing processes because you’re not paying per user. It also aligns cost with business activity – when the business grows and you process more orders, you add more document licenses accordingly. However, it requires you to estimate your usage and buy-in blocks, so it’s essential to carefully analyze your document counts. Many companies find digital access attractive for modern use cases (such as IoT, APIs, and customer apps) because it eliminates the need to track every user. It’s not always cheaper, but it provides a more transparent and predictable metric for indirect usage. Importantly, if you opt for digital access, ensure your contract with SAP reflects the switch and that any outdated user-based clauses are updated to avoid double charges. It’s a tool to make indirect licensing more manageable – when used correctly, it can eliminate the notion of “unauthorized” access since you’ve effectively pre-authorized a set amount of external activity.
Q5: Will moving to SAP’s cloud (RISE with SAP) solve indirect access concerns?
A5: Moving to RISE (SAP’s subscription-based cloud offering) can significantly reduce indirect access worries, but not completely erase them. In a RISE model, you pay an annual subscription for SAP that typically covers multiple users and a broad range of usage rights, including most indirect scenarios. SAP essentially bundles what would have been separate indirect usage licenses into one package. That means if you integrate common third-party systems (CRM, supplier networks, etc.) with your SAP S/4HANA Cloud, you generally won’t get a separate bill for those integrations – they’re part of your subscription as long as you stay within your contracted scope. This simplifies compliance and virtually eliminates the classic indirect access audits for those on RISE. However, you still need to be mindful of usage levels. If your usage exceeds what you subscribed for (for example, you have way more users or transactions than planned), you might have to true-up your subscription.