SAP Indirect Access
SAP Indirect Access refers to the use of SAP systems by third-party applications or users who aren’t directly logged into SAP. This often-unexpected form of usage can drive up licensing costs and compliance risks for enterprises.
IT leaders need to understand how indirect access works, its impact on SAP license fees, and the strategies that can mitigate potential legal and financial penalties.
What is SAP Indirect Access?
SAP Indirect Access (also referred to as indirect use) occurs when a non-SAP system or external user accesses data or transactions in an SAP system without a direct SAP login. In traditional direct access, a person logs into SAP (via SAP GUI or Fiori) with a named user account.
In indirect access, an external application (such as a customer web portal, CRM, or IoT device) communicates with SAP in the background. For example, if a sales portal pulls customer or order data from SAP, those portal users are indirectly using SAP.
SAP treats these indirect interactions as licensable events, even though users aren’t directly on an SAP screen. In essence, any system or person that retrieves, creates, or updates SAP-held data via an interface might require an SAP license.
Recognizing this distinction is crucial because companies often overlook indirect use when planning integrations, which can lead to compliance surprises.
How Indirect Access Affects SAP Licensing Costs
Indirect access can significantly impact SAP licensing costs by expanding the scope of who or what needs a license. Historically, SAP’s contracts have required a valid license for any individual or system that uses SAP functionality – regardless of the access method.
This means if thousands of customers or devices interact with your SAP data through a third-party app, you could be on the hook for thousands of additional SAP user licenses. These unexpected fees can inflate IT budgets and erode ROI on integration projects.
User-Based vs. Document-Based Licensing:
To manage indirect use, SAP offers two licensing approaches:
- Named User Licensing: Counting each external user or device as a “user” and requiring a license for each. This can become extremely expensive if large communities (customers, suppliers, IoT sensors) are involved.
- Digital Access (Document Licensing): A newer model where you pay based on the number of business documents created or processed via indirect access (e.g,. sales orders, invoices). This transaction-based model, introduced with SAP S/4HANA, often results in costs tied to volume of activity rather than headcount.
The choice of model has a significant impact on costs. The table below illustrates two scenarios:
| Scenario | Cost with Named User Licensing | Cost with Digital Access Licensing |
|---|---|---|
| 1000 customers via a web portal (2 orders each) | ~1000 user licenses * $3,000 each = $3,000,000 | ~2000 documents * $0.80 each = $1,600 |
| IoT devices sending 1,000,000 updates/year | Not practical to license 1M users | 1,000,000 documents * $0.50 each = $500,000 |
In the first scenario, licensing every customer as a named user would cost millions, whereas paying per order document is negligible. In the second, the document-based approach provides a way to license high-volume machine data that simply isn’t feasible to cover with individual user licenses.
These examples illustrate how indirect access can either significantly increase costs or be managed economically, depending on the licensing model and usage patterns. IT leaders must carefully analyze their indirect usage to choose the most cost-effective approach and avoid unpleasant surprises in SAP audit bills.
Identifying Indirect Access Risks
Understanding where indirect access occurs in your IT landscape is essential. Common indirect access risk areas include:
- External CRM or Web Applications: For example, a Salesforce CRM system querying SAP for customer info or an e-commerce website creating orders in SAP. These are high-risk integration points because they involve a large number of users or transactions.
- IoT Devices and Automation: Sensors, shop-floor machines, or RPA bots that feed data into SAP (such as inventory updates or production statistics) can trigger indirect usage. Even if no human logs in, the device interactions count as access.
- Middleware and APIs: Integration platforms (SAP PI/PO, MuleSoft, Dell Boomi, etc.) and custom APIs broker data between SAP and other systems. They can mask the true source of access if a middleware service creates a sales order in SAP on behalf of an external application, which constitutes indirect access and requires a license.
Compliance Traps: A significant risk is assuming that only named SAP users require licenses. In reality, even background processes or technical accounts can consume SAP functionality. Undocumented interfaces or shadow IT integrations are especially dangerous – if they are not on your radar, they won’t be licensed.
To identify risks, map out every system that reads or writes SAP data. Internal systems (like a data warehouse or HR app) and external partner systems should all be reviewed.
The goal is to have no “black box” connections – every data flow into or out of SAP should be known and evaluated for licensing impact. Without this visibility, companies may face compliance issues during an SAP audit when hidden indirect usage is discovered.
Read Preventing Unauthorized Indirect Access in SAP Systems.
SAP vs. Third-Party Indirect Access Cases
SAP’s enforcement of indirect access licensing gained attention due to high-profile legal cases involving customers who used third-party software.
The most notable example is SAP vs. Diageo, where a UK court in 2017 ruled that the client’s use of Salesforce to indirectly access SAP data required additional SAP licenses.
Diageo was found liable for around £54 million in fees because thousands of Salesforce users had indirectly retrieved SAP information without proper licensing.
Another major case involved Anheuser-Busch InBev (AB InBev), which SAP pursued for an alleged $600 million in indirect use fees related to a third-party logistics system.
AB InBev settled the dispute out of court for an undisclosed but substantial amount. These cases sent shockwaves through the SAP customer base, demonstrating SAP’s willingness to pursue large penalties for unlicensed indirect access.
SAP’s Stance:
Through these disputes, SAP has made it clear that it considers data access via any non-SAP application to be equal to direct use.
From SAP’s perspective, it doesn’t matter if an employee enters an order in SAP directly or does it through a third-party front-end – the business value derived from SAP is the same, so a license is required either way. This strict stance is aimed at protecting SAP’s intellectual property and license revenue.
Key Lesson:
For businesses, the takeaway is to proactively review all third-party integrations and address licensing needs upfront. It’s far better to negotiate license terms for a new interface early than to face an audit or lawsuit later.
These cases also highlight the importance of precise contract language: ambiguities in older SAP contracts about indirect use can lead to costly interpretations favoring SAP.
Read Real-World Case Studies in SAP Indirect Access Disputes.
SAP Indirect Access Compliance
Ensuring compliance with SAP’s indirect access policies requires a combination of processes, tools, and vigilance.
Every system or user that interfaces with SAP data must be accounted for under your license agreement.
If a non-SAP application interacts with SAP (e.g., creating orders, retrieving reports), you must either have that usage covered by existing licenses or obtain additional ones (such as the appropriate named user category or document licenses).
Strategies to Stay Compliant:
- Regular Internal Audits: Conduct routine reviews (e.g., quarterly or biannually) of all SAP-connected systems. Identify new integrations or changes in usage that might introduce indirect access. An internal audit can identify issues before an official SAP audit is conducted.
- Use SAP’s License Tools: Leverage SAP’s tools, such as the License Administration Workbench (LAW) and System Measurement programs. These tools help gather data on user counts and technical usage. Newer SAP measurement tools can also estimate the number of digital documents. Regularly run these checks to ensure that any indirect usage is accounted for.
- Employee Awareness and Training: Make sure your IT staff and project teams understand what constitutes indirect access. Many compliance breaches are unintentional – for instance, a developer might connect a new analytics tool to SAP without realizing it requires licensing. Training business and IT stakeholders on indirect use rules will prevent accidental non-compliance.
Equally important is documentation. Maintain an up-to-date inventory of all interfaces to SAP, including the data exchanged and the frequency of exchange. If SAP initiates an audit, having documentation ready for every integration point shows that you’re on top of compliance.
Monitoring tools can be set up to alert if unknown connections appear. In essence, treat indirect access compliance as an ongoing discipline – part of your IT governance – not a one-time effort.
Key Legal Issues in Indirect Access
Several legal questions make indirect access a complex area in contracts:
- Definition of “Use” or “Access”: SAP typically defines software use broadly. Legally, if your contract says an SAP license is required for any individual or system that “uses” the software, SAP will argue this includes indirect scenarios. A key issue is whether retrieving data from SAP constitutes “use” (SAP’s view: yes, it does).
- Contract Language and Ambiguities: Older SAP contracts may not explicitly mention indirect access, which can lead to disputes about what is permitted. Some customers assumed buying a SAP interface product (like SAP PI middleware) covered their indirect usage, but SAP’s lawyers have argued that each end user still needed to be licensed. This gap between customer interpretation and SAP’s interpretation has led to conflicts.
- Usage Rights and Restrictions: Contracts often restrict how SAP data can be accessed or replicated. For instance, integrating SAP data into a non-SAP database or application without permission could breach the license terms. From a legal standpoint, indirect access cases often hinge on whether the customer exceeded the agreed usage scope by connecting unlicensed third-party systems.
Avoiding Legal Conflict:
To stay safe, engage with SAP proactively whenever you plan new integrations. Obtain clarity on whether a planned scenario is permitted under your current agreement.
If not, negotiate an addendum or additional licenses before going live. It’s also wise to involve legal or licensing experts to review your SAP contracts for any language about third-party use or interface connectivity. Closing those loopholes ahead of time – and perhaps getting them explicitly addressed in the contract – can save your organization from courtroom battles.
Indirect Access in SAP S/4HANA
SAP S/4HANA introduced important changes to how indirect access is managed, primarily through the Digital Access Model.
Instead of counting indirect users, S/4HANA’s licensing (for new contracts) shifts the focus to document counts.
Under digital access, nine specific document types (such as Sales Orders, Invoices, and Purchase Orders) are defined. If those documents are created in the SAP core by an external system, they incur a license count.
Reads and updates of data are generally free of charge, and only the initial creation of a document via an external input counts towards your license usage.
This approach aims to simplify and bring more predictability. Companies migrating to S/4HANA can opt to license indirect use based on these document metrics.
For many, this is a relief – you no longer have to figure out how many indirect “users” you have in, say, a customer portal (which was nearly impossible to measure accurately). Instead, you measure the number of orders or other documents the portal creates in SAP.
Considerations for Migrating Customers:
If you are transitioning from SAP ECC to S/4HANA, it presents an opportunity to review your licensing.
SAP has offered programs like the Digital Access Adoption Program (DAAP), which provides credits or discounts to switch to document-based licensing.
It’s wise to evaluate your current indirect usage volumes: if you have a high number of external users but a moderate number of transactions, the digital access model could save money.
Conversely, if indirect interactions are minimal, you may want to stick with named user licenses. When negotiating your S/4HANA contract, work closely with SAP to obtain the optimal mix of user licenses and digital access (document packs) that suits your specific scenario.
The key is to prevent any lapse in coverage during the migration – map all existing interfaces and ensure they are accounted for under the new S/4HANA licensing terms.
How to Measure Indirect Access in SAP Systems
Measuring indirect usage is challenging but crucial for control. Visibility is the first step: maintain an inventory of all external systems interfacing with SAP.
Once you know where to look, use a combination of tools and methods to quantify usage:
- System Logs & Statistics: SAP application servers keep logs of transactions and remote function calls. By analyzing logs (using SAP transaction STAD or ST03N), you can identify activity coming from technical users or external connectors. For example, if a user ID “ECOMMERCE_API” is creating hundreds of orders, that’s indirect usage.
- SAP License Measurement Tools: Tools such as USMM (User Measurement) and LAW (License Administration Workbench) aggregate user counts across multiple systems. Newer versions and specific SAP notes provide Digital Access Estimation tools that scan your system for document creation by external users. You can run these reports to estimate the number of documents that would be counted under the digital access model.
- Third-Party Monitoring Solutions: There are Software Asset Management (SAM) tools that specialize in SAP licensing. These can automate the detection of indirect use by correlating SAP data with other system logs. They often present dashboards showing the number of documents each interface is generating, which is useful for continuous monitoring.
Key metrics to track include the number of documents created indirectly (per document type), the number of external interface connections, and the frequency with which each interface is invoked. It’s advisable to perform these measurements regularly (e.g., quarterly), especially before any SAP true-up or audit.
Continuous measurement ensures you have data on hand to make informed decisions – such as whether to buy additional licenses or to switch licensing models.
In summary, you can’t manage what you don’t measure: invest time in setting up measurement processes so indirect access doesn’t remain a blind spot.
SAP Indirect Use and Integration Tools
Modern IT environments use various integration tools to link SAP with other applications. These tools themselves don’t avoid indirect licensing requirements – in fact, they often enable indirect access.
Common integration methods include:
- APIs: Application Programming Interfaces (including SAP’s own OData or RFC APIs) allow external apps to query or update SAP. If a mobile app uses an API to pull SAP inventory data, that API call represents indirect use. The volume of API calls and the data created will determine the license impact.
- Connectors: Pre-built connectors or adapters (such as SAP Cloud Platform Integration and MuleSoft connectors for SAP) make it easier to send data to and from SAP. Technically, these connectors log into SAP as a user (often a technical user account) to perform tasks on behalf of external systems. SAP typically considers those actions as being performed by an indirect user.
- Middleware Platforms: Enterprise Service Buses or middleware (SAP PI/PO, Boomi, IBM Integration Bus, etc.) facilitate the transfer of data between systems. While they improve architecture, they can also aggregate multiple sources of access through a single channel. That means you must carefully track what the middleware is doing in SAP’s backend, as it may create thousands of transactions that all require licensing.
Managing Integration Compliance: For each tool in use, ensure there is documentation of what transactions it performs in SAP. For instance, if an integration platform posts financial entries into SAP, specify the number of entries per month.
During an audit, SAP will scrutinize these tools as if they were users. It’s wise to evaluate licensing needs early – when designing a new interface, ask SAP or a licensing expert, “If we connect System X via this middleware, what licenses do we need?”
This proactive approach can prevent expensive surprises later. Additionally, perform periodic audits of the integration tools themselves.
As your business expands, a connector originally used for a small task may scale up significantly (e.g., now it handles all orders from a new website), requiring adjustments to your licensing accordingly.
Case Studies in Indirect Access Disputes
Real-world disputes provide cautionary tales. Two notable case studies already mentioned are:
- Diageo: A global beverage company that allowed Salesforce CRM to interface with SAP ERP. They believed their existing SAP licenses and use of SAP’s middleware (SAP PI) might cover the usage. However, a court found that the thousands of Salesforce users still constituted unauthorized use of SAP. Diageo’s costly lesson was that even read-only access to SAP data via a third-party app was not exempt from licensing.
- AB InBev: The beer conglomerate faced a massive claim after SAP audited its systems and found a third-party logistics software exchanging data with SAP without proper licenses. The case went to arbitration, and AB InBev settled, reportedly paying a significant sum rather than litigating in public court.
Lessons Learned:
First, transparency with SAP is critical. If Diageo or AB InBev had openly discussed their integration plans with SAP beforehand, they might have negotiated a licensing deal instead of facing enforcement action.
Second, always review contracts and clarify indirect use rights – neither company had clauses explicitly permitting those third-party usages.
Engaging SAP early when implementing new systems can lead to more favorable terms or at least a mutual understanding, reducing the chance of a dispute.
Finally, these disputes demonstrate SAP’s approach to resolution: they will seek back-licensing fees (possibly for years of usage) and may pursue legal action if a customer is uncooperative. Companies should avoid reaching that point by maintaining good communication and ensuring compliance documentation is up to date.
Mitigating Indirect Access Penalties
Indirect access penalties or back-charges can be steep, but there are ways to mitigate these risks proactively:
- Limit Unnecessary Integrations: Each external interface to SAP is a potential liability. Simplify and consolidate systems where possible. If you can retire redundant applications or use a single middleware for multiple needs, you reduce the number of access points to manage (and license).
- Frequent Compliance Audits: Don’t wait for SAP’s official audit. Do your mini-audits regularly. Verify that every known interface has a corresponding license. Catching a growing indirect usage early allows you to address it (by licensing or adjusting usage) before it accumulates into a large penalty.
- Use SAP-Certified Solutions: When selecting third-party software to integrate with SAP, opt for SAP-certified interfaces or partner solutions. While certification itself doesn’t grant license immunity, these solutions are typically designed with SAP’s licensing rules in mind, and you might get clearer guidance on how to license their use. SAP-approved connectors might also come with terms that make licensing easier to negotiate.
If you do discover a potential compliance gap, it’s often better to approach SAP before they approach you. When negotiating with SAP:
- Gather Detailed Usage Data: Knowledge is power. Come to SAP with a detailed report of how many interactions or documents your third-party system is generating. This shows good faith and allows a more data-driven negotiation on license costs (rather than SAP assuming the worst-case scenario).
- Explore Alternative Models: If the standard license approach is prohibitively expensive, ask about the Digital Access model or other options. In some cases, moving to document-based licensing or a volume-based deal can significantly reduce the cost compared to buying thousands of named users.
- Long-Term Agreements: If you anticipate ongoing growth in indirect usage, consider negotiating a long-term contract or enterprise license that covers indirect use more holistically. SAP may be willing to discount if you commit to a multi-year arrangement that secures your compliance over time.
Building a compliance-centric strategy is ultimately the best mitigation. This means training your teams to always consider licensing impacts when integrating systems and centralizing oversight of all SAP integrations.
A designated licensing or compliance manager can ensure that every new project is reviewed for indirect access implications, thereby preventing problems before they arise.
The Role of Digital Interfaces in Indirect Access
Digital interfaces (like APIs, web services, and connectors) are the technical means through which indirect access happens.
Their role is pivotal: they serve as the conduits through which outside users or devices interact with SAP.
For instance, an API might let an e-commerce site check SAP for product availability in real-time.
A connector might sync data between SAP and a cloud analytics platform. These are powerful tools, but if left unchecked, they can inadvertently open many channels of unlicensed use.
Key types of interfaces and their impact:
- APIs: They provide direct programmatic access to SAP. If an API allows a third-party app to create orders or fetch data, you need to license those actions. High API call volumes could translate to high document counts (under digital access) or a large number of equivalent users.
- Middleware: This can obscure who is accessing SAP because the middleware acts as a proxy. For example, if five different systems all feed into SAP through one middleware, you might only see the middleware’s account in SAP logs. Without careful monitoring, you might underestimate indirect usage. Middleware is useful, but you must ensure it doesn’t hide licensing needs – break down what that middleware is doing on behalf of others.
- Cloud Integration Tools: Many organizations use cloud integration services or iPaaS solutions to connect SAP with cloud apps. These can spin up numerous lightweight connections or microservices hitting SAP. Each of those is an access point that should be governed. Digital interfaces often make technical integration easier, which ironically can increase the risk of overuse because connecting to SAP is no longer a significant technical hurdle.
Best Practices: Always maintain a catalog of interfaces. For every API endpoint or integration flow into SAP, document the purpose and the data being created or read. Monitor interface activity, ideally automatically.
Solutions like SAP Solution Manager or integration monitoring tools can log how often each interface is used. If you detect an interface suddenly spiking in usage, investigate whether this is expected and ensure that licensing is adjusted accordingly.
Finally, involve SAP’s team or support: have periodic reviews with SAP representatives to discuss your integration landscape.
They can advise on whether certain interface scenarios are permissible under your current licenses or if you should consider additional provisions. A collaborative approach with SAP can turn these interfaces from a liability into a well-managed asset.
Preventing Unauthorized Indirect Access
Preventing unauthorized or unintended indirect access is about controlling both technology and process:
- Strong Access Policies: Establish clear policies that no system may connect to SAP unless it’s been approved by the architecture and compliance teams. This prevents ad-hoc integrations set up by well-meaning developers without visibility. Limit generic or open-access methods; for example, disable any widely shared SAP accounts or generic credentials that external tools might use without proper oversight.
- Role-Based Access Control (RBAC): Within SAP, use roles to restrict the actions that any external-facing account can perform. If an interface account is only intended to read data, ensure its SAP role cannot create or modify data. This minimizes the risk that an external system inadvertently performs actions that would incur licensing (or even cause data errors). Also, ensure that only necessary people have the right to set up new interfaces.
- Continuous Auditing and Monitoring: Regularly audit all connections to SAP. This could involve reviewing SAP system logs, gateway logs, or network logs for any unknown integrations. There are SAP Governance, Risk & Compliance (GRC) tools that can help track who (or what) is accessing data. Consider using the SAP Solution Manager’s monitoring capabilities to get an overview of connected systems.
From a cultural perspective, promote a compliance mindset among IT teams. Everyone should treat SAP like a controlled resource – because it is one, both technically and legally. Encourage team members to report any new data integration involving SAP so it can be evaluated.
Assign “SAP compliance champions” or an owner who regularly checks that policies are followed. When new software is introduced into the environment, part of the deployment checklist should be “Does it interface with SAP, and if so, did we account for indirect use licenses?” By building these checks into your processes, unauthorized access (the kind that “flies under the radar”) can be caught and addressed before it grows.
Licensing Costs with Third-Party Integrations
When integrating third-party systems with SAP, it’s crucial to factor in potential SAP licensing costs as part of the project budget.
Often, the hidden cost of integration is the SAP license impact:
- Identify High-Cost Integrations: Some systems are inherently heavy on transactions. For example, integrating an e-commerce platform that logs every customer click or inquiry into SAP could generate huge document volumes. Similarly, a custom application that frequently reads and writes SAP data might drive costs through frequent use. Flag such projects early as high-licensing-impact candidates.
- Budget for Growth: If a third-party integration is small now but expected to grow (e.g., with more users or additional data in the future), plan for your SAP licensing spend to grow accordingly. A common mistake is implementing a pilot integration without a license and then scaling up usage without revisiting the license requirements. Always re-evaluate when usage expands.
- Consider Digital Access Pricing: Evaluate whether switching to a document-based model would make costs more predictable or lower for your specific integration mix. For instance, if you have thousands of occasional external users (such as customers or vendors), paying per document might be more cost-effective than purchasing user licenses for all of them. Conversely, if integrations create only a handful of documents but you’ve licensed a large user count, you might be over-paying – adjusting the model could save money. Calculate both scenarios.
Cost Reduction Strategies: You can take steps to reduce licensing costs without reducing functionality. Consolidation is one option: if multiple third-party apps perform similar functions, consider whether they can be integrated through a single interface or even replaced with a single solution, thereby eliminating duplicate license requirements.
Another strategy is to negotiate with SAP – if you know integration is critical but expensive, approach SAP for a custom licensing arrangement (for example, a bulk document license pack or a special license type tailored to that scenario).
SAP may offer special terms for unique situations, especially if it helps keep the customer on board with SAP products. Finally, continuously review your integrations to ensure they deliver usage versus value.
If an integrated system is not providing enough benefit to justify its added SAP cost, consider disconnecting it or finding an alternative approach (perhaps batch data transfers, which might incur fewer license costs than real-time integrations). Treat indirect access cost as a factor in ROI calculations for any third-party system.
How to Defend Against Indirect Access Audits
When you receive an SAP audit notice, preparation is your best defense – especially for indirect access:
- Pre-audit Preparation: Maintain comprehensive documentation of all third-party systems connected to SAP, as previously mentioned. By the time an audit begins, you should already have a dossier ready: a list of interfaces, their functions, and the dates on which they were licensed or reviewed. This will put you in a strong position to answer auditors’ questions quickly and accurately.
- Conduct Internal Audits First: Before SAP’s official auditors come in, do an internal license audit. Simulate what SAP will look for. Check if there are any unlicensed users or interfaces and address them (either remove the access or acquire licenses) ahead of time. It’s far better for you to identify and resolve an issue than for SAP to discover it and issue a non-compliance notice.
- Know Your Contract: Be extremely familiar with the specifics of your SAP licensing agreements. Pull out the contract clauses on indirect use, named users, engine metrics, etc., and understand your obligations. In an audit meeting, if you know exactly what your contract says, you can ensure SAP doesn’t overstate your requirements. Sometimes audits are conducted by third-party firms on SAP’s behalf – they may use boilerplate rules, some of which might not apply if you have a negotiated contract exception. Knowing your rights can prevent unwarranted findings.
If SAP’s audit does find compliance gaps, negotiation is the next step. Show the auditors or SAP representatives the efforts you’ve made; for example, present logs and monitoring data that demonstrate your transparency.
This good-faith effort can sometimes lead SAP to waive penalties and allow you to simply purchase needed licenses moving forward. You can also propose retrospective licensing – essentially offering to pay for the required licenses for past usage at standard rates, rather than incurring a hefty penalty fee. SAP often prefers selling you more licenses over engaging in legal fights or punishing a customer.
Finally, use the audit outcome as leverage to improve terms. If the audit revealed an ambiguity in your contract or a need for a different license model, push to amend the agreement so that it doesn’t happen again. In summary, defending against an indirect access audit is about being proactive, transparent, and collaborative – demonstrating that you take compliance seriously and have a plan in place to address any shortfalls.
SAP Indirect Access Lawsuits and Settlements
SAP indirect access disputes have occasionally escalated to lawsuits and big settlements, which serve as warnings for the rest of us.
We’ve discussed Diageo and AB InBev, both of which underscore some key points:
- Contract Clarity: In each case, SAP’s claim rested on contract language that allowed them to charge for indirect use. These outcomes highlight the importance of negotiating clear terms. If you have any doubt about whether a scenario is allowed under your license, get it clarified in writing. For example, some companies have successfully added contract riders that explicitly permit certain third-party read-only access to SAP, thereby avoiding future arguments.
- Cost of Non-Compliance: The settlements (tens of millions of dollars) show that SAP will seek large sums for unlicensed use. And beyond the financial implications, the public nature of a lawsuit can strain the vendor-customer relationship and generate negative publicity. Most companies understandably want to avoid that path.
- SAP’s Enforcement Approach: SAP would prefer not to sue customers; these cases are relatively rare and only came after (presumably) negotiations failed. Typically, SAP will try to resolve indirect access findings through sales and account management channels first. Lawsuits seem to be a last resort, typically when usage is very large and the customer refuses to pay anything. Knowing this, if SAP ever raises an indirect use issue with you, it’s wise to engage constructively and find a business resolution (license purchase, contract adjustment) rather than ignore or dismiss the claim.
Proactive Measures: To avoid ending up in a similar situation, companies should conduct thorough due diligence on all current integrations (including a comprehensive audit and cleanup), and also future-proof their operations.
This could mean negotiating a blanket license for certain types of indirect use if you foresee heavy usage (some companies negotiate enterprise licenses that cover third-party interfaces broadly). Additionally, consider using SAP-endorsed integration products whenever possible, and seek guidance from SAP on their use.
If SAP has helped deploy a certain connector, it’s less likely they’ll later claim ignorance of it. Ultimately, being upfront and in continuous communication with SAP about how you use their software is the best way to avoid legal conflicts.
Best Practices for Indirect Access in Large Companies
Large enterprises often have dozens or hundreds of systems interfacing with SAP, making governance even more important.
Key best practices for complex organizations include:
- Formal Integration Policies: Establish a company-wide policy that outlines the design and approval process for new integrations with SAP. For example, require a licensing impact assessment as part of any project that touches SAP. This formal approach ensures consistency across different business units and projects.
- Centralize Oversight: It’s beneficial to have a central architecture or IT asset management team oversee all SAP integrations in a big company. This team can maintain the master list of integrations, ensure compliance steps are followed, and serve as the liaison with SAP for any licensing questions. Central oversight prevents the scenario where one department unknowingly creates an indirect access issue that blindsides the rest of the company.
- Segment and Secure: Given the scale, segment your SAP environment and connected systems. Perhaps limit which systems can connect to production SAP vs. a reporting copy, for example. Using a middleware gateway can funnel all access through a controlled point where monitoring and throttling can occur. Additionally, implement robust role-based permissions to ensure that only authorized applications and users can access SAP data, thereby reducing the surface area of risk.
- Culture of Compliance: Large organizations should regularly educate their teams (including new hires, project managers, and solution architects) about indirect access. The more people know about it, the fewer risky behaviors will occur. You might incorporate SAP license compliance checks into project KPIs or IT controls. Additionally, schedule periodic internal audits at a corporate level to verify each division or region is following the indirect access policy. Big companies often have the resources to invest in specialized license management tools – doing so can pay off by catching issues early across a vast system landscape.
By implementing these best practices, large enterprises can maintain tight control over indirect access, despite the complexity of their operations. This reduces the likelihood of an unpleasant surprise when SAP auditors come knocking.
SAP Indirect Licensing in the Cloud
As businesses move workloads to the cloud, SAP indirect access issues evolve but do not disappear.
Whether your SAP is hosted on-premises or in the cloud (like S/4HANA Cloud or RISE with SAP), the fundamental licensing rules still apply.
Cloud architectures can introduce new twists:
- Hybrid Environments: Many enterprises run hybrid setups (e.g., SAP ERP on-prem connected to cloud-based applications). Data flowing between on-prem and cloud systems counts as indirect access if the cloud app triggers SAP processing. It’s essential to verify that your licenses encompass these hybrid interactions. Some older SAP contracts might not explicitly mention cloud scenarios, which could be a loophole SAP will enforce.
- Multi-Cloud Integrations: If you have SAP on one cloud and various services on other cloud platforms (e.g., AWS, Azure), tracking indirect use becomes a challenge. Cloud integration services, serverless functions, and microservices can all call SAP’s APIs. Each of those calls in the cloud is as licensable as it would be on-prem. From a licensing view, you need the same diligence in monitoring cloud-to-SAP connections as you do on internal networks.
- Cloud Editions of SAP: If you subscribe to SAP S/4HANA Cloud (the SaaS version), you typically get a certain level of digital access included or available as an add-on. Review the cloud subscription agreement, as it may bundle certain document transactions or have different rules for external access. Do not assume that using a cloud SaaS automatically grants unlimited access by other apps – usually, it does not.
Best Practices in Cloud Context:
Use cloud integration tools wisely. For example, SAP’s Cloud Connector or Integration Suite can help manage connections in a controlled way. Maintain a detailed inventory of all cloud services connected to SAP.
Utilize cloud monitoring to track API calls originating from cloud IP addresses and hitting SAP. Before initiating a cloud migration or deploying a new SaaS that will tie into SAP, discuss the plan with SAP’s licensing team.
They might offer a contract adjustment or at least clarify how to remain compliant. Essentially, treat the cloud as just another location – an indirect usage policy follows wherever SAP is used. The key difference is you may need extra vigilance and possibly new tools to monitor usage in a dynamic cloud environment.
SAP Marketplace and Indirect Use Licensing
The SAP Marketplace (also known as the SAP Store) offers third-party and SAP-built applications that extend SAP’s capabilities. While these apps can add value, companies must examine whether their use triggers indirect usage of SAP.
For example, if you purchase a supply chain app from the SAP Marketplace that plugs into your SAP ERP, that app’s users or data flows might count as indirect access unless the app license explicitly covers it.
When evaluating Marketplace solutions:
- Check Integration Points: Determine exactly how the app integrates with your SAP system. Does it use standard SAP interfaces or require any special user roles? If an app is reading or writing SAP data, ask the vendor (and SAP) how that usage is supposed to be licensed.
- Review the App’s License Terms: Some marketplace apps might come with an OEM SAP license or be built on SAP’s platform, which could cover their usage of SAP data. Others might assume you have the necessary SAP-named user licenses. It’s dangerous to assume; always verify. If the terms are unclear, involve SAP to get a written clarification.
To stay compliant when using marketplace add-ons, incorporate them into your monitoring regime. Treat a new marketplace app as you would any custom integration: track what it does in SAP and ensure it falls under your license scope.
Regularly review your portfolio of add-ons, especially after SAP updates its indirect use policies (SAP has occasionally refined definitions or offered new licensing options for specific scenarios).
By proactively managing marketplace integrations, you can enjoy their benefits without inadvertently breaking licensing rules.
Reducing Costs of SAP Indirect Use
Every IT leader wants to minimize unnecessary costs – indirect access fees are no exception. Here are strategies to keep those costs in check:
- Consolidate and Simplify: The more third-party systems you have connected to SAP, the more complex and costly your licensing can become. Look for opportunities to consolidate systems or interfaces to streamline operations. For instance, instead of having three different customer portals that all create orders in SAP, consider unifying them into a single portal. Fewer integration points can mean fewer licenses needed.
- Leverage SAP’s Programs: SAP has offered programs, such as the Digital Access Adoption Program (DAAP), which provide incentives (like credit for existing licenses or discounted pricing) to transition to the document-based model. If your analysis shows the document model would save money, engage SAP about these programs. They can significantly reduce the upfront cost of conversion to digital access licensing.
- Negotiation and Bundling: When renewing your SAP agreement or purchasing additional licenses, negotiate for an indirect use bundle. For example, some companies negotiate a certain number of “external user” licenses at a flat rate or get SAP to include a block of document transactions for a fixed fee. If indirect access is a known pain point, use your leverage at renewal time to get a better deal tailored to your needs.
- Ongoing Optimization: Incorporate indirect access optimization into your continuous improvement process. Schedule a license review annually to identify any indirect licenses that aren’t being fully utilized or any unused integrations you can shut off. By trimming the fat, you can avoid paying for things you don’t need. Additionally, keep an eye on SAP’s licensing policies – sometimes new options emerge (for example, SAP might introduce a new license type or alter digital access pricing). Being an early adopter of a more favorable model can yield cost benefits.
In summary, reducing indirect use costs is about smart architecture and smart licensing. Align your system design with licensing best practices (fewer, well-managed interfaces) and treat licenses as negotiable assets, not static prices.
With diligence, companies can greatly mitigate the financial impact of indirect SAP use while still enabling the integrations that the business demands.
Recommendations
- Audit Your Integrations: Create a detailed inventory of all third-party systems and applications interfacing with SAP. Update it regularly and use it as a basis for licensing compliance checks.
- Monitor Usage Continuously: Implement tools or processes (such as SAP LAW, Solution Manager, or third-party SAM tools) to continuously monitor indirect usage metrics, including document counts and external connection frequency. Early detection of growing usage can prevent large audit surprises.
- Engage SAP Proactively: Don’t wait for an audit to discuss indirect access. When planning any new integration or major system change, involve an SAP expert or a licensing specialist to clarify the licensing requirements. Proactive communication can lead to more flexible terms or discount programs that result in cost savings.
- Leverage the Digital Access Model: Analyze whether SAP’s digital access (document-based) licensing can lower your costs. If so, work with SAP to transition under programs like DAAP for favorable pricing. This model can be particularly cost-effective for environments with a high volume of external users and moderate transaction volumes.
- Train and Educate Teams: Build internal awareness about indirect access. Train IT architects, developers, and procurement officers on the fundamentals of SAP licensing, ensuring that indirect use is considered in every project. A little knowledge upfront can prevent costly mistakes later.
- Centralized License Governance: For large enterprises, establish a central licensing or compliance team responsible for managing all SAP licenses. This team should review contracts, approve new integrations, and prepare for audits, ensuring a consistent and controlled approach across the company.
- Optimize and Retire Unused Systems: Periodically review all systems connected to SAP. If some integrations or applications are no longer delivering value, disconnect them to eliminate the licensing overhead. Streamlining your SAP landscape not only reduces risk but also can cut licensing and support costs.
- Prepare for Audits: Always be “audit-ready.” Keep documentation of user licenses and indirect use handy. If an SAP audit occurs, you’ll be able to demonstrate control and accuracy, which can lead to a faster, smoother audit process with minimal findings.
FAQ
Q: What is SAP Indirect Access, in simple terms?
A: It means using SAP’s data or functions through a third-party system or external user rather than logging into SAP directly. Even if someone never opens SAP themselves (for example, they use a web app that communicates with SAP in the background), SAP considers this “indirect” use and requires proper licensing for it.
Q: How can indirect access increase my SAP costs?
A: Indirect access can introduce a lot of additional “users” or transactions that you didn’t plan for in your SAP license count. For instance, connecting a customer portal or a mobile app to SAP might involve hundreds of new users or a high volume of document updates. Without the right license model, you might suddenly owe SAP for those extra touches on the system. This can result in millions of dollars in fees if not managed, as seen in cases where companies were charged for every partner or customer interacting with their SAP data, even if it was done indirectly.
Q: What is SAP’s Digital Access model, and should we consider it?
A: Digital Access is SAP’s newer licensing approach for indirect use, where you pay based on document transactions (such as the number of orders or invoices processed) instead of counting each user. Many companies consider it if they have large numbers of external users or devices because it can be more predictable and sometimes cheaper. Whether you should adopt it depends on your usage profile – you’d compare the cost of licensing all indirect users versus the cost per document. It’s worth evaluating, especially if SAP is offering incentive programs to transition to Digital Access.
Q: How do we prepare for an SAP license audit focusing on indirect use?
A: Preparation involves having thorough records and having already self-identified any indirect usage. Ensure that you document every integration to SAP, including who or what is accessing it and why. Conduct an internal audit to ensure that you’ve addressed any unlicensed access (either by stopping it or by purchasing the necessary licenses). Familiarize yourself with the terms of your SAP contract, so you can confidently discuss what is permitted. If audited, present your data and compliance efforts clearly – show SAP that you’re in control. This proactive stance can often lead to a more favorable and collaborative audit result.
Q: How can we reduce the risk and cost of indirect access issues?
A: The key is active management. Reduce risk by limiting SAP connections to only those truly needed and by enforcing governance (no one sets up a new interface without approval). Regularly monitor usage so you catch any overuse early. From a cost perspective, consider negotiating with SAP – if you know you have heavy indirect usage, discuss bulk or special licensing arrangements. Additionally, revisit your architecture: sometimes, a slight redesign (for example, caching data in a data warehouse for read-only purposes) can reduce direct hits to SAP. By being strategic in both technical design and license negotiations, you can maintain indirect access while keeping it cost-effective.
Read more about our SAP Advisory Services.
