SAP Indirect Access Monitoring: Tools, Processes & Governance Best Practices

SAP indirect access, also known as digital access, has become one of SAP’s biggest audit revenue streams.

In simple terms, indirect access means your SAP system is being used by people or software that aren’t logging in through the usual SAP interface.

For example, a sales order created in SAP by a third-party CRM system is considered SAP usage, even though no human has logged into SAP.

If you’re not actively monitoring this indirect usage, you could be blindsided by a surprise license bill running into millions of euros.

This article is a hands-on guide to proactively monitor SAP indirect access.

We’ll explain why ongoing monitoring is critical, outline key tools and processes for detecting indirect usage, and demonstrate how to establish a governance framework to maintain control.

The goal is to help IT leaders, compliance teams, and procurement managers integrate indirect access monitoring into their regular operations – thereby avoiding costly audit surprises and maintaining control over SAP licensing costs.

Why Monitoring Indirect Access is Critical

Imagine thinking your SAP licensing is under control, only to have an auditor discover that a customer portal or third-party application has been accessing SAP without proper licenses.

This scenario isn’t hypothetical – companies have faced multi-million euro penalties for indirect access violations.

SAP often uses indirect access findings as a lever to drive audit revenue, meaning they actively look for unmonitored external usage during audits. Without monitoring, organizations risk sudden compliance issues that come with hefty unbudgeted fees.

Early detection = negotiation leverage. Regularly monitoring indirect access gives you early warning of any potential licensing shortfall. If you detect unusual SAP document creation or data access from an external system, you can address it on your terms.

For instance, you might purchase additional licenses or adjust an integration before SAP’s auditors come knocking.

By catching issues first, you maintain the upper hand – you can negotiate license adjustments or enroll in SAP’s digital access programs proactively, rather than scrambling under audit pressure.

In short, monitoring isn’t just about avoiding penalties; it’s about keeping control. It turns licensing from a reactive firefight into a proactive discipline that saves costs and reduces risk.

Tools for Monitoring Indirect Access Exposure

Monitoring SAP indirect access requires the right tools. There are options from SAP’s own toolset as well as specialized third-party platforms.

Each has its role:

  • SAP LAW: The License Administration Workbench (LAW) consolidates license data from across SAP systems. It’s integrated and provides an official usage baseline. You can use LAW to detect anomalies (e.g., unexpectedly high document counts tied to an interface), but it offers limited detail about which external systems or processes caused those numbers.
  • SAP USMM & SLAW2: USMM is SAP’s user measurement program, and SLAW2 helps combine results from multiple systems. Together, they produce audit-ready reports of user counts and digital document counts. They’re essential for seeing what SAP auditors would see, but they require expertise to run and interpret. Schedule them periodically and know how to read the output.
  • Third-Party SAM Tools: Specialized license management tools (from vendors like Snow or Flexera) can continuously track SAP usage, including indirect access. Their strength lies in a holistic view – they can correlate data across systems to automatically identify usage patterns. The downside is extra cost and setup effort, but for a complex SAP landscape, they provide valuable continuous monitoring with dashboards and alerts.
  • Custom Dashboards/Scripts: Some organizations develop in-house reports or dashboards to monitor indirect access KPIs. For example, a custom script might list all documents created by each technical interface user on a weekly basis. This approach is highly tailored to your needs and can send real-time alerts. However, it requires ongoing development effort and maintenance as systems evolve.

Here is a quick comparison of these monitoring tools and their capabilities:

| Tool | Strengths | Limitations | Best Use Case |
|---|---|---|---|
| LAW (License Workbench) | Integrated with SAP; official usage baseline | Limited insight into root causes (black-box output) | Initial detection of anomalies across systems |
| USMM/SLAW2 (SAP measurement) | Compliance-focused, audit-ready reports | Technical complexity; needs expert analysis | Simulating audits; audit preparation |
| Third-Party SAM Tools | Holistic, cross-application visibility; alerts | Additional cost and setup effort | Continuous real-time monitoring in large landscapes |
| Custom Dashboards/Scripts | Tailored to specific enterprise needs; real-time alerts | Requires development and maintenance | Ongoing internal tracking of key metrics |

Processes for Ongoing Monitoring

Having the right tools is important, but they must be coupled with consistent processes. Monitoring indirect access isn’t a one-time project – it’s an ongoing discipline.

Key processes include:

  • Integration Mapping: Maintain a catalog of all third-party systems and interfaces that connect to SAP. Document what each integration does (e.g., “CRM system creates orders in SAP”) and keep this list updated. This provides a clear view of where indirect access can occur, so nothing sneaks by unnoticed.
  • Document Volume Tracking: Regularly track the number of key business documents created in SAP that result from external activities (such as sales orders, invoices, and purchase orders). Establish a monthly or quarterly baseline for each document type. If you see an unusual spike in one category, investigate immediately – it could indicate a new or expanding interface driving that volume.
  • User-to-Document Ratio Analysis: Look at how many documents each user or service account creates. Indirect access often appears as a technical account generating an unusually high number of transactions. If one interface user is responsible for thousands of documents (while normal users create only dozens or hundreds), that’s a red flag to investigate the source.
  • Pre-Audit Simulations: Don’t wait for an official SAP audit to reveal issues. Conduct regular internal license audits (e.g., quarterly). Use SAP’s measurement tools (USMM/LAW) to simulate an audit and see your license compliance status (an SAP audit best practice to avoid surprises). By performing these “mock audits,” you can find and fix indirect access compliance gaps on your terms, long before SAP’s auditors might find them.
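
The integration mapping, document volume tracking and user-to-document ratio checks above can be combined in one small report. This is an added example, not code from the original article or from SAP; the account names, counts, inventory and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample: (month, created_by, document_type, documents_created).
# In practice these counts would come from your own export of document headers.
ROWS = [
    ("2024-01", "JSMITH", "sales_order", 40), ("2024-02", "JSMITH", "sales_order", 45),
    ("2024-03", "JSMITH", "sales_order", 38),
    ("2024-01", "MLOPEZ", "invoice", 120), ("2024-02", "MLOPEZ", "invoice", 110),
    ("2024-03", "MLOPEZ", "invoice", 130),
    ("2024-01", "AKHAN", "sales_order", 60), ("2024-02", "AKHAN", "sales_order", 55),
    ("2024-03", "AKHAN", "sales_order", 65),
    ("2024-01", "RFC_CRM", "sales_order", 900), ("2024-02", "RFC_CRM", "sales_order", 1000),
    ("2024-03", "RFC_CRM", "sales_order", 4100), ("2024-03", "RFC_PORTAL", "invoice", 2500),
]
# Hypothetical integration inventory: technical account -> documented purpose.
INVENTORY = {"RFC_CRM": "CRM system creates orders in SAP"}

def heavy_accounts(rows, ratio=5):
    """Accounts whose total document count exceeds ratio x the median account."""
    totals = defaultdict(int)
    for _, user, _, n in rows:
        totals[user] += n
    typical = median(totals.values())
    return {u: t for u, t in totals.items() if t > ratio * typical}

def unmapped(accounts, inventory):
    """Heavy accounts that are missing from the integration inventory."""
    return sorted(u for u in accounts if u not in inventory)

def spikes(rows, factor=2.0):
    """Document types whose latest month exceeds factor x the mean of prior months."""
    by_type = defaultdict(lambda: defaultdict(int))
    for month, _, doc_type, n in rows:
        by_type[doc_type][month] += n
    latest = max(m for m, *_ in rows)
    out = {}
    for doc_type, months in by_type.items():
        prior = [c for m, c in months.items() if m < latest]
        if prior and months.get(latest, 0) > factor * mean(prior):
            out[doc_type] = (mean(prior), months[latest])
    return out

if __name__ == "__main__":
    heavy = heavy_accounts(ROWS)
    print("heavy accounts:", heavy)
    print("not in inventory:", unmapped(heavy, INVENTORY))
    print("volume spikes:", spikes(ROWS))
```

A heavy account that is absent from the inventory is the case to escalate first, since it points to an interface nobody has assessed for licensing.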

Governance Framework for Indirect Access

A clear governance framework ensures that tools and processes work effectively and that everyone knows their responsibilities.

Indirect access monitoring spans IT, procurement, and compliance, and it should be embedded into overall digital access governance. You should:

  • Define Ownership: Assign clear responsibility for indirect access compliance. Typically, IT administrators (SAP administrators or IT asset management) track usage data, procurement or licensing managers handle contract implications and negotiations, and compliance/internal audit oversees policy adherence. Designate a coordinator or committee to bring these roles together, ensuring that nothing falls through the cracks.
  • Establish a Reporting Cadence: Make indirect access a regular topic in management reviews and meetings. For example, provide a quarterly report to the CIO/CFO or governance board with metrics on SAP license usage, including trends in indirect usage and any related issues. Regular reporting keeps leadership aware and supports budgeting for licenses or remedial actions as needed – it turns indirect access from a hidden risk into a managed metric.
  • Set Escalation Paths: Define what happens if monitoring flags a potential problem. If a spike in usage or an unapproved integration is detected, who gets alerted, and how do they respond? Create an escalation workflow that allows IT to quickly involve procurement (to review contracts or purchase licenses) and compliance/legal (to assess risk) as needed. Having predefined thresholds and response plans means you can react swiftly and in a coordinated way, rather than scrambling ad hoc.
  • Integrate with New Projects and M&A: Incorporate indirect access checks into your change management and onboarding processes for new systems. If you’re adding a new integration, launching a portal, or undergoing a merger/acquisition, include a mandatory SAP license impact assessment. This way, before a new system goes live or a new company’s systems connect to SAP, you’ve evaluated how it will affect licensing. No project should go from idea to production without someone asking, “Could this create indirect SAP usage, and are we licensed for it?”

By formalizing governance, you ensure that indirect access monitoring isn’t just an IT task, but an organization-wide responsibility and routine.

Best Practices for Proactive Control

Consider these best practices to stay ahead of indirect access issues:

  • Proactively Identify and Resolve Issues: Prioritize discovering and resolving indirect access issues internally, rather than waiting for SAP to identify them. Encourage teams to flag new integrations early and run internal audits. It’s much better to clean up potential compliance problems yourself – SAP audits are far less painful when you’ve already identified and addressed the risky areas.
  • Track by Document Type: Monitor usage broken down by specific document categories because SAP’s digital access licenses are based on those categories. For example, keep an eye on how many sales orders, invoices, or other documents are created via external systems. If one type of document is growing rapidly, you can focus your mitigation or licensing efforts there. Aligning monitoring to SAP’s nine digital document types ensures you’re watching the exact metrics that auditors will examine.
  • Negotiate with SAP Proactively: If you discover you’re at risk of non-compliance, engage SAP before they engage you. Often, you can negotiate a solution in a less confrontational setting – for instance, obtaining a grace period to purchase additional licenses, or converting some existing license allocations into digital access licenses to cover indirect use. Approaching SAP with a remediation plan tends to lead to a more favorable outcome (financially and in the relationship) than being caught by surprise in an audit.
  • Benchmark Before Renewals: Before any SAP contract renewal or true-up, thoroughly understand your indirect usage metrics. Gather data on how many documents your integrations are generating and how that’s trending. This knowledge lets you negotiate from a position of strength. For example, if you know you processed 50,000 external-origin documents last year, you can arrange to include an appropriate digital access package in your renewal (possibly at a better rate during negotiations). The idea is to incorporate indirect access into your license forecasting and budgeting rather than reacting post-audit.

Example Scenario — Preventing a €10M Audit Claim

To see how these practices pay off, consider a scenario based on real events. Company X is a large manufacturer that uses a cloud CRM (Salesforce) integrated with SAP.

Whenever salespeople close an opportunity in the CRM, an order is automatically created in SAP via an interface account. Over time, this interface began generating tens of thousands of SAP sales orders through a single technical user.

Thanks to proactive monitoring, Company X’s IT team caught the spike in a quarterly LAW report before any official audit. They realized this indirect usage wasn’t covered under their current licenses.

Armed with that insight, the company immediately opened dialogue with SAP. Through SAP’s Digital Access Adoption Program (DAAP), they negotiated proper licensing for the Salesforce-driven orders, including a cap on the cost impact for the first year.

By acting early, Company X turned a potential surprise €10M compliance claim into a planned licensing adjustment at a far lower cost.

When SAP’s next audit rolled around, the previously risky integration was already licensed and documented, so it did not result in any penalties. This example illustrates how identifying and addressing an issue internally can save millions and prevent an adversarial audit situation.

Indirect Access Monitoring Checklist

Use this quick checklist to ensure you’re covering the bases on SAP indirect access:

☐ Run quarterly SAP LAW and USMM reports and reconcile the results for any anomalies.
☐ Map all third-party systems that interface with SAP and keep this integration inventory up to date.
☐ Track SAP document counts (sales orders, invoices, etc.) per category every month to spot trends.
☐ Analyze user-to-document ratios to catch any single account creating unusually high volumes.
☐ Embed indirect access monitoring into IT and procurement governance processes.

FAQ — SAP Indirect Access Monitoring

Q: What tools are best for monitoring SAP indirect access?
A: There’s no single silver-bullet tool – it’s best to use a combination. Run SAP’s built-in measurement tools (USMM and LAW) for the official numbers, and add a third-party SAP license management solution if your environment is complex. Internal custom monitors or scripts can fill any gaps specific to your business. The goal is to have multiple layers of monitoring so nothing is missed.

Q: How often should we run SAP’s LAW/USMM reports internally?
A: At least once a year (to coincide with annual license audits or true-ups), but preferably run them quarterly. Quarterly checks enable you to identify growth or changes in usage within the year and make adjustments before they become a serious compliance issue.

Q: Can third-party SAM tools help reduce indirect access risk?
A: Yes. Third-party Software Asset Management tools often have features to automatically identify indirect usage – for example, flagging when an external system makes a high volume of SAP API calls. This continuous oversight can help catch issues that might be missed manually. Just remember, you still need a team to act on the data; the tools enhance your monitoring program, they don’t replace good governance.

Q: Who should own indirect access monitoring in an organization – IT or procurement?
A: It’s a joint effort. IT (especially SAP or IT asset management teams) handles the technical tracking and data collection, while procurement or licensing teams handle the contract side and negotiations with SAP. Ideally, a cross-functional team or manager coordinates between both, with input from compliance/internal audit as well. Collaboration is key – no single department can manage this area effectively in isolation.

Q: What is a major red flag for SAP auditors when it comes to indirect usage?
A: A big red flag is when a small number of service accounts generate a huge number of SAP transactions or documents. For instance, if one interface user created tens of thousands of sales orders that normal users never directly entered, auditors will zero in on that. They also watch for known integration patterns – if they know you use a popular CRM or e-commerce platform, they’ll ask how those interactions are licensed. In short, anything that suggests system-driven mass creation of documents (without corresponding named-user licenses or document licenses) will catch their attention.

Author
  • Fredrik Filipsson

    Fredrik Filipsson is a seasoned IT leader and recognized expert in enterprise software licensing and negotiation. With over 15 years of experience in SAP licensing, he has held senior roles at IBM, Oracle, and SAP. Fredrik brings deep expertise in optimizing complex licensing agreements, cost reduction, and vendor negotiations for global enterprises navigating digital transformation.
