22 Dec

SAP Indirect Access Explained

SAP Indirect Access License Fees Can Be Significant and Unexpected

Interfacing third-party applications to your SAP system could cost you dearly, due to what SAP refers to as Indirect Access usage. Indirect Access has been around for a long time, although in recent years it has emerged as a hot topic in the SAP licensing world.

With claims for unlicensed Indirect Access usage by SAP reaching into the millions, even tens of millions, organisations can no longer afford to ignore the issue. This article addresses the key factors affecting Indirect Access licensing and provides guidance on the best way to avoid significant and unexpected licensing fees.


Most people reading about Indirect Access are looking to establish a definition of Indirect Access, how it might affect their organisation, and what they can do about it. As such we have organised this article under logical headings, so you can get the information you need:

  • Indirect Access Definition.
  • Examples of Potential Indirect Access usage.
  • Indirect Access FAQs.
  • Addressing Indirect Access Risk.
  • Managing Indirect Access Risk.
  • Indirect Access Conclusion.

 Indirect Access Definition

According to SAP, all usage of the SAP systems needs to be licensed. Indirect Access is a user or third-party application creating, manipulating, or viewing data in the SAP Systems via an interface between the third-party application and SAP. Technically, Indirect access occurs when data communication is executed remotely using SAP’s remote protocol RFC (Remote Function Call). If data is created, manipulated, or viewed in the SAP systems indirectly via a third-party application, that usage needs to be licensed according to SAP’s named-user licensing definitions.

Here is the definition, taken from the current SAP System Measurement Guide – Version 7.0 (Jan-2017):


Quote:

13.8 Indirect Use

Named users are also upstream and intermediary technical systems that exchange information with the SAP software system, as well as the users of those systems, if the users exchange information with the SAP software in dialogue or prompt mode. It makes no difference whether the software is accessed directly or indirectly (see the indirect use information under section “1.2 Named Users”). In the case of indirect use of SAP software, you should provide SAP with the number of external named users.

1.2 Named Users

A named user is an employee of a customer, of its affiliated companies, or of third-party companies authorised to access the licensed software directly or indirectly, regardless of the technical interface chosen. All employees who use the SAP software require a license and must be set up as dialogue users. SAP is entitled to require that the customer declares the number of external named users and produce a stipulated statement from each external named user concerning compliance with the restrictions applying to licensed use and confidentiality.

Indirect Use

Named users primarily use the SAP software. Users from upstream or interposed technical systems require licenses as named users if they exchange information with the software in dialogue or prompt mode, regardless of whether the software is accessed directly or indirectly. If redundant functions that are also available in the software are used in upstream or interposed systems that access the software, the users of these redundant functions also count as named users, even if the data is transferred to the software in background processing (that is, not dialogue related). Indirect access means that the user is communicating with a system upstream from the SAP software that transfers communication activities to the SAP software installation or otherwise accesses the SAP software or uses its functions. In particular, the following are examples of indirect use:

  • Users in an upstream system enter or make data available that is transferred to, or interacts with, the SAP software – for example, order entry in a mobile system, or users of a portal to the extent that they use functions of the software.
  • Users operate non-SAP software to access data that is read, modified, or stored using SAP software and for which they use SAP programs such as the BAPI® programming interface, remote function calls (RFC), or transaction calls.

Un-quote


In the same document repository, under a different menu, is “SAP System Measurement Guide – Version 7.0 Updated August 2015”, which does not contain the above definitions! Both versions of the guide were available on SAP’s website at the time of writing this article…


“Tip. Measurement Guide definitions are always changing. Do not accept Measurement Guide definitions as contractually binding. Always refer to your contract to understand your obligations”


 Examples of Potential Indirect Access Usage

  • Business customers using an eCommerce platform to place sales orders.
  • Sales representatives capturing sales orders via mobile device to input into SAP ERP.
  • A third-party CRM system accessing data in SAP ERP.
  • Partners and suppliers accessing SAP to check inventory and stock levels.
  • Partner or suppliers running and accessing reports on SAP system data via SAP BO.
  • Engineers entering plant maintenance data into SAP via mobile devices.
  • A third-party logistics provider using a handheld device in the warehouse and accessing SAP ERP to get data on materials or stock movements.
  • Using Salesforce to view customer master data that resides in SAP ERP.

To understand if any given interface or third-party system scenario constitutes Indirect Access you must first examine the nature of the usage, and how data is being exchanged to and from SAP. Primarily, the risk of indirect access resides in your contract, so your SAP contract will be the key in determining if that usage constitutes Indirect Access and if you could be liable to pay SAP additional licensing fees.


“Primarily, the risk of indirect access resides in your contract”



 About Indirect Access

Although many organisations are not aware of it, interfacing SAP data into third-party applications, and how users use that data, must be considered carefully from an SAP licensing perspective. An application interface may only require one user ID to access SAP and retrieve the data, but this is not adequate for SAP licensing purposes. Generally speaking, if 1,000 external users use this data indirectly in an online (dialogue or prompt) manner, then 1,000 named-user licenses would be required to cover this indirect access to SAP.

Why is Indirect Access such a hot topic right now?

There is a notable correlation between the global financial crisis and the emergence of Indirect Access. Firms’ spending power shrank, and slower growth resulted in less recurring annual licensing demand. With spending power and growth slowing down, SAP has had to resort to other revenue streams, and where Indirect Access had historically been low on SAP’s radar, it became a focus. This has also been supported by two key trends: firstly, the move to interfacing best-of-breed non-SAP applications to SAP, and secondly, the emergence of cloud technology and web-based platforms extending the use of SAP out beyond the usual boundaries.

According to a typical SAP contract, users who indirectly access SAP must have an SAP user license too. There are numerous contractual inclusions or exclusions that could give rise to indirect access risk or protect you from it, and yes, every customer’s contract is different and different clauses and wording can give rise to Indirect Access risk. Sophisticated organisations specifically define the correlation between indirect access usage and license types in their SAP contracts, either at the initial negotiation before purchase or during annual maintenance. For example, they might write something like, “All indirect access will be classified as user type ESS.” Typically, if a non-SAP system accesses SAP data, the user of that external data needs to be covered by an appropriate SAP license. If you don’t have a clause in your contract, you’d be wise to agree with SAP what constitutes Indirect Usage to avoid any nasty surprises.


“Every customer’s contract is different and different clauses and wording can give rise to Indirect Access risk”



Indirect Access FAQs

From our experience these are the 5 most asked questions about Indirect Access:

1. Are users that access the system directly and indirectly, counted as two different users?

A named user should never be counted twice. Each named user should have one single named-user license, which should cover all their usage of the SAP system even if they have access to multiple systems. The license required for a user accessing SAP both directly and indirectly would depend on the transactions they have access to in either, with the highest level of activity in either system taking precedence when determining the license type required. So no, a user that accesses the system directly and indirectly should not be counted twice, or in licensing terms, should not be allocated two separate named-user licenses.

2. My data passes through multiple connected systems. Would this be classed as Indirect Access?

It depends on how those systems are connected to the SAP system and whether data is being created, manipulated, or viewed in the SAP system via the connected systems. It also depends on the activity of the users using the system. If their system usage activity matches any contractual definition of a named user, then they will require the corresponding named-user license to cover that usage.

3. Is there a certain license type applicable to a named-user who is given the required permissions to access the SAP system indirectly?

No, the normal rules behind the assignment of named users apply. If a small community of users is performing business-critical activity, they may all need a professional license. A large community of users viewing reports may need an ESS (Employee Self-service License), or indeed some form of specially negotiated blanket coverage usage license which provides a degree of flexibility across large external user populations or where user numbers frequently fluctuate.

4. Is accessing SAP systems remotely via an intermediary interface compliant?

It is, if the individual accessing the SAP software in this manner has a license that covers the activity they perform in the SAP system when accessing it. In principle, there is nothing wrong with using an interface to provide remote access to the SAP systems, where systems security would be a more important consideration.

5. What about when SAP creates Indirect Access instances themselves when performing a systems integration or deployment?

SAP may well have been involved in or directly responsible for a third-party system and/or performing the integration. Whilst contractually the usage can later be defined as indirect and therefore subject to indirect access licensing fees, any organisation would have a strong case in defending against having to pay these unexpected and un-illustrated fees at a later stage. If these costs had been explained at the time of purchase or implementation, the customer may not have proceeded knowing the total licensing fees they would be faced with. JNC have successfully defended clients in this position on that basis.

6. Are Indirect Access claims from SAP negotiable?

Yes, they are! JNC offer a service called Indirect Access Defence, which supports customers facing a claim for Indirect Access from SAP. We perform a detailed contract analysis and usage evaluation with a view to proving compliant usage. If there is a risk the usage in question could be non-compliant, we help the customer by quantifying the risk, identifying target outcomes and developing a response and negotiation strategy. Due to the complexities of the contract and differences in interpretations of usage, SAP can sometimes get it wrong, meaning their claim for Indirect Access can either be proven to be excessive or completely unsubstantiable. So yes, it’s negotiable, so give it a shot! If you need help, call JNC!

*Always check your contract for the terms and rules that govern how you must license your use of the SAP software.*


“SAP can sometimes get it wrong meaning their claim for Indirect Access can either be proven to be excessive or completely unsustainable”



Addressing Indirect Access Risk

The following steps are JNC’s recommended approach for dealing with Indirect Access. With the potential risks involved, it is always recommended that you seek expert help.

Map the interface environment

The first step is to get a clear picture of the interface environment by mapping all SAP systems, and mapping interfaces both to, from, and between SAP systems. From a technical point of view, you need to map your RFC connections to the organization’s systems. A good starting point would be to map all of the connections in T-Code SM59 (RFC Destinations) and review all incoming RFC connections through T-Code ST03N (Workload and Performance Statistics). Architects, technical managers, systems owners, and integration experts can all collaborate to build this picture. The task to identify Indirect Usage becomes all the more difficult if you have multiple servers and applications spanning different geographies, operation verticals and service lines.

Define the nature of the usage

The nature of the usage needs to be defined by looking at data flows, data origination and the underlying interface technology. Examine the end-user environment: who is using the connected systems, how they are using those systems, and whether data is being created, viewed, or changed in the SAP systems as a result of the usage.
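The two steps above can be combined into a single interface inventory. The following Python sketch is an added example, not JNC’s or SAP’s tooling: it joins a list of SM59 destinations with inbound RFC statistics to show which remote systems call in, through which technical user, and whether they create or change data. The CSV column names, host names and the name-based read/write heuristic are assumptions made for this example; real SM59 and ST03N exports have to be mapped onto them.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column layouts are assumptions for this
# example, not the native SM59 / ST03N export formats.
SM59_DESTINATIONS = """destination,type,target_host
CRM_PROD,3,crm.example.internal
WEBSHOP,T,shop.example.internal
"""
INBOUND_RFC_STATS = """caller_system,rfc_user,function_module,calls
crm.example.internal,RFC_CRM,BAPI_CUSTOMER_GETDETAIL2,18250
shop.example.internal,RFC_SHOP,BAPI_SALESORDER_CREATEFROMDAT2,4120
shop.example.internal,RFC_SHOP,BAPI_MATERIAL_AVAILABILITY,39800
wms.example.internal,RFC_WMS,BAPI_GOODSMVT_CREATE,960
"""

# Assumption: a naming heuristic stands in for a functional review of each
# function module; anything matching these markers is treated as a write.
WRITE_MARKERS = ("CREATE", "CHANGE", "DELETE", "POST", "SAVE")


def classify(function_module):
    """Return 'create/change' or 'read' based on the function module name."""
    name = function_module.upper()
    return "create/change" if any(m in name for m in WRITE_MARKERS) else "read"


def build_inventory(destinations_csv, inbound_csv):
    """Group inbound RFC traffic by calling system and cross-check SM59."""
    known_hosts = {row["target_host"].lower()
                   for row in csv.DictReader(io.StringIO(destinations_csv))}
    inventory = defaultdict(lambda: {"rfc_users": set(), "functions": set(),
                                     "calls": 0, "access": "read",
                                     "in_sm59": False})
    for row in csv.DictReader(io.StringIO(inbound_csv)):
        host = row["caller_system"].lower()
        entry = inventory[host]
        entry["rfc_users"].add(row["rfc_user"])
        entry["functions"].add(row["function_module"])
        entry["calls"] += int(row["calls"])
        # A caller with no matching destination is an interface that a
        # review of SM59 alone would have missed.
        entry["in_sm59"] = host in known_hosts
        if classify(row["function_module"]) == "create/change":
            entry["access"] = "create/change"
    return dict(inventory)


if __name__ == "__main__":
    inv = build_inventory(SM59_DESTINATIONS, INBOUND_RFC_STATS)
    for host, e in sorted(inv.items()):
        print(f"{host:24} users={sorted(e['rfc_users'])} calls={e['calls']:>6} "
              f"access={e['access']:13} in_sm59={e['in_sm59']}")
```

Each row in the result is one interface to take into the usage and contract review; the inventory shows only the technical user, so the number of people behind each interface still has to be established from the third-party system itself.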

Carry out a contract review

A thorough and detailed contract review needs to be carried out to understand the terms and conditions that impact indirect access usage obligations. As mentioned earlier in the article there are clauses or a lack thereof that can give rise to Indirect Access or protect you from it. With an understanding of these terms and conditions, it is possible then to perform an enterprise wide assessment of all interfaces to determine if that usage gives rise to any Indirect Access liability as defined in the contract.

Perform an Indirect Access risk assessment

With a detailed understanding of indirect systems usage and contractual entitlement, an assessment of licensing risk can then be made on a system-by-system basis. Risk indicators (high, medium, and low for example) can be assigned to all third-party systems. High risk usage can be pro-actively addressed by seeking to procure entitlement from SAP, which will most certainly involve negotiation. It is highly beneficial to approach SAP to discuss your needs rather than be discovered by them, and to come prepared with a clearly defined position and target outcome. For all levels of risk, the risk should be quantified by looking at the potential cost of licensing that usage correctly.

Define Your Risk Response and/or Negotiation Strategy

The low or no risk usage can be dealt with by writing a business case demonstrating compliant usage referring both to the detailed technical and functional evaluation of the usage and the contract analysis. If SAP were to come knocking on your door regarding indirect access you will be prepared to present your business cases to SAP defending your indirect usage as compliant. Demonstrating to SAP that you are knowledgeable and prepared goes a long way to dispelling any further advances and contributes to Vendor Audit Readiness. Where high risk usage is identified, which is most likely non-compliant and the risk response is to present this to SAP to buy entitlement, the act of having the usage under question clearly defined will help your organisation perform better in the negotiations and most likely result in a better licensing deal. Leaving indirect access to be discovered and pursued by SAP could result in significant and unexpected licensing fees.

Managing Indirect Access Risk

How should organisations manage Indirect usage to avoid unexpected licensing fees?

Your Indirect Access management strategy has to start somewhere and your current position needs to be discovered first as illustrated above. You must first address and deal with the risk arriving at a position where you have the adequate entitlement to ensure current usage is compliant, which may or may not require the procurement of additional entitlement. From that point forward managing indirect usage involves monitoring and controlling the interface and third-party application environment ensuring that the enterprise systems and technology road-map is developed with a view to the impact on licensing and compliance. There are tools available or management techniques that can be implemented to help create alerts when new interfaces go-live, particularly useful in large, complex global scale organisations.

All key technical and systems stakeholders need to be able to review the deployment of new interfaces, understand licensing risk and understand how to properly license any new deployments. Some deployments may, according to current contractual definitions, be too costly to deploy compliantly. You can then revert to negotiating with SAP to come to a cost-effective compromise that satisfies both parties, mitigating future compliance risk and facilitating technology development.

Indirect Access Conclusion

With the continued global uptake in SAP, the issue of Indirect Access has most certainly not peaked. As a result of some high-profile cases and an increase in awareness within the SAP eco-system, far more organisations are taking action to deal with Indirect Access risk: some in response to a claim that has been presented by SAP, and some with the foresight to address it pro-actively to identify any risk, quantify potential license fee exposure, take appropriate steps to mitigate the risk and minimise their potential exposure. The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing audit.


“The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing audit”



 

James Cochlin
Principal Consultant - SAP Licensing and Compliancy at JNC Consultancy
James Cochlin is Principal Consultant and Head of Audit & Compliancy Services at JNC, a company which has been providing SAP License Management services since 2009. In total James possesses over 12 years’ experience in SAP License Management and Auditing with significant knowledge and experience in SAP security, Authorisations and GRC. In the past, James was an SAP License Auditor for Deloitte. As Global Technical Lead James audited clients around the world on behalf of SAP, and was involved in the development of SAP’s License Audit Methodology. Now James works with customers helping reduce their risk of non-compliance, identify cost savings and avoid the pitfalls of licensing SAP estates. Throughout his consulting career, James has worked at some of the largest clients of SAP helping them solve complex licensing problems whilst helping them regain control of SAP Licensing and Compliancy. James continues to train SAP Consultants on SAP licensing to the highest standards, he was the lead architect of a well-known SAP Software Asset Management tool, and is held in high esteem internationally as a leading SME and authority on SAP License Management.