SAP Indirect Access Explained

“Tip. Measurement Guide definitions are always changing. Do not accept Measurement Guide definitions as contractually binding. Always refer to your contract to understand your obligations.”

Examples of Potential Indirect Access Usage

• Business customers using an eCommerce platform to place sales orders.
• Sales representatives capturing sales orders via mobile device to input into SAP ERP.
• A third-party CRM system accessing data in SAP ERP.
• Partners and suppliers accessing SAP to check inventory and stock levels.
• Partner or suppliers running and accessing reports on SAP system data via SAP BO.
• Packageers entering plant maintenance data into SAP via mobile devices.
• A third-party logistics provider using a handheld device in the warehouse and accessing SAP ERP to get data on materials or stock movements.
• Using Salesforce to view customer master data that resides in SAP ERP.

To understand if any given interface or third-party system scenario constitutes Indirect Access you must first examine the nature of the usage, and how data is being exchanged to and from SAP.

Primarily, the risk of indirect access resides in your contract, so your SAP contract will be the key in determining if that usage constitutes Indirect Access and if you could be liable to pay SAP additional licensing fees.

“Primarily, the risk of indirect access resides in your contract.”

Click here to view JNC’s Indirect Access Review service, which includes both contract risk assessment and usage evaluation.

 About Indirect Access

Although many organisations are not aware of it, interfacing SAP data into third-party applications and how users use that data must be considered carefully from an SAP licensing perspective. An application interface may only require one user ID to access SAP and retrieve the data, this is not adequate for SAP licensing purposes. Generally speaking, if 1,000 external users use this data indirectly in an online (dialogue or prompt) manner, then 1,000 named-user licenses would be required to cover this indirect access to SAP.

Why is Indirect Access such a hot topic right now?

There is a notable correlation between the global financial crisis and the emergence of Indirect Access. Firms spending power shrunk, and growth shrinkage resulted in less re-occurring annual licensing demand. With spending power and growth slowing down SAP have had to resort to other revenue streams and where Indirect Access had historically been low on SAP’s radar it became a focus. This has also been supported by two key trends.

Firstly, the move to interfacing best-of-breed non-SAP applications to SAP, and the emergence of cloud technology and web-based platforms extending the use of SAP out beyond the usual boundaries

According to a typical SAP contract, users who indirectly access SAP must have an SAP user license too. There are numerous contractual inclusions or exclusions that could give rise to indirect access risk or protect you from it, and yes, every customer’s contract is different and different clauses and wording can give rise to Indirect Access risk.

Sophisticated organisations specifically define the correlation between indirect access usage and license types in their SAP contracts, either at the initial negotiation before purchase or during annual maintenance. For example, they might write something like, “All indirect access will be classified as user type ESS.” Typically, if a non-SAP system accesses SAP data, the user of that external data needs to be covered by an appropriate SAP license.

If you don’t have a clause in your contract, you’d be wise to agree with SAP what constitutes Indirect Usage to avoid any nasty surprises.

“Every customers contract is different and different clauses and wording can give rise to Indirect Accedes risk.”

Click here to view JNC’s Indirect Access Risk Assessment service to find out if your contract gives rise to indirect access risk.
Indirect Access FAQ’s

From our experience these are the 5 most asked question about Indirect Access:

1. Are users that access the system, directly and indirectly, counted as two different users?

A named user should never be counted twice. Each named-user should have one single named-user license which should cover all their usage of the SAP system even if they have access to multiple systems.

The license required for a user accessing SAP both directly and indirectly would depend on the transactions they have access to in either, with the highest level of activity in either system taking precedence when determining the license type required. So no, a user that accesses the system, directly and indirectly, should not be counted twice, or in licensing terms, should not be allocated two separate named-user licenses.

2. My data passes through multiple connected systems. Would this be classed as Indirect Access?

It depends on how those systems are connected to the SAP system and whether data is being created, manipulated, or viewed in the SAP system via the connected systems. It also depends on the activity of the users using the system. If they are operating in a way, in terms of their system usage activity that matches any contractual definition of a named-user then they will require the corresponding named-user license to cover that usage.

3. Is there a certain license type applicable to a named-user who is given the required permissions to access the SAP system indirectly?

No, the normal rules behind the assignment of named-users apply. If it is a small community of users are performing the business critical activity they may all need a professional license. A large community of users viewing reports may need an ESS (Employee Self-service License), or indeed some form of specially negotiated blanket coverage usage license which provides a degree of flexibility across large external user populations or where user numbers frequently fluctuate.

4. Is accessing SAP systems remotely via an intermediary interface compliant?

It is if the individual accessing the SAP software in this manner has a license that covers the activity they perform in the SAP system when accessing it. In principal, there is nothing wrong with using an interface to provide remote access to the SAP systems, where systems security would be a more important consideration.

5. What about when SAP creates Indirect Access instances themselves when performing a systems integration or deployment

SAP may well have been involved in or directly responsible for a third-party system and or performing the integration. Whilst contractually the usage can later be defined as indirect and therefor subject to indirect access licensing fees, any organisation would have a strong case in defending against having to pay these unexpected and un-illustrated fees at a later stage. If these costs had been explained at the time of purchase or implementation the customer may not have proceeded knowing the total licensing fees they would be faced with. JNC have successfully defended clients in this position on that basis.

6. Are Indirect Access claims from SAP negotiable?

Yes, they are! JNC offer a service called Indirect Access Defence, which supports customer facing a claim for Indirect Access from SAP.  We perform a detailed contract analysis and usage evaluation with a view to proving compliant usage. If there is a risk the usage in question could be non-compliant we help the customer by quantifying the risk, identifying target outcomes and developing a response and negotiation strategy.  Due to the complexities of the contract and differences in interpretations of usage SAP can sometimes get it wrong meaning their claim for Indiorect Access can either be proven to be excessive or completely unsubstanciable. So yes, its negotiable so give it a shot! If you need help, call JNC!

* always check your contract for the terms and rules that govern how you must license your use of the SAP software*

“SAP can sometimes get it wrong meaning their claim for Indirect Access can either be proven to be excessive or completely unsustainable.”

Click here to view JNC’s Indirect Access Defence service.

Addressing Indirect Access Risk

The following steps are JNC’s recommended approach for dealing with Indirect Access. With the potential risks involved, it is always recommended that you seek expert help.

Map the interface environment

The first step is to get a clear picture of the interface environment by mapping all SAP systems, and mapping interfaces both to, from and between SAP systems. From a technical point of view, you need to map your RFC connections to the organisation’s systems. A good starting point would be to map all of the connections in T-Code SM59 (RFC Destinations) and review all incoming RFC connections through T-Code ST03N (Workload and Performance Statistics). Architects, technical managers, systems owners, and integration experts can all collaborate to build this picture.

The task to identify Indirect Usage becomes all the more difficult if you have multiple servers and applications spanning different geographies, operation verticals and service lines.

Define the nature of the usage

The nature of the usage needs to be defined by looking at data flows, data origination and the underlying interface technology. Look at the end-user environment looking at who is using the connected systems, how they are using those systems, and if data is being created, viewed, or changed in the SAP systems as a result of the usage.

Carry out a contract review

A thorough and detailed contract review needs to be carried out to understand the terms and conditions that impact indirect access usage obligations. As mentioned earlier in the article there are clauses or a lack thereof that can give rise to Indirect Access or protect you from it. With an understanding of these terms and conditions, it is possible then to perform an enterprise-wide assessment of all interfaces to determine if that usage gives rise to any Indirect Access liability as defined in the contract.

Perform an Indirect Access risk assessment

With a detailed understanding of indirect systems usage and contractual entitlement, an assessment of licensing risk can then be made on a system-by-system basis. Risk indicators (high, medium, and low for example) can be assigned to all third-party systems. High-risk usage can be pro-actively addressed by seeking to procure entitlement from SAP, which will most certainly involve negotiation. It is highly beneficial to approach SAP to discuss your needs rather than be discovered by them and to come prepared with a clearly defined position and target outcome. For all levels of risk, the risk should be quantified by looking at the potential cost of licensing that usage correctly.

Define Your Risk Response and/or Negotiation Strategy

The low or no risk usage can be dealt with by writing a business case demonstrating compliant usage referring both to the detailed technical and functional evaluation of the usage and the contract analysis. If SAP were to come knocking on your door regarding indirect access you will be prepared to present your business cases to SAP defending your indirect usage as compliant.

Demonstrating to SAP that you are knowledgeable and prepared goes a long way to dispelling any further advances and contributes to Vendor Measurement Readiness. Where high-risk usage is identified, which is most likely non-compliant and the risk response is to present this to SAP to buy entitlement, the act of having the usage under question clearly defined will help your organisation perform better in the negotiations and most likely result in a better licensing deal. Leaving indirect access to be discovered and pursued by SAP could result in significant and unexpected licensing fees.

Managing Indirect Access Risk

How should organisations manage Indirect usage to avoid unexpected licensing fees?

Your Indirect Access management strategy has to start somewhere and your current position needs to be discovered first as illustrated above. You must first address and deal with the risk arriving at a position where you have the adequate entitlement to ensure current usage is compliant, which may or may not require the procurement of additional entitlement. From that point forward managing indirect usage involves monitoring and controlling the interface and third-party application environment ensuring that the enterprise systems and technology road-map is developed with a view to the impact on licensing and compliance.

There are tools available or management techniques that can be implemented to help create alerts when new interfaces go-live, particularly useful in large, complex global scale organisations.

All key technologies and systems stakeholders need to be able to review the deployment of new interfaces, understand licensing risk and understand how to properly license any new deployments. Some deployments may, according to current contractual definitions, be too costly to deploy compliantly. You can then revert to negotiating with SAP to come to a cost-effective comprise that satisfies both parties, mitigating future compliance risk and facilitating technology development.

Take away message

With the continued global uptake in SAP, the issue of Indirect Access has most certainly not peeked. As a result of some high-profile cases and an increase in awareness within the SAP eco-system, far more organisations are taking action to deal with Indirect Access risk. Some in response to a claim that has been presented by SAP and some with the foresight to address it pro-actively to identify any risk, quantify potential license fee exposure, take appropriate steps to mitigate the risk and minimise their potential exposure.

The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing measurement.

“The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing measurement”

Click here to view JNC’s range of Indirect Access solutions.