Measuring SAP Indirect Usage: Tools and Methods to Detect Third‑Party Access
Indirect usage of SAP – when third-party systems or users access SAP data without a direct login – has become a critical licensing and compliance concern for CIOs and CTOs.
Accurately measuring this indirect usage is essential to avoid surprise fees and optimize costs. This article explains how to detect third-party access to SAP, outlines SAP’s standard tools for measuring indirect usage, and provides best practices for proactively managing licensing risks.
Read SAP’s Digital Access Model: Document-Based Licensing vs. User-Based (What Triggers Indirect Fees).
SAP Indirect Usage
Indirect usage (also known as indirect access) occurs whenever SAP is used via a third-party interface instead of a direct SAP GUI or user login.
In practical terms, this means that external systems or applications read or write SAP data on behalf of users or processes. Common examples include:
- A CRM system (e.g., Salesforce) automatically creates a sales order in SAP.
- An e-commerce website retrieves pricing or inventory data from SAP in real-time.
- IoT sensors or RPA bots updating SAP records (like stock levels or maintenance orders) through APIs.
In all these cases, SAP’s software is being utilized indirectly. Historically, SAP required a named user license for any individual who benefited from SAP data or transactions, regardless of whether they had ever logged in directly to the SAP system.
This broad definition led to confusion and high-profile disputes (e.g., the Diageo case, where a customer faced multi-million dollar fees for Salesforce-to-SAP integration).
Why Measuring Indirect Access Matters
Unmeasured indirect usage is a hidden compliance risk. If third-party systems interface with SAP without proper licensing, organizations may be out of compliance and exposed during an audit.
SAP auditors increasingly scrutinize integrations and can assess significant back-license fees or penalties if unlicensed use is discovered.
For CIOs and CTOs, this translates to:
- Financial Risk: Unexpected license true-up costs that can reach millions if indirect usage has been ongoing unchecked.
- Operational Risk: Integration workflows might be interrupted or forced to shut down if licensing issues aren’t resolved, impacting business continuity.
- Strategic Decisions: Without quantifying indirect usage, IT leaders can’t accurately plan for the most cost-effective licensing model (user-based vs document-based).
Measuring indirect access provides the data needed to negotiate better contracts and avoid overpaying. It also supports informed decisions on whether to stick with traditional user licenses or adopt SAP’s newer Digital Access model for indirect usage.
In short, you can’t manage or optimize what you don’t measure – gaining visibility into third-party SAP access is now a must for any SAP-centric enterprise architecture.
Read Negotiating Indirect Use Terms in SAP Contracts.
From Named Users to Digital Access: SAP’s Licensing Shift
To address the complexities of indirect use, SAP introduced the Digital Access licensing model in 2018. Under this model, instead of counting users, SAP charges for the number of certain business documents created in the SAP system by external (third-party) systems.
Nine core document types contribute to Digital Access, including Sales Order line items, Invoice documents, Purchase Order line items, and other types (such as delivery notes, service and maintenance documents, etc.).
Only when these documents are created through a non-SAP interface do they incur a Digital Access charge. Documents created by a human user in SAP or by another SAP application are covered by existing user licenses.
Reading or querying data (without creating new documents) does not count toward these document licenses, which was a relief to many customers.
This document-based approach was SAP’s response to the outrage over cases like Diageo. It offers a more transparent metric: companies can measure how many documents their integrations generate and pay accordingly, rather than trying to count every possible end user.
SAP incentivized customers to adopt Digital Access through programs like the Digital Access Adoption Program (DAAP), offering deep discounts or credit for existing licenses. As a result, many new SAP contracts (especially S/4HANA or RISE agreements) now embed Digital Access by default.
Is it cheaper?
It depends on the situation. For scenarios involving hundreds or thousands of indirect users, paying per document can be significantly more economical than purchasing named user licenses for each individual. (A single professional user license can cost several thousand dollars, while one digital document license is often priced under $1 per document.)
However, if only a handful of external documents are created, traditional user licenses might be sufficient. The key is having the data to compare both models, which is why measurement is so important.
Example Cost Comparison: Below is a simplified illustration of two scenarios – one where many external users perform few transactions, and another with automated systems generating high volumes:
| Scenario (Annual) | Traditional Named User Cost | Digital Access Cost (approximate) |
|---|---|---|
| 1,000 customers placing orders via a portal (average 2 orders each) | 1,000 Named Users * $3,000 each = $3,000,000 | ~2,000 documents * $0.80 each = $1,600 (for order documents) |
| IoT sensors sending 1,000,000 inventory updates (no human users) | Not feasible to license per user (unlimited users) | 1,000,000 documents * $0.50 each = $500,000 (with volume discounts) |
In the first case, Digital Access saves cost by charging per document instead of per user. In the second case, Digital Access provides a way to license a high-volume machine integration that would be impossible with named users.
These examples highlight why CIOs and CTOs must evaluate indirect usage metrics – the optimal model and costs hinge on actual usage patterns.
Tools and Methods to Detect Third‑Party SAP Access
Identifying when and how third-party systems are accessing SAP is the foundation for managing indirect usage.
Organizations should take a multi-pronged approach to detect and measure this activity:
- Integration Inventory: Maintain a register of all interfaces to SAP. Document which external systems (applications, middleware, customer portals, etc.) connect to SAP, what data they exchange, and which technical user accounts or APIs they use. This inventory is a starting point for targeting measurement efforts.
- System Logs & Audit Trails: SAP systems record transactions and remote function calls. Tools like SAP ST03N (Workload Statistics) and STAD can show which user IDs and function modules are being called, including those used by interfaces. For example, if an account “SALES_PORTAL” is executing hundreds of create order transactions (VA01) via RFC, that’s a clear indicator of indirect usage. Similarly, SM59 and RFC connection tables list external connection endpoints. Regularly reviewing these logs helps pinpoint active third-party access.
- SAP License Audit Reports: SAP’s traditional audit tools (USMM and LAW) focus on named-user counts and engine metrics, but they also indirectly reveal anomalies (e.g., a technical user consuming a lot of documents might flag indirect access). Newer versions of SAP’s audit tools also incorporate Digital Access metrics. Customers can also request SAP’s Digital Access Evaluation Service, where SAP helps run special programs to estimate document counts for indirect use.
- Third-Party License Management Solutions: Many enterprises invest in software asset management (SAM) tools or services that monitor SAP usage. These tools can consolidate data from SAP logs, database triggers, and external system logs to identify where indirect access is happening. They often provide analytics or dashboards that show how many documents each interface generates, helping IT leaders visualize indirect consumption in near real-time.
- Manual Spot Checks and Interviews: Sometimes, the simplest method is to interview integration owners and review interface specifications. Ask questions like: “Does this interface create any records in SAP? How many per day?” This can validate and complement the technical measurements, ensuring no obscure interface is overlooked (e.g., an Excel macro that quietly updates SAP data via an API).
Combining these methods provides a comprehensive view. The integration inventory tells you where to look; logs and tools tell you how much activity is happening; and human intel ensures why and what is happening is understood.
SAP’s Standard Tools for Measuring Indirect Usage
SAP has delivered two standard tools to help customers quantify indirect usage under the Digital Access model.
These tools focus on counting the documents created by external systems:
1. Digital Access Estimation Tool: This is a report program (available via SAP Notes 2992090 for ECC and 2999672 for S/4HANA) that estimates the number of documents in your system that might be generated via indirect access.
It typically requires input such as a date range and relevant technical user IDs (the accounts used by interfaces or third-party applications).
The tool then scans the system for documents (across the nine types) created by those users and produces a count per document type.
Advantages:
The Estimation Tool is easy to deploy (no major system upgrade needed) and works across many SAP versions. It provides a quick baseline and is often used as a starting point for discussions with SAP or internal decision-making processes. It can be run on demand to gauge usage over a period.
Limitations:
The output is an estimate. The tool cannot always distinguish documents originating from an external system vs those created by internal processes. For example, if an external order creates an internal invoice, the tool might count both. This double-counting can inflate the numbers.
Additionally, the Estimation Tool considers historical data, including old documents and usage patterns that may no longer be relevant. This could surface past indirect use that wasn’t licensed, potentially raising questions of back-compliance. In short, the Estimation Tool may over-count and requires expert interpretation to refine the results.
2. SAP Passport (Digital Access Measurement Program):
The SAP Passport tool is SAP’s “official” solution for precise indirect usage measurement in the future. Introduced in newer SAP releases, Passport embeds a token in every transaction or document created from within SAP.
If a document is created and it lacks this internal SAP token, it implies the document came from an external source. By recording this, the system can accurately report the number of documents created by non-SAP systems.
To enable Passport, your SAP system must be on a specific patch level or version (for example, a specific support pack level of ECC 6.0 or an S/4HANA system at version 1809 or higher). Installing it involves applying SAP Note 2837612 and then running a report (transaction RSUVM_DAC) to generate the usage analysis.
Advantages: The Passport mechanism offers high accuracy by filtering out internally generated documents. It counts only what truly qualifies as indirect (external) documents, thereby avoiding the issue of double-counting.
This provides CIOs and CTOs with a much clearer picture of licensing-relevant usage. The data from Passport can be used for ongoing monitoring, not just one-time estimates.
Limitations: The biggest hurdle is implementation effort. Activating a Passport may require an upgrade or the installation of a support package on the SAP system. It’s not always feasible for older ECC systems without significant system changes.
Also, Passport only starts collecting data from the point of installation – it doesn’t retroactively analyze past usage. This means you need to run it for a period (often several months) to gather enough data for decision-making.
Additionally, some customers are cautious about potential performance impacts or the complexity of adding this new tracking mechanism (though SAP has designed Passport to be low-overhead).
Despite the effort, Passport is considered the long-term solution for continuous indirect usage tracking. SAP has indicated that future systems will have this capability built in, making indirect usage measurement a standard part of system monitoring.
A sample SAP Digital Access report output, summarizing the volume of documents (e.g., sales orders, invoices, purchase orders) generated via external (third-party) systems. This data helps organizations quantify indirect usage for licensing purposes.
Both tools can be used in tandem: for instance, run the Estimation Tool to get a quick snapshot, then implement Passport for more definitive ongoing measurement.
Some organizations initially use the Estimation results to negotiate a provisional deal with SAP (perhaps leveraging DAAP discounts), with the understanding that they will true up or adjust once the Passport data is collected.
Challenges in Measurement and Best Practices
Measuring indirect usage isn’t always straightforward. CIOs and CTOs should be aware of common challenges and follow best practices to address them:
- Complex Workflows: Modern SAP environments have interconnected processes. An external trigger might spawn multiple subsequent documents inside SAP. Deciding which documents “count” is tricky. Best practice is to count the originating document (as per SAP’s rules, downstream documents from an already counted event are not charged again). Ensure that your measurement approach or tool complies with these guidelines. If you are using the Estimation Tool, you may need to manually exclude downstream documents to avoid overcounting.
- Data Interpretation: The raw output of tools like the Estimation report or Passport requires interpretation. Establish a cross-functional team (licensing experts, SAP basis team, process owners) to review the results. They can validate whether high counts in a certain document category make sense (e.g., “Are these 50,000 quality management documents legitimate external entries, or an internal batch job artifact?”). This team should also distinguish between truly third-party activity and any SAP-to-SAP integrations (the latter typically don’t require digital access licenses if both sides are licensed SAP systems).
- Regular Monitoring vs One-Time Check: Indirect usage isn’t static – new integrations, M&A activity, or digital projects can introduce new third-party connections at any time. Treat indirect usage measurement as an ongoing process, not a one-off project. Many organizations now include digital access metrics in their quarterly license compliance reviews or use dashboards to continuously track document counts. This way, any spike in usage can be caught early (for example, if a new e-commerce front-end goes live and suddenly starts creating thousands of orders in SAP, you’ll see it before the next audit).
- Balancing User vs. Document Licensing: Simply measuring documents doesn’t automatically determine the best licensing approach – you must model scenarios. Best practice is to take the measured document counts and calculate the cost if those were licensed via Digital Access. Then compare that cost to what it would take to license the equivalent via named users. This analysis should factor in growth projections (will these transactions increase 10% next year?) and the nature of the users (are they employees, partners, or public users?). Often, a hybrid model is optimal – e.g., license high-volume interfaces via documents, but retain some named user licenses for known external partners who interact frequently.
- Negotiating with Data: One significant benefit of having accurate indirect usage data is the leverage it provides in negotiations with SAP. If you can show a detailed report of your third-party interface activity, you’re in a stronger position to argue for appropriate licensing terms. For instance, if certain document types are high-volume but low-value (say millions of tiny sensor updates), you might negotiate a special deal or an IoT-specific licensing arrangement. Always use your measurements to drive a fact-based discussion with SAP or resellers, rather than accepting generic quotes.
- Stay Updated on SAP Policies: SAP’s rules and tools around indirect access have evolved and may continue to change. Keep an eye on SAP notes, official updates, or user group guidance. For example, SAP has occasionally clarified how read-only scenarios are treated or updated the weighting factors for certain document types. Staying informed ensures your measurement approach remains aligned with the latest definitions (so you don’t over-count something that SAP decided to exclude, or vice versa).
By anticipating these challenges, IT leaders can establish processes to effectively manage them.
The goal is to make indirect usage measurement a business-as-usual practice, integrated into your IT governance, architecture reviews, and license management routines.
This proactive stance will significantly reduce the likelihood of nasty surprises in your SAP licensing and keep your digital ecosystem running smoothly.
Recommendations
- Inventory All Integrations: Create and maintain a detailed list of every system interfacing with SAP, including the type of data exchanged and the frequency of exchange. This catalog is the foundation for monitoring indirect usage.
- Use SAP’s Measurement Tools: Leverage the SAP Digital Access Estimation Tool for a quick initial assessment, and plan to implement the SAP Passport tool for more accurate, ongoing measurement of external document creation.
- Analyze and Validate Results: Don’t take the output at face value. Have SAP experts review the measured document counts, identify and remove any internal processes that were mistakenly included, and validate any unusual spikes with the relevant functional teams.
- Run “What-If” License Scenarios: Use the data to model costs under different licensing models. Compare the cost of covering your measured indirect usage with Digital Access documents versus traditional named users to inform your decision on which model (or mix) to adopt.
- Integrate into Audit Readiness: Treat indirect usage metrics as part of your regular license compliance checks. Before any SAP audit, ensure you have reports on indirect usage ready to demonstrate control or to preemptively address any compliance gap.
- Educate Stakeholders: Brief your integration architects and project managers about indirect access rules. When new systems are being designed, they should factor in licensing impact and choose approaches (or volumes) that your licenses can accommodate.
- Negotiate Contract Protections: When renewing or signing SAP agreements, include clear terms for digital access and data security. Aim for provisions like grace thresholds (a buffer of documents), clarified definitions of document types, and fixed pricing tiers – using your usage data as justification.
- Leverage Expert Help if Needed: If your indirect usage landscape is complex, consider engaging SAP licensing experts or third-party advisors. They can bring tools and experience to ensure your measurements are accurate and your licensing position is optimized.
- Monitor Continuously: Establish KPIs and perhaps dashboards for indirect usage (e.g., “external documents created per month”). Regularly review these metrics to respond quickly if usage exceeds expectations.
- Plan for the Future: Keep an eye on SAP’s roadmap. As you transition to S/4HANA or cloud models, anticipate that digital access will continue to be a key component of licensing. Build measurement and compliance into your transformation projects from day one.
FAQ
Q1: What exactly counts as indirect access in SAP?
A1: Indirect access is when SAP is used via a non-SAP intermediary. If a person or application doesn’t log in to SAP directly but triggers SAP transactions or document creations (for example, a third-party webshop creating an order in SAP), that’s indirect usage. Essentially, any external system that reads or writes SAP data beyond simple viewing is considered indirect access and may require licensing.
Q2: We only allow reading of SAP data via APIs, not creating records – do we still need to worry?
A2: Reading data purely (e.g., an API that allows a portal to display SAP inventory levels) is generally less of a licensing concern under the Digital Access model – SAP does not charge for read-only access in terms of document counts. However, if those external users are interacting in real-time, SAP might argue that it’s the “use” of the software. It’s important to clarify contract terms about read-only scenarios. You may not pay document fees for reads; however, if a large number of external users are involved, SAP may require a named-user license. Always confirm the scope of usage with SAP if in doubt.
Q3: How can I identify which third-party systems are accessing my SAP data?
A3: Start by listing all known integrations (middleware, third-party apps, etc.) connected to SAP. Then use SAP’s system tools: check transaction SM59 for configured RFC connections, review interface monitoring in SAP PI/PO if you use those, and analyze usage logs (ST03N, STAD) for technical users who perform large volumes of tasks. Often, interface users have distinctive usernames (like “EDIUSER” or “MULESOFT”) – track what they’re doing. Combining these technical checks with interviews of your IT teams will reveal the touchpoints where third-party systems interact with SAP.
Q4: What tools does SAP provide to measure indirect usage?
A4: SAP offers two primary tools. The Digital Access Estimation Tool is a report that you can run (after applying a note) to estimate the number of documents (such as sales orders and invoices) that external systems may have created. It’s quick to deploy and works on older systems. The SAP Passport tool is a built-in mechanism in newer SAP versions that tags internal transactions, allowing the system to later report exactly which documents originated from outside. The passport requires an update to your SAP system, but it provides very accurate ongoing measurements. Additionally, SAP’s License Administration Workbench (LAW) can now incorporate digital document counts from these tools for audit purposes.
Q5: How does the SAP Passport differ from the Estimation Tool in practice?
A5: The Estimation Tool provides a one-time snapshot and tends to overcount because it cannot perfectly differentiate between internal and external document creation. It might count every document created by certain users or within a date range, giving an upper-bound number. SAP Passport, on the other hand, works in real-time by marking “internal” usage, so any document that doesn’t have the mark is external. Passport yields more precise figures, but only for the period after it’s activated (it does not analyze historical data). In summary, Estimation is easier but rough, and Passport is effortful but accurate.
Q6: Can third-party license management tools help with monitoring indirect usage?
A6: Yes. Many SAM tools and services (from vendors like Flexera, Snow, etc.) have modules for SAP. They can automate the collection of usage data, including indirect usage metrics. Some tools tie into SAP logs and even apply SAP’s rules (like excluding internal docs) to give you a continuous view of Digital Access document counts. They can also simulate cost scenarios and send alerts if usage approaches certain thresholds. While they come at a cost, these tools can pay off by preventing over-licensing or non-compliance through early detection and analytics.
Q7: Is switching to SAP’s Digital Access document licensing always the best choice?
A7: Not always – it depends on your usage profile. Digital Access can be very cost-effective if you have a large number of external users or devices generating a moderate number of documents. However, suppose your indirect usage is minimal or you only have a few third-party integrations. In that case, you might be better off sticking with existing named user licenses (or engine licenses if applicable). The best approach is to measure your indirect usage, price it out under Digital Access, and compare that to the status quo. In some cases, a hybrid approach is ideal – use document licensing for certain high-volume interfaces, and user licensing for others. SAP gives flexibility to mix models as long as you don’t double-count the same usage in both.
Q8: How do we avoid surprise costs during an SAP audit related to indirect usage?
A8: Preparation and documentation are key. Continuously monitor your indirect usage and keep records of those measurements. If using the Digital Access model, ensure you have reports (from Passport or estimation) showing your document counts and that you’ve purchased adequate licenses for them. If still on user licensing, document how you calculated the number of users attributable to each third-party system (e.g., 500 portal users mapped to 500 named users). Also, clarify any assumptions with SAP in writing (for instance, “we consider read-only access exempt, as per our understanding”). By having these details ready, you can anticipate and address many audit questions. Engaging in SAP’s voluntary license self-audit programs or the Digital Access Evaluation Service ahead of time can also uncover issues on your terms rather than during a formal audit.
Q9: What if an interface is only used internally (SAP to SAP or within the company)?
A9: If it’s SAP-to-SAP (like your SAP ERP feeding data to SAP BW or another SAP cloud service), generally that’s not considered indirect third-party access – those scenarios are usually covered by the respective SAP products’ licenses (you shouldn’t need extra licenses for standard SAP integrations). If it’s an interface within the company but on non-SAP technology (such as a custom .NET app used by employees that updates SAP), that’s still indirect usage. However, if all those users already have SAP named user licenses, you might be compliant under the traditional model. The important distinction is whether unlicensed users or systems are accessing SAP. If yes, it likely needs to be measured and licensed (via named users or documents). Always verify the specifics of each case against your SAP contract clauses for indirect use.
Q10: What steps should we take right now to get a handle on indirect usage?
A10: First, assemble the stakeholders – licensing managers, SAP basis admins, integration leads – and make indirect usage management a team effort. Immediately create the integration inventory if it has not already been done. Next, schedule a run of SAP’s Digital Access Estimation Tool on your production system to get an initial gauge of where you stand; it’s a fast way to determine whether you’re discussing thousands or millions of documents. In parallel, plan for a long-term solution, such as implementing Passport or another monitoring mechanism. Review your current SAP contract to determine what it states about indirect access or Digital Access – you may find that you already have some entitlements or need to budget for an upgrade. Finally, start socializing the findings with IT leadership and finance – if there’s a potential compliance gap, it’s better to address it proactively (e.g., by discussing a digital access license package with SAP) than reactively under audit pressure.
Read more about our SAP Advisory Services.
