SAP Indirect Access
Introduction: Why SAP Indirect Access Still Matters in 2025
SAP indirect access remains a pressing issue in 2025 for CIOs and IT leaders, as it can lead to unexpected audit costs and unbudgeted license fees.
Indirect access refers to situations where users or systems use SAP software without logging in directly, typically via third-party applications, IoT devices, or external websites. SAPโs rules around this have evolved, but the risk hasnโt disappeared. Audit teams at SAP are increasingly focused on indirect usage, and companies that ignore it could face significant compliance penalties.
This guide provides up-to-date definitions, current SAP rules, cost models, audit triggers, and practical steps to mitigate and negotiate indirect access licensing.
It will help you understand SAPโs Digital Access model versus traditional licensing, identify what triggers audits, and learn strategies such as DAAP (Digital Access Adoption Program) to reduce risk and spend.
Next step: Acknowledge that indirect use of SAP is likely happening in your organization and commit to addressing it before SAP does.
What Is SAP Indirect Access?
SAP indirect access means using SAPโs โDigital Coreโ (ERP or S/4HANA) without a direct SAP login, typically through a non-SAP system or interface.
In plain English, if people or devices retrieve data from SAP or push transactions into SAP through a third-party app or automation, thatโs indirect access. SAPโs licensing agreements stipulate that any use of SAP functionality โ even via an intermediary โ requires a license.
This broad definition has caught many companies off guard.
Consider a few simple examples of indirect access in action:
- External CRM integration: Your sales team works in Salesforce, creating customer orders that are automatically sent to SAP. The sales representatives never log into SAP, but SAP is still processing their orders through the integration.
- Customer or supplier portal: A web portal allows your customers to view inventory or suppliers to update delivery statuses in SAP. The portal talks to SAP in the background via APIs, so those external users are indirectly using SAP data.
- IoT and automation: Sensors or devices (e.g., an IoT sensor in a warehouse) feed data into SAP โ for instance, sending stock level updates or triggering a maintenance request. No human logs in, but the deviceโs actions create records in SAP.
- Reporting tools and bots: A third-party business intelligence tool queries SAP to display reports, or a robotic process automation (RPA) bot reads and writes SAP data to perform tasks. These also count as indirect usage of SAP.
In each case, SAP is being utilized behind the scenes, which SAP considers โuseโ that requires licensing. Historically, companies assumed if users werenโt logging in, they didnโt need licenses โ only to be hit with compliance claims later.
Next step: Identify all the places where non-SAP systems or users interact with your SAP data โ these are your indirect access scenarios and potential risk areas.
SAP Digital Access (Document-Based) vs Indirect Access (Named User)
To address indirect use, SAP introduced a new licensing model called Digital Access, which is a document-basedย licensing model.
This differs from the traditional named user licensing approach for indirect scenarios. Itโs crucial to understand both models and choose the one that fits your usage:
- Traditional Indirect Access (Named User model): In the legacy approach, any individual (or system) accessing SAP indirectly is supposed to be covered by a named user license. In addition, SAP offered special named-user licenses for certain indirect activities (like โSAP Sales and Service Order Processingโ users to cover external orders). Essentially, you pay per user (human or non-human) that triggers SAP activity. If 500 customers place orders via a portal, theoretically, you need 500 named user licenses โ an impractical and expensive approach in many cases. Some companies also used engine licenses or package licenses for certain interfaces, but generally, the onus was on counting every user.
- SAP Digital Access (Document model): Digital Access flips the model to count transactions/documents created, rather than the users. SAP identified nine core document types (e.g,. sales orders, invoices, purchase orders, etc.) that, when created in SAP by an external system or indirect usage, require a license. Under this model, you pay for the volume of documents created through indirect access. The upside is you donโt need to count every user or device โ unlimited external users can interact with SAP as long as you license the documents that get created. The downside is that you must estimate and manage document volumes, and you still need normal named-user licenses for your internal users who log in directly.
Nine Document Types in SAPโs Digital Access: SAPโs document licensing covers nine specific document categories that represent common business records in ERP.
These include Sales, Purchase, and Invoice documents, as well as records like Material movements, Financial postings, Manufacturing orders, Quality management entries, Service & Maintenance documents, and Time management entries. (See the FAQ section for the full list of all nine document types.)
If an indirect activity creates one of these documents in SAP, it counts toward your digital access consumption.
Notably, if an action does not create one of these document types, SAP does not charge for it under this model โ meaning read-only queries or updates to existing records are โfreeโ from a document count perspective.
Indirect Access vs. Digital Access โ Comparison Table
Below is a side-by-side comparison of the traditional indirect access licensing vs. SAPโs Digital Access (document-based) model:
Aspect | Traditional Indirect Access (Named User Licensing) | SAP Digital Access (Document Licensing) |
---|---|---|
What You License | Named user licenses for any human or system that indirectly uses SAP. In some cases, additional โorderโ or โinterfaceโ user licenses for external order processing. | Number of documents created in SAP by external systems (across 9 defined document types). No extra named users needed for those external users. |
Typical Scenarios | Best for scenarios with a limited number of external users or systems. For example, a small B2B integration with only a few partners, or internal systems interfacing with SAP where user count is low. | Best for high-volume or many-user scenarios. For example, a consumer webshop creating thousands of sales orders in SAP, or numerous IoT devices sending data โ situations where counting each user/device is impossible or too costly. |
Pros | Simplicity (in small scale): If only a few external parties access SAP, you just buy a few user licenses. Thereโs no need to track document volumes. No volume limit: A named user can generate unlimited transactions. A small number of licenses could cover large throughput (if allowed by contract). | Scalability: Unlimited external users or devices can use SAP without individual licenses โ cost scales with actual business activity. Fairness: You pay based on measurable transactions (documents) rather than arbitrary user counts. Read-only free: Indirect read/query of SAP data doesnโt create documents, so it incurs no license cost under this model. |
Cons | Costly at scale: Doesnโt work well when hundreds or thousands of external users are involved โ purchasing and managing so many user licenses is expensive and complex. Compliance risk: Hard to track every external user; high risk of โmissingโ some in audits. Duplicate licensing: Even non-humans (bots, interfaces) might each need a user license under strict rules. | Unpredictable cost: Document volumes can spike with business growth, leading to unplanned costs if you exceed licensed counts. Still need user licenses: You continue to license internal users by name; digital access only covers indirect usage. Counting needed: Requires monitoring and reporting document counts regularly, which is a new discipline for many. |
When It Fits Best | – When external usage of SAP is minimal or fixed (e.g., a handful of partners). – When you have alternative SAP package licenses in place covering certain transactions (legacy contract clauses). – If you can technically restrict access so that only known licensed users can trigger SAP transactions. | – When you have large numbers of external users (customers, suppliers, devices) interacting with SAP. – When indirect use is a major part of your processes (e.g., an online store, mobile apps, integrations) and you want a clean, audit-proof solution. – If youโre looking to avoid the nightmare of tracking each and every user and prefer to track overall usage. |
Risks & Watch-Outs | – โInvisibleโ usage: interfaces might enable thousands of users behind the scenes, far exceeding your named user count. An audit can uncover these and result in massive findings. – Multiplexing: If a middleware pools connections, SAP might still insist each end user needs a license (no technical workaround avoids liability). – Under-licensing: Itโs easy to underestimate how many named users you actually need for indirect scenarios. | – Overage fees: If you create more documents than licensed, SAP will expect you to true-up (buy more). Without an agreed cap or price, this could be costly mid-contract. – Double-counting: Internal users who already have a license still trigger document counts if they use an external app โ you pay twice (once for the user, once for the document). Careful contract terms are needed to avoid unfair double charges. – Document scope: Only the nine defined document types count. If SAP ever expands that list, it could increase costs; ensure any contract locks the scope. |
Negotiation Levers | – Named-user discounts: Negotiate volume discounts for large numbers of users if you stick with this model. – Engine licenses: In some cases, SAP offers special licenses for specific indirect scenarios (like external order processing engines) โ ask if those apply, as they might be cheaper than many user licenses. – Contract clauses: Define known interfaces and agree they are covered by existing licenses to prevent surprise claims later. (List out third-party systems in your contract if possible.) | – DAAP (Digital Access Adoption Program): Use SAPโs incentive program to get steep discounts (up to 90% off) on your initial digital access purchase, plus credit for old licenses and audit amnesty (more on this below). – Growth protections: Negotiate a buffer or price lock for additional documents if your business grows (e.g. fixed price for extra document packs, or a 10% free growth margin). – Conversion credits: Trade in shelfware (unused licenses) for credit toward document licenses so you donโt pay twice. Ensure the contract reflects these credits and maintains your support cost base (so maintenance fees donโt jump unexpectedly). |
For a deeper dive into choosing between traditional named-user licensing and the document-based model, see our dedicated guide โSAP Indirect vs Digital Access โ Choosing the Right Model.โ It explores in more detail how to evaluate which approach is right for your organization.
Next step: Decide which licensing model aligns with your usage profile โ map out the number of external users vs. the volume of documents to see where the break-even lies.
SAP Indirect Access Audit: How Detection Works & What Triggers It
SAPโs Global License Audit and Compliance (GLAC) team has become very savvy at detecting indirect usage during audits.
An indirect access audit typically begins like any SAP audit: you receive an official notice, and SAP requests you to run measurement programs (like USMM for user counts) and provide system data.
However, now SAP often adds specific requests about interfaces and document usage:
- System interfaces inventory: SAP will ask for a list of all external systems interfacing with SAP (inbound and outbound). They may request technical details, such as RFC connections, API endpoints, and even network diagrams. Any connection that isnโt an official SAP product is a red flag for indirect usage.
- Technical logs and tables: Modern SAP systems have tools to track document creation via external calls. SAP may instruct you to run the Digital Access Evaluation Service or specific SAP notes/programs (for example, note 2992090 on ECC or a
/S4HANA
report) that count how many of each of the nine document types were created by external sources. They also analyze tables like RFC logs, IDoc logs, or the โSAP Passportโ data (a technical marker in SAP that flags externally originated transactions). - License Administration Workbench (LAW/SLAW2): As part of the audit, SAP consolidates license data from across systems. SLAW2 (the updated SAP License Audit Workbench) can compile cross-system usage and may highlight users or documents that appear to come from integrations. For instance, if a single technical user ID has created thousands of documents, LAW reports will call that out for scrutiny.
- Interviews and questionnaires: SAPโs audit team often conducts interviews with your IT staff about how each interface is used. They will ask: โDoes this interface allow non-SAP users to access SAP data? Does it create any of the nine document types in SAP?โ How you answer these determines if they pursue an indirect access finding.
What triggers an indirect access audit?
In many cases, major contract events like renegotiations, a push to move you to S/4HANA, or if you declined the Digital Access model in the past, can prompt SAP to look harder at indirect use.
Also, if your SAP account team knows you have a popular e-commerce site, mobile app, or large partner network tied into SAP, they might flag that for compliance review. Unusual usage patterns (e.g., a sudden spike in SAP transactions not tied to named user activity) can also draw attention.
To prepare, transparency is key.
Understand how SAP sees your system: any third-party access, even for reading data, is technically โuse.โ For example, running large queries from a BI tool through SAPโs APIs might be considered indirect use of SAP (because SAP is doing the work to fetch and send the data).
During audits, SAP has argued that even read-only access via live interfaces requires a license.
The safest stance is to assume that if data is live from SAP and served to an external party, it is considered valid. (One exception: if you fully extract data out of SAP into a separate database and reports run off that copy, those external report users donโt need SAP licenses โ since they arenโt touching the SAP system.)
Scope control:
When facing an audit, respond only to whatโs asked and manage the scope. Youโre typically required to provide truthful data, but you donโt have to volunteer details about every interface if not requested.
Work with your compliance team or advisors to carefully document what each interface does (read vs. write, which doc types, which users).
Provide SAP with the necessary info, but avoid oversharing extraneous data that could confuse matters. If possible, segregate indirect usage metrics โ for example, run SAPโs Digital Access evaluation yourself ahead of time, so you know the numbers before SAP does.
For more detailed tips on detection and monitoring, see our article โMeasuring & Monitoring Indirect Usage (Tools & Tips),โ which covers using SAPโs license measurement tools, reading RFC logs, and proactively tracking document counts to stay ahead of audits.
Next step: Run an internal self-audit focused on indirect usage. Identify your high-risk interfaces and measure how many documents they create โ before SAP comes knocking.
DAAP in 2025: Discounts, Trade-Ins, and When to Switch
SAPโs Digital Access Adoption Program (DAAP) is a voluntary program that can turn a looming indirect access liability into a (somewhat) manageable cost.
Launched in 2019 and still available in 2025, DAAP is basically SAPโs carrot to entice customers to switch to the Digital Access document model before an audit forces the issue. It offers steep discounts and other incentives, but itโs a one-time opportunity per customer.
Hereโs what DAAP provides (as of 2025):
- Massive discounts on document licenses: SAP offers two options in DAAP โ often referred to as Option A and Option B. Option A (โ15% growthโ): You estimate your current annual document count from indirect use and then purchase 115% of that volume, but only pay for 100% (so you get 15% extra capacity free). This is roughly an 85% effective discount (pay for 100, get 115). Option B (โ90% upfront discountโ): You purchase licenses for 100% of your current usage, but pay only 10% of the list price (a 90% discount). Both options dramatically reduce the cost of adopting Digital Access. Option A is aimed at companies expecting future growth (a buffer of extra docs), while Option B minimizes initial spend if your usage is stable. In practice, many organizations choose Option B for the biggest immediate savings.
- License trade-in credits: SAP doesnโt want you to feel youโre โdouble-paying.โ Under DAAP, you can convert some existing licenses into credit towards the new document licenses. For example, suppose in the past you bought a bunch of extra named users or a special โindirect usage packageโ that you havenโt fully used. In that case, SAP may let you return those (relinquish the licenses) and reduce the price of your Digital Access purchase equivalently. This way, the money you already spent on covering indirect use isnโt wasted. (Keep in mind: SAP will usually require that your overall maintenance fees donโt drop. Theyโll apply credits to license fees, but they expect support revenue to continue on the new licenses โ effectively moving your spend from one bucket to another.)
- Amnesty for past indirect use: Perhaps the most attractive incentive โ SAP promises that if you sign up for Digital Access via DAAP, it will forgive any past unlicensed indirect usage. This means SAP will not back-charge you for any indirect usage that occurred before the DAAP agreement. Itโs essentially a get-out-of-jail-free card for historical compliance issues. For many, this is significant: without DAAP, if an audit reveals five years of under-licensing, SAP could demand reimbursement of maintenance or penalties for those years. DAAP wipes the slate clean in the future (youโre agreeing to properly license now, and SAP agrees not to dwell on the past).
Is DAAP still available in 2025? Yes โ as of 2025, SAP has extended the program with no fixed end date announced. Initially, DAAP was โtime-limitedโ through 2021, then SAP extended it multiple times due to customer interest.
Now it remains open-ended (though SAP could terminate or change it in the future). SAP sales reps often hint that โthese deals wonโt last forever,โ using a bit of FOMO to encourage sign-ups. But for now, the generous terms are on the table.
When does it make sense to switch via DAAP? The general rule: if you have significant indirect usage risk, itโs better to approach SAP on your terms (with DAAP) rather than wait for an audit.
Ideal times to evaluate DAAP include:
- Before a contract renewal or S/4HANA migration, SAP is usually more flexible and generous when a big deal is on the line. If youโre renewing a license agreement or planning a move to S/4HANA or RISE, bring up DAAP as part of that negotiation. You might secure even better terms or, at the very least, bundle it in cleanly.
- After measuring your indirect use: Use SAPโs Digital Access Evaluation Service or your own tools to get a ballpark of how many documents youโd need to license. If the number is high (and would cost a lot without discounts), thatโs a sign DAAP could save you a fortune. If the number is very low, you might consider deferring switching (traditional licensing could suffice for now, but monitor the situation).
- When audit risk is high: Perhaps youโve received informal queries from SAP about your interfaces, or you know your industry peers are being audited for indirect access. If the writing is on the wall, proactively opting into DAAP can transform an unknown penalty into a planned expense (with a huge discount). Itโs essentially insurance โ pay a small premium now to avoid a big hit later.
One caution: DAAP is a one-time offer. Once you convert to Digital Access, any future growth in document count will be at full price (unless you negotiated some price protections).
So, itโs critical to โright-sizeโ your initial purchase. If you underestimate your needs, youโll be buying additional document licenses later at list price (ouch). If you overestimate wildly, youโre paying maintenance on shelfware.
Aim to get it just right, and consider taking Option A if you foresee growth (that 15% buffer can be very useful and cost-effective).
Finally, even with DAAPโs amnesty, get everything in writing in the contract.
Ensure the agreement explicitly states that SAP releases any claims for past indirect use and that the number of documents licensed covers your scenario. Clarity now prevents disputes later.
Next step: Engage your SAP account team (or an independent licensing advisor) about DAAP if you suspect youโd benefit. Leverage the program while itโs available, especially if audits in your sector are ramping up.
Cost Modeling: Named Users vs Digital Access Documents (Scenarios)
To truly understand which model saves money, you need to run the numbers.
Letโs walk through two simplified scenarios to illustrate cost modeling for traditional vs. document-based licensing. (Note: exact prices vary, but the point is to compare relative costs.)
Scenario A โ Many Users, Low Transactions:
Imagine you have 1,000 external partners (like suppliers or customers) who each interact with SAP through a portal.
They mostly check info or enter occasional orders. Collectively, they create approximately 10,000 SAP documents (e.g., purchase orders) per year, averaging around 10 documents each annually.
- Traditional model: You would need 1,000 named user licenses (one for each external user, assuming each needs their own credentials). Even if you bargain for a cheaper license type for these partners, itโs a large number of licenses to buy and maintain. Letโs assume a low-tier named user costs $1,000 each (just for illustration). Thatโs roughly $1M in licenses, plus annual maintenance ($220k/yr at 22%).
- Digital Access model: Instead of users, you license the 10,000 documents. SAPโs price per document varies, but using a rough figure of $100 per document list price, 10,000 documents would be $1 million at list. However, with DAAPโs 90% discount, youโd only pay $100k for the licenses, plus maybe $22k/year support. Even without DAAP, if each document license is cheaper than a user license, it could be less than the cost of 1,000 users. In this scenario, document licensing clearly wins โ you cover all 1,000 usersโ activities by paying for 10k docs, often at a fraction of the cost of individual user licenses. Plus, itโs cleaner: if next year 500 more partners join but activity per partner stays similar, your costs only go up if document count goes up significantly (not just because user count increased).
Scenario B โ Few Interfaces, High Volume:
Now consider a case with machine-to-machine integration. Suppose you have two automated systems (no human users) that push data into SAP โ say, an online store and a warehouse IoT system.
There are only two integration points, but they generate 500,000 documents in SAP per year (for instance, 500k sales order lines, deliveries, etc.).
- Traditional model: Technically, you might handle this with just a couple of technical user licenses (one for each system) since only two systems connect. In theory, youโd buy 2 named users (cost negligible in comparison), and those accounts can create unlimited transactions. However, SAPโs rules might not so easily allow โunlimitedโ in this case โ they might insist that each end-customer placing an order via the online store is an indirect user. If a million customers use the store, SAP could argue a million named users are required (which is impossible and is exactly why the old model breaks down). Often, in the real traditional approach, it was to buy a special engine license or just risk it and not license each customer. This is where many companies got into trouble before the advent of Digital Access.
- The Digital Access model:ย 500,000 documents clearly dwarfs a few user licenses in terms ofย cost. At $100 per doc, thatโs $50M list โ far more than the cost of a handful of user licenses! Even with a 90% DAAP discount, $5M is huge compared to maybe $10k for two technical users. But remember, under the old rules, SAP wouldnโt accept just two users covering half a million transactions for anonymous customers โ youโd be non-compliant and facing audit penalties. Digital Access provides a way to become compliant for that high volume, but youโd want to negotiate aggressively. Perhaps you use Option A (115% of current volume) to establish a buffer, and you may also negotiate a custom discount beyond 90% for such a large volume. You might also analyze if all 500k documents are one type (e.g., financial postings) that have a 0.2 multiplier (meaning effectively 1/5th of a doc each), which could reduce cost. In any case, in this scenario, the only practical way to license legitimately is the Digital Access model โ but you must make sure itโs priced affordably through negotiation.
Breakeven considerations: The break-even point between models depends on the ratio of external users to documents:
- If you have very few external users/systems, but they create a large number of documents, the traditional model (few user licenses)ย may seem cheaper. Still, it likely violates SAPโs contract if those documents originate from unlicensed users. In reality, the old model doesnโt scale legally in such cases โ SAP wants you on the document model.
- If you have a large number of external users with relatively light usage each, the document model is almost always the cheaper and simpler option. Buying thousands of named users for light occasional use would be overkill.
- In moderate cases, you should calculate: e.g., 100 external users vs 5,000 documents โ weigh the cost of 100 user licenses vs 5,000 docs. Remember to factor in maintenance and future growth. Also consider risk: a named-user approach might look cheaper on paper, but only until SAP changes rules or your user count spikes unexpectedly.
Document pricing and bundles:
SAP sells Digital Access in blocks of documents (often structured in multiples of 1,000 documents or similar). Typically, you purchase a certain quantity of each document type or an overall allowance.
Itโs a perpetual license with annual maintenance. If you exceed your licensed document count in a year, you are expected to true-up by buying additional blocks. Unlike cloud subscriptions, thereโs usually no automatic โturn offโ โ but an audit would catch the overage.
You can negotiate provisions like annual true-down (if you over-bought, can you reallocate or drop some licenses later?) or price locks for additional blocks (so that if you need more in 2 years, you pay the same unit price as initial, not list price).
In summary, model your own scenarios.
Use actual data from logs or the Digital Access Estimator to see how many documents your external processes generate. Compare that to how many user licenses you would otherwise need (and of what type).
Also factor in qualitative aspects: compliance risk, ease of management, and future scalability. Often, even if the document model is slightly more costly in pure dollars, the predictability and compliance peace-of-mind tip the scales in its favor.
Next step: Create a spreadsheet of your key indirect usage scenarios. Calculate costs under your current model vs digital access. Identify the breakeven point and use it to inform your negotiation with SAP.
Read-Only & Reporting Scenarios: Do You Still Owe Licenses?
A common question is: If users only view SAP data through an external system (read-only access), do we need licenses?
This scenario arises with tools such as third-party reporting tools, portals where data is displayed but not modified, or batch exports of data.
The answer depends on how the data is accessed:
- Live read access via SAP APIs or interfaces: If an external application is pulling data in real-time from SAP (using SAPโs APIs, OData services, RFC calls, etc.), SAP considers that use of the software. Even read-only use triggers the need for a license because the SAP system is doing work to provide that data. For example, an analytics dashboard that queries SAP every time a user opens it is essentially using SAP as the engine behind the scenes. Under traditional rules, each person viewing that dashboard might need a named user license (even though they arenโt logging in to SAP directly). This is obviously hard to enforce, but itโs the letter of the contract. Under the Digital Access model, read-only queries typically do not create any of the nine chargeable document types, which means those interactions wouldnโt count toward your document license usage. In effect, if youโre fully on digital access, pure data retrieval does not incur additional cost. This is a notable benefit of the document model for companies with heavy external reporting: you could have many people viewing SAP data externally and not pay extra, as long as they arenโt creating new records.
- Static exports and data replication: If you periodically extract data from SAP (say nightly ETL to a data warehouse, or CSV exports) and then users access the data on a separate platform, those users do not need SAP licenses. Since the SAP system isnโt being accessed indirectly in real-time โ the usage happens completely outside of SAP โ thereโs no SAP license requirement. Many companies employ this strategy: push data to a non-SAP database or application, and allow outside users to hit that instead of SAP directly. This โair gapโ ensures youโre not unintentionally violating SAPโs rules when providing data to a broad audience (like hundreds of users running reports).
- Cached or intermediary systems: Similarly, if you have an intermediate layer (like a middleware or caching server) that aggregates SAP data and handles queries, you might reduce the license impact. Be careful, though: SAPโs multiplexing clause states that you canโt avoid licensing by funneling multiple users through one connection. Even if one technical user account is pulling data on behalf of many people, SAP will argue that each end user still needs a license (in a named user model). In a digital access model, if that technical user is just reading data and not creating documents, youโre in the clear (no documents = no charge). The key difference is whether youโve adopted digital access or not.
Bottom line: If you are still on the named user model, even read-only indirect access can be considered licensable.
In practice, SAP audits have historically focused more on write transactions (like creating orders) because thatโs easier to prove value being obtained from SAP. But itโs wise not to rely on goodwill; the contract is usually unambiguous that โdisplaying information from SAPโ is also usage.
If you have a scenario with hundreds of external viewers, strongly consider either moving that to a data warehouse or switching to Digital Access licensing to avoid a potential licensing minefield.
Mitigating read-only licensing exposure:
- If real-time data access is needed, explore data caching solutions where a limited number of licensed users fetch data from SAP and store it, and then external users query the cache. This can drastically reduce direct hits to SAP.
- Useย SAPโs own user typesย cleverly: SAP sometimes offers a read-only user license type (for internal use, e.g., an โESSโ or Employee Self-Service type), but not really for external use. Thereโs also the concept of a โplatform userโ for technical access โ talk to SAP if a specialized license can cover a read-heavy scenario.
- Most importantly, have architectural governance: any new interface or reporting tool that wants to connect to SAP should be reviewed by your ITAM or compliance team. Ask, โWill this create indirect use that we need to license? Can we do this another way?โ Often, a minor design change (like using a copied dataset) can save hundreds of thousands in licenses.
Next step: Review all reporting and analytics tools that pull from SAP. For each, decide whether to allocate licenses, switch to a data replication approach, or include that usage under a digital access license in the future.
Third-Party & Machine-to-Machine Integrations (IoT, APIs, RFC/BAPI)
Modern enterprises connect SAP to a multitude of systems: e-commerce platforms, supply chain systems, IoT sensors, RPA bots, mobile apps โ the list grows every year.
Each integration is a potential indirect access scenario. Itโs crucial to classify and manage these machine-to-machine usages with an eye on licensing.
Common integration patterns and licensing impact:
- Third-party front-ends (portals, e-commerce): A non-SAP front-end where users initiate transactions that hit SAP. For licensing, you typically have many users behind a few system accounts. These are prime candidates for the digital access model, since counting users is infeasible. If you remain on named users, you might try SAPโs special solutions (like an โSAP Internet Accessโ license or industry-specific engines), but those are complex and often costly. In any case, ensure such interfaces are documented in your contract. At a minimum, list the external application and how itโs licensed to avoid later confusion.
- APIs and middleware (SAP PO/CPI or third-party ESBs): You may have a middleware that funnels requests to SAP. While middleware itself might manage connections efficiently, from SAPโs perspective, each end call that results in data creation is what counts. If 10 different systems all create sales orders via one middleware pipeline, you still have 10 systemsโ worth of indirect usage. Throttling and filtering become important: configure your integrations to only send necessary transactions to SAP. For example, if an IoT sensor sends readings every second, maybe aggregate the data and send one summary per hour to SAP โ thatโs 24 documents a day instead of 3600. Multiply such savings across interfaces, and you significantly cut license requirements.
- Remote Function Calls (RFC/BAPI usage): SAPโs classic integration mechanism is RFC/BAPI. These are often used for deep integrations and can be tricky because they allow not only data creation but also reading and complex transactions. To detect these, SAP uses the โPassportโ technology and specific logging. From a licensing view, treat any custom RFC integration as an indirect access use case. If the RFC writes data, it will produce a document (such as a financial posting or material movement). You can instrument your RFC calls to log how many documents or records they create in SAP โ this will help in measuring digital access usage. Also consider API user segregation: use distinct technical user IDs for each external system. This way, if an audit finds documents created by user โAWS_IoT_Botโ, itโs clear which system caused it, making conversations with SAP more straightforward (and you can license precisely for it).
- IoT and automated devices: IoT scenarios often involve high volumes of machine-generated data. For instance, sensors updating inventory, smart meters creating billing records, or robots logging maintenance events. In such cases, not every event requires an SAP transaction. Implement rules: consider creating a SAP record only when a threshold is met or an exception occurs. Use edge computing or IoT platforms to preprocess data. Every reduction in document creation not only saves licensing costs but also performance load on SAP. If IoT is core to your business, evaluate Digital Access early โ it was practically designed with IoT in mind (since no way youโll license each device as a โuserโ).
- Bulk data interfaces (file imports, ETL): Some third-party interactions are batch jobs, like nightly file imports updating SAP. These can generate many documents in one go. If you use SAPโs tools (like Data Services or SLT replication) and the source is non-SAP, those created records still count as indirect. But one advantage of batch: you can schedule around license counts. If a batch process is temporarily creating documents that get reversed or adjusted, see if those interim documents can be avoided so they do not count unnecessarily. Also, double-check if some batch inputs could use anย SAP-provided interfaceย (some industry solutions have inclusive licenses for certain data loads).
Technical mitigations summary: To minimize indirect access exposure, design integrations thoughtfully. Use gateways and middleware not just for technical reasons but as control points โ where you can monitor usage, enforce limits, and produce logs for license compliance.
Implement alerts in your integration platform if transaction volume from a particular source spikes beyond normal (e.g., if an API starts suddenly pumping thousands of extra orders due to a bug or surge, you want to know and react, possibly before SAP does).
For critical high-volume interfaces, discuss with SAP if thereโs a specific alternative license; in some cases, SAP has offered custom agreements for IoT scenarios that donโt neatly fit the standard models.
Lastly, treat non-human access like assets: maintain an inventory of all service accounts, bots, and devices interacting with SAP.
Assign each a โlicensing categoryโ (e.g., covered by named user X, or counted under Digital Access, or exempt because itโs SAP-to-SAP). This inventory will be invaluable during an audit or when negotiating contract renewals.
Next step: For each integration or third-party system touching SAP, create a one-page profile: what it does, how many transactions, what document types, and current licensing coverage. This will highlight any high-risk integrations that need optimization or discussion with SAP.
RISE with SAP / S/4HANA Cloud: Where Indirect Access Shows Up
Many organizations are transitioning to RISE with SAP or S/4HANA Cloud, which are subscription-based cloud offerings.
A big question arises: Does indirect access go away in the cloud? The good news is that RISE significantly reduces indirect access headaches, but it doesnโt eliminate them.
Indirect access in RISE:
RISE with SAP (which bundles S/4HANA licensing, cloud infrastructure, and services in one subscription) uses a metric called Full User Equivalents (FUEs) for licensing.
Essentially, you subscribe to a certain number of users (classified by roles like Professional, Functional, Self-Service, etc., each with an FUE weight) that covers your entire usage.
In the RISE model, most typical indirect usage is included as part of that user count or underlying package:
- Standard third-party integrations (say, your e-commerce platform creating orders in S/4HANA) are generally covered by the fact that you have subscribed to S/4HANA for X users and a certain level of digital usage. SAP is not separately charging โdocumentsโ in these cases for RISE customers โ there is an assumption that reasonable integration usage is part of the service.
- In effect, if you have a sufficient user subscription, your external interfaces that create documents are considered part of the workload your subscription covers. SAPโs cloud contracts often state that the subscription includes the use of the software for your internal users and โbusiness partnersโ interacting with the system.
This simplification is a major benefit of moving to RISE or SaaS: youโre less likely to get a separate indirect access bill because youโre already paying a recurring subscription for the system. SAP is incentivized to make you comfortable connecting SAP with other systems in the cloud era, rather than scaring you with extra fees.
However, โsimplifiedโ doesnโt mean โunlimitedโ. There are still scenarios to watch:
- If you have an extremely high-volume integration (imagine pumping millions of transactions from IoT sensors into a RISE S/4 system), SAP might say that goes beyond normal usage. While the contract may not explicitly specify document limits, performance and capacity limits could be implicitly breached. SAP might suggest you need to upgrade your subscription (more FUEs or an add-on) to handle that load. In some cases, SAP could require a separate document license even for RISE if the usage is clearly outside standard parameters (though this would likely be negotiated on a case-by-case basis).
- RISE contract clarity: Itโs important that your RISE contract explicitly covers what you expect. Standard RISE agreements may not detail indirect usage at all โ SAPโs position is โitโs all included under the user subscription.โ But to be safe, you should insert language confirming that integrations and external usage (to a reasonable degree) are included. If there are known heavy-use integrations, list them and agree theyโre allowed within your subscription. This way, thereโs no gray area later. Remember, if something is not mentioned, and your usage spikes, SAP could come back at renewal and say, โYouโve outgrown your subscribed use case.โ
- S/4HANA Public Cloud (SaaS): In the multi-tenant SaaS version of S/4HANA (often just referred to as S/4HANA Cloud, without the โprivate cloudโ or RISE branding), the concept is similar: you have a subscription based on users or consumption metrics. You generally donโt deal with indirect access licensing separately. However, SaaS offerings may have stricter technical limitations (due to their multi-tenant and highly standardized nature). Always review the usage policies โ for example, some SaaS might limit API calls per user license. Indirect access in SaaS might show up as an API usage metric rather than a licensing bill, but if you exceed it, you might need a higher tier of service.
Overall, RISE with SAP shifts indirect access risk into a more manageable form โ you worry about overall subscription compliance rather than surprise audits for a specific interface. CIOs can integrate systems more freely, accelerating digital transformation, with less fear of being nickel-and-dimed for each integration.
That said, governance is still needed: monitor your cloud usage and user counts, and keep an eye on those outlier cases (like an unplanned surge in transactions from a new digital initiative).
SAP might not call it โindirect accessโ in the cloud, but if your usage pattern changes dramatically, it will surface in some form (either performance or cost at renewal).
If youโre moving to RISE, itโs wise to reconcile your current indirect use as part of the migration. Sometimes SAP will offer a clean break: e.g., forgive past indirect usage if you commit to RISE. Make sure that any such promises are documented.
And if you maintain some on-premises SAP systems alongside RISE (a hybrid environment), remember that indirect access rules still apply to the on-prem part.
Next step: Include indirect access considerations in your RISE migration plan. Work with SAP to ensure your RISE contract covers your integrations, and set up monitoring for any unusually high usage that might require subscription adjustments.
Compliance Checklist: Preparing for an SAP Indirect Access Review
Licensing compliance can be daunting, but adopting a proactive approach can make it a routine part of governance
. Use this 10-step checklist to prepare for a potential SAP indirect access review or audit.
This will help you uncover issues on your terms and have a solid defense (or resolution plan) ready.
- Inventory all interfaces to SAP: Document every system, application, or device that connects to your SAP ERP/S/4HANA system. Include both inbound and outbound connections. For each interface, note the technical integration method (API, RFC, IDoc, etc.), the data flow direction, and business purpose. Ownership: Assign an owner for each interface who can explain its function.
- Classify each data flow: Determine for each interface whether it is read-only, write (creates or updates data in SAP), or mixed. If write, identify if it creates any of the nine Digital Access document types (sales order, invoice, etc.). This classification indicates which interfaces have potential license impact (anything that creates documents or allows transactional updates is a high priority).
- Map external users/devices to licensing: For interfaces that involve external users (like portals) or devices/bots, map who/what those users are. Are they internal employees, business partners, consumers, or IoT devices? For each category, map it to a current licensing approach: e.g., โWe have 50 supplier portal users covered under Supplier named-user licensesโ or โOur consumer website users are not licensed individually (potential gap)โ. This gives a clear view of where you might be under-licensed.
- Run USMM and consolidate with SLAW: Execute SAPโs USMM (User Measurement) in each SAP system to get the baseline user counts. Then use LAW or SLAW2 (License Administration Workbench) to consolidate results if you have multiple systems. Review the consolidated user list for any generic or technical users with high activity โ those often indicate interface accounts. Ensure no active human users are unclassified (e.g., someone using a generic login).
- Clean up and optimize users: Before any formal audit, clean your user base. Dedupe users (especially if the same person has accounts in multiple systems โ LAW can combine those if configured). Remove or lock dormant users who havenโt been active โ why pay for licenses or count them if theyโre not used? This step might not directly solve indirect licensing, but it strengthens your overall compliance position and reduces noise in the data.
- Estimate Digital Access document counts: Using SAPโs evaluation tools or logs, estimate how many of each of the nine document types are created by your interfaces per year. If you have access to SAPโs Digital Access Evaluation Service, run it (itโs a program that simulates document counts without requiring a contract change). If not, try to pull document creation stats from tables or use the Digital Access Estimation notes SAP provided. Make a simple table: e.g., โSales Orders: 12,000/year via interfaces X and Y; Purchase Orders: 5,000 via portal Z; Financial postings: 20,000 via system Q,โ etc.
- Validate results with SAPโs free tools (if possible): SAP offers a Digital Access Evaluation Service โ essentially a workshop where they help you measure your doc counts free of charge. Consider doing this informally beforeย an audit. It shows you what SAP would find. Just be cautious: do it when youโre ready to possibly engage in a licensing discussion, because if the numbers are high, SAP sales will follow up. Alternatively, use an independent license consultantโs tools to validate the counts. The goal is to have a reliable baseline that you trust.
- Draft contract language or clarifications: Review your current SAP contracts for any clauses about indirect use or third-party interfaces. Many older contracts are silent on this, which means SAP will default to standard policy (not in your favor). Proactively draft clauses youโd like to add at next renewal or order form: for example, โExternal users accessing SAP via the Acme Portal are covered under the Acme Portal license and do not require individual SAP Named Usersโ or โSAP Digital Access license covering X documents per year shall cover all indirect usage of the SAP system, with no additional named users required for such usage.โ Collaborate with legal and procurement to have a preferred language ready for the proposal.
- Monitor and set thresholds: Establish internal KPIs/alerts for indirect usage. For example, set up an alert if the number of sales orders created via interface ABC in a day exceeds a certain number, or if a technical user suddenly spikes in activity. This helps catch runaway scenarios (such as a malfunctioning script generating thousands of transactions) before they become a licensing incident. Track document counts quarter-by-quarter โ this also helps in forecasting and in negotiations (you can show trends).
- Prepare an audit response plan: Donโt wait for an audit letter to decide who does what. Form an internal license audit response team with roles from IT Asset Management (to provide data), BASIS/SAP admin (to run tools), and Legal/Procurement (to handle communications and negotiations). Have a communication protocol โ for instance, all audit requests funnel through a single coordinator, and no data is sent to SAP without review. Also, prepare a negotiation strategy in case findings arise: for example, โIf SAP finds indirect use, we plan to propose adopting Digital Access via DAAP at $X cost rather than paying full back maintenance.โ Having this playbook ready will make the audit process far less panicky and more under your control.
By following these steps, you essentially simulate an audit on your own terms and fix issues proactively. Even if you find you are out of compliance, you can often address it via DAAP or internal changes before SAP ever audits you, which puts you in a much stronger negotiating position.
Next step: Set a recurring calendar (at least annually, ideally quarterly) to revisit all these steps. Indirect usage isnโt a one-time check โ make it part of your ongoing IT governance to avoid nasty surprises.
Negotiation Playbook: Contract Language, DA Evaluation, and Price Levers
When it comes to indirect access, the best time to โnegotiateโ an issue is before it becomes an audit finding.
Whether you are proactively adopting Digital Access or facing an audit resolution, use these negotiation tactics to protect your organization:
- Get definitions and scope in writing: Your contract should clearly define key terms. Insist on language that spells out what โIndirect Useโ covers for your situation. For example, define โSAP Application Accessโ vs โThird-party Access,โ or explicitly list the nine document types if youโre moving to Digital Access (to prevent SAP from later saying some other document is chargeable). If youโre sticking with named users, clarify things like whether API calls by external systems are permitted under a technical user license or not. Ambiguity is your enemy โ nail it down in the contract or order form.
- Include a โcapโ or buffer on digital documents: If you go with Digital Access licensing, try to build in flexibility for growth. For instance, negotiate an agreement that the purchased document volume is an annual entitlement with, say, 10% excess allowed before any true-up. Alternatively, you can arrange tiered pricing: for example, if you exceed the initial purchase by up to 20%, you can purchase the extra at the same discounted per-document price as the initial purchase. Avoid open-ended exposure. In essence, this is like negotiating a predictable overage fee instead of an unknown penalty.
- Ensure conversion and trade-in credits are applied:ย If, as part of adopting Digital Access, you are trading in existing licenses (perhaps those previously used to license indirect scenarios), detail that in the contract. List exactly which license part numbers are being returned or reduced, and how the credit is applied to the new licenses. Make sure it also says that any returned licensesโ maintenance base is transferred, not lost โ meaning your overall maintenance payments to SAP remain the same for now. This prevents SAP from โdouble dippingโ (you paying maintenance on old licenses you no longer use and on new digital access licenses).
- State the amnesty in settlement agreements: If you resolve an audit by purchasing licenses (be it named user or digital documents), have the settlement or purchase agreement explicitly state that SAP waives any claims for past usage up to the date of signing. This is basically your legal protection that the matter is closed. SAP typically will include this, but read the fine print. For example, if you only partially cover what SAP found, ensure the wording is that this purchase fully settles those findings.
- Leverage the Digital Access Evaluation Service results: If you engaged SAP to do an official Digital Access evaluation and they delivered a report of document counts, use that as a baseline for negotiation. Often, those reports might overshoot (they might count some docs that are actually not chargeable or include internal usage). Review it critically โ you might find you can argue the count down by excluding certain document types that were misclassified. If the evaluation shows, say, 100k documents, you could negotiate to license a bit less on the argument that not all are truly indirect. The key is showing SAP you understand the data as well as they do.
- Time your negotiations strategically: The best leverage with SAP comes when SAP wants something from you โ typically at a renewal, a big purchase, or when youโre considering moving to RISE or S/4HANA. Use those moments to address indirect access. For example, if your ECC support contract is up for renewal, you might say: โWeโll sign up for RISE (or extend support) if you include X documents of digital access at Y discount or include it free.โ SAP sales teams have targets that allow them to remain flexible at those junctures. The worst time to negotiate is after an audit, when you have no leverage โ so try to anticipate and bundle it in earlier.
- Consider DAAP vs. keeping legacy in your threat arsenal: If SAP isnโt offering acceptable terms, subtly remind them that you could stick with your legacy model and fight it out in audits or even court if necessary. While thatโs not ideal, SAP knows the public relations and legal cost of another indirect access dispute (like the 2017 Diageo case) isnโt great for them. They prefer customers move to the new model amicably. This means you can push for a better deal under DAAP (maybe better than a 90% discount, or extra goodies) by showing youโre not afraid to say no. Itโs a bit of a poker game โ convey willingness to adopt the new model but only at a fair price.
- Push for protective clauses: If you do adopt Digital Access, ask for clauses that protect you, such as: โSAP will not audit customer for indirect use of SAP software provided customer stays within the purchased document limits,โ or โIf SAP introduces new document types or licensing models, customer may elect to remain on the current model without forced migration.โ SAP may not agree to all, but even one or two protective statements can help in the long run. At a minimum, ensure your contract doesnโt explicitly allow SAP to retroactively adjust things.
- Negotiate long-term pricing: Indirect access needs can grow with your business. Try to get a price hold for future purchases of digital access licenses for a few years. For example, an addendum that any additional document licenses in the next 3 years will be at the same percentage discount as the initial DAAP deal. This way, if you were slightly off in your estimates, you wonโt be punished with the full list price later.
- Document everything: In negotiations, you might have lots of discussions, emails, and side assurances. Only the contract governs. If your SAP rep says, โSure, that integration is fine, you wonโt be charged for it,โ kindly ask to have that written into the contract or at least an official letter. Verbal assurances wonโt hold up later. Often, itโs useful to summarize your understanding in writing and send it to SAP for confirmation. While they may not sign a side letter, you creating that paper trail can help if disputes arise (โas per our understanding on date Xโฆโ).
Finally, donโt shy away from using experts. Indirect access negotiations can get technical and nuanced. Bringing in a third-party SAP licensing expert or legal counsel whoโs seen these deals can pay for itself many times over by finding concessions and favorable terms you might not know to ask for.
Next step: Before your next SAP contract negotiation, list out your indirect access โmust-havesโ โ the clauses or terms you want. Engage your procurement and legal teams early so they understand the importance of this initiative. Approach SAP with a well-prepared ask, and donโt be afraid to push back to protect your interests.
For more insights, see SAP Indirect Access Mitigation & Contract Clauses.
Actionable Recommendations for SAP Indirect Access (Buyer-First)
To wrap up, here are concrete recommendations to help you take control of indirect access licensing in 2025 and beyond.
These are focused on empowering you, the SAP customer, to minimize risk and cost:
- Measure first, decide model second: Never commit to SAPโs Digital Access or any licensing change without data. Measure your indirect usage now. Use SAPโs tools or independent analysis to quantify how many documents and which users are involved. Let the numbers drive your decision on whether to stick with named users or switch to documents. Data can also strengthen your negotiation position.
- Pilot the Digital Access math: If youโre on the fence, do a trial run. Simulate what your costs would be under Digital Access. SAP may assist with an evaluation license, or you can internally count transactions for a few months. This pilot can reveal surprises (perhaps your volumes are higher or lower than expected) and will either give you confidence to switch or provide evidence to stay put.
- Bake protections into the contract (not in emails): Handshake deals and friendly emails from reps wonโt protect you in an audit. Ensure all agreements about indirect access are explicitly written into your SAP contract. That includes any special terms, exceptions, or understanding of usage. For example, if SAP promises your specific B2B portal is โcovered,โ get that in the contract. The contract is your only safety net if personnel change or memories fade.
- Treat integrations as licensed assets: Manage your third-party interfaces with the same rigor you manage user licenses or SAP engines. Assign owners, track usage, and revisit quarterly. Make indirect usage a standing item in your IT asset management reviews. By treating it proactively, you turn a potential unknown risk into a monitored metric. If a new integration is proposed, involve compliance in the design phase โ itโs easier to build in a solution (like a data cache or a license plan) than to fix an exposed integration later.
- Re-baseline regularly: Business evolves โ new partners, new apps, acquisitions, etc., can change your indirect usage profile. Re-baseline your indirect access risk at least annually. Re-run measurements, update your interface inventory, and adjust your licensing if needed (better to buy one extra engine or 1,000 docs knowingly than be caught under-licensed). Keeping an eye on this ensures youโre always in compliance.
- Leverage SAPโs programs, but on your terms: SAP will continue to offer programs like DAAP and push cloud transitions. These can be beneficial, but make sure the timing and terms align with your needs. Use these programs as tools, not responses to pressure. For instance, if an audit threat is looming, opting into DAAP preemptively (with negotiation) can turn a surprise into a planned budget item. Always aim to be one step ahead of SAP โ doing things because it makes sense for your business, not simply reacting to an audit letter.
By following these recommendations, youโll foster a proactive stance on SAP indirect access. Instead of fearing the next audit or rule change, youโll have a handle on your usage and a plan for optimizing licenses. The ultimate goal is to avoid unnecessary costs while staying compliant โ with knowledge and preparation, that balance is entirely achievable.
FAQ: SAP Indirect Access Questions (2025)
What is SAP indirect access in simple terms?
SAP indirect access is when people or systems use SAPโs software without logging in directly, typically via a third-party application or automated process.
For example, if a salesperson enters an order in a non-SAP CRM and that order flows into SAP, the salesperson is indirectly accessing SAP. SAP requires that such usage be licensed, even though the user isnโt in the SAP GUI. In short, any utilization of SAP functionality (reading or writing data) through an external intermediary counts as indirect access.
Does read-only access to SAP data require licenses?
It can. Under traditional licensing, yes, even read-only scenarios via live SAP interfaces technically require a named user license for each person who views or uses the data. For instance, someone viewing an SAP report through a third-party portal is supposed to have a license because SAP is generating that information on their behalf.
However, under SAPโs Digital Access (document-based) model, pure read-only actions do not incur a charge because no chargeable document is created. Additionally, if you extract data out of SAP into another system and users view it there (with no live connection to SAP), those users donโt need SAP licenses. The safest practice is to assume live indirect reads are licensable and design around it (either license those users or use data replication to avoid direct queries).
What are the nine document types in SAPโs Digital Access model?
The nine digital document categories SAP counts for licensing are: Sales Documents, Purchase Documents, Invoice Documents, Material Documents, Manufacturing Documents, Quality Management Documents, Service & Maintenance Documents, Financial Documents, and Time Management Documents.
These cover the most common transactions in SAP ERP. For example, a Sales Document would include things like sales orders or quotations; a Purchase Document covers purchase orders; an Invoice Document might be a billing document or supplier invoice; Material Documents cover inventory movements; Manufacturing could be production orders; Quality Management might be inspection lots or results; Service & Maintenance include service orders or maintenance notifications; Financial Documents are journal entries or postings; Time Management could be time sheet entries.
Each document type has a specific definition in SAPโs notes, but in essence, if an external system creates one of these in SAP, it counts as indirect usage that the Digital Access license covers.
Is the DAAP (Digital Access Adoption Program) still available in 2025, and what discounts does it offer?
Yes, SAPโs DAAP is available in 2025. SAP has extended the program beyond initial deadlines, and as of now, thereโs no announced end date. DAAP offers very steep discounts to encourage customers to switch to the document licensing model.
There are typically two options: one gives about an 85% effective discount with some growth buffer, and the other is a 90% discount upfront on the needed document licenses. In practice, many companies have received around 90% off the list price for their initial digital access purchase. Additionally, DAAP can include credits for existing licenses you trade in and an amnesty on past indirect usage (SAP forgives past compliance issues once you sign on).
The exact deal can vary, but itโs not uncommon to negotiate millions of dollars of list-price licensing down to a few hundred thousand via DAAP. The advice is to take advantage of these discounts while they last, and negotiate the best terms you can (e.g., maximize credit for your unused licenses).
SAP offers RISE with SAP โ does having RISE or S/4HANA Cloud eliminate indirect access charges?
RISE with SAP and S/4HANA Cloud greatly reduces the classic indirect access problems. In a RISE subscription, youโre paying for a bundle of software and services based mainly on user count and some metrics, and typical indirect integrations are included in that subscription.
You generally will not receive a separate bill for โindirect accessโ as long as your usage falls under what your RISE contract covers. However, this doesnโt mean itโs unlimited. Exceptionally heavy use (like millions of transactions from an external source) might require you to upgrade your subscription or buy an add-on.
The key is to ensure your RISE contract is scoped properly: list any unusually high-volume interfaces and get confirmation theyโre covered. For standard uses (connecting your e-commerce, etc.), RISEโs philosophy is that itโs all part of the service.
Essentially, RISE moves you to a world where indirect access is a smaller concern, but make sure to negotiate any special needs up front. In pure S/4HANA public cloud, the approach is similar โ no separate indirect license, but watch out for any API usage limits in the contract.
For more help, read SAP Indirect vs Digital Access: How to Choose the Right Licensing Model.
How does SAP actually detect indirect access in an audit?
SAP uses a combination of tools and analysis to find indirect usage.
They will review system logs, such as RFC call logs, IDoc transaction logs, and the outputs of the Digital Access estimation programs. SAPโs โPassportโ technology tags external calls, so they can see if documents in SAP have an external origin. In an audit, SAP might ask you to run specific SAP Notes/programs that count digital documents created by external systems.
They also analyze the named user list for any โgenericโ users that have high activity (a sign that one user ID might be serving many people via an interface). Additionally, they often send questionnaires or conduct interviews to gather feedback on how each interface is used. For example, theyโll ask, โDoes this interface allow non-employees to access SAP data?โ If yes, they probe deeper.
Essentially, any route into SAP that isnโt a direct login is examined. SAPโs Global License Audit and Compliance team has a playbook of tables and metrics (such as table USAGE and STAD stats) that help them pinpoint indirect usage. Being prepared with your own data and understanding of your interfaces is the best defense โ you can then validate or challenge SAPโs findings with confidence.
Can SAP engine licenses or special licenses cover indirect access scenarios?
In some cases, yes, SAP has offered specific licenses to cover particular indirect scenarios in the past. For example, there were โSAP Platform Userโ licenses intended for non-dialog technical access, or Industry solutions that allowed external party ordering (like SAPโs external order engine for utilities or telecom). Thereโs also the classic โSAP NetWeaver Foundation for Third-Party Applicationsโ license that was meant to cover certain third-party add-ons accessing the SAP platform. However, SAPโs clear direction now is the Digital Access model for all indirect use.
They are less inclined to sell or promote those older solutions since the introduction of Digital Access. That said, if you already own an engine or special license (say for a B2B portal or an API bundle), SAP will honor that as long as you stay within its terms. In negotiations, itโs worth asking if any alternative licensing approaches exist for a very specific scenario.
Occasionally, SAP may allow a workaround, such as a flat-fee license, for a particular interface. These are more the exception than the rule. Most customers today either use named user licenses or the digital document licenses to cover indirect use, as engines often end up just as pricey and more confusing. Always have SAP clarify in writing that a given engine license indeed covers the indirect scenario you intend โ donโt assume coverage without explicit confirmation.
How long does an SAP audit take, and what data is required for an indirect access review?
A full SAP license audit (covering all aspects) can take a few months from start to finish. When indirect access is in play, the timeline often extends because of additional data collection and discussions.
Typically:
- Initial request: SAP provides approximately 1-2 weeks to run the standard measurement (USMM/LAW) and any specific scripts for digital access counts.
- Data analysis: SAP might take a few weeks to analyze what you send. If they find potential gaps or need clarifications, theyโll come back with questions.
- Follow-up and interviews: Expect another few weeks of back-and-forth. SAP may request meetings with IT or business owners to explain certain interfaces. They may provide preliminary findings and ask for your input or rebuttal.
- Preliminary findings: If indirect use issues are found, SAP will outline them (e.g., โwe see 50,000 documents created via interface X which are unlicensedโ). They might invite you to discuss how to resolve it (which could be purchasing licenses).
- Negotiation/settlement: This phase can vary a lot โ if you agree and buy licenses quickly, it could wrap up in a month. If you negotiate, it could stretch for several more months.
Data required will include: the LAW report (consolidated user license audit data), a list of all systems and clients, details of interfaces (often a questionnaire describing each interfaceโs purpose and users), and the output of the Digital Access estimation tool (which lists document counts by type).
SAP may also request usage logs or ST03N workload statistics if anything is unclear. They sometimes request user lists with last login dates or specific user roles to determine if some users were intended to cover indirect usage. In short, be prepared to provide technical evidence of how data flows.
The clearer your documentation of interfaces, the quicker you can satisfy their queries. If you have done your homework (as per our checklist above), you can often shorten the audit by pre-answering many questions. Always engage your internal team and perhaps a license expert to ensure what you provide is accurate and not over-sharing.
If an SAP audit identifies indirect use issues, can I negotiate the findings or settle by switching to Digital Access?
Absolutely. In fact, itโs very common that when an audit uncovers indirect access shortfalls, the resolution is a negotiation rather than a simple bill. SAP typically is open to discussing a deal โ often steering you towards adopting the Digital Access model through DAAP. For example, if an audit says โyou owe $5 million in user licenses for all these indirect users,โ you could negotiate to instead purchase a digital access license (maybe with DAAP discounts) for far less, and SAP, in return, drops the compliance claim (thatโs the amnesty in action).
You can also negotiate the count โ maybe SAPโs initial position is that you need 100,000 document licenses. Still, you show some transactions were miscounted or not actually in scope, and you settle on 60,000 documents licensed.
Almost everything is negotiable: the number of licenses, the type of license (maybe you convince SAP that a cheaper license type is sufficient for certain users), the timeline for purchase (you might phase it over a year), and of course, the price/discount. Switching models mid-audit is common; SAP would prefer you on the new model in the future, so they have an incentive to make that route attractive. Just remember, once you settle and sign, itโs binding โ so get all concessions in writing.
And if you negotiate a switch, be sure your new contract language clearly closes the issue (no lingering โgotchasโ). Many customers successfully negotiate audit findings down by 50-90% of the initial ask, especially by leveraging DAAP. The key is demonstrating that youโre willing to remediate the issue (not just deny it), but on terms that are reasonable for your business.
Read more about our SAP Digital Access Advisory Service.