Executive Summary
SAPโs licensing model has evolved in response to a growing challenge: indirect access. Indirect access occurs when users or systems interact with SAP software through third-party applications or interfaces, rather than directly logging in to SAP.
This seemingly technical nuance became a boardroom issue after high-profile cases, such as SAPโsย legal victory against Diageo in 2017, which exposed the risks of under-licensing indirect use and resulted in tens of millions of unplanned fees.
In response, SAP introduced a new Digital Access licensing model (often referred to as โdocument-basedโ licensing) to clarify and monetize these indirect usage scenarios.
CIOs and IT leaders must now navigate two parallel licensing approaches: the traditional Named User model and SAPโs newer Digital Access model.
This playbook provides a strategic overview and guidance to help you manage indirect access in your SAP ECC or S/4HANA environment.
Key considerations include:
- Understanding what constitutes indirect access (with real examples of third-party systems like CRM, eCommerce, or warehouse applications linking to SAP).
- Learning from the SAP vs. Diageo case and subsequent industry fallout that put indirect usage on every CIOโs radar.
- Evaluating SAPโsย Digital Access model,ย which charges by the number of certain business documents created via third-party systems, versus the Named User model, to decide which licensing approach (or combination) best fits your organization.
- Proactively measuring indirect usage using SAPโs tools (USMM, LAW, and Audit Information System reports) and/or SAPโs Digital Access evaluation services to gain visibility into where indirect access is occurring.
- Mitigating theย risks of indirect access non-compliance,ย such as unbudgeted license fees or audit penalties, through diligent planning and savvy negotiation of your SAP contracts.
Bottom line: CIOs should treat indirect access as a manageable risk. With the right insight into your system integrations, an optimized licensing model, and strong contractual safeguards, you can avoid surprises and even leverage SAPโs licensing options to support innovation in your digital ecosystem.
Background
What Is Indirect Access?
In the SAP context, indirect access refers to any scenario in which SAP software is accessedย indirectlyย by a user or process through a third-party application, interface, or middleware.
In other words, the user isnโt logging into SAP directly; instead, an external system queries or updates SAP on their behalf. For example, consider these common integration scenarios that can trigger indirect usage:
- A sales team uses a CRM system,ย such asย Salesforce,ย to input customer orders, which are then automatically transmitted into SAP ECC or S/4HANA as Sales Orders. The end users never log in to SAP, yet SAP is still processing their transactions.
- An online e-commerce webshopย (customer-facing portal) retrieves product availability from SAP and posts new orders backย into SAP. Shoppers on the site or customer service reps may indirectly invoke SAP processes without a named SAP login.
- A Warehouse Management System (WMS) or logistics system updates inventory levels in SAP or reads stock data from SAP in real-time to drive warehouse operations.
- An externalย HR or payroll systemย manages employee data and then synchronizes relevant information into the SAP HR module.
- Even custom mobile apps, partner portals, RPA bots, or IoT devices that interact with SAP through APIs can all contribute to indirect SAP usage.
In all these cases, SAPโs intellectual property is being utilized by people or devices that are not directly logged into the SAP system. Historically, SAP has considered such users and their system activity as requiring proper licensing, even though they may not appear in the traditional SAP user list.
Why CIOs Should Care: Indirect access went from a niche technical issue to a mainstream licensing concern due to the SAP vs. Diageo lawsuit. Diageo, a global beverage company, had connected a Salesforce cloud application to its SAP system for order processing.
A UK court ruled that users accessing Salesforce constituted unlicensed SAP use, resulting in an award of around ยฃ54 million in damages against Diageo. Around the same time, SAP pursued other customers, such as Anheuser-Busch, for large sums, with claims of indirect use.
This high-profile case shocked many SAP customers, revealing how a vague contract clause regarding โaccess (direct or indirect)โ could lead to massive financial exposure. CIOs realized that integrations enabling digital business (such as CRM, mobile, and eCommerce) could inadvertently trigger an โindirect accessโ wire, incurring fees not accounted for in project budgets.
SAPโs initial approach was to enforce compliance via audits and legal action under existing named-user licensing terms. However, the backlash over the fairness of the Diageo case (and the ambiguity of older contracts) prompted SAP to rethink how to license indirect usage more transparently. In 2018, SAP introduced the Digital Access licensing model as part of its pivot toward a clearer policy.
SAPโs Digital Access Model Explained:
Under Digital Access (sometimes referred to asย Indirect/Digital Access), SAP no longer charges based on counting named human users for indirect scenarios. Instead, licensing is based on the number of documents generated in the SAP system by external (third-party) digital access.
SAP identifiesย nine core document typesย that count toward Digital Access, including key records such as sales orders, purchase orders, invoices, and delivery notes. Each document type has an associated โweightโ or multiplier, but in essence, the model charges for the initial creation of a document in SAP triggered by an external system.
Notably, read-only access (also known as โstatic readโ) is not charged under this model. If an external system only queries data from SAP without creating new records, SAP does not require a license for that read access.
Likewise, suppose one external-triggered event in SAP spawns other documents (e.g,. creating a delivery or invoice as a follow-on to a sales order). In that case, SAP only counts the originating document for license purposesโ.
This usage-based approach shifts the conversation from โHow many users are indirectly accessing SAP?โ to โHow many business documents is my SAP system processing due to third-party integrations?โ SAPโs CEO at the time emphasized that this model ties licensing to measurable business outcomes (e.g., the number of orders) rather than to nebulous user counts, and was intended toย eliminate the uncertaintyย that led to cases like Diageo.
Named User vs. Digital Access:
Today, SAP customers in ECC or S/4HANA environments have a choice (and sometimes a mix) of these models:
- The traditional Named User model remains in effect by default. Every individual (or system account) that directly or indirectly uses SAP functionality is supposed to have an appropriate named user license type, such as Professional, Limited Professional, or Employee Self-Service, depending on their role. In an indirect scenario, this could mean every end-user of a third-party system might need an SAP license, even if they never see the SAP GUI. This model can be challenging to police for indirect use, but it offers flexibility in that a licensed user can perform an unlimited number of transactions. Historically, some customers managed indirect use by assigning a generic license to a middleware or by ignoring indirect usage until an audit forces the issue. The risk, of course, is non-compliance if indirect users are not licensed, and difficulty tracking actual usage. On the other hand, if indirect transactions are few, the cost of a handful of named users may be cheaper than document-based fees.
- The Digital Access document model is an alternative licensing metric SAP now offers (and strongly encourages customers to consider). Instead of worrying about counting users coming through third-party systems, you measure how many documents are created by those systems in SAP. For example, 1,000 sales orders created via an eCommerce platform in a year would count as 1,000 documents. SAP typically sells bundles of documents, such as blocks of 1,000, for a fee. The model includes a volume discount mechanism, where the unit price decreases with the number of documents licensed. If your indirect usage is heavy โ e.g., millions of transactions from various apps โ this model provides a straightforward way to pay for that usage, potentially avoiding the need to purchase hundreds or thousands of named user licenses for all external users. However, cost outcomes can vary widely. Companies with only light third-party interactions may find the Named User model more economical, as they generate relatively few documents and can be covered with a small number of named user licenses. Conversely, organizations with extensive integrations (e.g., an online business where every web sale creates an SAP order, or an IoT setup generating numerous maintenance notifications) might find Digital Access simpler and more predictable, and it could be cost-effective compared to purchasing SAP licenses for all those external users. It truly depends on the volume of document-generating events and the types of licenses involved in the current status.
Measuring Indirect Usage:
A crucial step in choosing and managing the right model is understanding your current indirect use footprint. SAP provides standard tools for license auditing โ USMM (Usage Measurement) and LAW (License Administration Workbench) โ which customers typically run on an annual basis.
USMM collects data from each SAP system about users, classifications, and certain metrics, while LAW aggregates this data from multiple systems into a consolidated report for SAP. Traditionally, these tools were focused on direct named users and engine metrics, and did not explicitly flag indirect usage. It has largely been up to the customer (or an SAP auditor) to identify where third-party connections exist. In recent years, SAP has introduced updates (via OSS notes and new measurement programs) to help capture digital access document counts.
For example, SAP Note-based tools can scan SAP transaction logs to count the documents created by external technical users (such as RFC or API users) over a specified period. SAP also offers a Digital Access Evaluation Service โ essentially a one-time measurement service (free of charge) where their auditors help run scripts to estimate how many billable documents your systems are generating via indirect accessโ.
This service can provide a baseline count to help determine whether switching to Digital Access makes sense. Itโs essential to note that these counts require careful interpretation โ you must identify all external interfaces and the technical users or service accounts they use in SAP, then run the measurement for a specific timeframe.
The output will tell you how many documents of each type were created as a result of those external calls. CIOs should ensure that their Basis or SAP admin teams are familiar with running USMM/LAW. If considering Digital Access, they should also implement SAPโs notes or engage the evaluation service to quantify indirect document usage.
Audit Information System (AIS) reports are another tool in SAPโs arsenal. AIS is an auditing framework within SAP ERP/S/4HANA that includes predefined audit queries, including those related to security and licenses.
SAPโs license auditors may use AIS reports or custom scripts to find evidence of indirect access, such as looking at tables of RFC connections, IDoc interfaces, or document creation logs by interface users. While AIS is more often used for security audits, it can also aid in analyzing usage patterns, for instance, by identifying large volumes of transactions created by a generic interface user ID.
CIOs should be aware that indirect use may not be immediately apparentย in standard reports and that hidden usage can surface during an audit if SAP scrutinizes integration points. Therefore, having internal transparency (through regular internal audits or tools from third-party software asset management providers) is key to avoid being caught off guard.
Strategic Insights
1. Be Audit-Ready: Proactive Indirect Usage Visibility
In the era of indirect access, waiting for SAPโs audit team to tell you about a compliance issue is a recipe for unpleasant surprises. A strategic insight for CIOs is to treat indirect usage visibility as an ongoing IT governance task.
This means establishing processes to regularly inventory all third-party systems connected to SAP and to monitor the activity they drive in the SAP system. Donโt assume that just because a user isnโt logging in to SAP, that youโre in the clear โ if their actions cause SAP to process data, it counts.
Start by compiling an up-to-date interface catalog, documenting every integration to your SAP environment (APIs, middleware, batch data feeds, etc.), including the technical accounts used in SAP. Many CIOs are surprised to find forgotten interfaces or new cloud services hooked into SAP without a formal review.
With this catalog, work with your SAP basis or security team to map these interfaces to SAP usage logs. For example, identify which SAP user IDs (service accounts) are associated with each interface and check which transactions or tables they access. SAPโs USMM tool wonโt list โSalesforce -> SAPโ usage, but it will report the activity of the technical user that Salesforce uses.
Some newer SAP measurement notes can flag document counts for specific interface usersโ. By analyzing those, you can infer how much indirect activity is happening.
In addition, consider using SAPโs โPassportโ technology, which tags external calls for tracking, if available. Alternatively, you can use third-party license management tools to help distinguish indirect usage.
Being audit-ready also involves simulating an SAP audit internally. Before SAPโs official audit or annual license statement is due, run the USMM/LAW and then scrutinize the results internally. Identify anomalies, such as a low number of named users but high document throughput (a red flag that a lot is happening through a few interface users). Look at SAPโs Audit Information System for any reports on external interfaces.
The goal is to catch any indirect use cases that havenโt been licensed properly and address them on your terms, not under audit pressure. Remember that SAP auditors actively look for signs of unlicensed use โ for instance, if your company publishes a press release about a new non-SAP front-end for an SAP process, that could trigger audit interest.
By maintaining visibility and documentation (e.g., โSystem X creates Y orders in SAP per monthโ), you can enter any licensing discussion with hard data and avoid panic.
Lastly, educate your project teams: ensure that whenever a new integration with SAP is proposed (such as adopting a new e-commerce platform or building a customer mobile app that pulls SAP data), the project review includes a licensing impact check. This way, indirect access considerations become a standard part of architecture governance, preventing surprise exposures down the line.
2. Optimize Your License Model (Named User vs. Document-Based)
Another key strategy is optimizing your SAP licensing model to fit your usage patterns. CIOs should not automatically accept one model or the other without analysis; instead, perform a side-by-side comparison of scenarios to determine the most cost-effective and risk-reducing approach for your organization.
When the Named User model makes sense:
If your indirect usage is relatively limited โ say, only a couple of third-party systems with low transaction volumes โ it might be cheaper and simpler to stick with traditional licensing.
For example, imagine you have an HR portal that sends only a small number of updates to SAP, such as updating basic employee information a few times a year per employee. In such a case, you might only need a few named user licenses (or extend existing ones) to cover the technical accounts or end-users hitting SAP.
The administrative overhead is low, and you don’t have to count documents. Additionally, in the Named User model, SAP has less direct visibility of each transaction โ you self-declare user counts based on your knowledge.
Some CIOs prefer this approach if they believe SAPโs document counts currently overestimate their indirect usage; they would rather manage compliance in-house than hand over a fully transparent document count to SAP.
However, this approach carries the risk that if you underestimate and an audit finds more users or uses, you could face a bill. Itโs critical to ensure that every individual who indirectly triggers SAP activity is properly licensed, often as a โSales & Service Coreโ user or a similar role if they are external. This can be tricky if those users are customers or partners, as you may need special license categories.
When the Digital Access model shines:
If your SAP system is integrated with many digital channels or high-volume automation, Digital Access can provide predictability and scalability. For instance, consider a web shop that generates thousands of SAP sales orders daily. Licensing each web customer or each e-shop user as a named SAP user is not practical (or even possible).
Digital Access allows you to pay for the documents (sales orders) created, regardless of the number of shoppers on the site. In many modern IT landscapes, there are also machine-to-machine interactions (such as IoT sensors creating maintenance orders or robotic processes) where there isnโt even a human’ user’ to license.
The document model cleanly covers these cases by focusing on the outcome (documents) rather than the origin. SAP also touts the fairness of not charging for read-only scenarios here โ for example, if your analytics system pulls data from SAP, you wouldnโt pay for each query. CIOs should quantify their annual document volumes (for the relevant types) to determine what their bill would be under Digital Access, then compare it to their current licensing costs.
Keep in mind that SAP has offered conversion programs. For instance, under a license exchange program, you can convert some of your existing named user license investment into a credit toward document licenses. They also provided steep discounts at times as incentives in the early years of Digital Access adoption. The economics can therefore be negotiable.
Mind the details:
Whichever model you lean towards, be aware of pitfalls. A significant one is double licensing: if you adopt Digital Access for indirect documents, ensure youโre not also paying for a named user license for the same usage.
A classic example is an internal employee who has an SAP user license for their direct use but also interacts with SAP via a third-party system. You shouldnโt have to pay twice (one user license and one document license) for the same personโs activity. SAPโs standard policy might inadvertently double-count in such cases unless it is negotiated otherwise. Clear contract language or an adjustment in license assignment can prevent this.
Another consideration is the mix-and-match approach: some enterprises use named users for certain processes and purchase Digital Access licenses for others. SAP allows a hybrid model, but you must carefully distinguish between what is counted as a document and what is covered by a user license to avoid overlaps or gaps.
The trend in SAPโs strategy is toward pushing customers onto the Digital Access model, especially as they migrate to S/4HANA. It offers SAP more transparency into usage and,, thus, revenue opportunities. As a CIO, you should leverage this trend in negotiations โ SAP may grant concessions, such as a larger conversion credit or a price lock on document licenses, if you agree to move to the newer model.
In summary, optimizing the model means running the numbers for both scenarios. This requires cross-functional input: your SAP Basis team to provide usage data, your procurement and licensing experts to calculate costs, and your enterprise architects to forecast how integrations might grow. Revisit this analysis periodically (e.g., annually or before any major SAP contract renewal or S/4HANA migration) because whatโs best for you can change as your business and systems evolve.
3. Fortify Contracts and Negotiations to Safeguard Your Position
Even with full visibility and an optimal model in mind, the reality is that SAP licensing agreements are complex legal instruments. CIOs should treat contract negotiations and ongoing license management as strategic activities, similar to risk management, especially when it comes to indirect access.
Here are key insights on negotiation tactics and contractual safeguards:
- Insist on Clarity in Contract Language: Many older SAP contracts used vague wording that stated all usage, โdirect or indirect,โ must be licensed, without defining indirect access. This ambiguity favored SAP in disputes, as they could interpret it broadly. During your next contract renewal or S/4HANA migration agreement, push for explicit definitions. For example, define what counts as indirect useย and perhaps carve outย โstatic readโ scenarios as non-chargeable,ย aligning with SAPโs public statements. The goal is to eliminate grey areas. If you plan to stick with Named Users, ensure the contract doesnโt later allow SAP to retroactively enforce document counting unless you agree to it. If you adopt Digital Access, clarify that it replaces named user requirements for those indirect scenarios. Getting these points in writing can prevent โgotchaโ situations later. Itโs wise to engage legal counsel or licensing specialists who are familiar with SAP to review any indirect usage clauses.
- License Buffers and Forecasting: In negotiations, try to build in buffers or allowances for growth. For instance, if you currently generate ~100,000 documents via indirect access, negotiate a little headroom (e.g., 120,000 documents licensed) so you donโt immediately incur overage if business grows. Similarly, with named users, consider negotiating a pool of โextraโ user licenses at a discounted rate that you can allocate if new integrations bring in more users. SAP sales reps are often willing to grant a buffer (or at least lock in pricing for additional licenses) if it helps close a deal, especially for strategic customers. The key is to anticipate future digital expansion and secure pricing protections now. Also consider negotiating the unit metrics โ e.g., what constitutes a โdocumentโ can sometimes be adjusted or certain low-value document types excluded, depending on your use case and bargaining power.
- Use Data and Estimations to Your Advantage: When discussing Digital Access, SAP might want to run their estimation tools (or ask you to) to count your documents. You can use SAPโs Digital Access Evaluation Service results as a starting point, but donโt accept initial figures blindly. Those tools can sometimes overcount (for example, they might count internal SAP-generated documents or count the same event multiple times in certain complex workflows). Come prepared with your analysis or an independent expertโs report to challenge or refine the figures. The negotiation can involve agreeing on an estimated volume for license purposes. You might, for example, negotiate a flat price for a specific volume tier of documents, rather than paying per actual document, if that provides cost certainty. If you lack confidence in the measurements, one tactic is to negotiate aย trial period: for example, agree with SAP that for the first year of Digital Access, youโll pay for an estimated volume, then true up with a pre-agreed price if the actuals exceed that, with no penalties. This converts the unknown into a more manageable form.
- Trade and Optimize Existing Entitlements:ย Over the years of SAP usage, many companies accumulate shelfware (unused licenses) or have mismatches (e.g., having too many high-level Professional licenses when a lower-cost Limited license would suffice for some users). Before signing any new licensing deal, conduct an internal review of your license portfolio. Identify unused or underused licenses that you can propose to exchange or retire for credit. SAPโs formal License Exchange programs allow you to swap old licenses for new ones (like trading some user licenses for document licenses). Even outside of formal programs, in negotiations, you can say, โWeโll switch to Digital Access for indirect use if we can receive a fee credit for retiring these 500 unused user licenses.โ This kind of โhorse tradingโ is commonโ โ SAP would rather have you on the new model and consuming what you need than holding unused entitlements. Just ensure any trade or conversion truly addresses your compliance needs (donโt give up something you might need later unless the new model fully covers it).
- Defend Innovation, but Deliberately: A senior IT executiveโs nightmare is halting an innovative project because of licensing fear. Donโt let indirect access become a barrier to innovation โ instead, bake licensing into your innovation plan, for every new digital initiative involving SAP, set aside a budget and plan for any licensing impact.
- When negotiating, you can even mention your innovation roadmap to SAP: for example, โWe plan to roll out a direct-to-customer mobile app next year that will tie into SAP โ letโs negotiate the licensing for that now as part of this deal.โ This proactive approach turns a potential future audit into a current planning discussion. It also shows SAP that youโre serious about compliance, but on your terms. Many CIOs create an internalย โindirect use policyโย as part of their SAP governance, stating how new interfaces are handled from a licensing perspective, which is a good practice for institutionalizing awareness.
In summary, negotiations with SAP around indirect access should be approached as a strategic exercise of risk mitigation and cost optimization. Arm yourself with data (usage metrics, system interface inventory, cost modeling for both license options) and involve stakeholders from IT, procurement, and legal.
The outcome should be contract terms that are fair, clear, and allow your business to grow its use of SAP-connected systems without unwelcome financial shocks. Remember that SAP, as a vendor, ultimately wants to sell you more software and keep you as a happy customer.
If you come to the table prepared, you can often turn an audit threat into an opportunity to right-size your licenses and even secure new capabilities,ย such asย SAP SaaS products or S/4HANA incentives, as part of a broader negotiation package.
Recommended Actions
Based on the above insights, CIOs and senior IT leaders should take the following actions to manage SAP indirect access and digital access licensing proactively:
- Discover and Document All SAP Integration Points: Conduct a thorough mapping of all third-party systems, interfaces, and user communities that interact with your SAP ERP or S/4HANA. Update this inventory continuously and flag the ones that create SAP documents or transactions.
- Quantify Your Indirect Usage: Leverage SAPโs measurement tools and services to get data on indirect use. Run USMM/LAW reports with the latest SAP notes applied, and consider using the Digital Access Evaluation Service or similar tools to estimate document counts driven by external systems. Ensure your team understands which document types (e.g., orders, invoices) are counted and gather at least 1-2 years of baseline data for trend analysis.
- Assess License Compliance Gaps: Compare the discovered indirect usage against your current license entitlements. Identify any obvious shortfalls (e.g., unlicensed users or document-generating interfaces not covered under existing licenses). If you find โrogueโ usage, decide whether to address it via additional named user licenses or by planning a move to the Digital Access model.
- Perform a cost-benefit analysis of License Models:ย For your situation, model the total cost of staying with purely Named User licenses versus adopting Digital Access for indirect documents. Factor in not just current costs, but the projected growth of transactions. Use this analysis to formulate a go-forward licensing strategy (e.g., remain on the status quo, partial adoption of Digital Access, or full conversion).
- Engage SAP Early and Set Negotiation Terms: Donโt wait for an audit to open discussions with SAP. If your analysis shows you might benefit from Digital Access, approach SAP proactively (potentially under programs like the Digital Access Adoption Program) to negotiate a conversion. At the same time, you have leverage (e.g., before an audit deadline or contract renewal). If you prefer to remain on your existing licensing, communicate this understanding to SAP and also seek a written affirmation of your compliance approach to avoid future disputes.
- Negotiate Contractual Protections: When renewing or amending contracts, include clear definitions and clauses around indirect access. Ensure that โstatic readโ access is exempt as per SAP policy, and avoid double-charging scenarios by stipulating that users with named licenses will not incur document charges for their activities. Negotiate some buffer capacity (extra users or documents) and lock in pricing for additional licenses to cover growth. Document any specific interface licensing assumptions in the contract (for example, an agreed number of partner users or specific APIs included in the license).
- Optimize and Recycle Licenses: Before purchasing new licenses, optimize what you have. Reclassify users to the appropriate license level to prevent over-licensing and harvest inactive accounts. Those savings can offset indirect usage needs. In negotiations, be prepared to exchange or retire unused license categories for ones you need โ essentially reallocating your spend to cover indirect access without incurring new costs where possible.
- Audit-Proof Your Operations: Institute an internal SAP license audit at least annually. Simulate SAPโs audit steps: run the measurement, compile LAW, but instead of sending it straight to SAP, have your team review it in detail. Reconcile user counts, validate document counts from external systems, and ensure everything is within entitlements. This internal audit practice will catch issues early. If discrepancies are found, rectify them (either by cleaning up the technical cause or obtaining the necessary licenses) before the official audit.
- Stay Informed and Adaptive: Keep up with SAP licensing policy updates โ SAP occasionally refines the Digital Access model, offers limited-time exchanges, or introduces new licensing paradigms, especially with cloud services. Engage with SAP user groups or licensing advisory services to know what others are doing. Revisit your indirect access strategy whenever there is a major change, such as moving to S/4HANA, launching a new digital channel, or SAP altering its pricing. A flexible approach will ensure you always align licensing with actual usage in the most cost-effective way.
By taking these actions, CIOs can turn the challenge of SAP indirect access into a well-managed aspect of their SAP strategy.
The result will be fewer compliance surprises, better budget predictability, and a licensing setup that supports the businessโs digital initiatives rather than hinders them.
