SAP Indirect Access in 2026: Still One of the Highest-Risk Areas in Enterprise Software

SAP indirect access — the exposure created when third-party systems interact with SAP data without users logging in directly — remains one of the most financially significant and least well-managed risks in enterprise software. The 2017 Diageo vs SAP case resulted in a UK court awarding SAP £54 million for indirect access via Salesforce. The Anheuser-Busch InBev dispute, which reached claims in excess of $100 million, demonstrated that even the world's largest companies can be caught entirely unprepared.

In 2026, the risk profile has not diminished — it has expanded. Every new integration, RPA implementation, IoT deployment, and AI automation that touches SAP data is a potential indirect access scenario. SAP's audit teams — who use specialised ABAP scripts to detect non-licensed access — are increasingly systematic in how they identify these exposures ahead of contract renewals. Explore our SAP Knowledge Hub for the full context on SAP audit methodology and our SAP Audit Defence Framework download for the complete response process. If you are currently facing an indirect access claim or audit, book a call immediately — the first 30 days of an SAP audit define the outcome.

Understanding the SAP Indirect Access Model

Indirect access occurs when an external system, user, or process accesses SAP data without directly logging into SAP's licensed environment. Common examples include e-commerce platforms that read SAP product catalogue data; CRM systems (such as Salesforce) that write order data back into SAP ERP; RPA bots that extract SAP data for downstream reporting; IoT devices that trigger SAP transactions; and mobile field service apps that read and write SAP work orders.

Under the legacy SAP licence model (pre-2018), each person whose data flows through one of these integrations — even if they never touch SAP directly — could potentially be classified as a SAP Named User, requiring a full Named User licence at a cost of several hundred pounds per user per year. For enterprises with tens of thousands of customers accessing a SAP-connected portal, the exposure was arithmetically enormous and commercially catastrophic.

SAP's response was the Digital Access model, introduced in 2018 and now standard in S/4HANA and RISE with SAP contracts. See our RISE with SAP deep dive for how Digital Access is embedded within the RISE licensing structure.

SAP Digital Access: How the Document-Based Model Works

SAP Digital Access replaces the user-count exposure of the legacy model with a document-count model. Instead of licensing every external user who touches SAP data, you licence the outcome: specific SAP business documents created or modified by external systems. The document types covered under Digital Access include sales orders, purchase orders, delivery notes, service orders, and production orders — each carrying a per-document fee structure that varies by document type and volume band.

The per-document pricing for Digital Access operates on a tiered volume model. Typical enterprise pricing for the most common document types (sales orders and purchase orders) runs approximately $0.15–$0.80 per document depending on annual volume, with significant step-downs at 500,000, 1 million, and 5 million documents per year. For high-volume transactional environments — B2C e-commerce operations processing millions of orders annually — these fees can compound to millions of dollars if not actively managed and negotiated.

Digital Access negotiations have their own set of leverage points. The document volume projections SAP uses in its proposals are almost always higher than actual usage for newly deployed integrations, and locking in a high volume band at contract inception creates structural overpayment. Negotiate initial commitments conservatively with a clear mechanism to add volume at pre-agreed rates, rather than committing to projected volumes you have no historical basis to validate. Our SAP Indirect Access & Digital Access download includes the specific negotiation clauses and volume model templates we use with clients.

Facing an SAP Indirect Access Audit or Claim?

Redress Compliance has managed the defence of SAP indirect access claims for enterprises across Europe, North America, and the Middle East. Our first engagement protects 85% of clients from the initial claim amount. Time is critical — respond within 48 hours of any SAP audit notification.


How SAP Detects Indirect Access: The Audit Methodology

SAP's audit teams deploy specialised ABAP programs — available via SAP Notes — to scan your system for non-licensed access patterns. These scripts examine RFC connections, IDocs, BAPIs, and web service calls to identify third-party systems communicating with SAP. They analyse user tables to detect shared system user IDs being used as integration proxies, and cross-reference interface directories against licensed user lists.

The scripts are not publicly documented and SAP's LMS (Licence Management Services) team does not disclose their full methodology. What they consistently identify: unregistered RFC connections from third-party systems; BAPIs called from middleware layers not covered by Digital Access documentation; and integration users that were created to avoid Named User counting but lack Digital Access coverage for the transactions they trigger. The most defensible position before any SAP audit is a complete interface inventory — every connection between SAP and any external system, mapped to either a Named User licence or a Digital Access document type. Without this map, you cannot accurately assess your compliance position and cannot negotiate from an informed position.

Mitigation Strategies for Indirect Access Exposure

The most effective mitigation for indirect access risk combines technical controls with contractual clarity. On the technical side, funnelling all third-party integrations through a controlled middleware layer — SAP Integration Suite (formerly SAP Cloud Platform Integration) or a non-SAP middleware such as MuleSoft — creates a single point of visibility for all external SAP data flows. This makes interface documentation manageable and reduces the surface area for audit exposure.

Contractually, any new SAP agreement — whether S/4HANA on-premise, RISE with SAP, or any SAP cloud product — should include an explicit statement of what indirect access and digital access coverage is included, documented in the Order Form or Statement of Work rather than by reference to SAP's general terms. SAP's general terms on indirect access are deliberately ambiguous; specificity in your contract is your protection. Our SAP CX Licensing Guide covers how SAP CX integrations — particularly Salesforce replacements — introduce their own indirect access scenarios, while our S/4HANA Cloud comparison explains how the indirect access model differs between public and private cloud deployments.

Assess Your SAP Indirect Access Risk

Use our SAP assessment tools to identify which integrations in your estate carry indirect access exposure and quantify the potential financial liability before SAP's audit team does.


SAP Knows Your Integration Landscape. Do You?

SAP's audit scripts analyse your system comprehensively. Most enterprises discover indirect access gaps only when SAP raises a claim. Redress helps you find them first — before they become commercial liabilities.