SAP Licensing

SAP Indirect Access Mitigation and Contract Clauses 2026 Advisory Guide

SAP indirect access remains one of the top triggers for licence compliance audits. Companies have faced surprise bills in the tens of millions of dollars when external systems accessing SAP data were deemed out of compliance. This guide combines technical controls, governance processes, and contractual protections to prevent surprise licence fees, defend against audit exposure, and future-proof your SAP licensing as digital integration accelerates.

SAP Licensing / Digital Access | By Fredrik Filipsson | 16 min read

$10M+: typical indirect access audit exposure for large enterprises.
Dual approach required: technical + contractual protections.
6 essential contract clauses for indirect access protection.
5 must-have contractual protections (checklist).
01

Why Indirect Access Mitigation Is Critical

SAP indirect access refers to when external systems or users access SAP software via a third-party interface rather than through direct SAP logins. Without mitigation strategies, an enterprise can suddenly owe unbudgeted licence fees and back maintenance for activity they did not even realise required an SAP licence.

The Dual Approach

To protect against indirect access risk, organisations need two things working together. First, implement technical and process controls to minimise and monitor indirect usage. Second, negotiate strong contractual protections that clearly define and limit how SAP licenses indirect use. Together, these strategies create a robust defence that significantly reduces both the financial and compliance risks associated with indirect access.

02

Technical Mitigation Strategies

A sound system architecture can prevent indirect access issues before they start. The goal is to control how external systems interact with SAP, minimise the licensing footprint of those interactions, and maintain visibility into what is happening at all times.

Interface Design: Controlled Gateways

Funnel third-party integrations through a controlled gateway rather than allowing direct SAP connections. Use SAP's middleware (SAP PI/PO or Cloud Platform Integration) to channel external data in and out of SAP. Instead of creating thousands of SAP user accounts for external users, use a few licensed "proxy" user IDs that external systems share. This approach contains the licensing footprint and makes it substantially easier to monitor indirect usage.

Role-Based External Access: Minimum Privilege

Only give external systems the minimum access they need. Design interfaces so that third-party applications can retrieve or update only specific data and nothing more. Where feasible, keep critical transactions and document creation within SAP itself instead of letting outside systems directly create SAP records. Every document type, transaction, or record creation that can be kept internal rather than externally triggered is a potential licence cost avoided.

Reduce Document Volumes

If you use SAP's Digital Access (document-based licensing), actively reduce the number of documents external systems generate. Archive inactive data. Eliminate unnecessary transactions: test orders, duplicate entries, automated processes that create records without business value. Consider whether batch processing can consolidate multiple events into fewer documents.

Automation and Real-Time Monitoring

Set up monitoring to watch external calls into SAP. Regularly review interface logs and usage reports. Configure alerts for unusual spikes: a third-party system suddenly making excessive SAP calls could indicate a configuration error, a process change, or a new integration that was not assessed for licensing impact. Early detection lets you adjust before it becomes a compliance issue. See Measuring SAP Indirect Usage: Tools and Tips.
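The review described above can be scripted. The following is an added example, not code from this guide or from SAP: it reads a constructed daily usage report, flags any source system whose latest document count exceeds a multiple of its own median, and flags any system that never passed an indirect access review. The column names, the `ASSESSED` inventory and the `spike_factor` threshold are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample report (not an SAP export format): documents created
# in SAP per day, per shared proxy user, per calling system.
SAMPLE_LOG = """date,proxy_user,source_system,doc_type,docs
2026-03-01,IF_CRM,crm,sales_order,110
2026-03-02,IF_CRM,crm,sales_order,95
2026-03-03,IF_CRM,crm,sales_order,105
2026-03-04,IF_CRM,crm,sales_order,100
2026-03-05,IF_CRM,crm,sales_order,480
2026-03-01,IF_SHOP,webshop,sales_order,300
2026-03-02,IF_SHOP,webshop,sales_order,310
2026-03-03,IF_SHOP,webshop,sales_order,290
2026-03-04,IF_SHOP,webshop,sales_order,305
2026-03-05,IF_SHOP,webshop,sales_order,315
2026-03-05,IF_SHOP,rpa_bot_7,invoice,40
"""

# Hypothetical inventory: integrations that passed the licensing review gate.
ASSESSED = {"crm", "webshop"}


def review_usage(log_text, assessed, spike_factor=3.0):
    """Return findings for the most recent day in the report."""
    daily = defaultdict(lambda: defaultdict(int))  # system -> date -> docs
    users = defaultdict(set)                       # system -> proxy users seen
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        daily[row["source_system"]][row["date"]] += int(row["docs"])
        users[row["source_system"]].add(row["proxy_user"])
    latest = max(d for per_day in daily.values() for d in per_day)
    findings = []
    for system in sorted(daily):
        per_day = daily[system]
        # A caller missing from the inventory was never assessed for licensing.
        if system not in assessed:
            findings.append((system, "unassessed", sorted(users[system])))
        # Baseline is the system's own history before the latest day.
        history = [n for d, n in per_day.items() if d < latest]
        today = per_day.get(latest, 0)
        if history and today > spike_factor * median(history):
            findings.append((system, "spike", (today, median(history))))
    return findings


if __name__ == "__main__":
    for finding in review_usage(SAMPLE_LOG, ASSESSED):
        print(finding)
```

In the sample, the unassessed caller reuses the shared proxy user `IF_SHOP`, so a report grouped only by proxy user would hide it; grouping by calling system is what surfaces the new integration.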

03

Process Mitigation Strategies

Technical controls alone are not sufficient. You also need governance processes to catch indirect access risks in day-to-day operations.

Mandatory Indirect Access Review

Require an indirect access impact check for every new integration project. Before connecting any third-party system to SAP, evaluate how it will interact with SAP and whether that interaction could trigger licence requirements. Catching these issues in the design phase prevents surprises and fees after go-live. Make this a formal gate in your project methodology, not an optional recommendation.

Involve Licence Experts Early

Loop in your SAP licensing or compliance team before integrating any external platform (CRM, e-commerce, IoT, partner portals, RPA bots) with SAP. They can spot indirect use risks in the architecture and suggest mitigations before deployment. The cost of pre-deployment licensing review is negligible compared to the cost of a post-deployment audit finding.

Training and Awareness

Educate project managers, solution architects, and development teams about what counts as indirect access. They should recognise the red flags: external applications reading or writing SAP data, APIs creating SAP documents, third-party systems using RFC or BAPI connections. Proactive awareness within technical teams is one of the most cost-effective risk mitigation measures available.

Common Process Failures That Create Exposure

- New integration deployed without licensing review.
- Shadow IT connecting to SAP (business unit deploys a cloud application that writes data to SAP without IT knowledge).
- Partner or vendor API access not assessed.
- RPA bots accessing SAP via API, creating documents through APIs rather than direct logins.
- Acquisition integration connecting acquired company's systems to SAP without evaluating indirect access implications.

Each of these failures creates compliance exposure that could have been prevented with a simple process gate.

04

Contractual Protection Tactics: 6 Essential Clauses

No matter how well you design your systems, it is critical to have contract language that protects you if SAP ever questions your indirect usage. When drafting or renegotiating SAP agreements, the following six clauses should be priorities.

Clause 1: Clear Named User Definition

Define "Named User" clearly in the contract to mean only direct human users who log into SAP. This prevents SAP from stretching the term to cover external systems, API connections, or casual data viewers as "users." If possible, explicitly exclude certain user types: users who only view SAP data via third-party reporting tools, automated system accounts, and read-only API connections. The tighter the definition, the smaller the surface area for SAP to claim additional users are required.

Clause 2: Indirect Use Carve-Out

Include a clause that specific third-party integrations will not incur additional SAP licence fees. For example: "SAP access via external systems X, Y, and Z shall not trigger any additional named user charges." By naming your key non-SAP systems in the contract, you get SAP's agreement in writing that those use cases are exempt from extra licensing. You can also set reasonable limits (a capped number of external users or transactions) to define the scope clearly. This is the single most important contractual protection for organisations with established third-party integrations.

Clause 3: Audit and Dispute Process

Modify the audit clause so that indirect usage findings are not automatically deemed non-compliant. Require that if an audit flags potential indirect use issues, SAP must review them with you first and allow a cure period (60 to 90 days) to resolve or license any shortfall before penalties apply. This ensures you have a fair chance to address indirect access questions: evaluating whether the usage actually constitutes licensable activity, correcting configurations if appropriate, and purchasing additional licences at contracted rates if necessary.

Clause 4: Licence Conversion Flexibility

Negotiate rights to convert between licence types as your needs change. For example, allow a certain number of unused Named User licences to be converted into Digital Access document credits if you shift to the document-based model. As organisations move from traditional user-based access to API-driven integration, conversion flexibility ensures that historical licence investments retain value rather than becoming stranded assets.

Clause 5: Digital Access Terms

If you opt for SAP's Digital Access model, lock down the details. List exactly which document types count as chargeable and how each is measured. Secure a fixed pricing or a cap on the cost per document for the contract term, so SAP cannot unexpectedly raise rates on your indirect usage. Define the true-up process for overages: the rate, the timeframe, and the dispute mechanism. Clear definitions and price locks prevent the surprises that have caught many organisations off guard. See SAP Digital Access Pricing Explained.

Clause 6: Usage Transparency

Ask SAP to help you monitor indirect use. Include a clause that SAP will provide Digital Access Evaluation Tool (DAET) reports or similar usage data to you periodically at no charge. This gives you ongoing visibility into your indirect usage, allowing you to address any overages long before an audit. Transparency prevents the adversarial dynamic where SAP discovers years of accumulated overuse and demands a large back-payment.

5 Must-Have Indirect Access Contract Protections

1. Clear Named User definition with specific exclusions for certain use cases (data viewers, reporting users, API connections).
2. Indirect use carve-out clause covering key external systems by name so they do not incur extra fees.
3. Pre-agreed measurement method: a defined, transparent way to measure indirect usage with no surprises in counting.
4. Licence conversion rights: flexibility to swap Named User licences for Digital Access documents as needs change.
5. Price protections or caps: locked pricing or fee caps on Digital Access to prevent cost spikes during the contract term.

05

When to Negotiate Which Strategy

The balance of technical versus contractual mitigation depends on your SAP landscape, contract timing, and transformation plans.

Legacy ECC Customers: Contract-First Strategy

Older ECC agreements were written before the era of ubiquitous API integration, IoT connectivity, and cloud-based ecosystem architectures. The definitions of "user," "access," and "use" in these contracts often do not contemplate the ways modern systems interact with SAP. This vagueness creates exposure. The priority for ECC customers is to add explicit language that defines what counts as indirect access in the context of your specific integrations, excludes named categories of interaction (read-only queries, data synchronisation, reporting), and establishes a fair process for resolving disputes.

S/4HANA Migrators: Leverage the Transition

The move to S/4HANA is a major commercial event and the single best opportunity to reset your indirect access licensing on favourable terms. SAP wants customers on S/4HANA and will offer incentives. Use this moment to: secure conversion credits for existing Named User licences, negotiate a favourable per-document rate or unlimited flat fee for Digital Access, obtain explicit amnesty for any historical indirect access usage, and ensure the new contract clearly defines how every integration is licensed.

RISE / Cloud Customers: Do Not Assume Coverage

SAP's cloud subscription models use different commercial structures, but that does not mean indirect access is automatically covered. Cloud contracts often include usage metrics (FUEs, API call volumes, transaction limits) that may not adequately account for heavy integration scenarios. Spell out every significant integration in the contract and confirm that each is covered by the subscription without incremental fees. Vague assurances from sales teams do not protect you in an audit. Contract language does.

| Customer Profile | Primary Strategy | Key Actions |
|---|---|---|
| Legacy ECC | Contract-first: tighten definitions | Add named user clarity, carve-outs for existing integrations, explicit indirect access definitions. Technical controls as supporting defence. |
| S/4HANA migrators | Leverage the transition | Secure conversion credits, negotiate Digital Access rates, obtain historical amnesty, define all integration licensing clearly. |
| RISE / Cloud | Explicit coverage confirmation | Spell out every integration in the contract. Do not assume "all inclusive" covers every API connection. Add clarifying language. |

06

Frequently Asked Questions

SAP indirect access refers to when external systems or users access SAP software via a third-party interface rather than through direct SAP logins. This includes customer portals creating SAP sales orders, CRM systems writing leads into SAP, e-commerce platforms triggering SAP transactions, IoT devices feeding data into SAP, and RPA bots creating SAP documents through APIs. SAP considers many of these interactions as requiring additional licences, either through Named User licences or the newer Digital Access (document-based) model.

The financial risk is substantial. Companies have faced audit claims in the tens of millions of dollars for indirect access violations. The Diageo case in 2017 resulted in a reported penalty of approximately 54 million pounds. Even mid-sized enterprises routinely face claims of $5 to $15 million. Without mitigation strategies, the risk is unbudgeted licence fees and back maintenance for activity the organisation did not realise required an SAP licence.

Named User licensing requires a licence for every individual (human or system account) that accesses SAP data, regardless of how they access it. Digital Access licensing is a newer document-based model that charges based on the number and type of documents created in SAP by external systems, rather than counting individual users. Many organisations find Digital Access more cost-effective for high-volume, API-driven integrations, but the economics depend on your specific document volumes and types. See SAP Digital Access Pricing Explained.

The indirect use carve-out clause. This names your specific third-party integrations in the contract and confirms that they do not incur additional SAP licence fees. By getting SAP's written agreement that your CRM, e-commerce platform, partner portal, and other key systems are covered, you eliminate the ambiguity that SAP exploits in audits. This single clause provides more protection than any technical control because it removes the contractual basis for SAP to claim additional fees for those integrations.

Not necessarily. SAP's cloud subscription models use different commercial structures, but indirect access is not automatically covered. Cloud contracts include usage metrics (FUEs, API call volumes, transaction limits) that may not adequately account for heavy integration scenarios. If your RISE subscription does not explicitly address your CRM integration, e-commerce platform, IoT data feeds, or partner API connections, you could face additional charges. Spell out every significant integration in the contract and confirm coverage without incremental fees.

Three approaches: first, negotiate contractual protections (carve-outs, clear definitions, cure periods) that protect your existing integrations. Second, implement monitoring to track and quantify your actual indirect usage so you have data to defend your position. Third, optimise document volumes by archiving inactive data, eliminating unnecessary transactions, and consolidating batch processes. These measures reduce risk without requiring you to redesign your integration architecture.

The best time is during a major commercial event: S/4HANA migration (maximum leverage), contract renewal, or a significant new product purchase. SAP is most flexible when the total deal value is large enough to justify concessions. Start negotiation preparation 6 to 12 months before the event. If you are facing an audit, negotiate protections as part of the audit resolution rather than accepting penalties without structural improvements to your contract terms.


Fredrik Filipsson

Co-Founder, Redress Compliance

Fredrik Filipsson brings over 20 years of experience in enterprise software licensing and contract negotiations. His expertise spans Oracle, Microsoft, SAP, Salesforce, IBM, ServiceNow, Workday, and Broadcom, helping global enterprises navigate complex licensing structures and achieve measurable cost reductions through data-driven optimisation.
