SAP License Compliance: Best Practices for Indirect and Digital Access

Executive Summary:

If not managed proactively, SAP’s indirect access rules can pose significant compliance risks. This article guides CIOs, CTOs, and SAM professionals in ensuring SAP license compliance in scenarios where third-party systems or external users interact with SAP data.

It explains the concept of indirect access and the Digital Access licensing model and provides best practices for identifying, monitoring, and licensing indirect usage to avoid hefty audit penalties.

Understanding Indirect Access in SAP

Indirect access occurs when people or systems use SAP’s functionality or data without directly logging into SAP. For example, an e-commerce website creating sales orders in SAP, or employees entering time through a third-party app that updates SAP in the backend.

Traditionally, SAP required a named user license for each indirect user or system, which meant hundreds of external users could trigger the need for hundreds of SAP licenses.

This was illustrated in a well-known case where a company faced millions in fees for customers interacting with SAP data via a non-SAP portal. Understanding how your SAP environment might be accessed indirectly is the first step to compliance.

SAP’s Digital Access Model Explained

SAP introduced the Digital Access licensing model to address the complexities of indirect usage. Instead of counting each external user, Digital Access licenses the documents created indirectly (such as Sales Orders, Invoices, Purchase Orders, etc.).

Companies purchase document licenses in blocks (e.g., per 1,000 documents) for relevant document types. This model can simplify compliance for high-volume, external scenarios.

For instance, if 500 customers place orders through a website, you could license the resulting sales documents instead of buying 500 named user licenses.

Best Practice: Evaluate whether the Digital Access model benefits your use cases. Digital Access may lower compliance risk and cost if your indirect usage involves large numbers of external users creating relatively few document transactions. However, it’s not automatic – you must opt in via a contract addendum with SAP.

Identifying All Indirect Usage

A critical compliance step is inventorying every interface and integration touching your SAP systems.

Work with integration architects and application owners to list out:

  • Third-party applications (CRM, e-commerce, portals, IoT devices, etc.) that create or modify SAP data.
  • External users or partners (customers, suppliers) who receive data from or send data into SAP.
  • Any reports or analytics tools that query SAP data via APIs.

For each identified case, determine if it triggers SAP transactions or document creation. For example, a plant floor system posts production data into SAP ERP, or a supplier portal reads inventory levels from SAP. Document these and assess how they’re currently licensed. Often, companies find “hidden” indirect usage during this process (e.g., a marketing system updating customer info in SAP). Uncovering these allows you to address compliance proactively rather than during an audit.

Licensing Strategies for Indirect Access

Once indirect uses are identified, decide the best licensing approach for each:

  • Named User Licenses: Sometimes, assigning an appropriate named user license to the external system or users is the simplest solution. For instance, if a third-party system is used by only a few known employees, licensing those users in SAP might suffice. Ensure the license type matches their usage (e.g., a read-only external user could have a cheaper Employee Self-Service license).
  • Digital Access Documents: If indirect usage involves many users or automated systems (like hundreds of customers or IoT sensors), consider purchasing Digital Access licenses for the documents generated. Calculate an estimate of documents per year (SAP provides a Digital Access Estimation tool/note that can help count document creation in your systems). Negotiate a block of documents that covers your needs with some buffer. For example, if your integrations create ~8,000 sales orders yearly, you might license 10,000 documents to stay safe.
  • Mixed Approach: It is common to use a mix of named user licenses for some scenarios and Digital Access for others. Best Practice: Map each integration to one of these licensing methods and avoid double-licensing. If you opt into Digital Access, be sure not to also count those external users as named users in your user count. Clear contract language can prevent paying twice for the same usage.
  • Contract Clauses: Proactively manage indirect use in your SAP contract. If possible, negotiate clauses that clarify or cap indirect usage liability. For example, some customers secured contract language allowing certain read-only third-party access without extra licenses. While not always granted by SAP, it’s worth discussing during renewals or expansions to mitigate future compliance risk.

Monitoring and Auditing Indirect Usage

Indirect access compliance isn’t a one-and-done exercise – it requires continuous monitoring:

  • Technical Monitoring: Use SAP tools and logs to track document creation and RFC/API calls from external systems. SAP’s “Passport” technology can tag indirect documents. Also consider solutions like SAP’s EarlyWatch or third-party products that specifically monitor interfaces for license-relevant activity.
  • Internal Audits for Interfaces: Include interface reviews in your regular internal license audits. Each quarter, verify that all documented integrations are still licensed correctly and check for any new integrations introduced by IT or business teams. It’s easy for a department to connect a new tool to SAP without realizing licensing implications, so a governance process is key.
  • Usage Trends: Watch the trends of documents created via indirect access. If you see volume growing (e.g., your web orders increased 30% this year), you may need to adjust your licensing (such as purchasing additional document licenses) before SAP’s official auditors do an assessment. It’s far better to true-up licenses proactively than to be caught under-licensed in an audit, which could lead to a large unplanned bill, including back maintenance fees.

Being Audit-Ready for Indirect Usage

To avoid nasty surprises, treat indirect usage with the same diligence as direct usage in audit prep:

  • Keep Documentation: Maintain a log of all integrations with details on how each is licensed. For digital access, keep records of your document counts and how you arrived at those figures. For named users covering an interface, document which user IDs or technical accounts are assigned and their license type.
  • Simulate Audit Checks: SAP auditors will likely ask about third-party interfaces and might run tools to count documents (if you’ve adopted Digital Access). Do your own simulation: run SAP’s license measurement (USMM/SLAW) and include the indirect documents count. Some clients run SAP’s Digital Access Evaluation reports annually as a “mock audit” to see if their document licensing is sufficient.
  • Update and Educate Stakeholders: Ensure that your architecture and development teams understand the importance of notifying the SAM/licensing team when new integrations are planned. Instituting an internal policy like “no new interface goes live without a licensing impact check” can catch indirect access issues early. Regularly update these teams on what constitutes indirect access and how critical it is to remain compliant. This awareness can prevent well-meaning teams from unknowingly exposing the company to license liability (for instance, by creating a new direct database connection to SAP data for a reporting app).

Recommendations

  • Inventory All Touchpoints: Create and maintain a detailed inventory of all systems and users indirectly accessing SAP. Update it whenever new integrations are added.
  • Assess the Best License Model: Decide whether named user licenses or Digital Access document licenses (or a combination) is the most cost-effective and compliant approach for each integration.
  • Use SAP’s Tools: Leverage SAP’s tools (like the Digital Access estimation note and USMM/LAW) to measure indirect usage regularly. This ensures your internal numbers align with what SAP auditors will see.
  • Negotiate Proactively: During contract renewals or expansions, negotiate terms related to indirect access. Seek clarity on definitions and consider asking for specific allowances or converting to Digital Access as needed.
  • Monitor Continuously: Implement monitoring or alerts for interface activity. For example, set thresholds for document creation via interfaces and get alerts if exceeded, indicating you might be approaching your license limits.
  • Educate Your Organization: Train IT and business units about indirect access compliance. Include it in project checklists to evaluate SAP license impact whenever new third-party integrations or tools are introduced.
  • Document License Allocations: Keep documentation showing how each third-party interface is licensed (e.g., “Orders from web storefront covered by Digital Access licenses – 10k documents/year licensed”). This is invaluable evidence in an audit.
  • Perform Mock Audits: Periodically perform a “mock audit” on indirect usage. Simulate what SAP auditors would check regarding external access to ensure you can confidently demonstrate compliance anytime.

FAQ

What is SAP indirect access?
Indirect access is when SAP is used by external systems or users who log in through a third-party interface rather than directly. For example, a customer ordering through a web portal that feeds into SAP is indirect usage. Such use still requires proper SAP licensing.

Why is indirect access a compliance risk?
It’s risky because it’s easy to overlook. Companies might assume only direct SAP users need licenses, but an audit finds hundreds of unlicensed indirect users or transactions, leading to large fees. If not managed, indirect access has historically led to surprise audit penalties.

What is SAP’s Digital Access licensing?
Digital Access is SAP’s licensing model for indirect use. It charges for the number of documents (like sales orders and invoices) created by external systems instead of requiring a named user license for each external user. It was introduced to provide a fairer, more transparent way to license certain indirect scenarios.

Do I automatically have Digital Access coverage?
No. You must opt into Digital Access by negotiating an addendum to your SAP contract (often via the Digital Access Adoption Program or similar deals). If you haven’t, you’re likely still under traditional rules, meaning indirect usage could require named user licenses. Always confirm your contract terms.

How do I decide between named users vs Digital Access?
It depends on the scenario. If you have a small, known group of external users, assigning them named user licenses (with the correct type) might be simplest. Counting documents via Digital Access can be more cost-effective if you have many external users or automated processes (IoT, B2C scenarios). Analyze volume: for example, 1000 external users creating 2000 orders might be cheaper under document licensing than buying 1000 user licenses.

Can I mix Digital Access with regular licensing?
Yes, and many companies do. You might use Digital Access for certain document-heavy integrations (like customer orders), but still use named user licenses for others. Just be careful not to double-count. If you switch an area to Digital Access, ensure that those documents or users are excluded from named user counts to avoid overlap.

How can I monitor indirect usage?
Use SAP’s user logging and audit tools. SAP Note tools for Digital Access estimation can count documents created indirectly. You can also monitor middleware logs or SAP interface transactions (like SOAMANAGER logs for web services, RFC logs, etc.) to see external call volumes. Third-party Software Asset Management tools often have features to detect indirect usage patterns.

What happens if we ignore indirect access licensing?
Ignoring it can lead to a painful audit outcome. SAP auditors will ask for details on integrations and may detect unlicensed usage. If found, SAP can bill for all unlicensed users or documents retroactively, often with back-dated maintenance fees and possibly penalties. This can run into millions of dollars for large cases. In short, non-compliance here can be very expensive and damaging.

Can we negotiate away indirect access charges?
You can negotiate terms to mitigate future charges (like clarifying usage rights for certain interfaces). Still, if an audit finds non-compliance under existing terms, SAP will expect a license purchase to remedy it. Some organizations have negotiated one-time settlements or special deals (especially when moving to Digital Access), but this is case-by-case. The safer bet is to manage compliance proactively rather than rely on negotiation after the fact.

Does indirect read-only access require a license?
Often yes, unless your contract explicitly permits it. Even read access (say, a third-party reporting tool pulling data from SAP) can be considered indirect use. However, some contracts or SAP policies might not charge for purely read-only, low-level access – you’d need to see if any such clause exists for you. Generally, assume any access, whether read or write, should be evaluated for licensing unless exempted in writing.

Author
  • Fredrik Filipsson has 20 years of experience in Oracle license management, including nine years working at Oracle and 11 years as a consultant, assisting major global clients with complex Oracle licensing issues. Before his work in Oracle licensing, he gained valuable expertise in IBM, SAP, and Salesforce licensing through his time at IBM. In addition, Fredrik has played a leading role in AI initiatives and is a successful entrepreneur, co-founding Redress Compliance and several other companies.
Redress Compliance