SAP Licensing Pitfalls for CIOs – Indirect Access Underestimation (failing to account for third-party system use of SAP data)
SAP Indirect Access is a hidden licensing trap that many CIOs and CTOs underestimate. It occurs when third-party systems or users access SAP data or functions without directly logging into SAP, potentially incurring license fees.
Failing to account for this indirect use can lead to compliance audits and multi-million-dollar surprises. This article explains what indirect access is, why it poses a significant risk, and how to proactively manage it to prevent unbudgeted costs.
Read Top 10 SAP Licensing Pitfalls for CIOs.
SAP Indirect Access
SAP Indirect Access refers to any scenario where a person or device uses SAP’s software via a third-party interface rather than through direct SAP login.
In simple terms, if an external application (such as a web portal, mobile app, or IoT sensor) reads or writes data in your SAP system on behalf of a user, that constitutes indirect use.
For example, a customer places an order on a non-SAP e-commerce website, which then creates a sales order inside SAP. The customer never logs into SAP, but SAP is working in the background to fulfill the order.
Not all external interactions require a license. SAP typically allows “Indirect Static Read”. If data is exported from SAP to another system and merely viewed there (in read-only mode) with no updates made back into SAP, it usually doesn’t incur a fee.
The moment an external system creates or changes records in SAP (e.g., posting an order, updating inventory, triggering a transaction), SAP considers it licensable usage.
Essentially, any non-SAP user or system that causes SAP to execute business processes may need to be licensed, unless your contract explicitly exempts it.
Read SAP Licensing Pitfalls for CIOs: User Misclassification in ECC and HANA.
Why CIOs Underestimate This Pitfall
Many CIOs underestimate indirect access because it occurs behind the scenes, making it an invisible usage.
Traditional SAP licensing focuses on named users (employees logging into SAP), so leaders might assume only those count.
However, older SAP contracts often include broad language that “all use, direct or indirect, must be licensed.”
This ambiguity means that integrating new digital channels (customer portals, APIs, partner systems) can unintentionally breach licenses.
Key reasons for underestimation include:
- Vague Contracts: The definition of “use” in SAP agreements is broad and unclear, leaving room for SAP to claim many scenarios as indirect use.
- Innovation Outpacing Licensing: Companies rapidly deploying web services, mobile apps, or IoT devices may not realize that each integration point with SAP could carry licensing obligations. CIOs focus on functionality and assume that technical connectivity (such as using SAP’s API or middleware) covers it, not realizing that licenses for end users or documents are separate.
- Assumed Coverage: Some believe that if they purchased SAP middleware (e.g., SAP Process Orchestration) or interface software, it automatically covers the external usage. In reality, middleware enables integration but does not exempt users or data transacted through it from license requirements.
- Lack of Monitoring: Indirect use is not obvious from SAP user lists. Without tools to track transactions initiated via interfaces, organizations may be unaware of the extent of SAP activity generated by their external systems.
The result is that indirect access often goes unnoticed until an SAP audit brings it to light – by then, it’s a costly discovery.
Compliance Risks and Real-World Examples
Indirect access became infamous due to high-profile compliance cases:
- Diageo (2017): The global beverage company connected Salesforce to SAP to create orders. A UK court ruled that those Salesforce interactions counted as SAP use for thousands of users. Diageo faced an estimated £54 million bill for unlicensed indirect access – a shocking wake-up call to the industry.
- Anheuser-Busch InBev (2017-2018): SAP claimed the brewer owed over $600 million for widespread indirect use via multiple systems (e-commerce, supply chain portals, etc.). The case was settled confidentially, but it highlighted the significant exposure that large enterprises can incur.
- Other Scenarios: Manufacturers have been flagged for updating warehouse devices in SAP, retailers for feeding point-of-sale systems into SAP, and utilities for querying customer self-service portals against SAP data. In each case, what seemed like normal integration turned into a compliance issue when SAP’s auditors applied strict licensing rules.
These examples illustrate the pitfall: unbudgeted liability. A CIO might proudly digitize processes with third-party platforms, only to later learn that each external user or each transaction triggered in SAP should have been licensed.
Audits can demand back-license fees plus maintenance for past years, turning a small interface into a multi-million-dollar back charge. The indirect access “tax” can also stifle innovation – some firms delay projects for fear of unknowingly incurring SAP fees.
Traditional Named Users vs. SAP’s Digital Access Model
SAP responded to the outcry by introducing a new licensing approach in 2018, called Digital Access (often informally referred to as “document licensing”).
Now, organizations typically have two models (and can use both) to cover indirect use:
- Traditional Named User Licensing: Every individual (or system) that uses SAP, even indirectly, needs a named user license. This means that if 1,000 customers or partners are interacting via a third-party app that integrates with SAP, you theoretically need 1,000 SAP user licenses for them. In practice, this is extremely costly and impractical. Companies historically either ignored this (hoping not to get audited) or tried to cover it by purchasing a handful of “external user” licenses or a package license for an interface. The risk is obvious: if auditors interpret usage literally, the shortfall is huge. One SAP Professional user license can cost around $3,000 (perpetual, plus ~22% annual maintenance), so licensing hundreds of external users can blow up budgets. (For instance, 500 unlicensed external users could equate to roughly $1.5M in licenses, and over $300k per year in maintenance.)
- SAP Digital Access (Document-Based Licensing): Instead of licensing each user, SAP charges for the number of specific documents created in SAP by external systems. SAP identified nine core document types (e.g., Sales Order, Invoice, Purchase Order) that cover common transactions. Under this model, if an external system triggers (creates) one of those documents in SAP, you need to license that event. Reading data is free; it’s focused on writing and creating. The cost is volume-based – for example, you might buy a block of 1,000 documents as a starting entitlement. Each document (often counted per line item) consumes one license “tick.” SAP often sells these in tiered bundles (with volume discounts at higher tiers). Example: If your e-commerce site created 10,000 sales order lines in SAP last year, you’d need at least 10,000 digital access licenses. The pricing is typically negotiated, but generally a few tens of thousands of dollars for a 1,000-document pack (pricing per document decreases with larger quantities).
Comparison of Indirect Licensing Approaches:
| Model | How It’s Licensed | When It’s Best | Potential Pitfalls |
|---|---|---|---|
| Named User (Traditional) | Per human/user (each external user or device requires a license, often as a “Professional” or special user type). | Suitable if external usage is very limited or easily counted (e.g., a small number of known partner users). Also needed for all direct SAP users (employees). | Becomes impractical and exorbitant for high-volume external scenarios. Hard to track “every user,” and audits can reveal hundreds of unlicensed users you weren’t tracking. |
| Digital Access (Document) | Per document created by external systems (license packs for document counts, covering all external users/devices collectively). | Ideal for web portals, integrations, or IoT with lots of transactions. Scales with business activity: you pay for actual documents (business outcomes) rather than infinite user licenses. | If transaction volumes explode, costs can rise quickly. Need monitoring to avoid exceeding purchased document counts. Hybrid licensing (mix of user and document) adds complexity. Also requires understanding which activities count as which document type. |
In practice, many SAP customers now employ a hybrid approach: internal users hold named user licenses, and indirect use is managed through Digital Access for external scenarios. Some have not switched and remain on traditional licensing, but they must be very vigilant about compliance.
Hidden Costs and Audit Surprises
Underestimating indirect access can lead to substantial unplanned costs:
- Back Maintenance Fees: If an audit finds you’ve been unlicensed for indirect use for, say, 3 years, SAP may require you to pay the license for each of those years (or maintenance fees for past usage) in addition to buying the licenses in the future. This retroactive charge often doubles or triples the cost impact.
- List Price vs. Negotiated Price: Compliance shortfalls are usually charged at full list price. When caught in an audit, you have less negotiating leverage – SAP can demand the high “penalty” rate. In contrast, if you proactively address it, you might negotiate discounted terms or trade-in credits (especially under programs like SAP’s Digital Access Adoption Program, which offered incentives to switch).
- Indirect Use Engines: In some cases, SAP offers specific engine or package licenses for certain indirect scenarios (for example, a “SAP Application Interface” package). But if you didn’t procure those upfront, an audit won’t be sympathetic. You’ll likely have to buy them at true-up time, often at a premium cost.
- Operational Disruption: Beyond financial costs, an unresolved indirect access dispute can delay projects or require you to temporarily disable integrations until the issue is resolved. For CIOs, this means a compliance issue can become a business continuity issue if not managed.
Consider a simple scenario: a supplier portal used by 200 vendors to confirm orders and send invoices, interfacing with SAP. If unlicensed, SAP could deem each vendor as an indirect user.
At approximately $1,500 per external user license, that’s $300,000, plus perhaps $ 60,000 per year in back maintenance that remains uncovered. Over five years, that could exceed $ 600,000 in exposure.
Yet, if those interactions resulted in, say, 5,000 purchase order documents annually, a Digital Access license might have covered it in a more predictable way (e.g., purchasing a block of 5,000 documents upfront).
The point is that planning is far cheaper than paying post-audit penalties.
Managing Indirect Access Proactively
The good news is that indirect access risk can be managed with foresight and governance. CIOs and CTOs should treat this as an ongoing aspect of IT asset management.
Key strategies include:
- Assess and Inventory Integrations: Identify all third-party systems, interfaces, and APIs connected to SAP. Map out what data they exchange and how (do they create SAP documents, read data, or both?). This “interface inventory” allows you to identify where indirect usage is occurring.
- Measure Usage: SAP provides tools like the Digital Access Evaluation Service (DAES) and log analysis to estimate document counts. Even if you haven’t bought Digital Access licenses yet, use these tools to get a baseline of how many documents your external systems generate. Similarly, review SAP user logs for any generic interface accounts that perform numerous transactions – behind those could be many actual end users.
- Review Contracts for Clarity: Review your SAP license contract and any associated amendments. Some newer agreements (especially post-2018 or cloud contracts) may include specific language on indirect use or even some allowance for certain scenarios. If your contract is outdated and unclear, you have a higher risk. Knowledge of your contract terms helps in planning negotiations with SAP.
- Educate Stakeholders: Ensure your architecture teams, project managers, and procurement staff understand that connecting a system to SAP isn’t “free” from a license standpoint. Bake license impact assessment into the design phase of projects. For instance, if the marketing team wants to launch a new customer mobile app that retrieves order status from SAP, IT should flag this and determine if additional licenses are required before launch.
- Consider External License Types: SAP does offer some license types meant for external parties (like “SAP Employee Self-Service” for employees or “SAP Business Partner” user licenses for third parties). In some cases, these can be more cost-effective than professional users for indirect scenarios. Evaluate if any such license category fits your use case – it could legitimize access at a lower cost. However, these still require you to count users, which isn’t feasible for open consumer access.
Recommendations
To avoid the indirect access trap, CIOs should adopt a proactive and disciplined approach. Key recommendations include:
- Regularly Audit Your SAP Interfaces: Inventory all third-party systems connected to SAP and audit their functionality. Use SAP’s tools or logs to identify how many documents or transactions are generated indirectly. Treat this like a routine health check (at least annually or before any SAP true-up) so you have no surprises.
- Leverage SAP’s Evaluation Services: Make use of SAP’s Digital Access evaluation tools or programs. They can simulate how many document licenses you’d need under the digital model. This insight helps you determine the best licensing approach and reveals your current level of exposure. Think of it as turning on the lights in a dark room – get the data first.
- Analyze Cost Scenarios: Conduct a cost comparison between staying with named user licensing and adopting digital access. Factor in not just current usage, but also growth – e.g., if your customer transactions are expected to double in 2 years, how would each model scale in terms of cost? Choose the model or mix that minimizes your total cost and compliance risk. Don’t assume the new model is automatically cheaper; it’s a case-by-case basis.
- Engage with SAP Proactively: If you discover a potential shortfall, approach SAP before an audit is conducted. Initiate a conversation to adjust your licenses or migrate to a better model. When you approach SAP proactively (especially around a renewal or new purchase), you are more likely to negotiate favorable terms – possibly trading in existing licenses for credits or obtaining discounts through programs. Always push for explicit contract terms that clarify indirect use (e.g., define what counts, carve out read-only data sharing, etc.).
- Govern New Integrations: Institute a policy that no new integration goes live without a licensing review. Have your architecture review board include a checklist item: “Does this project involve SAP data? If yes, have we addressed licensing?” By catching it early, you can budget for the necessary licenses or design the solution in a compliant manner. This governance step will save headaches in the future.
- Monitor and Alert: Set up monitoring on your SAP system for unusual spikes in usage by interface accounts or document creation rates. For example, if a new IoT deployment suddenly generates thousands of material movements in SAP, you want to be notified immediately. Early warning allows you to react – maybe throttle the process or quickly acquire additional licenses – before it violates terms.
- Budget for Indirect Use: Include a line item in your IT budget for indirect access. This could serve as a buffer for additional licenses or an expected expenditure as your digital channels expand. It’s easier to get approval for “supporting our new e-commerce channel with proper SAP licensing” upfront than to beg for emergency funds after an audit claim. A modest contingency fund for licensing can turn a surprise hit into a planned expense.
- Consult Licensing Experts: If you lack in-house expertise, consider bringing in independent SAP licensing advisors. They can audit your usage, identify loopholes or over-licensing, and suggest optimizations to improve efficiency. They can also assist in negotiations by benchmarking what other companies have achieved. Given the potential cost exposure, an expert assessment can pay for itself many times over.
- Foster Enterprise Awareness: Indirect Access Isn’t Just an “IT problem.” Communicate the issue to finance, procurement, and business unit leaders. If every department is aware that SAP integrations have a cost, they are more likely to involve IT and legal early in the planning process for new initiatives. This cross-functional awareness creates a safety net, allowing fewer things to slip by unnoticed.
By implementing these steps, organizations can turn indirect access from a lurking liability into a manageable aspect of their SAP environment.
The goal is to enable innovation – whether it’s customer-facing apps, partner portals, or automated bots – without fear of violating your SAP license.
With clear policies and the right licenses in place, CIOs can confidently support the business’s digital growth while staying compliant.
FAQ
Q1: What exactly counts as indirect access in SAP?
A1: Indirect access is when a user or application uses SAP’s functionality without directly logging into SAP. This typically happens via a third-party system or interface. For example, if a mobile app or external website triggers SAP to create or update data, that’s indirect access. Simply viewing exported SAP data (read-only) usually doesn’t count, but any creation or update from outside does.
Q2: How can we detect and measure indirect usage in our SAP systems?
A2: Start by listing all non-SAP systems that connect to SAP (APIs, interfaces, middleware). Use SAP’s logs or tools, such as the Digital Access Evaluation Service, to determine the number of documents generated by those systems in SAP. Also, review any “technical” user accounts in SAP that are used for integrations – if one account posts thousands of transactions, investigate what external users or devices are behind it. Regular internal license audits are key.
Q3: What is SAP’s “Digital Access” licensing, in simple terms?
A3: Digital Access is SAP’s document-based licensing model for indirect use. Instead of needing a named user license for each person or device that indirectly uses SAP, you buy a certain number of document licenses. Whenever an external system creates a predefined business document in SAP (such as a sales order or invoice), it consumes one license from the pool. It’s essentially a method of payment based on transaction volume rather than user headcount.
Q4: Is switching to Digital Access automatically better and cheaper?
A4: Not always – it depends on your usage pattern. Digital Access simplifies compliance for large numbers of external users; however, if those users collectively generate a high volume of transactions, the cost could be significant. If you have only a small, fixed number of external integrations with low transaction counts, traditional user licenses may be more cost-effective. Many companies opt for a hybrid approach: they retain named-user licenses for internal users (and possibly a select few partners) and utilize Digital Access for high-volume external scenarios.
Q5: What can we negotiate with SAP to reduce indirect access risk?
A5: When negotiating contracts or renewals, you can seek clarity and caps on indirect use. For instance, negotiate definitions – explicitly allow certain B2C scenarios (such as customers viewing their data) without requiring a license. When transitioning to Digital Access, negotiate a reasonable price per document and include a growth buffer (offering extra documents at a discounted rate). You can also negotiate to convert some existing user license values into digital access credits. Importantly, try to include an audit clause that states if you’re found non-compliant, you will pay at discounted rates (not a full list) – some customers manage to secure “audit relief” terms.
Q6: What happens during an SAP audit related to indirect access?
A6: In an audit, SAP will review your usage statistics and may send questionnaires about connected systems. They can identify interface accounts and ask what they’re used for. If they find indirect usage not covered by licenses, they’ll present compliance findings, usually requiring you to purchase the necessary licenses retroactively and in the future. That can include back-dated maintenance fees. You’ll have a short timeframe to respond or negotiate. It’s much better to have your assessment done beforehand so you know where you stand before SAP does.
Q7: Does using SAP’s products (like SAP-owned cloud apps) still pose indirect access issues?
A7: SAP has been evolving its policies in this area. If you use SAP’s cloud offerings (such as SuccessFactors and Ariba), these typically have their licenses and should integrate without requiring additional ERP user licenses. SAP generally doesn’t double-charge for its software integrations. Also, newer RISE with SAP contracts often bundle some Digital Access entitlements. However, if you have older on-premise contracts and you connect non-SAP software or even a custom app, indirect use rules still apply. Always clarify with SAP if an add-on product includes the necessary ERP use rights or not.
Q8: We use SAP Process Orchestration/Middleware – doesn’t that cover indirect access?
A8: Not by itself. SAP middleware (such as SAP PI/PO or SAP Integration Suite) is merely a technical tool for connecting systems. It does not license the end users of those systems. In the Diageo case, the company had implemented SAP PI to link Salesforce, thinking that was enough – it wasn’t. You still need to license the SAP usage that results from this. Think of it like a bridge: you might own the bridge (integration software), but if 1000 people are walking across it into SAP-land, SAP expects each person to have a “ticket.” The bridge toll isn’t the same as the tickets to enter SAP.
Q9: If we migrate to SAP S/4HANA or RISE (cloud), do indirect access issues disappear?
A9: Not entirely. SAP S/4HANA (on-prem) uses the same concepts – you still must license indirect use either via named users or digital documents. In RISE with SAP (which is a subscription cloud), SAP often includes some Digital Access in the subscription, but you need to ensure it’s sufficient. The risk shifts a bit – you’d be paying a subscription fee for a package that includes a certain volume of transactions. If you exceed that limit, you may incur overage charges or need to upgrade your subscription. The advantage is that you may obtain a more modern contract that clearly outlines digital access. But you must still manage and monitor usage; cloud doesn’t mean unlimited free integrations.
Q10: What’s a practical first step to tackle indirect access management?
A10: A great first step is to form a cross-functional team (including IT, licensing/procurement, and business process owners) and conduct an indirect usage workshop. Map out where SAP interacts with other systems. Then, pick one or two known interfaces (such as your web store or CRM integration) and dive deep into the data: how many orders or records flow to SAP each month? What license would cover that? This exercise often uncovers the gaps. From there, you can prioritize which areas require immediate attention (such as licensing adjustments or contract negotiations) and create an ongoing plan. Essentially: know your environment and engage with SAP on your terms, not just theirs.
Read about our SAP License Optimization Service.
