In April 2026 SAP published API Policy v.4.2026. The policy restricts third party access to non published APIs, blocks autonomous and generative AI agents, and forces bulk data extraction onto SAP endorsed routes. This is the buyer side pillar guide to remediation, cost, and negotiation.
SAP API Policy v.4.2026 restricts third party access to non published APIs, blocks autonomous and generative AI agents, and forces bulk extraction onto SAP endorsed routes. The audit exposure compounds with the post 2018 Digital Access framework. This is the buyer side guide to the framework, remediation, and renewal posture.
Third party API access to SAP is a routine integration pattern. The publisher commercial framework is anything but routine. The pre 2018 named user framework and the post 2018 Digital Access framework operate in parallel, and most enterprises are caught between them.
This guide draws on more than one hundred SAP indirect access engagements at our SAP advisory practice. Read the related SAP audit defence guide and the SAP indirect access framework.
The new policy is anchored on the SAP Business Accelerator Hub as the only sanctioned API surface. SAP also documents the policy direction on the SAP API Management community hub.
SAP operates two principal commercial frameworks for indirect access. The pre 2018 named user framework charges per human user with backend access. The post 2018 Digital Access framework charges per document created via third party API.
Two SAP commercial frameworks for third party API access
| Framework | Pricing basis | Audit posture | When it favors the customer |
|---|---|---|---|
| Named user licensing (pre 2018) | Per human user with backend access | Heavy, names every user touching SAP | Few users, heavy document volume |
| Digital Access (post 2018) | Per document created via third party API | Document trace, less invasive on user names | Many users, predictable document volume |
| Hybrid (transition period) | Named user plus document, layered | Both audit dimensions | Customers mid transition |
| Outcome based commercial | Pre negotiated annual cap | Predictable | Mature integration estate |
Digital Access charges per document created through third party API. Nine principal document types carry distinct rates published in the SAP on premise agreement library.
Digital Access licensing document types and rate bands
| Document type | What triggers it | Typical rate band |
|---|---|---|
| Sales Order | Order header creation via API | Highest |
| Purchase Order | PO header creation via API | High |
| Financial Document | Journal entry creation via API | High |
| Material Document | Goods movement created via API | Medium |
| Service Entry Sheet | Service confirmation via API | Medium |
| Quality Document | Inspection result via API | Low |
| Manufacturing Order | Production order via API | Low |
| Maintenance Document | Notification or order via API | Low |
| Time Management | Time recording via API | Low |
Four principal choke points control the API access posture. The buyer side framework routes traffic through one or two of the four rather than allowing direct RFC calls.
API access control choke points
| Choke point | What it controls | Buyer side leverage |
|---|---|---|
| SAP Business Accelerator Hub | Published REST and OData APIs from cloud applications | Documented, predictable license posture |
| SAP Cloud Connector | On premises to cloud integration | Log based, controllable |
| RFC Gateway | Direct backend RFC and BAPI calls | High audit risk if uncontrolled |
| IDoc framework | Asynchronous document exchange | Document based, transitions well to Digital Access |
SAP audits routinely include the indirect access dimension. The publisher preferred audit posture relies on SAP managed logs and the RFC trace. The buyer side audit posture relies on the customer maintained access control log paired with a documented integration inventory.
The standard advice from SAP account teams and most resellers is to accept the Digital Access transition as a uniform discount swap and reprice the entire integration estate at the same time. We disagree. Across roughly 50 of the 60 indirect access estates we audited between 2024 and 2025, the document mix was so concentrated in two or three document types (sales orders, financial documents, IDoc material movements) that a uniform conversion overbought the rest of the nine document framework by a factor of three. The buyer side move is to convert only the document types you can document at volume, carve out the rest under named users, and lock the conversion discount per document type rather than as a blanket rate.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
“Our SAP audit identified eleven thousand named users behind a Salesforce integration. We transitioned to Digital Access licensing on a hybrid commercial framework. The audit settled at one third of the publisher initial claim.Keep going.
SAP · GuideSAP Indirect AccessDigital Access document licensing and the liability math.SAP · GuideSAP Audit DefenseThe framework for responding to an SAP license audit.SAP · GuideSAP RISE NegotiationSeven levers SAP will not volunteer at the table.SAP · GuideSAP PracticeEvery SAP licensing, indirect access, RISE, and audit guide.
The conversion discount is the most leveraged commercial move on the SAP indirect access track. SAP carries an internal conversion calculator that anchors the first quote; the buyer side framework anchors the counter.
Indirect access is human use of SAP backend data or functions through a non SAP front end. RFC calls, BAPI calls, and document creation via API all count. SAP enforces licensing on the indirect use under both the pre 2018 named user framework and the post 2018 digital access framework.
Not automatically. The transition is contractual not technical. Most enterprises stay on the pre 2018 named user framework while operating modern integration patterns, which creates the audit exposure. The transition is favorable for customers with high document volume and broad indirect user populations.
SAP runs the RFC trace against the production system, reviews the SAP Cloud Connector logs, and queries the document creation source field across the principal document types. The audit posture is heavy and the publisher interpretation drives the licensing claim unless the customer maintains an independent access control log.
Highly variable. Audit claims commonly run from two to thirty million for enterprises with broad third party integration estates. The eventual settlement is typically one third to one half of the initial claim under a structured buyer side posture.
Not eliminated, but materially reduced. The combination of the digital access transition, the customer maintained audit log, and the structured integration inventory typically reduces exposure by 60 to 80 percent against the publisher first audit claim.
Three to six months for the commercial framework. The technical implementation is shorter, typically four to eight weeks across the principal integration patterns. The transition covers document classification, conversion discount negotiation, and audit log implementation.
The framework is set out in the SAP advisory practice. Read the related SAP audit defence guide and the SAP indirect access framework.
The eight move negotiation playbook, the seven step remediation framework, the BTP capacity model, the third party tool carve outs, and the contract amendment patterns we use across more than five hundred enterprise software engagements.
Independent. Buyer side. The advisory firm SAP account teams quietly hope you do not hire.
SAP framed v.4.2026 as a routine technical refresh. The Redress framework reframed it as the largest contractual repricing event since the original Digital Access reset. Material commercial protection against SAP's opening Integration Suite framework.
Twenty years on the buy side. 500+ enterprise clients. $2B under advisory. Industry recognized.
SAP framework signals, API policy signals, Digital Access framework signals, and the broader SAP licensing leverage signals across the practice.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
