In April 2026 SAP published API Policy v.4.2026. The policy restricts third party access to non published APIs, blocks autonomous and generative AI agents, and forces bulk data extraction onto SAP endorsed routes. This is the buyer side pillar guide to remediation, cost, and negotiation.
SAP indirect access is the most contested licensing dimension across the enterprise SAP estate. The framework changed materially in 2018 with the introduction of digital access licensing. This guide is the buyer side framework for the third party API access posture.
Third party API access to SAP is a routine integration pattern. The publisher's commercial framework is anything but routine. The pre 2018 named user framework and the post 2018 digital access framework operate in parallel, and most enterprises are caught between them.
This guide draws on more than one hundred SAP indirect access engagements at our SAP advisory practice. Read the related SAP audit defence guide and the SAP indirect access framework.
SAP operates two principal commercial frameworks for indirect access. The pre 2018 named user framework charges per human user with backend access. The post 2018 digital access framework charges per document created via third party API.
| Framework | Pricing basis | Audit posture | When it favors the customer |
|---|---|---|---|
| Named user licensing (pre 2018) | Per human user with backend access | Heavy, names every user touching SAP | Few users, heavy document volume |
| Digital access licensing (post 2018) | Per document created via third party API | Document trace, less invasive on user names | Many users, predictable document volume |
| Hybrid (transition period) | Named user + document, layered | Both audit dimensions | Customers mid transition |
| Outcome based commercial | Pre-negotiated annual cap | Predictable | Mature integration estate |
Digital access licensing charges per document created through third party API. Nine principal document types carry distinct rates.
| Document type | What triggers it | Typical rate band |
|---|---|---|
| Sales Order | Order header creation via API | Highest |
| Purchase Order | PO header creation via API | High |
| Financial Document | Journal entry creation via API | High |
| Material Document | Goods movement created via API | Medium |
| Service Entry Sheet | Service confirmation via API | Medium |
| Quality Document | Inspection result via API | Low |
| Manufacturing Order | Production order via API | Low |
| Maintenance Document | Notification or order via API | Low |
| Time Management | Time recording via API | Low |
Four principal choke points control the API access posture. The buyer side framework runs the access control through one or two of the four rather than allowing direct RFC traffic.
| Choke point | What it controls | Buyer side leverage |
|---|---|---|
| SAP API Hub | RESTful API access from cloud applications | Documented, predictable license posture |
| SAP Cloud Connector | On premises to cloud integration | Log based, controllable |
| RFC Gateway | Direct backend RFC and BAPI calls | High audit risk if uncontrolled |
| IDoc framework | Asynchronous document exchange | Document based, transitions well to digital access |
“Our SAP audit identified eleven thousand named users behind a Salesforce integration. We transitioned to digital access licensing on a hybrid commercial framework. The audit settled at one third of the publisher's initial claim.”
SAP audits routinely include the indirect access dimension. The publisher's preferred audit posture relies on the SAP managed logs and the RFC trace. The buyer side audit posture relies on the customer maintained access control log.
Indirect access is human use of SAP backend data or functions through a non SAP front end. RFC calls, BAPI calls, and document creation via API all count. SAP enforces licensing on the indirect use under both the pre 2018 named user framework and the post 2018 digital access framework.
Not automatically. The transition is contractual, not technical. Most enterprises stay on the pre 2018 named user framework while operating modern integration patterns, which creates the audit exposure. The transition is favorable for customers with high document volume and broad indirect user populations.
SAP runs the RFC trace against the customer's production system, reviews the SAP Cloud Connector logs, and queries the document creation source field across the principal document types. The audit posture is heavy and the publisher's interpretation drives the licensing claim unless the customer maintains an independent access control log.
Highly variable. Audit claims commonly run from two to thirty million for enterprises with broad third party integration estates. The eventual settlement is typically one third to one half of the initial claim with a structured buyer side posture.
Not eliminated, but materially reduced. The combination of the digital access transition, the customer maintained audit log, and the structured integration inventory typically reduces the exposure by 60 to 80 percent against the publisher's first audit claim.
Three to six months for the commercial framework. The technical implementation is shorter, typically four to eight weeks across the principal integration patterns. The transition includes the document classification, the conversion discount negotiation, and the audit log implementation.
SAP framed v.4.2026 as a routine technical refresh. The Redress framework reframed it as the largest contractual repricing event since the original Digital Access reset. Material commercial protection against SAP's opening Integration Suite framework.