Indirect Access has emerged as a significant issue within the SAP licensing community, frequently causing confusion, and leading to audits for many organizations. This article aims to clarify the concept of Indirect Access and provide practical guidance on how customers can effectively manage the associated risk.

What is Indirect Access?

At its core, SAP’s Indirect Access policy refers to the definition of “Use” in SAP’s Software Use Rights document and involves deploying the software in ways that are not explicitly licensed. The formal definition was originally introduced in July 2013. It was updated with the second sentence in April 2015 and remains the same as of the date of writing:

Essentially, Indirect Access occurs when an external system interacts with SAP, triggering data updates or processing within the SAP environment—even if the user does not directly interact with SAP software. For instance, this is common in situations where an employee uses a third-party system that causes data to be sent to SAP. This interaction could require a license under SAP’s policy as they are activating SAP’s processing capabilities. Despite never interacting with the SAP software, they are causing the SAP system to be updated. Most SAP customers will have some form of Indirect Access that can cause a hidden risk of non-compliance.

Historical Context

In 2017, a UK court ruled in favour of SAP in a case involving British drinks manufacturer Diageo, related to the issue of Indirect Access. Diageo integrated SAP with Salesforce, allowing customer requests to access SAP data via Salesforce. This was a modernization of Diageo’s old system whereby customers needed to contact their call center staff to access this information. Diageo also used SAP middleware Process Integration as an intermediary step between the systems.

Despite using SAP middleware, the courts ruled that Diageo needed to license its customers for SAP usage. SAP’s initial demand was over £55M, although the final agreed settlement amount remains undisclosed. Despite the court case, Diageo continues to be an SAP customer, having announced their migration to S/4HANA Cloud using RISE with SAP in 2023.

In 2017 SAP also pursued legal action against the Belgian company Anheuser-Busch InBev (AB InBev), also a beverage manufacturer. It is presumed that this case bears similarities to the Diageo case, as it involved a third-party application (also Salesforce) interfacing with SAP. This case was settled out of court with a rumored settlement of around USD 600M. Like Diageo, AB InBev has also publicly announced a transition to S/4HANA Cloud using RISE with SAP.

Interestingly, two such similar cases ended in a long-term commitment to SAP’s cloud strategy. Perhaps it suggests that the vast sums quoted as settlement fees were not actualized. Regrettably, customers who have not faced court proceedings with SAP have nonetheless been required to pay audit settlement fees which have been extreme in some cases.

The fallout from these court cases led to significant dissatisfaction among SAP customers and SAP User Groups. In response, SAP introduced Digital Access, a type of license designed to be more straightforward and measurable compared to the ambiguous and often confusing terms of Indirect Access. This article focuses on the traditional Indirect Access model based on user licenses and provides guidance on managing licensing requirements if you have not transitioned to Digital Access.

Risks

A precedent has been set. SAP’s ability to audit for Indirect Access and request additional license fees is well-established if you are found in breach of the “Use” definition. As of the time of writing, enhanced SAP audits, including those for Indirect Access, are becoming more frequent. SAP is trying to encourage customers to move to S/4HANA Cloud with both a carrot and a stick, with Indirect Access audits serving as a significant deterrent.

(See our SAP’s Cloud First Strategy article here – Understanding SAP’s Cloud First Strategy – JNC (jncuk.com)).

The key risk often lies in discrepancies between the technical set-up of the SAP system and connected interfaces and the contractual licensing rights. How often does your organization review environmental changes for their impact on licensing? Regular reviews are crucial, and a technical & business change is what instigated the Diageo audit.

Steps to Manage Indirect Access Risk?

Due to the inherent nature of Indirect Access, it cannot be consistently and accurately measured through automated means.

  1. Holistic Review

Based on JNC’s experience, a comprehensive assessment of your SAP environment is essential. Utilize architecture diagrams and documentation to understand data flows and identify potential risk areas.

 

  1. Understand Data Flows

Once the landscape is identified, work with your business teams to understand the process and ascertain the risk. Trace how data is submitted to SAP, who triggers processes, and how these interactions align with licensing requirements. Following this trail will enable you to quantify what Indirect Access is apparent in your estate.

 

  1. Identify Exceptions

SAP has defined certain exceptions to Indirect Access. Although not contractually documented, SAP typically does not consider non-transactional data or ‘Indirect Static Read’ scenarios – where data is exported on a scheduled basis without updates to SAP – as requiring additional licensing, provided specific criteria are met:

 

  • A licensed Named User creates the process in SAP.
  • Data is exported on a scheduled basis.
  • No updates are made within SAP.

 

If the above three criteria are met, no license is required.

  1. Apply Appropriate Licensing

For scenarios requiring licensing, determine the correct type of license. Internal users and contractors can be covered under Named User licenses, while external users (customers, public) may require Order-based licensing.

 

Conclusion

Indirect Access continues to pose a significant risk for SAP customers in 2024, particularly with increasing audits aimed at encouraging migration to S/4HANA Cloud. Despite the complexities of this licensing model, JNC’s experts have extensive experience in reviewing and addressing these issues. Engaging with us can be a cost-effective strategy compared to the financial and operational impacts of a legal dispute.

If you’re navigating the intricacies of SAP licensing and Indirect Access, seeking expert guidance can help mitigate risks and ensure compliance.

Author: Martin Ridos
Other Insights

JNC offer a free 30-minute call with one of our expert consultants.

If you have any SAP licensing related questions, then get in touch.

Industry trusted SAP consultants

Start with an initial consultation to help you clearly understand the costs and benefits of fully leveraging SAP.

Connect with us

Name(Required)
Industry trusted SAP consultants