Avoid the SAP indirect access bill you didn’t know you had

The pandemic forced more and more organizations to turn to remote work. This changed the work process dramatically, and we are still seeing the effects three-plus years later.

The use of VPN connections skyrocketed. The number of third-party systems and applications people use for work from home also climbed. Furthermore, to remain agile and resilient, organizations adopted Software as a Service (SaaS) applications and turned to cloud services at record speed, seeking to automate processes wherever possible. While the result is more ready access to products and services (for instance, many organizations enabled contactless purchases and services delivery to survive), the digitization of business processes often requires third-party application integrations.

These new additions may include HR applications, CRM, online reporting, and others connected to SAP systems. Unfortunately, these additions can lead to unintended SAP indirect access and indirect usage, which may be difficult to find – and more difficult to defend if you’re audited.

What is SAP indirect access?

Direct access involves querying or entering information into an SAP system by logging directly into the platform. Indirect access occurs when you perform these same tasks indirectly.

In other words, when you connect to SAP through third-party or bespoke applications, it’s considered indirect access – and SAP can ding you for license violations. Additionally, if a group of co-workers all have their own SAP logins, but they access information indirectly through one employee, this is also indirect access.

In addition to indirect access, there’s indirect usage. This is when you update, alter, or change SAP-stored data using indirect access. Without proper licenses, this, too, can create unwanted problems.

How indirect access can get you into trouble

Most applications are set up to access and write data through one user license. However, SAP requires that every user who touches SAP-managed data has their own individual license, regardless of whether they’re accessing it through a third-party app.

This is where things get sticky.

Let’s say you built a web interface to make it easier for your customers to search for and order products. In using this interface, your customers are accessing SAP, albeit indirectly. If they make changes or update data through this same entry portal, that’s indirect usage.

According to SAP, this activity must all be licensed, and it’s unlikely you have individual licenses for each of these customers. So, you could get knocked for two different things.

In fairness, most organizations – even in the above scenario – have a license for what users are doing in the SAP system. However, there’s a good chance that what the license says you can do, and what you’re actually doing, don’t align. This puts you at even greater risk.

What are the risks associated with indirect access?

There is the financial implication for one. In 2015, SAP filed a claim against alcoholic beverage maker Diageo to the tune of over £54.5 million (around $76 million) in license fees (plus roughly £4 million in interest) for accessing SAP-stored data without the appropriate licensing. Two years later, a London High Court ruled in SAP’s favor.

One week after the ruling, SAP took Anheuser-Busch InBev (AB InBev) to arbitration over a similar charge. This time, it sought over $600 million in damages. The two sides eventually settled the dispute.

However, most organizations don’t truly feel threatened by an audit until they’re in the throes of one. By that point, it’s likely too late to do anything about it.

The real risk – and one that far too many ignore – is the unknown. Most organizations don’t know their threshold of SAP usage or even where the usage is coming from. Most don’t fully understand what they’re licensed for, if they’re architected correctly, or how SAP is going to interpret the configuration.

Consider this: all of IT should be a continuous improvement process. To effectively manage such a process, we first must know what is being used and how.

Three actions to take today

Here are three ways to guard against improperly licensed indirect access, bolster your digital stance, and improve business processes.

1. Map out how new infrastructure and systems are used

Many organizations faced interruptions to their strategic planning and growth. The struggle of the pandemic has influenced purchases and maintenance, with changes to business processes and procedures. As we continue our operations, we recommend mapping out how infrastructure and systems are used now vs. pre-pandemic.

2. Consider where temporary applications and connections were made to improve business operations

Investigate and analyze where they exist, and what effect they have on both operations and SAP requirements. This will provide valuable infrastructure and business intelligence. It is likely possible that the new additions could streamline overall operations and reduce your needs.

3. Get a “second pair of eyes”

Having a partner provide a critical analysis can be an invaluable resource to highlight the processes and applications which could induce risk. By investigating landscape and system usage along with application connections to SAP, you can address potential risks and adjust strategic plans based on the findings.

SAP Digital Document licensing

SAP offers a Digital Document/Digital Access (DD/DA) licensing option as a method to cover and mitigate possible indirect access. SAP’s DD/DA pricing model offers a calculable, transparent approach to licensing indirect and digital access for SAP S/4HANA and ERP – enabling licensing based on outcomes rather than the number of users. This can be a good option for some organizations, but not for all, as there are a number of factors to consider.

For example, for some organizations who do not utilize a large number of digital documents, the standard licensing model may be less costly and provide more flexibility. Another example where the standard model would be a better fit is an organization without many third-party connections which update or feed SAP data. In a Workday scenario where all employee HR record updates are created, and only basic ‘pay’ or ‘time off’ data is reported back to SAP, there would be little need for a Digital Access model.

However, for an organization who uses Workday for all HR functions, and all HR activities are subsequently piped into SAP for operational control and reporting, that would constitute third-party access (Digital Access), and the DD/DA model makes more sense.

Without first determining what is being used, and then establishing which options exist to license the usage, you may find your organization locked into contractual terms which are not necessarily in your favor. We can help determine which model is most advantageous for a given organization by performing a full optimization with contract abstract and comparing your usage with the licensing cost between the two models.

Solve what’s next with SHI’s SAP Insights

While many organizations depend on SAP for business-critical apps, effective license management requires a good amount of time and resources. We can help fill the gaps and combat indirect access with SHI’s SAP Insights.

Our SAP licensing specialists will review your current usage data, identifying opportunities to optimize, downgrade, re-harvest, or reallocate your licenses. After dissecting how you’re utilizing the SAP system, we’ll pinpoint any holes, risks, or areas that SAP might find issues with.

We’ll help you consolidate software contracts, provide recommended actions to reduce deployment risks, and highlight where indirect access may cause trouble. The sooner you identify potential issues, the sooner you can investigate and resolve them.

Discover how your organization can benefit from SHI’s SAP Insights by speaking with one of our specialists today.