Avoid the SAP indirect access bill you didn’t know you had

The pandemic forced more and more organizations to turn to remote work. This changed the work process dramatically.

The number of VPN connections skyrocketed. The number of third-party systems people needed to work from home also climbed.  Furthermore, to remain agile and resilient, companies adopted SaaS applications and turned to cloud services at record speed seeking to automate processes wherever possible.  While the result is more ready access to products and services (for instance, many businesses enabled contactless purchases and services delivery to survive), the digitization of business processes often requires third-party application integrations.

These new additions may include HR applications, CRM, online reporting, and others connected to SAP systems. Unfortunately, these additions can lead to unintended SAP indirect access/indirect usage, which may be difficult to find and more difficult to defend if you’re audited.

What is SAP indirect access?

Direct access involves querying or entering information into an SAP system by logging directly into the platform. Indirect access occurs when you perform these same tasks indirectly.

In other words, when you connect to SAP through third-party or bespoke applications, it’s considered indirect access – and SAP can ding you for license violations.

Also, if a group of co-workers all have their own SAP logins, but they access information indirectly through one employee, this is also indirect access.

In addition to indirect access, there’s also indirect usage. This is when you update, alter, or change SAP-stored data using indirect access. Without proper licenses, this, too, can create unwanted problems.

How indirect access can get you into trouble

Most applications are set up to access and write data through one user license. However, SAP requires that every user who touches SAP-managed data has their own individual license, regardless of whether they’re accessing it through a third-party app.

This is where things get sticky.

Let’s say you built a web interface to make it easier for your customers to search for and order product. In using this interface, your customers are accessing SAP, albeit indirectly. If they make changes or update data through this same entry portal, that’s indirect usage.

According to SAP, this activity must all be licensed, and it’s unlikely you have individual licenses for each of these customers. So, you could get knocked for two different things.

In fairness, most organizations – even in the above scenario – have a license for what they’re doing in the SAP system. However, there’s a good chance that what their license says they can do, and what they’re actually doing, don’t match up. This puts them at even greater risk.

What are the risks associated with indirect access?

There is the financial implication for one. In 2015, SAP filed a claim against alcoholic beverage maker Diageo to the tune of over £54.5 million (around $76 million) in license fees (plus roughly £4 million in interest) for accessing SAP-stored data without the appropriate licensing. Two years later, a London High Court ruled in SAP’s favor.

One week after the ruling, SAP took Anheuser-Busch InBev (AB InBev) to arbitration over a similar charge. This time, it sought over $600 million in damages. The two sides eventually settled the dispute.

However, most organizations don’t truly feel threatened by an audit until they’re in the throes of one. By that point, it’s likely too late to do anything about it.

The real risk – and one that far too many ignore – is the unknown. Most organizations don’t know their threshold of SAP usage or even where the usage is coming from. Most don’t fully understand what they’re licensed for, if they’re architected correctly, or how SAP is going to interpret this setup.

Consider this: All of IT should be a continuous improvement process.  To effectively manage such a process, we all know that we first have to know what is being used and how.

Here are three actions you can take today to guard against improperly licensed indirect access:

1. Map out how new infrastructure and systems are being used

Many companies faced interruptions to their strategic planning and growth. The struggle during the pandemic has influenced purchases and maintenance, with changes to business processes and procedures. As we come out of the pandemic and return to “normal” operations, we recommend mapping out how infrastructure and systems are being used now vs. pre-pandemic.

2. Consider where “temporary” applications and connections were made to improve business operations

Investigate and analyze where they exist, and what effect they have on both business operations and SAP requirements. This will provide valuable infrastructure and business intelligence. It is likely possible that the “new additions” could streamline overall operations and reduce your “needs”.

3. Get a “second pair of eyes”

Having a partner to provide a critical analysis can be an invaluable resource to highlight the processes and applications which could induce risk. Investigating landscape and system usage, and application connections to SAP provide you the opportunity to address potential risks early, while adjusting strategic plans with lessons learned and improved business processes.

Combating indirect access with SHI’s SAP Insights

While many companies depend on SAP for their business-critical apps, they frequently lack the time, energy, and resources to effectively manage their licenses.

We can help with SHI’s SAP Insights.

Our SAP licensing specialists will review your current usage data, identifying opportunities to optimize, downgrade, re-harvest, or reallocate your licenses. After dissecting how you’re utilizing the SAP system, we’ll pinpoint any gaps, risks, or areas that SAP might find issues with.

We’ll help you consolidate software contracts, provide recommended actions to reduce deployment risks, and highlight where indirect access may cause trouble.  The sooner you identify potential issues, the sooner you can investigate and resolve them.

To learn more about how your organization can benefit from SHI’s SAP Insights, reach out to your SHI Account Executive or contact us today.