How to monitor and comply your SAP indirect usage

SAP license types

SAP states that every use of SAP systems needs a license. There are two ways to access SAP systems:

• Named users : they refer to a direct SAP users as those who have have logins and passwords on the SAP systems.
• Package license : unlike the named users, the metric is more likely to be the sales revenue or the number of employees in the company. It is based on a package metric.

Indirect usage

For the SAP vendor, the indirect usage includes also the use of data stored on SAP by or via a third application (C.R.U.D. operations). An indirect use needs also a license. SAP states that every user of a third party application that uses indirectly the data stored in the SAP database needs a license.

To illustrate this, the indirect use can be forexample :

• Expense reports applications
• Factory mobile applications
• Billing exchange applications (EDI)
• WEB sites and clients access (e-commerce or online sells)

The indirect use can have a very high financial impact if the company has a high number of employees, external users or clients.

Sia Partners believes that a data extraction from SAP should not be considered as an indirect use. We are aligned with the Cigref (IT association for major French companies) position which states: “The data stored in the SAP databases by companies are not property of SAP but of the companies. What they do with it once it is extracted is their own business”.

It is important to thoroughly analyze the contracts in order to define the indirect use. Even if the definition remains unclear, the “old” contracts contains often less risks than the “recent” ones: the recent clients have not really challenged SAP on these indirect uses since the editor introduced them recently in their contracts.

Once a third application is concerned by an indirect use, it is necessary to identify the users of this application and to verify if they have a SAP license. The figure 1 gives an example of indirect usage.

In the current context, it is essential to comply before any SAP audit on indirect usage or named users.

The named users’ compliance has to follow a regular review cycle of SAP licenses: it represents the difference between the number of purchased licenses and the number of used licenses. 

Nevertheless, it is essential to dig deeper in each type of named user licenses (Professional, Limited Professional, worker, etc.) and to optimize the license repartition in accordance with the real use.

For the indirect usage, the compliance requests a more depth and complex study to give the appropriate answers to SAP. From our experience, SAP requests the following information from its clients during indirect uses audits:

• SAP systems from which data has been transferred
• Concerned third application
• Data type and format
• Transfer technology and methods used
• Business unit and/or business processes needing connection to SAP systems
• Data exchange way (in/out) and their interests
• Number of users having access to create, read, update or delete the data stored in SAP systems.

For the clients, it is important to know that the new version of the License Administration Workbench (LAW v2) covers the indirect uses. The SAP editor will easily be able to identify them and to present sufficient legal proofs.

These requirements must be followed by a thorough compliance exercises and risk assessment. We recommend three steps to comply your indirect use.

Identifying the indirect access of the SAP systems is the first main step. SAP does not define clearly this usage in its contracts. Their definition remains unclear to the companies.

The identification of indirect use can technically be done by an extraction of all SAP users. The extraction will contain the named users with their logins but also the third party applications having access to SAP systems.

This procedure allows obtaining a list of third applications having access to SAP systems or exchanging data with it. It is important to make sure that the connection or the data exchange still exist and that all third applications have a connection or a data exchange with SAP systems (identifying an outdated application for example).

Owners of third applications must be consulted to identify the purpose of the connection and its value. They will also provide some important information as the number of users or the technical solution used to interact with SAP systems.

Once the indirect uses are identified, you will have to assess the associated risk for each one. Here are two kinds of risks that an indirect usage can represent:

• Financial risk:
  • The cost of compliance before the audit: it represents the cost of purchasing the over used licensed to comply.
  • The cost of compliance after the audit: it represents the cost to comply after the audit depending on the terms of the licenses agreement.
• Technical risk:
  • Non authorized interface with SAP: they can be a technical risk regarding the support if the interface is not allowed by the editor.

These risks must be identified and assessed very carefully. They are the main points to define the appropriate compliance measures.

Once all the risks are assessed, you can define some measures to counter them. These measures can be for example:

• Financial
  • To delete some indirect uses or to reduce their number depending on the risk assessed
  • To negotiate with the vendor in order to cover the license deficiency: adopt an agreement to remove indirect use, to define the needed licenses etc.
  • To implement an harmonized calculation model of savings realized by the procurement team
• Technical:
  • To redevelop the flow between the tierce applications and SAP systems in order to encounter the indirect use notion
  • To identify an alternative solution to interface with SAP systems
  • To implement a regular analyze model of named users and indirect use
  • To disable the access of passive users
• Business:
  • To reduce the business functionalities or modifying the business usage by deleting the flow between the SAP systems and the tierce application
  • To try another license assignment based on business needs (one type of license = one business profile)

These measures shall be represented on a detailed action plan. Their implementation depends on the financial, technical and business constraints of each company.

SAP is using an offensive strategy to sell SAP S/4 HANA. To reach its 2020 objectives, the vendor is willing to use two main levers:

• SAP stated they will not provide support for the SAP systems running on Oracle databases from 2020. The vendor will provide support only for the systems running on HANA databases
• SAP is known to audit annually its clients, however they have started to strongly focus on indirect access issues during these audits as a key lever. It has a commercial purpose to push their clients to adopt the new versions and avoid sanctions more than regularizing the situations.

Faced with these two levers, Sia Partners advises a pro-active approach to the companies by:

• Adopt the third party maintenance of SAP which represents an alternative to the vendor. The third party maintenance companies can raise the risk of an audit, but they reduce the expensive costs of maintenance and represent a strong negotiation lever.
• Initiate a compliance approach as soon as possible regarding the indirect use to bring forward proposals during the negotiations.

Each company should analyze and control its compliance on a regular basis. The software asset manager is an essential player for the indirect use compliance. The SAM manager is responsible of the SAP compliance.

---------------------------------------------

Thierry Borgel - Senior Manager

Stefano Fois - Manager

Christophe Lambert - Manager

Badr Bouganga - Consultant

Latest articles on the same subject