Nov 29, 2018

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps

You worry about SAP indirect access. Other SAP customers grumble about it. SAP promises to address it. Everyone agrees how complex it is.

But it can’t be measured with a click of a button. Some customers turn to SAP license management experts and Software Asset Management (SAM) tools. Too often, SAP customers pay up whatever SAP tells them to.

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps

To make things easier, SAP released a new pricing model on April 10. This will help customers determine how many additional licenses they need for indirect access. However, the legal basis for this hasn’t changed and is still controversial. Customers can now decide between the named user and document-based pricing models. Before switching, we recommend calculating demand based on the named user licensing model (the old model). You’ll be able to make financial comparisons between the two models when the new SAP measuring tools are released next year.

If you’re a Do-It-Yourself-SAM type, there are ways to find and resolve SAP indirect access. We don’t recommend it, but if you’re serious about digging into this tricky topic on your own, here’s where to begin with your named user licenses.

1) Get an overview of your data connections

Let’s say your company uses 3rd party invoice software that automatically sends data to an SAP solution. You’ll want to note that data connection.

SAP often sends a list of software that cause indirect access for other customers. It’s a good starting point. Mostly, you must pick through your IT infrastructure, looking for data connections between your SAP systems and other software. It’s tedious, intensive work, but it must be done.

One way around this is looking for RFC users created to interface with 3rd party applications, then you have that data connection. You could then use a software license management tool to find specific usage or roles in that interface. That would take you straight to step 4, but you’re doing this yourself.

2) Analyze your data connections

Examine each data connection on your list and ask yourself:

  • What are the 3rd party applications doing?
  • Who is using them?
  • Is the data coming out of SAP systems to non-SAP software?
  • If so, is the data going back into the SAP systems unaltered? Or is it going back at all?
  • Is the data coming out of 3rd party system into the SAP system?
  • What kind of protocol is used?
  • What’s the trigger event?

Ideally, you’d put this information into a spreadsheet. You might have 200 interfaces or over a thousand, but you must be thorough – this is where you’ll see your SAP indirect access.

If you’re pressed for time or short on people, search for the top data connections with the most users at risk of possible SAP indirect access and analyze them.

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps
SAP License Management S4HANA Cloud Webinar

3) Recognize what SAP indirect access is

Classic SAP indirect access is when a 3rd party application is used to enter something into an SAP system without logging into that SAP system. You need an SAP license for that.

When it goes the other way around – creating a file in SAP, then, with a pre-defined trigger, automatically putting it into non-SAP software without altering it – and if the user is sufficiently licensed for SAP systems, and if it follows a couple more parameters, then it’s a static read scenario that does not has to be licensed.

Seems simple, but, let’s say a user logs into Salesforce and sends a request to SAP software asking for open offers. That wouldn’t be a static read, because there was no pre-defined trigger like the previous scenario.

Knowing SAP’s definitions of indirect access and understanding your data connections is critical. Seeing where the data is going, what triggers the exchanges, and what’s being done to it reveals exceptions to indirect access that could avoid extra licensing costs. And it reveals software compliance audit risks.

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps

4) What your users use

You have found SAP indirect access, so who needs to be licensed, and with what license?

Start by getting a user list from the interfacing 3rd party application from the team responsible for the interfaces/applications . If you don’t have a team dedicated to this, then ask around for it.

So, let’s say you find that 100 users are on the 3rd party application. If you were using a SAP license optimization tool, you’d run a user grouping and license consolidation on them. This reveals that 50 users require an SAP license for indirect access, while the other 50 are sufficiently licensed.

But you’re doing this yourself, so you won’t be able to do that.

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps

If you’re a smaller company, you can use spreadsheets and create your own identifier or numbering system that allows you to see how many accounts belong to one person.

You can also use LAW, SAP’s measurement tool, although its functionality for user grouping and license consolidation isn’t easy to use. LAW also can’t read out named user attributes beyond logon name, first, last name and e-mail address, so user grouping and license consolidation is difficult. And good luck assigning a cost-effective license type, because LAW can’t review the usage either.

At this point, it’s fine if you’re asking yourself why you decided to do this on your own when you’re saving neither time nor money.

How to Deal with SAP Indirect Access by Yourself in 7 Complicated Steps

5) How much will this cost?

When you know which users are accessing SAP systems indirectly, you can assign them licenses. If they’re simply entering their timesheets or booking vacation time, an Employee Self Service Core (ESS-Core) license will do. It’s inexpensive and covers the basic indirect access scenarios such usage creates.

On the other end of the price scale, the Platform User covers indirect access of heavy users of 3rd party applications interfacing with SAP software and Professional User has the most comprehensive authorizations for direct and indirect access. Deciding between them depends on their usage.

There are cost-effective license types in between the two extremes of the price scale, but you’d need to know every instance of SAP indirect access caused by those users to assign a suitable license – their concrete usage. As mentioned above, parsing those differences is difficult without a software license management tool, so you’ll likely have to settle with ESS licenses for the minimal indirect access scenarios and the pricey Platform User or Professional User licenses for the rest.

6) Dealing with SAP

Now you know what you need to license your indirect access. How do you deal with SAP?

You could proactively approach SAP for these additional licenses. You could wait until your next annual SAP audit to purchase them. You might not want to tell SAP until they say something first. The choice is yours.

By being aware of your risks, you’re prepared if SAP audits you and seeks licenses for indirect access. If they tell you to buy Platform User licenses, you could counter with the data you gathered that proves another, more affordable named user license is a better fit to your indirect access scenarios.

7) Ask Yourself Why Bother Doing It Yourself?

A software license management tool could have helped you analyze data connections with RFC users that cause indirect access, consolidate your named user licenses, view usage, find the most cost-effective named user licenses, and save you a lot of time.

With or without a SAM tool, understanding your SAP indirect access risks empowers you – you know more about your indirect access situation than SAP. You’re able to counter SAP’s measurements with your own and make informed decisions about your licenses. Not every SAP customer can say that.

SAP License Management S4HANA Cloud Webinar


Topics: Audit Defense, SAM Education, SAP