- Nov 17, 2016
- Guido Schneider
Indirect Access: Untangling Truth from Trickiness
According to the “Cynefin Framework”, simple systems are based on cause and effect, while complex systems require a specific analysis and precise knowledge to understand the connections. SAP users are all too familiar with tangled systems, and indirect access opens up a complex web of uncertain vulnerabilities and high costs.
What is indirect access?
The topic of “indirect access” has two sides for SAP users. On one hand, it’s about whether you’re accessing SAP software directly or indirectly. Depending on the type of use, each user is required to have a corresponding user right in the form of a “Named User License”.
On the other hand, there are applications that use SAP technology. In these cases, SAP customers should purchase a corresponding user right for “SAP NetWeaver Foundation for Third Party Applications” from SAP.
Anything but simple: usage by the user
Usage by the user means that anyone using SAP software needs to have the appropriate user rights – independent of how they access the software. The burden of proof lies with you, as the SAP customer.
This means that for each application that accesses SAP, you must verify if the system is being accessed indirectly, if they have the required SAP license types, and know how many users use the application. The application must access SAP functions in SAP, and you must determine who already has a sufficient SAP license and who does not.
Let’s look at Salesforce.com to see an example of how this works. If you are an SAP customer who decides to connect Salesforce.com to your SAP system, rather than using SAP’s CRM solution, then the SAP functions (from the SD module, for example) are still used in certain circumstances. SAP requires user rights for this, and you will be responsible to determine whether that user already has a sufficient “Named User” License. If the employee only had the so-called “Employee” License initially, then this isn’t actually sufficient to access the SD module via Salesforce.com. In this case, an “SAP Professional User” or an “SAP Platform User” License must be purchased and the existing “Employee” License can be used by another employee.
Complicated and expensive: “SAP NetWeaver Foundation for Third Party Applications”
Excerpt from the current PCL 2016: 5.22 SAP NetWeaver Foundation for Third Party Applications
The above description has changed repeatedly since the introduction of SAP Netweaver. It’s extremely important to determine when the customer acquired the NetWeaver License respective to the time SAP licenses were most recently purchased. For example, if the last time you purchased additional licenses was three years ago, then that PCL from three years ago is valid, not the one from 2015 or 2016.
Up to and including the PCL 2016/1, SAP customers who purchased the NetWeaver License are granted the right to run SAP software only on SAP technology (NetWeaver Runtime Environment). According to SAP, in-house applications and applications from third-party providers require a separate user right, namely the “SAP NetWeaver Foundation for Third Party Applications“ License. From a legal perspective it’s highly debatable if, in addition to the purchase of the so-called Developer License, additional authorization is required for the company and for the use of in-house development.
Additional purchases must also be analyzed on a case-by-case basis to determine if SAP copyright law is being violated. Since the PCL 2016/2 and PCL 2016/3 didn’t further change in this context, it’s no longer a question of whether SAP technology is used or not. Rather, the focus shifts to using an SAP interface and accessing information in SAP application tables.
Recognize, analyze, react
Indirect access is complicated, because it always includes new modifications and conditions that are not easy to understand. To determine if – and with which – applications you have licensing requirements, I recommend conducting the following analyses.
- SAP Contract Analysis. When and what did I purchase and which PCL (with respect to Netweaver usage) did I accept? If you have several active contracts, different definitions may apply.
- SAP Architecture Analysis and User Analysis. Which ‘third-party application’ accesses SAP application data using an interface? Or is only your own data accessed in the SAP tables? How many users use this application? Whether or not the application runs on NetWeaver technology is now irrelevant based on the latest definition. Prior to the PCL 2016/2, the application had to run based on NetWeaver technology. However, the current valid definition states that this is no longer necessary.
Know your license position better than SAP!
Complete both of these analyses to determine your maximum financial risk. The next step should be a legal analysis. You need to evaluate, per application, if copyright infringements are present. Just because SAP writes different definitions of their NetWeaver technology in their PCL, does not mean a legally justifiable claim can be derived from it.
While contract analysis and legal evaluation are manual activities, system and user analyses can be performed with the support of automated tools such as License Control for SAP. However, a system analysis of SAP cannot accurately determine indirect access risk. Every SAP customer is required to determine whether a “SAP NetWeaver Foundation for Third-Party Application” license is necessary or not.
Understand financial risk
The topic of indirect access is deliberately complex. But what remains clear is that you need to understand the systems that you’re dealing with and adapt your procedures accordingly for peace of mind. If the Cynefin Framework didn’t convince us of how important it is to evaluate contract terms and to transform complex systems into transparent systems, then surely the development of “indirect access” by SAP will motivate a plan of action.