Understanding SAP Indirect Access: The Hidden Licensing Risk
Introduction: Why Indirect Access Is Still a Hot Topic
SAP indirect access remains a hot topic in 2025 because it hides one of the biggest licensing risks for SAP customers. Indirect access occurs when non-SAP systems or external users interact with your SAP software without logging in directly.
In other words, if data flows from SAP into another application (or vice versa) and triggers SAP functionality, that’s indirect usage. This seemingly technical detail has huge financial implications.
Why does it matter? In recent years, several companies have been hit with surprise multi-million euro license claims due to indirect access.
High-profile cases (like a landmark UK lawsuit where a customer was charged ~£54 million for SAP data accessed via Salesforce) shocked the industry.
SAP audits continue to uncover “hidden” usage where companies unknowingly violate licensing terms. For IT asset managers, procurement teams, and legal departments, indirect access can create unpredictable costs and legal exposure.
SAP has attempted to address the issue by introducing a new “Digital Access” licensing model; however, confusion persists. Many organizations remain unclear about what constitutes indirect use, how to license it properly, and how to avoid a potentially costly audit surprise.
The goal of this article is to clarify what SAP indirect access really means, illustrate common risk scenarios, explain SAP’s licensing stance (old and new), and help you prepare for negotiations – including whether SAP’s Digital Access model truly solves the problem.
Definition: What Is SAP Indirect Access?
In plain language, SAP indirect access (also referred to as indirect use) occurs when someone or something utilizes SAP’s data or functions without directly logging into the SAP system.
Instead of an employee using the SAP GUI or Fiori interface with a named user account, think of a third-party application or interface acting on their behalf.
If an external system retrieves information from SAP or pushes transactions into SAP, that external system and its users are indirectly using SAP.
For example, consider these scenarios of indirect usage:
- Customer Web Portals: A web portal allows customers to view or update their orders. The portal pulls data from SAP and updates SAP in the background. Those customers (and the portal app itself) are using SAP data indirectly.
- E-Commerce Platforms: An online store or marketplace creates sales orders in SAP automatically. Shoppers on the site never log into SAP, but their orders are still processed through SAP – an indirect use of SAP’s sales order functionality.
- Third-Party CRM (e.g., Salesforce): Your sales team uses Salesforce CRM, which syncs customer info and pricing from SAP ERP. When Salesforce queries SAP or creates quotes that update SAP, it has indirect access to SAP’s data.
- IoT Devices and Sensors: Machines on a factory floor send production data to SAP or pull inventory levels from SAP. No human logs in, but the device’s automated data feed is interacting with SAP – another form of indirect access.
- Robotics and RPA Bots: Robotic Process Automation bots or scripts perform transactions in SAP (like posting invoices or moving data) through an API. Although it’s a “bot” and not a person, it still indirectly accesses SAP functionality.
In each case, SAP is working behind the scenes, but the end users or devices don’t have SAP user accounts. SAP’s view is that any person or system benefiting from SAP data or transactions must be licensed, regardless of the method of connection. This means indirect use is not free – it’s subject to licensing just like a direct login would be.
Many companies historically overlooked this distinction. They focused on counting named SAP users (employees, contractors, etc., with direct logins) but didn’t realize that external integrations were creating additional indirect users.
This oversight can lead to compliance surprises, as you may have hundreds or thousands of uncounted users (or devices) technically using SAP through other systems.
Checklist: Identifying Indirect Use in Your Landscape
- Map all external systems interfacing with SAP: List any non-SAP applications, websites, or devices that read or write SAP data.
- Document what they do: For each integration, note what SAP data is accessed or what transactions are triggered (e.g., creating an order, reading customer data).
- Associate users/devices: Estimate how many end users or devices are behind each external system (e.g., 500 portal users, 50 IoT sensors). This is your potential indirect user base.
SAP’s Traditional Indirect Access Licensing Policy
SAP’s traditional stance on indirect usage has long been strict: any use of SAP software – direct or indirect – requires a license. In older ERP contracts, SAP defined “use” very broadly to include accessing SAP functionalities through any third-party interface.
The result was that even if a person never logged into SAP themselves, if they received SAP data or triggered an SAP transaction via another tool, SAP considered them a user who should be licensed.
For many customers, this policy came as a surprise. Companies would purchase enough SAP Named User licenses for their employees, but didn’t account for external parties.
For instance, you might have a supply chain portal for partners or a mobile app for customers that talks to SAP. Those external users weren’t in your SAP user list, so you assumed no license was needed. Audits proved otherwise – SAP auditors began scrutinizing interfaces and discovered these “invisible” users.
Why did this lead to compliance issues? Traditionally, SAP sold licenses primarily by named user or by CPU capacity for specific engines. If 100 employees used SAP, you bought 100 user licenses. But if 1,000 customers were accessing SAP data via an e-commerce site, you might not have accounted for them at all.
During an audit, SAP could claim that each of those 1,000 people should have had an SAP license, resulting in a shockingly large compliance bill. Indirect users were essentially uncounted in many organizations’ license planning, creating a hidden risk.
Audits over the past decade exposed numerous cases of such hidden usage. Typically, the sequence was:
- Audit Request: SAP requests information on interfaces, third-party systems, and the flow of data in/out of SAP.
- Usage Analysis: The audit team identifies transactions or data queries coming from a generic account or middleware. They trace it to an external app (e.g., the “OrdersInterface” account, which creates thousands of orders).
- Compliance Claim: SAP then estimates the number of unique users or devices that accessed that interface. They present a license compliance claim – often demanding back maintenance fees and new licenses for that indirect use.
Companies were caught off guard because those external users were never part of SAP licensing conversations. This resulted in tense negotiations and sometimes public disputes.
Why was SAP so firm on this?
From SAP’s perspective, if third-party systems can interact with SAP freely, customers may attempt to reduce their SAP licenses by having people use alternative front-ends.
SAP’s policy ensures that the value derived from SAP is paid for, regardless of how users access it. However, critics argue this turned into a revenue grab, especially when applied retroactively.
Checklist: Reviewing Your License Coverage
- Contract check: Review your SAP contract and usage definitions. Does it explicitly mention “indirect use” or similar terms? Knowing the exact wording is key to understanding your liability.
- Named user audit: Ensure every human and technical user accessing SAP (even indirectly) is accounted for. Do you have license types for external parties (e.g., “external user” licenses) or are they missing entirely?
- Interface logs: Work with IT to review interface accounts in SAP. Identify high-volume interface users and trace which external application is behind them – these often signal indirect usage clusters.
Examples of Indirect Usage Scenarios
Indirect access can take many forms. Here are some common indirect usage scenarios and why they pose a licensing challenge:
- Supplier or Customer Portals: A supplier portal might allow vendors to check inventory or submit invoices directly into your SAP system. Similarly, a customer self-service portal could allow customers to view SAP-stored data, such as order status. What happens? The portal communicates with SAP via an API or middleware, creating and retrieving records on behalf of the external users. Licensing risk: High – potentially hundreds of external users (suppliers, customers) are consuming SAP functionality without named accounts. Every one of them technically needs to be licensed under traditional rules.
- E-Commerce Websites: Your company’s online store or B2B e-commerce site creates orders in SAP in real-time. What happens? A customer on the website fills their cart and checks out; behind the scenes, the site calls SAP to create a sales order and maybe update inventory. Licensing risk: High – all those shoppers (who have no idea SAP is involved) count as indirect users. Volume can be substantial, especially for B2C sites, resulting in significant licensing requirements.
- External CRM Systems (e.g., Salesforce): The sales team may use Salesforce CRM for day-to-day work, but Salesforce is integrated to pull data from SAP (including product availability and pricing) and push updates (such as won deals, which create orders in SAP). What happens? Salesforce, through integration middleware, queries SAP or automatically creates transactions. Licensing risk: High – none of the Salesforce users have SAP logins, yet they are getting value from SAP data. This scenario famously triggered litigation when SAP insisted that those CRM users needed SAP licenses.
- IoT and Smart Devices: In manufacturing or warehousing, IoT sensors and machines often connect to SAP. For example, a sensor might report inventory levels to SAP or trigger a production order when the materials are running low. What happens? Devices send data via APIs on a schedule or in response to an event, updating SAP tables or invoking functions (such as creating a restock request). Licensing risk: Medium to High – while each device isn’t a “person”, SAP still counts these interactions as use. You could have hundreds or thousands of sensors – impossible to license individually under a user model, but a big exposure if not addressed (this is where SAP’s newer model comes in, as we’ll discuss).
- Robotic Process Automation (RPA) Bots: Companies use RPA tools to automate SAP tasks (like processing invoices or transferring data between systems). What happens? An RPA bot logs in with a technical account or uses an SAP interface to perform transactions just as a human would. Licensing risk: Medium – the bot itself needs a license (it’s effectively a non-human “user”). If the bot serves multiple processes or departments, it might cover actions for many people. Without careful licensing, one bot could inadvertently cover dozens of indirect activities.
These scenarios show that indirect access is not rare or niche – it’s actually very common in modern IT landscapes. Any time you connect SAP with other software, you’re likely creating indirect usage.
The risk level depends on the number of users or devices involved and the criticality of the transactions being processed.
High-volume, external-facing scenarios (like customer portals or large CRM integrations) present the highest licensing risk. Lower-volume or internal automations (such as a handful of RPA bots) are still risks, but easier to contain.
Table: Common Indirect Access Scenarios and Their Risk Levels
| Indirect Access Scenario | How It Uses SAP | Licensing Risk Level | Mitigation Approach |
|---|---|---|---|
| Customer/Supplier Portal | External users retrieve or input SAP data via a web portal interface. | High – Many external users (customers, suppliers) indirectly using SAP functions. | Consider special SAP licenses for external parties, or move to document-based licensing for transactions. |
| E-Commerce Website | Online storefront creates sales orders in SAP in real time. | High – Potentially thousands of customers generating SAP transactions. | Use SAP’s Digital Access for sales documents, and negotiate a volume-based deal instead of licensing each customer. |
| Salesforce CRM Integration | Salesforce queries SAP for data and creates orders in SAP via middleware. | High – Entire sales team and customer base data flows involved with no SAP user IDs. | Audit integration usage and either license Salesforce users as “SAP Indirect Users” or adopt document licensing for data exchange. |
| IoT Devices & Sensors | Machines send readings/transactions to SAP (e.g. stock updates). | Medium – High transaction count, but no human users (traditional user licensing not practical). | Leverage document-based licensing (Digital Access) for high-volume device-generated documents. |
| RPA Bots | Software bots perform automated SAP transactions (e.g. posting invoices). | Medium – Limited number of bots, but each bot can execute many transactions. | Assign each bot an appropriate SAP license (as a named user or a specialized license), and monitor bot activity. |
Checklist: Are Any of These Scenarios in Your Environment?
- Web or mobile portals connected to SAP: Customer, vendor, or employee self-service platforms that interface with SAP data.
- Third-party platforms exchanging data: CRM, e-commerce, supply chain, or other enterprise systems syncing with SAP in the backend.
- Automation and devices: IoT sensors, manufacturing equipment, or RPA bots feeding data into SAP or pulling reports out.
If you checked any of the above, you likely have indirect access in play – and you need to manage it proactively.
The Risks of Indirect Access
What’s the worst that could happen if you ignore indirect access licensing? In short: major financial and legal pain. SAP has the contractual right (in most agreements) to audit your usage and charge for unlicensed use retroactively.
Indirect access can turn into a ticking time bomb that explodes during an audit, with the fallout including:
- Audit Exposure: SAP auditors are trained to sniff out indirect usage. They will request lists of interfaces and may require logs or usage statistics. If they find undeclared use, they can calculate what license fees you “owe” for that usage. This can include back-maintenance for past years. The exposure can reach millions of euros because indirect usage often involves large numbers of users or high transaction volumes that were never licensed.
- Surprise Costs: Indirect access issues destroy the predictability of your SAP spending. You may think you’re compliant and within budget, only to suddenly face an unplanned bill that can be 2, 5, or 10 times your regular license spend. This unpredictability is a nightmare for CIOs and CFOs – it’s hard to reserve budget for a risk you didn’t even know about.
- High-Profile Legal Disputes: Some companies have challenged SAP’s claims, leading to lawsuits or settlements. The most famous example, Diageo vs SAP (2017), resulted in a UK court siding with SAP – Diageo had to pay around £54 million for indirect access via Salesforce. Another case involved Anheuser-Busch InBev, where SAP initially claimed hundreds of millions of dollars for indirect use through a third-party system; that dispute ended in a hefty settlement. These cases highlight that SAP is willing to enforce its rights even against very large customers, and courts have upheld SAP’s contract language in at least some instances.
- Negotiation Disadvantage: If an audit uncovers compliance gaps, you lose leverage in any negotiation with SAP. The conversation quickly shifts from “What new functionality do we want to buy?” to “How do we settle this compliance debt?”. SAP sales representatives may encourage you to sign a new contract (perhaps transitioning to S/4HANA or the cloud) as part of resolving the audit findings. You’ll be negotiating under duress, trying to mitigate a compliance bill rather than negotiating from a position of strategic choice. In short, non-compliance weakens your hand.
- Operational Disruption: In extreme cases, if you don’t resolve the licensing issue, SAP could theoretically restrict your usage rights. While rare, the fear of losing access can prompt companies to quickly agree to costly terms. Even the internal disruption – scrambling to analyze usage, cut off integrations, or justify spend to executives – can be significant.
Considering these risks, indirect access is not something to ignore. It can lead to cascading problems: financial loss, strained supplier relationships (if you have to suddenly license all your partners/customers), and internal blame games over why it wasn’t caught sooner. Prevention and preparation are far cheaper than reacting to an audit after the fact.
Checklist: Are You at Risk for an Indirect Access Nightmare?
- Uncounted users or devices? You have external users or automated systems using SAP data that are not accounted for in your license count.
- Outdated contract language? Your SAP contract language on “use” is broad or unclear, leaving room for SAP to interpret indirect use in their favor. (If your contract is older or hasn’t been reviewed in a while, this is likely.)
- No internal monitoring? You aren’t actively monitoring or auditing indirect usage on your own. If you haven’t done an internal license audit, SAP’s audit might be the first time it comes to light.
- High business dependence on integrations? Your business processes rely heavily on third-party systems integrated with SAP (e.g., all sales orders are processed via an online portal). The higher the dependence, the bigger the impact if SAP demands licenses for those interactions.
If you find yourself nodding to any of the above, it’s time to take action before SAP comes knocking.
SAP’s Evolving Stance: Digital Access as the “Solution”
Following the uproar over cases like Diageo and growing customer concerns, SAP introduced a new licensing model in 2018, known as Digital Access.
This was presented as SAP’s solution to the indirect access problem. Instead of charging every indirect user, SAP shifted focus to the outcome of those users’ actions: the digital documents created in the SAP system.
Under Digital Access (sometimes referred to as document-based licensing), you no longer need to license each user or device that accesses SAP indirectly. Instead, you pay for the number of certain document types that are created or accessed in SAP through indirect means.
SAP identified key document categories, such as sales orders, invoices, purchase orders, material documents (inventory postings), and financial journal entries, and assigned a price per document or a bulk document license pack.
How is this an improvement?
It aims to align the cost with actual business activity rather than headcount. For example, whether 100 or 10,000 customers place orders via your e-commerce site, what matters is how many order documents get created in SAP.
If you’re handling 5,000 orders a month, you’ll pay for that volume. This model prevents the absurd scenario of needing a separate named user license for each customer or each IoT sensor.
It also offers transparency: you can count documents in SAP, which is more straightforward than trying to count nameless users scattered across various systems.
However, Digital Access is not a cure-all, and it comes with its own complexities:
- Counting and Classification: You must accurately track the number of each document type that is created indirectly. This requires new measurement tools or SAP’s estimation notes. Miscounting could mean overpaying or underlicensing. It’s simpler than tracking individual users, but it’s still a task.
- Cost Uncertainty: If your business activity spikes, so do your document counts (and costs). For instance, a booming sales season means many more order documents – under Digital Access, you’d owe more. Some companies worry that this model could end up more expensive if they have high transaction volumes.
- Scope Clarity: Digital Access covers specific document types for indirect scenarios. But what if your integration doesn’t create a standard “document”? There can be gray areas where it’s unclear if a certain interaction is exempt or still needs a named user. You need to work closely with SAP to clarify these in your contract.
- Adoption and Negotiation: SAP initially offered incentives (like the Digital Access Adoption Program) where customers could trade some existing licenses for a quantity of digital documents, easing the transition. Whether these incentives are applicable or beneficial depends on your specific situation. Adopting Digital Access often happens during a contract renewal or an S/4HANA migration, and you’ll want to negotiate the best deal (such as locking in rates or getting credits for past investments).
The promise of Digital Access was a more transparent and fair approach to indirect usage. In practice, companies must still conduct their own research to determine if it truly reduces their risk and cost.
For some, it has provided peace of mind – you pay for what you use and can stop worrying about unnamed users. For others, it introduced new questions – such as how to budget for fluctuating document counts or whether to stick with the old model for certain scenarios.
One thing is clear: SAP recognizes that indirect access is a problem and is pushing Digital Access as the future. If you haven’t had the conversation yet, expect it to come up during your next license negotiation or SAP contract renewal.
It’s wise to be prepared to discuss switching to Digital Access, or at least to compare the costs between staying on Named User licensing vs. moving to Document-based licensing for indirect use. Each has its pros and cons, depending on your environment (volume, number of integrations, and predictability of transactions).
Checklist: Preparing for SAP Digital Access
- Understand your document volumes: Analyze the number of documents (such as orders, invoices, etc.) generated by your SAP integrations. This forms the basis of Digital Access pricing.
- Model the costs: Work with SAP or an independent licensing expert to calculate what your annual cost would be under Digital Access vs. traditional licensing. Identify which model is more economical for your usage patterns.
- Negotiate scope and price: If you opt for Digital Access, consider negotiating the types of documents and their associated prices. Ensure the contract clearly defines what constitutes indirect usage and that you receive credit for any existing licenses that overlap.
- Plan the switch (if needed): Transitioning to Digital Access might require an SAP system update (to get accurate counts) and internal process changes. Plan ahead so you’re not rushing this in a high-pressure audit situation.
5 Actionable Next Steps
Instead of a conclusion, let’s focus on practical steps. Here are five actionable next steps you can take now to mitigate the hidden licensing risk of SAP indirect access:
- Map Your Integrations: Create an inventory of all third-party systems, interfaces, and apps that read from or write to your SAP systems. This map should include the data exchanged and the number of users or devices involved in each integration. You can’t manage what you don’t know – so start by illuminating all those data paths into/out of SAP.
- Conduct an Internal Indirect Usage Audit: Don’t wait for SAP’s auditors. Proactively review your SAP logs and usage statistics for external interfaces to identify any potential issues. Identify the number of documents or transactions each integration generates. If possible, simulate an SAP audit internally to assess your current readiness. This helps quantify your exposure in a non-threatening way.
- Review Your Contracts and Definitions: Pull out your SAP license agreements and read the fine print on “users” and “use.” Pay special attention to any clauses about indirect access or third-party interfaces. In older contracts, the language may be vague or all-encompassing. Knowing exactly what rights SAP has will inform your strategy (and if needed, you might negotiate clearer contract terms next time).
- Estimate the Financial Risk: Collaborate with your asset management or finance team to determine the potential cost of a worst-case audit finding. For example, if you discovered 500 unlicensed indirect users, what would SAP charge to license them (or how many document licenses would that equate to)? Having a ballpark figure in mind prepares you for discussions with executives and gives you leverage to argue for a budget or a different licensing approach before an audit happens.
- Engage SAP (or an Advisor) About Digital Access: If your analysis shows significant indirect usage, start conversations about SAP’s Digital Access licensing sooner rather than later. This could involve discussing a contract amendment with your SAP account executive or engaging a licensing consultant to help you weigh your options. The key is to be ahead of the curve – if Digital Access will ultimately save money or reduce risk, plan for how to adopt it on your terms (ideally timed with a renewal or S/4HANA project when you have negotiating power).
Taking these steps will put you in a proactive stance. SAP indirect access doesn’t have to be a nasty surprise or an inevitable lawsuit.
With careful preparation, clear visibility into your system landscape, and informed negotiation, you can turn this hidden risk into a manageable part of your IT strategy.
The sooner you start, the better positioned you’ll be when SAP comes knocking or when you sit down at the table for your next licensing discussion.