Analysis of Snow Software on Determining SAP Indirect Access Exposure

What This Article Covers

  • Article Quotations
  • So What is Indirect Access?
  • SAP Add Ons
  • IoT and other Databases
  • Fee or No Fee?

Introduction

In this article, we will analyze Snow Software’s article on whether it is possible to determine your internet access exposure.

Article Quotations

SAP licensing is complicated. License entitlements can be open to interpretation and contract amendments can mean that financial liability for one customer may be very different in comparison to another, even if their usage and requirements are identical. It often depends on what deal was struck at the time of purchase.

Traditionally SAP licensing reviews and system measurements have focused on direct usage of an organization’s SAP environment. Direct usage on an individual level describes one user accessing SAP data directly through the SAP interface. The transactions which they perform determine what license type (or types) the user should be assigned. This in turn determines the associated cost for that user to perform their required tasks within the SAP system.

Even correctly managing licensing of direct users is more complicated than it might first appear. An organization with 10,000 users of its SAP environment could have many groups of users who transact in very different ways. The users may change jobs and so need to use the SAP environment differently from one year to the next. Other users leave the organization and of course it’s no longer necessary to have a license assigned to them.

Very true. Actually, most of what SAM software does is actually manage direct user licenses.

If your organization’s doesn’t keep on top of this and effectively manage licenses, you’ll almost definitely be paying over the odds for your licenses or you will be hit with a big fee following system measurement (LAW) submission or a more comprehensive SAP audit.

And this is in fact very common as most SAP customers do not use SAM software.

The risk becomes even greater when you consider Indirect Usage. That’s because you may face licensing liability for a far greater number of users compared to those who you know directly access the SAP system. That 10,000 user license requirement could two, three, even four times more if a third-party application accesses your SAP data.

There are really two ways to look at this. One is that the type of indirect access most often enforced by SAP is called Type 2 indirect access. Brighwork has repeatedly questioned the validity of SAP’s creation of Type 2 indirect access.

The second way of looking at it is that SAP does enforce Type 2 indirect access, although it does not actually have the right to do this.

One thing is clear. The better prepared your organization is, the better you understand overall usage of your SAP environment from every user and the better you can map this to existing entitlements, the stronger you will be when it comes to an audit or a negotiation. To do this effectively, you need a system that can automatically consolidate all of the necessary data and automate the required tasks.

That is certainly true.

So What is Indirect Access?

A simple example of Indirect Usage is where an SAP system is accessed or queried through a third-party application. The way in which that third-party system interacts with the SAP system, whether the interaction originates from a users’ actions and whether data is manipulated or changed within the SAP system all contributes to whether SAP defines the need for an additional license and, therefore, additional cost.

If you had to read that sentence twice, you’re likely not to be the only one. The fundamental issue is that SAP “Indirect Usage” changes definition from company to company and that is causing confusion amongst the SAP user community.

And the answer as to why is that SAP selectively applies indirect access in order to maximize the revenue taken from its customers. In some cases, it is not in SAP’s sales interest to bring up the topic, in other cases, it is.

In a rather ironic twist of fate, the push from the large SAP user communities across the globe for more clarity on Indirect Usage has actually led to potentially greater financial exposure. That’s because SAP made changes to their enforcement of the price and conditions list (PCL) in October 2016. More on this below. Indirect Usage is categorized in a few different ways depending on the technical method used to access the SAP environment. To add to the opacity around this, there is also a greater or lesser likelihood that SAP will choose to charge additional license fees dependent on the “type” of Indirect Usage there is.

That may be true. It seems that whenever SAP releases more information on indirect access, it expands what its definition of indirect access is.

External Third Party Systems

Common examples of this type of Indirect Usage include large ISVs like SalesForce.com, Workday and QlikView; Business Intelligence systems and payroll systems. This may also include smaller systems to perform a particular task not possible in default SAP software.

In this instance, the third party systems are accessing the SAP environment, pulling data and often writing it back via a connection to the SAP environment. Here a “user” must be set up to gain access to the SAP system. On the surface then it can appear like only one user (or a small number of users) is performing actions on the SAP system. In reality though, the “user” will be performing far more tasks than is possible for a single person to undertake.

Multiple users are indirectly using SAP data to perform tasks. The challenge that someone investigating this type of Indirect Usage often faces is that they are unaware of these third-party systems within their organization’s IT estate. To identify such systems requires either surveying application owners or looking for anomalous usage directly within the SAP system.

Once again, this is Type 2 indirect access. It is not historically what has been called indirect access.

Flags to look out for include:

#1: “Work time” check for all users: Checks rolling two-day time windows for constant activity without a pause of at least eight hours

#2: “Volume of work” check: Looks for users with an extraordinary amount of activity (measured by changed or newly created DB table entries)

#3: “Cross-component usage” check: Looks for users which changed DB table entries or newly created them from different SAP modules in the same second.

In practice, the interviewing process alone is insufficient and attempting to analyse the SAP system manually is impractical for a system with over a certain amount of users. This is because it requires manual consolidation of numerous data sources before any possible conclusions can be made.

The more efficient approach is to use a system which can automatically consolidate the data meaning that anomalous activity can be identified much faster.

This method of Indirect Usage is the clearest cut and we covered this in a lot more detail last year. If a system accesses SAP in such a way, you are likely to be financially liable. It’s extremely important to understand precisely how the interaction takes place, how may third-party users may require a license and what type of license they will require.

Yes, SAM software is one of the primary ways to determine the Type 2 indirect access that the customer is performing. Although this still may not provide the details of all the indirect access exposure.

SAP Add Ons

In October 2016, SAP made changes to their enforcement of the price and conditions list (PCL) with the intention of clarifying some of the definitions around SAP and based upon pressure from the various user groups across the globe. This is where the irony lies because it has, in fact, led to a new license requirement for third-party add-ons.

Within the PCL, SAP added that users, in addition to the Runtime usage right of the SAP NetWeaver Foundation, must acquire an additional SAP NetWeaver Foundation for Third Party Applications.

This means that users of a third-party system which is an add-on to SAP and installed via the NetWeaver platform must pay an additional license fee on top of their existing Named-User license.

So SAP charges double for NetWeaver? One to run SAP apps and one to run non-SAP apps. This double purchasing is very similar to SAP’s policy on HANA, which is covered in the article The HANA Police and Indirect Access Charges.

Many customers see this as a shift of the goalposts and it will be particularly frustrating to organizations who were recommended to develop customer-specific solutions into their landscape by SAP itself.

SAP has been constantly shifting the goalposts on the topic of indirect access. And this is something that my research indicates will continue in the foreseeable future.

Because this enforcement is new, many organizations will not be immediately exposed to financial liability and SAP typically takes a staggered approach to enforcing licensing rules.

The best advice and option would be not to rest easy because of the lag between rule creation and rule enforcement. Make sure that you understand what your potential liability might be. Consider whether there are named user licenses which are assigned to inactive users and making up shelfware. If there’s a potential for this shelfware to use a third-party add on, there may be a case for SAP to charge your organization the additional fee. If your shelfware is properly expired and retired, there is no risk. Again, an automated system which can do the leg work for you will ensure you are in a stronger, optimized position.

These are all very good points.

IoT and other Databases

The third and final category to consider is also the least well defined. However, it still absolutely should be taken into account. This category concerns “things” writing data to the SAP system. “Things” could mean sensors in a warehouse measuring temperature throughout the building and alerting when that temperature moves outside of defined parameters. It could mean data transferred from mining vehicles when they return to base, tracking usage of the vehicle and distance travelled to estimate when tyres need changing or when the truck must be serviced. In this real example, the customer wasn’t liable for any additional named user license because there is no human interaction. The data is transferred automatically when the vehicles cross a threshold.

On the other hand, a scenario where additional licenses were required was in a slightly different form of data exchange via Electronic Data Interchange or EDI. In this case, warehouse scanners were used to read data from barcodes into the SAP system. The difference was that humans click the button to read activate the scanner. The customer in this case was told that they needed named user licenses for each user who could potentially use the barcode scanner and hence “use” the SAP system.

The reason this requires drawing ludicrous distinctions is that SAP’s proposal on Type 2 indirect access makes no sense. If the scenario above means that SAP is owed indirect access fees, then all systems that connect to SAP also should receive indirect access fees as well.

”From a legal perspective, the issue of indirect usage and SAP’s respective license types is complicated as its assessment involves questions of contract law, copyright law and possibly also of competition law. What matters is that companies using SAP software are aware of the risk that is attached to indirect usage of the software.

In order to be able to evaluate such risks, technical tools that help to get an idea of the intensity of indirect usage helps. If a company believes that it has a high risk with regard to this issue and does not want to meet SAP’s additional payment request, an individual legal analysis may help to clear the picture.“

Fee or No Fee?

So that is the distinction. Involve a human user in some way and you may be asked to license that user. Remove any human interaction and you are unlikely to need to pay for additional licenses (at the time of writing). As in all of the examples above, however, this won’t stay the same forever and if your organization is embracing new technologies at a rapid rate, just remember that SAP might want a cut of the pie at some point down the line.

Again, the advice remains the same. Understand usage, understand the architecture of your environment and continually optimize. Do not let things change over time without tracking it. If you do, you could be faced with a substantial unbudgeted bill.

Conclusion

Snow Software has made a good effort in getting into the details and have provided some very good information in this article. There is a lot of detail in this article that does not appear to have been published elsewhere.

  • At Brightwork, our perspective on Type 2 indirect access enforcement by SAP is inconsistent with what all other software vendors do, and what has been the historical interpretation of indirect access.
  • It also is the case the indirect access is applied so differently by SAP based upon factors related to the sales situation at the customer, that it does not only come down to technically whether a customer meets the definition of Type 2 indirect access.

References

Indirect Access Contact

  • Interested in Independent Information on Indirect Access?

    Have you noticed that so much of the information published on indirect access is slanted in SAP's favor? We perform more research on indirect access than any other entity. Why not put that knowledge to work for you?

    • We can be used to answer a specific question.
    • We can provide more details on existing research or to perform new research.

    If you have an interest in hiring us to obtain independent research on indirect access, fill out the form below.

https://www.snowsoftware.com/int/blog/2017/01/30/sap-audits-it-really-impossible-accurately-determine-your-financial-exposure

Who is the Most Accurate Source on SAP?

Want to find out? See... A Study into The Accuracy of SAP