SAP Indirect Access: The Hidden Liability Every Enterprise Faces

SAP indirect access is one of the most commercially consequential licensing concepts in enterprise software — and one of the least understood. When third-party systems, custom applications, or automated processes read or write SAP data, licence obligations may be triggered regardless of whether a named user ever touches the system directly. Most large enterprises carry undisclosed indirect access exposure running to tens of millions of dollars.

Updated March 2026

SAP's indirect access rules have generated more commercial disputes, audit findings, and boardroom-level surprises than virtually any other licensing concept in enterprise software. The 2017 Diageo-SAP court case — in which SAP initially sought £54.6 million from Diageo for Salesforce CRM integration that accessed SAP data — brought mainstream attention to a risk that had been quietly accumulating in enterprise SAP estates for over a decade. Since then, SAP has introduced the Digital Access model as an alternative framework, but the fundamental commercial risk of unmanaged indirect access has not disappeared — it has evolved. This guide explains the mechanics of indirect access, how to assess your organisation's exposure, and the negotiation strategies that produce commercially acceptable resolutions.

What Is SAP Indirect Access?

SAP indirect access occurs when a user, system, or automated process accesses SAP data or functionality without interacting with SAP directly through a named user licence. The trigger for licence obligation is the access of SAP data — not the human named user performing a transaction. This distinction is the source of most indirect access disputes.

Classic indirect access scenarios include a Salesforce CRM integration that reads customer and order data from SAP to display in sales rep screens; a custom-built field service application that writes job completion records to SAP; an e-commerce platform that checks SAP inventory levels to display product availability; a business intelligence tool that queries SAP tables directly via JDBC; and robotic process automation (RPA) tools that navigate SAP transactions as automated processes. In each case, a human user may never interact with SAP — but SAP's licence terms historically required that each person who benefited from or initiated such access hold a named user licence equivalent to the access type being performed.

The Pre-Digital Access Model: Named User Exposure

Under SAP's traditional licence model (which remains the framework for all legacy perpetual licence agreements not converted to Digital Access), indirect access is evaluated on a named user basis. SAP's position is that if an individual benefits from SAP data or functionality through a third-party interface — such as a sales rep viewing SAP-sourced order data in Salesforce — that individual should hold an SAP named user licence of the appropriate type. For large organisations with thousands of users accessing SAP-sourced data through CRM, e-commerce, or custom portal applications, this creates a potential named user deficit that SAP can identify through licence audits and enforce commercially.

Exposure Scale: In a typical large enterprise with 50,000 employees, an indirect access audit may identify that 8,000–15,000 employees access SAP data through non-SAP interfaces — employees who hold no SAP named user licence. At $1,500 per Professional User per year for a perpetual licence, this creates a theoretical back-billing exposure of $12M–$22.5M for a single year of non-compliant indirect access — before penalties and interest. Leading advisory firms including Redress Compliance have achieved resolution of comparable exposure at 15–35 cents on the dollar through structured negotiation before formal audit proceedings commenced.

SAP's Digital Access Model: The 2018 Reform

In response to widespread criticism — and following the Diageo case — SAP introduced the Digital Access model in 2018, creating a new class of metric specifically designed to license indirect access scenarios. Digital Access licences are not user-based but transaction-based: organisations purchase a package of "documents" — the unit SAP uses to measure transactions processed in SAP through indirect channels — and consume those documents as third-party systems write business transactions into SAP.

The five document types SAP currently tracks under the Digital Access model are Sales Orders, Purchase Orders, Service Orders, Production Orders, and Materials Management movements. Each document written to SAP via an indirect channel consumes one unit of Digital Access document capacity. The pricing for Digital Access packages varies by negotiation, but benchmark rates are approximately $0.18–$0.45 per document for initial purchases, declining to $0.08–$0.20 per document for renewal or large committed volumes. For a mid-size manufacturer processing 2 million purchase orders annually through EDI, Digital Access at $0.25 per document creates an annual cost of $500,000 — significantly less than the named user alternative, but a new cost line that did not exist under the legacy perpetual model.

What Digital Access Does Not Cover

Digital Access covers indirect access to the five specified document types only. Indirect access to SAP for non-document purposes — analytical queries, master data reads, configuration access, portal navigation — is not covered by Digital Access and remains subject to traditional named user licence requirements. Organisations that migrate to Digital Access to resolve document-based indirect access risk without simultaneously addressing non-document indirect access scenarios may find they have resolved one exposure while another remains open.

Additionally, Digital Access applies to SAP S/4HANA under the cloud and perpetual licensing frameworks. Customers on legacy SAP ERP or SAP ECC have the option to convert to Digital Access, but the conversion is not automatic and requires a commercial agreement with SAP. Organisations that have not executed a Digital Access conversion agreement remain fully subject to the legacy named user framework for all indirect access scenarios.

How SAP Identifies and Quantifies Indirect Access

SAP's Global Licence Auditing (GLSA) team uses a combination of technical measurement tools and contractual audit rights to identify indirect access exposure. The primary technical tool is the SAP System Measurement Program (SMP), which SAP deploys during formal licence audits to identify all RFC connections, API calls, and database queries executed against the SAP system over a measurement period. Every connection to the SAP system — whether from a named user client, a third-party integration, or an automated process — is logged, and SAP's analysts review the log to identify non-named-user access patterns that may represent indirect access.

Indirect Access Scenario | Legacy Exposure | Digital Access Coverage | Residual Risk
CRM writing sales orders to SAP | Named user for each CRM user | Yes — Sales Order documents | Low if Digital Access in place
E-commerce reading SAP inventory | Named user for each customer | No — read-only, no document | High — named user still applies
EDI purchase order processing | Named user equivalent per supplier transaction | Yes — Purchase Order documents | Low if Digital Access in place
BI tool querying SAP tables | Named user for each BI report viewer | No — analytical access not covered | High — named user still applies
RPA automating SAP transactions | Named user per RPA bot | Partial — depends on document type written | Medium — requires case-by-case review
Customer portal reading order status | Named user for each portal user | No — read-only access | High — potentially massive user population

Conducting an Indirect Access Risk Assessment

The starting point for any indirect access programme is a structured assessment of all integration points connecting third-party systems to SAP. This assessment should catalogue every RFC connection, BAPI call, web service integration, and database query that touches SAP, mapping each connection to its source system, the nature of the access (read, write, or both), the data elements accessed, and the user population that initiates or benefits from the access. Most large enterprises find this catalogue surprisingly difficult to produce — integrations accumulate over years of system additions and customisation projects, and documentation of legacy connections is frequently incomplete.

Once the integration catalogue is complete, each connection should be assessed against both the legacy named user framework and the Digital Access model to produce a potential exposure range. This analysis typically identifies two categories of risk: legacy exposure from historical indirect access that has not been licensed, and ongoing exposure from current operations. These require different negotiation strategies — legacy exposure is a back-billing risk, while ongoing exposure is a prospective cost normalisation exercise.

Assessment Priority: Organisations facing an SAP licence audit or receiving pre-audit questionnaires from SAP's GLSA team should conduct an independent indirect access assessment before responding to SAP's requests. SAP's audit questionnaires are designed to elicit information that identifies and quantifies indirect access exposure. Independent advisory firms including Redress Compliance routinely conduct pre-audit assessments that allow clients to understand their exposure fully before engaging with SAP — enabling a negotiated resolution rather than a reactive audit defence. See our dedicated SAP Audit Defence guide for the full audit response methodology.

Negotiating Legacy Indirect Access Exposure

If your organisation has material legacy indirect access exposure — historical non-compliant indirect use that predates any Digital Access conversion — the negotiation goal is to resolve that exposure through a commercial settlement that avoids full back-billing at list price. SAP's typical opening position in informal audit conversations is that the full named user licence value is owed for each year of non-compliant indirect access, which can generate theoretical back-billing demands of $20M–$100M for large enterprises. The achievable resolution is typically 15–40% of the theoretical exposure, structured as incremental licence purchase plus a Digital Access conversion to bring the ongoing use into compliance.

The negotiation leverage available to enterprise buyers in indirect access discussions includes:

Converting to Digital Access: The Commercial Framework

For organisations seeking to establish a compliant framework for ongoing indirect access, Digital Access conversion involves agreeing a Digital Access licence package with SAP that covers the document types generated by your indirect access scenarios. The negotiation of Digital Access conversion requires accurate modelling of your document volumes — annual and projected — across each of the five document categories. SAP's initial Digital Access proposals typically assume the highest reasonable document volume, generating a cost estimate that can be 200–400% of the commercially justified figure.

Independent volume modelling — drawing on actual system measurement data rather than SAP's conservative estimates — consistently produces Digital Access package sizes 40–65% smaller than SAP's initial proposals. Over a five-year commitment, this difference in volume modelling is worth $3M–$12M for large enterprises with substantial indirect access operations. The modelling methodology should account for seasonal transaction variation, projected volume growth, and any planned integration changes (such as additional EDI connections or new portal deployments) that would affect document consumption.

Once volume modelling is complete, the commercial terms of the Digital Access agreement — price per document, minimum purchase commitment, overuse handling, and audit protections — are negotiable. Key protective terms include a capped overuse rate (preventing penalties for modest volume exceedance), a detailed definition of what constitutes a "document" for each type (preventing interpretive expansion by SAP's measurement tools), and an audit exclusion clause for historical use predating the Digital Access conversion.

Protecting Against Future Indirect Access Risk

Organisations that have resolved legacy indirect access exposure and established a Digital Access framework should implement governance processes to prevent future exposure accumulation. The primary risk of re-accumulation is new integration projects that create indirect access scenarios outside the existing Digital Access coverage — either because they access non-document data, or because the document volumes exceed the contracted package.

Effective indirect access governance includes an integration architecture review gate that assesses the SAP licence implications of any new system connection before deployment; an annual Digital Access volume reconciliation that compares contracted document volumes against actual consumption; a formal change management process for SAP landscape changes (new modules, additional integrations, user population expansions) that may affect licence compliance; and a nominated SAP licence owner in IT who participates in commercial decisions affecting the SAP estate.

For enterprises in active S/4HANA migration planning, the indirect access model for the new system should be defined as part of the commercial negotiation — not left to be resolved post-go-live. The S/4HANA migration is the optimal moment to negotiate a clean Digital Access framework covering all planned indirect integrations, with favourable pricing as part of the overall migration commercial package. Our S/4HANA Negotiation guide covers the migration commercial strategy in full.

For a comprehensive view of SAP's full licensing landscape — user types, metrics, audit rights, and the complete commercial framework — see our Complete SAP Licensing Guide. For the white paper on audit defence and the indirect access resolution methodology, see our SAP Audit Defence Playbook.

Indirect Access Exposure Doesn't Go Away on Its Own

Every year of unresolved indirect access accumulates additional back-billing risk. Our advisors have resolved over $400M in SAP indirect access and audit exposure for enterprise clients — typically at 15–35 cents on the dollar.