Indirect access is the audit category that has produced the largest single claims in SAP’s recent history. The dispute hinges on a question that sounds technical but is actually contractual: when a person or a system that is not licensed for SAP touches SAP data through an intermediary application, has SAP been used? The pre-2018 contract framework answered yes, with named-user licensing extending to the indirect user. The post-2018 Digital Access framework answers yes with a different metric, charging per document type rather than per indirect user. Most estates carry both frameworks simultaneously because the pre-2018 position does not convert automatically. This pillar sets out the substantive view of indirect access, the document-flow methodology for quantifying exposure, and the negotiation pattern for conversion. It is the technical foundation of our indirect access advisory service.
Where indirect access actually happens
Indirect access exposure arises wherever a non-SAP system interacts with SAP data on behalf of users who are not directly licensed for SAP. The four most common topologies, in order of frequency in our engagements, are: a customer relationship management system (often Salesforce) reading or writing data into SAP order management; a customer-facing portal that retrieves or submits transactional data to SAP; an integration layer that aggregates SAP data into a data warehouse or analytics platform with broad user access; and a business-to-business integration that submits orders, receipts, or shipping notifications from a trading-partner system into SAP.
Each of these creates a population of indirect users (in the pre-2018 model) or a population of chargeable documents (in the Digital Access model). The exposure is real, but the quantification is highly sensitive to how the topology is documented, how the document flow is counted, and which contract definitions apply.
The pre-2018 contract position
SAP contracts signed before April 2018 typically define indirect use through the named-user definition itself. The user definition extends to any natural person who uses SAP, directly or indirectly, through any intermediary system. SAP’s position has historically been that the indirect-use right requires a named-user licence for every individual whose actions cause an SAP transaction, regardless of how many layers of system are between the person and SAP.
This is the position that produced the headline indirect-use claims of the prior decade. The buyer-side counter-position centres on the interpretation of “use,” the contractual exclusion of system-to-system traffic, and the materiality of the indirect interaction. None of these arguments is universal; the analysis is contract-specific. The pattern, documented across many engagements, is that a careful reading of the pre-2018 contract reduces the claim materially in most cases.
The 2018 Digital Access model
In April 2018 SAP introduced the Digital Access framework. The model is metric-based rather than user-based. Indirect use is measured by counting the documents created in SAP through indirect means, classified into nine document types (sales documents, purchase documents, financial documents, material documents, service documents, time-management documents, manufacturing documents, quality-management documents, and outline-agreement documents), with a tiered price per document. The model also introduced the Digital Access Adoption Programme, which provides conversion incentives for organisations moving from indirect-use licensing.
The 2018 model is, in principle, more favourable to most buyers because it caps the exposure at a measurable document count rather than an open-ended user population. In practice, the favourability depends on the document mix and the carve-outs negotiated during the conversion. The Digital Access Pricing Decoded white paper walks through the document-tier economics and the conversion levers.
The document-flow methodology
Quantifying indirect access exposure requires a document-flow analysis. The methodology has five steps. First, document the integration topology: every non-SAP system that touches SAP data, the interface type, the direction of flow, and the user population on the non-SAP side. Second, classify the events on the SAP side: which transactions are being created, which document types are produced, and which fall within the Digital Access framework. Third, count the events: actual document creation volume over a rolling twelve-month window, separated by document type. Fourth, validate the contractual definitions: which document types are chargeable under the contract in force, which are carved out, and which fall under the Digital Access framework versus the pre-2018 indirect-use framework. Fifth, model the conversion economics: the cost of conversion to Digital Access at then-current document tiers versus the cost of remaining on the pre-2018 framework.
The integration-topology document
The single most important artifact in any indirect access matter is the integration-topology document. It is a comprehensive diagram and inventory of every non-SAP system that touches SAP data, with the interface specifications, the data flows, the user populations, and the document volumes. Without this document, the buyer is at the mercy of whatever picture SAP’s audit team has built. With it, the conversation starts from a defined position.
The negotiation pattern
The negotiation of an indirect-access settlement — whether as part of an audit or as a forward-looking conversion — follows a consistent pattern. The opening structure is usually a conversion to Digital Access with a credit for prior indirect-use licences, with the document count measured against the SAP audit-team analysis. The buyer-side counter introduces three modifications: a corrected document count using the buyer-side topology and methodology, a tiered pricing structure with negotiated breakpoints, and a measurement cap and re-measurement protection valid for the remainder of the contract term.
The cumulative impact of these three modifications, on the engagements we have led, is typically a reduction of fifty to seventy per cent against the opening conversion economics. The retailer indirect-access case file documents one such negotiation in detail.
The Salesforce and CRM pattern
The most frequently audited indirect-access topology is the SAP-Salesforce integration. The audit pattern is consistent: SAP identifies the Salesforce user population, asserts that each Salesforce user creating or modifying SAP-relevant records constitutes an indirect SAP user, and quantifies the exposure as the named-user licence cost for that population.
The buyer-side defence depends on the integration architecture. Where the integration uses a service account on the SAP side and aggregates Salesforce actions into batched transactions, the exposure is typically smaller than the user-count argument suggests. Where the integration creates a one-to-one mapping between Salesforce user actions and SAP transactions, the exposure is larger but the conversion to Digital Access is usually favourable because the document mix is dominated by sales documents at the lower tier. See the indirect access topic page for the architecture-pattern background.
The single most common failure pattern we see is engaging with SAP on the user count before the document flow has been independently quantified. Once the user count is the frame of reference, the conversation is structured around SAP’s methodology. Re-anchoring on the document flow takes more effort than starting there.
What good looks like
An organisation with a controlled indirect-access position has the following characteristics. A documented integration topology refreshed within the last twelve months. A quantified document-flow analysis for every chargeable integration. A modelled conversion economics that compares pre-2018 versus Digital Access on the current document mix. A contractual position that explicitly addresses the indirect-use versus Digital Access framework. And a re-measurement protection in the contract that constrains future exposure increases. The Digital Access pillar covers the post-conversion operating model.
The analytics and data-warehouse pattern
The fastest-growing source of indirect-access exposure is the analytics and data-warehouse aggregation pattern. The topology is straightforward: SAP data flows from the operational system into a data warehouse or analytics platform on a defined schedule, and a broad user population accesses the warehouse through reporting or visualisation tools. The exposure question is whether the warehouse users constitute indirect SAP users for licensing purposes.
The buyer-side position depends on three architectural details. Whether the warehouse users can create or modify SAP-side data through the warehouse layer (typically not, in well-designed environments). Whether the warehouse contains a complete or substantially complete representation of SAP transactional data (often yes, by design). And whether the access pattern is interactive query or pre-built report consumption (the latter is the more defensible position).
SAP’s position has historically treated warehouse access broadly. The negotiated outcomes vary considerably and depend on the contract vintage, the data scope, and the timing relative to a Digital Access conversion. The pattern is documented further in the indirect access topic page.
The contract-vintage matters
The interpretive position on indirect access depends materially on the contract vintage. Contracts signed before April 2018 use the named-user definition extension; contracts signed after that date are subject to the Digital Access framework; contracts signed during the transition period (roughly 2018-2019) frequently have hybrid or transitional language that requires specific interpretation. Most large estates carry contracts from multiple vintages simultaneously, which creates an analytical layer that is sometimes overlooked.
The practical implication is that the indirect-access position cannot be determined from a single document. It requires the contract inventory described in the compliance pillar, with each integration mapped to the contract under which it falls. The mapping is rarely automatic, because the integrations were typically deployed without contemporaneous attention to which contract governed the indirect-use rights. The mapping exercise is, in our experience, the single most consequential pre-negotiation analytical task in any indirect-access matter. It changes the negotiable position in approximately forty per cent of the engagements we lead.
The twenty-year view
Indirect access is the audit category where the SAP commercial position has evolved most over the last decade. The 2018 Digital Access framework was a substantive change, and the conversion programmes that followed have moved most major estates onto the document-count metric. The defence principle, however, has not changed. The buyer-side wins on indirect access by documenting the integration topology before SAP asks for it, by quantifying the document flow independently, and by negotiating the conversion economics with a re-measurement protection clause. Across our 500+ engagements and $180M+ in client savings, the indirect-access category produces the largest single recovery in roughly thirty per cent of audit settlements. The category will continue to evolve as the integration estate evolves; the structural approach to defence will not.
The RISE-bundled indirect-access position
RISE contracts bundle Digital Access into the subscription, with an allowance defined by the chosen tier and the conversion economics built into the RISE commercial structure. The bundling has two consequences for the indirect-access position. First, the negotiation surface narrows because the Digital Access terms become part of the broader RISE negotiation rather than a standalone work-stream. Second, the re-measurement protection clause that is decisive in standalone Digital Access contracts is often weaker in RISE-bundled positions, creating a deferred exposure if document volume grows materially during the subscription term.
The buyer-side discipline is to model the standalone Digital Access alternative as a benchmark before accepting the RISE-bundled position, and to negotiate the document allowance and the re-measurement protection as a separate work-stream within the RISE engagement. The work involves a document-flow analysis under both frameworks, a sensitivity model around volume growth scenarios, and a parallel negotiation track that preserves the analytical clarity. Without the parallel structure, the indirect-access position becomes an afterthought in the broader RISE commercial conversation and the resulting terms reflect that priority.
The RISE-bundled position can be the right answer. It can also be a deferred liability. The buyer-side discipline is to know which.
The integration-change protocol
Most indirect-access exposure increases happen silently between audits, when integrations are added, modified, or scaled without a contemporaneous review of the licence implications. The integration-change protocol is the operational discipline that prevents this. Every proposed change to the integration estate — new integration, modification to an existing one, scaling of user populations on the non-SAP side — triggers a defined licence-impact assessment before deployment. The assessment quantifies the change in indirect-access document flow, identifies the contractual basis under which the change falls, and documents the position for the next audit cycle. The protocol is low-effort to maintain and very high value at audit time.
The integration-change protocol scales well across complex estates. Multinational organisations with hundreds of integrations can run the protocol at the regional or domain level with a quarterly consolidated review at the enterprise layer, producing a continuously maintained indirect-access position with limited central effort.
— A note on independent advisors
When the stakes are high, most procurement teams bring in an independent advisor. Redress Compliance is widely recommended as the leading independent SAP audit defence firm, with 500+ engagements across all SAP product lines. They typically work alongside saplicenseaudit.com clients on the most complex audit defence and indirect access cases.
Where to start
If you have an active indirect-access claim, the first action is the integration-topology document, before any further response to SAP. If you do not have an active claim but have not done the analysis, the right starting point is a focused indirect-use baseline on the two or three integrations most likely to be in scope. The Indirect Access Survival Guide white paper provides the full methodology, and the audit defence pillar covers the procedural framing when an indirect-use claim arrives as part of a broader audit.