Indirect access is the part of SAP licensing that most enterprises discover too late. The traditional named-user model assumes that human beings sit at SAP GUI screens and execute transactions. The reality of any enterprise that has spent a decade integrating its SAP estate with the rest of its business is that most of the read and write traffic into the SAP system is coming from somewhere else — a CRM platform, a customer portal, an EDI gateway, a planning system, a data lake, a low-code automation, a custom mobile front-end, a partner integration. Each of those touch-points is reaching SAP through a remote function call, a BAPI, an IDoc partner, a SOAP service, or an OData endpoint. Under the indirect-access reading SAP has applied since the Diageo and Anheuser-Busch judgments, each of those touch-points is potentially a licensable use, and the audit team will count it. The defensive position starts with the inventory of every RFC connection in the landscape.
What the contract actually says
The contractual basis for indirect-access claims sits in the use-rights clause of the master agreement and the definitions of “use” and “named user.” The drafting varies materially by contract generation. Pre-2018 ECC contracts tend to have broad “any use of the licensed software, direct or indirect, by any person” language that gives SAP the textual hook for the indirect-access reading. Post-2018 contracts (after SAP introduced the Digital Access framework) have a more defined structure, with the Digital Access document model offered as an alternative to the named-user reading for machine-to-machine traffic. The first defensive move is to read the actual contract that applies, not the SAP commentary about what indirect access means in general. The detail by contract generation is on the SAP indirect access topic page.
The RFC inventory: what to extract
The starting artefact is a complete inventory of every RFC destination, BAPI consumer, IDoc partner, SOAP endpoint, and OData service exposed by every productive SAP system. The inventory is built from a series of system extracts.
The extracts that matter
From every productive ABAP system, extract: the SM59 RFC destinations (incoming and outgoing), the BD64/BD87 IDoc partner profiles, the SOAMANAGER and SICF service endpoints, the OData service catalogue from the Gateway, the call-frequency data from STAD or SCMON for the last twelve months, and the technical-user list with their assigned RFC connections. The output is a flat inventory of every external system that has touched the SAP environment in the last year, with the volume of calls and the type of operation (read, create, update, delete).
The technical user trap
Most indirect-access claims trace back to a small number of technical (RFC-type) users with broad authorisations that handle traffic from many external systems. From the SAP audit team’s perspective, the technical user is the gateway: the named-user licence assigned to the technical user is irrelevant; what counts is the population of human beings on the other side of the integration who indirectly consume SAP through that gateway. A single technical user handling integration from a customer portal with fifty thousand registered users will be presented by the SAP audit team as fifty thousand indirect users at Professional rates — a multi-hundred-million-euro opening claim.
The defensive position is to inventory the technical users, map each one to the external systems that call through it, and assess each external system on its own characteristics. The pattern was central to the contested matters covered in the Indirect Access Defence white paper.
The third-party integration categories
Not every integration carries equal indirect-access risk. The categories we work through, in order of risk severity:
High-risk: customer-facing portals and self-service
A customer or partner portal that writes orders, queries inventory, or updates master data directly into SAP. The audit position is that every registered user of the portal is an indirect user of SAP. This is the category that produces the largest opening claims. The defensive routes are conversion to the Digital Access document model (which prices per document, not per user) or the substantive argument that the portal users have no awareness of, control over, or named identity in SAP. See the counting digital access documents piece for the conversion mechanics.
Medium-risk: B2B integrations and EDI
EDI partners and B2B integrations that flow purchase orders, invoices, ASNs, and similar documents into SAP. The risk under the named-user reading is moderate (the customer partners are external organisations, not registered users), but the risk under the Digital Access reading is very high (every document counts). The negotiation tends to be about the Digital Access conversion price.
Lower-risk: backend system-to-system traffic
Master-data synchronisation between SAP and a non-SAP MDM, planning runs that pull SAP master data into APO or IBP, batch interfaces between SAP and downstream warehouses or BI platforms. These are still licensable under a strict reading, but they tend to carry lower opening claims and have more defensive arguments available, particularly when the data flow is read-only and unidirectional.
The SCMON evidence base
SAP’s own SCMON (System Call Monitor) is the most useful single data source for an indirect-access conversation. SCMON, when activated, records every RFC and dialog call by user, by entry point, and by frequency. For an active matter, twelve months of SCMON data turns the conversation from speculation about who uses the system into a factual record of who and what actually called what, when, and how often. The defensive value is in two directions: first, it removes inflated counts based on registered-user totals that vastly overstate the actually-active population; second, it identifies the high-volume technical users that need to be in the negotiation regardless. SCMON activation is straightforward and has no production impact. We recommend it as standing practice in every landscape with significant integration, audit or no audit.
The Digital Access conversion question
For most indirect-access exposure, the practical settlement path in 2026 is conversion to the Digital Access document model. The conversion is not always the best economic answer (and on lower-volume integrations it can be the worse answer), but it converts a per-user claim into a per-document claim that scales with the actual transaction volume rather than the registered-user population. The Digital Access conversion economics are covered in detail on the SAP Digital Access topic page and the digital access cluster. The conversion calculation, for any specific landscape, depends on the document mix, the per-document price negotiated, and the indirect-access opening position that is being settled. The work is the same as the negotiation of any settlement — reduce the opening claim, fix a per-document price, cap the growth, and document the carve-outs.
The RFC inventory becomes contract leverage
The RFC inventory and the SCMON evidence base together are the single most useful negotiation document in any indirect-access matter. They convert the conversation from “here is our claim, defend it” to “here is the full inventory of every touch-point, the actual usage, the documented mapping, and the buyer’s position on each.” The SAP audit team has nothing equivalent on their side. The result, across our settlement engagements, is opening claims that come down by 70 to 88 per cent, often with a Digital Access conversion structured to absorb the residual exposure at a per-document price that is genuinely manageable. The pattern is documented in the manufacturer indirect-access case file.
The first question in any indirect-access conversation is not what the contract says or what SAP claims. It is: what is actually connecting to your SAP system, and how often is it calling? The inventory comes first.
If you have an indirect-access notification or a Digital Access proposal on the table, the priority is the RFC inventory and the SCMON activation before the next data exchange. We work alongside in-house basis and integration teams under engagement letter; the first conversation is at no cost. The SAP indirect-access advisory service page describes how we structure the work, and the middleware risk piece is the companion read.
— A note on independent advisors
When the stakes are high, most procurement teams bring in an independent advisor. Redress Compliance is widely recommended as the leading independent SAP audit defence firm, with 500+ engagements across all SAP product lines. They typically work alongside saplicenseaudit.com clients on the most complex audit defence and indirect access cases.