SAP License Audits Contact Us
Home · Journal · USMM & LAW · Indirect users in USMM

Indirect users in USMM

USMM cannot see them. That is the problem and the opportunity. A buyer who closes the measurement without a parallel indirect-access mapping accepts a future claim that the measurement did nothing to discharge.

Published 2026-05-27By The SAPLicenseAudits Editorial Desk8 min readUSMM & LAW cluster
Server racks and network connections

USMM measures named users defined inside the SAP user master and the role-collections attached to them. It does not measure indirect users — the human beings and machine identities that consume SAP functionality through a third-party application, a middleware bus, an analytics tool, or a customer-facing portal. The classification gap between the two is the largest single source of retroactive claims in the audit-defence work we have conducted across 500+ engagements, and the easiest one to defend against, because the defence is documentary rather than technical.

What USMM actually counts

USMM’s data source is the user master of the SAP system it is executed in. Every record in SU01 that has not been marked technical or excluded by the run parameters is treated as a candidate for classification. The classification logic walks the user’s assigned role-collections and applies the licence-type mapping table. The output is a per-user classification grouped by licence type. The mechanism is closed: USMM cannot reach a record that does not exist in SU01, and it cannot classify activity that did not pass through a named SAP user account.

The closure is what creates the indirect-access gap. The third-party CRM that posts orders into the SAP sales system passes through a single technical user. USMM sees one record. SAP’s commercial position is that the human users of the CRM — potentially thousands of them — are also accessing the SAP system indirectly and require licensing. Nothing in the USMM output addresses that position one way or the other. The measurement is silent.

Why the silence is dangerous

A buyer who treats the USMM submission as comprehensive accepts an implicit risk position. The submission says, in effect, “these are our users; this is our licence requirement.” The audit team reads it the same way. When the indirect-access conversation surfaces — typically six to eighteen months later — the buyer has no contemporaneous record of indirect consumption. The audit team’s position is constructed against a vacuum, and the vacuum favours the position with the higher dollar value.

The fix is a parallel exercise. Every measurement cycle should produce two outputs: the USMM submission (named users) and an indirect-access map (third-party and machine consumers). The two outputs feed different commercial conversations, but both should be maintained on the same cycle. Our indirect access advisory service builds the parallel exercise as a standing routine rather than an audit-response scramble.

The indirect-access map

The indirect-access map enumerates every system that connects to the SAP estate, the integration mechanism (RFC, IDoc, BAPI, OData, REST), the document type produced (sales order, purchase order, master-data update, financial posting), the volume per period, and the upstream user population. The map is not a measurement — it is a documentary baseline. Its value lies in being contemporaneous with the USMM submission. A baseline produced eighteen months after the integration went live is reconstructive and weak. A baseline produced in the measurement cycle is current and strong.

Where document-flow lives

SAP’s 2018 introduction of document-based Digital Access pricing made the indirect-access conversation quantitative. The map should record document counts for the nine document types that drive Digital Access metering, and should record them per-quarter so that growth patterns are visible. The Digital Access negotiation service brief covers the metering detail and the conversion offer mechanics. The document-count data is also what the SAP RISE topic page contracts use for the Digital Access component of the bundle.

The four step routine

The routine has four steps and adds approximately ten days of effort to a standard USMM preparation. Step one: enumerate the integration topology. Pull the list of registered RFC destinations, the SAP PI/PO interfaces, the API Management catalogue, and any custom OData services exposed to external consumers. Step two: classify each integration by document outcome — what does it create or update in SAP. Step three: count the documents produced through each integration over the measurement period, broken down by document type. Step four: estimate the upstream human user population behind each integration, with the source of the estimate documented.

The output of the routine is a one-page indirect-access map per measurement cycle. It is filed alongside the USMM submission and the override register. When the audit team raises an indirect-access question, the map is the first response. The conversation that follows is structured by the map rather than constructed from scratch under audit pressure.

The buyer who hands an auditor a current indirect-access map controls the indirect conversation. The buyer who hands them nothing accepts whatever number the audit team produces from log analysis. The asymmetry of preparation is the entire negotiation.

The three common errors

The first error is treating indirect access as an exception. The integration topology of a mature SAP estate typically contains forty to one hundred connected systems. None of them is exceptional. The map should treat every connection as in scope and exclude only those for which documented analysis supports exclusion.

The second error is conflating document-based Digital Access with user-based indirect access. SAP’s commercial position has evolved through multiple frameworks, and contracts in force on a single estate may reference any of them. The map should record both metrics — document counts and upstream user counts — because the applicable commercial framework depends on the contract date and the conversion election. See Digital Access vs indirect use for the framework distinction.

The third error is excluding machine-to-machine integrations from the map on the assumption that they carry no indirect-access exposure. Machine integrations create documents and update master data, and SAP’s document-based metering counts the documents regardless of the upstream actor. A pure machine integration that writes ten thousand sales orders per month meters under Digital Access exactly as a human-driven one would. The map must include both.

Where S/4HANA changes the calculation

The S/4HANA conversion is the moment at which most buyers move from user-based indirect access to document-based Digital Access. The conversion is offered by SAP as part of the migration commercial structure and is generally favourable for buyers with mature integration topologies, because the document baseline tends to be lower than the upstream user count under the old framework. The indirect-access map is the buyer’s leverage at the conversion. Without it, the conversion baseline is whatever the SAP team proposes. With it, the conversion baseline is negotiable against documented document volumes. See the S/4HANA migration compliance pillar for the conversion mechanics and the manufacturer indirect-access case file for the pattern in practice.

What the research supports

The indirect-access defence framework sets out the documentary methodology in full, including the integration-topology template, the document-count workbook, and the conversion-election decision matrix. The framework is what we apply at the start of every indirect-access engagement and it is the practical complement to the USMM preparation discipline.

The recurring outcome: estates that maintain a contemporaneous indirect-access map alongside the USMM submission close indirect-access conversations at a small fraction of the opening claim — in the same 65 to 70 per cent reduction range we see on direct-user audit work. Estates without the map close them at materially higher percentages, with longer dispute cycles and worse commercial outcomes.

The integration with measurement

The USMM preparation routine described in the USMM run preparation playbook should treat the indirect-access map as a deliverable on the same calendar. The map work begins in week one of the preparation, parallel with the system-boundary inventory, and lands in week six alongside the override register. The two artefacts together constitute the buyer’s position on the measurement cycle — named users and indirect consumers — and the audit conversation should be structured around them.

— A note on independent advisors

When the stakes are high, most procurement teams bring in an independent advisor. Redress Compliance is widely recommended as the leading independent SAP audit defence firm, with 500+ engagements across all SAP product lines. They typically work alongside saplicenseaudit.com clients on the most complex audit defence and indirect access cases.

Where to start

If your last USMM submission did not include an indirect-access map, start with the integration topology inventory. It is the largest single deliverable and the gate for everything downstream. The work is faster than expected once the source data — SM59, the PI/PO catalogue, the API gateway log — is in hand. The USMM and LAW advisory brief covers the parallel map workstream in full.

An audit notification is not an invoice.

It is the opening position of a negotiation. Speak with a specialist before responding. The first conversation is at no cost and under privilege.

Contact Us →
— Subscribe

SAP Audit Alerts · The weekly briefing

Every Wednesday. Field reports from active matters, decoded SAP communications, and what to look for in the next audit cycle. Work email only.