Indirect access violations occur when an SAP licensee breaches SAP’s definition of appropriate “use.” The most challenging aspect to SAP’s claim of a license grant violation here lies in the very definition of use itself. The definition fails to specifically identify the concept of indirect use which leaves it completely up to SAP to determine when a violation has occurred and to what magnitude. In the past, SAP briefly nipped at its customers’ heels on the issue of indirect access, but recently, SAP has shocked some of its loyal customers by going for the jugular. Through our customers, we have observed SAP use indirect access violations as an excuse for predatorily squeezing fees from their customers, and worse, seizing the opportunity to reduce flexibility and promote an anticompetitive environment.
The concept of indirect access deserves your attention because it can expose both old and new SAP customers to substantial incremental fees. In fact, customers who feel quite comfortable given their long standing relationship with SAP may be at greatest risk because their landscape of perceived unlicensed users may be the least pruned, thus exposing them to a compliance ambush. Net new customers are also affected by SAP’s aggressive business practices. Although they can educate themselves about SAP’s behavior and negotiate accordingly from the get-go, SAP’s new definition of how their software cannot be used will handcuff even its new, informed customers into agreements which expose their company and now also include ludicrous restrictions on data extraction.
What is SAP’s justification for enforcing the concept of Indirect Access? Is SAP justified in seeking repayment for perceived violations of its license agreements?
According to SAP, the concept of indirect access falls under a special licensing scenario whereby license requirements are based upon utilization of the software without regard for the technical interface that is used to access functions and/or data. From our perspective, where non-compliance is clear, SAP is entirely within its right to demand payment for its customers’ use infractions. For example, it is acceptable for SAP to tout indirect use as a protective restriction when there is a legitimate reason for SAP to protect its intellectual property (IP). When unlicensed users knowingly take advantage of SAP’s infrastructure and unique processing capabilities without paying, SAP is justified in requesting its customer pay additional fees for the additional benefit. We also do not fault SAP for protecting its IP in situations where its processes enhance the capabilities of other systems. But of course this is not where SAP’s definition stops.
Where is SAP going overboard with indirect access? SAP’s use of indirect access scenarios as a means for identifying customer non-compliance is primarily excessive in terms of its broad reaching definition of “use” and its recent addition of data extraction and workaround restrictions within its standard license agreement.
When a licensed user pulls its own business data from an SAP system, one would think that SAP’s IP was unaffected. However, although any IP associated with producing business data via a specific SAP process is paid for and in compliance within the license agreement, SAP is now expecting only SAP processes to be used to extract a customer’s data from SAP’s system to another non-SAP system. It is requiring additional licenses for its customers to extract their own data. Currently it is demanding back payment from its customers who have reasonably built integrated environments with non-SAP systems. These new data restrictions coupled with increased indirect access policing can be perceived as impediments to fair competition.
Customers pay for SAP user licenses to create the data in the first place. Thus, SAP’s customers should reserve the right to access their own data via non SAP processes for their own use. This does not infringe upon SAP’s processes or their IP. If customers do not intend to give SAP exclusive rights over their data when signing on with SAP, they need to review their landscape carefully and plan how to manage SAP if they are audited, and new customers need to be careful during the negotiation stage of their agreement to ensure this language is not included within their agreement. As we discussed in an earlier post, SAP’s broad definition of use was allowed to sneak by in most customer contracts. SAP lulled its customers into thinking it was harmless; however, the following examples demonstrate otherwise.
Troublesome examples of what SAP considers use by way of indirect access:
- A third party software package extracts transactional and master data from SAP’s Business Warehouse which then allows the customer to slice and dice the data from an analysis standpoint. The data does not update SAP after the “slice and dice” has been performed. SAP considers this indirect access of the software and use.
- Customer orders are subsequently entered into SAP via a non-SAP application which previously captured all of the order information. SAP considers this use via indirect access because the non-SAP application users are activating the processing capabilities of the SAP software. In this case, SAP would require named user licenses for all of the non-SAP application users interfaced to the SAP software as well licensing of the SAP Sales and Service Order Processing package.
- Employee “A” extracts SAP data to an Excel file which is saved locally to her computer. Employee A then e-mails the Excel file to employee B. According to SAP, not only does employee A require a user license, but so does employee B because the processing capabilities were activated and business value derived
- An SAP customer publishes an order to one of its suppliers through a non-SAP application whereby a request then comes back to SAP to check a credit limit or inventory level. In this scenario, when data goes out of SAP and then back into SAP via a non-SAP application, SAP considers this use by way of indirect access.
- A member of your sales team is conducting a call with one of your customers who asks for a prior purchase history. Your sales person requests this information using Salesforce.com which then reaches out to SAP to get the information. From SAP’s perspective, Salesforce is acting more as an intermediary system, while SAP retrieved the information through the activation of its processing capabilities. In this scenario, SAP requires the sales person to also have an SAP user license.
- A member of your engineering team is using a third party engineering application for some product design work but needs to obtain additional engineering data out of SAP to complete the work. By now, it should not surprise you that SAP constitutes this indirect access as use, and therefore, your engineer would also require an SAP user license.
Every SAP customer has at least several of the above listed scenarios built into their current environment or perhaps planned in a future roadmap. If SAP is allowed to go unchecked, we expect SAP to be more fervent in its pursuit and enforcement of indirect access compliance scenarios as a way to generate additional license fees.
Why is UpperEdge so concerned about SAP’s stance on indirect access? We are highly concerned about SAP’s expansion of “use” through indirect access because there is no real transparency on the issue in the marketplace and the overall impact for ill-informed/unprepared SAP customers can be enormous.
What Should SAP Customers Do? The major challenge for SAP customers who are faced with a letter claiming non-compliance due to an indirect access scenario lies in the ambiguity of the definition of “use” within the agreement. The majority of all agreements never mention the concept of “indirect access” as a means of use. As written, the definition of “use” can basically be any scenario that activates the processing capabilities of the SAP software. Should unloading or extracting data constitute use? In this sense, how can an SAP customer clearly know when use starts and stops? Furthermore, when it comes to extracting additional license fees, is all use the same? Should there be no consideration taken of the depth of processing capabilities leveraged and the magnitude of benefit received?
Indirect access is an issue CIOs simply cannot afford to ignore. While SAP may have been indifferent to expanded use through indirect access in the past, they have changed their tune and you cannot afford to be caught off guard.
Worried you may receive a letter from SAP’s Office of License Compliance claiming indirect access? Check out our 6 step plan to ensure you are well prepared.
To assess whether your organization is at risk of Indirect Access claims by SAP, use our SAP Indirect Access Risk Assessment Tool.
Email email@example.com for question and concerns about indirect access or simply call 617-412-4335 for a confidential consultation.