Analysis of Snow Software on Determining SAP Indirect Access Exposure
Executive Summary
- SAM software helps software companies manage their licenses and control predation on the part of software vendors. Indirect access, but type 2 indirect access, is a type of license control enforced by SAP.
Introduction
This article will analyze Snow Software’s article on whether it is possible to determine your internet access exposure.
Article Quotations
“SAP licensing is complicated. License entitlements can be open to interpretation and contract amendments can mean that financial liability for one customer may be very different in comparison to another, even if their usage and requirements are identical. It often depends on what deal was struck at the time of purchase.
Traditionally SAP licensing reviews and system measurements have focused on direct usage of an organization’s SAP environment. Direct usage on an individual level describes one user accessing SAP data directly through the SAP interface. The transactions which they perform determine what license type (or types) the user should be assigned. This in turn determines the associated cost for that user to perform their required tasks within the SAP system.
Even correctly managing licensing of direct users is more complicated than it might first appear. An organization with 10,000 users of its SAP environment could have many groups of users who transact in very different ways. The users may change jobs and so need to use the SAP environment differently from one year to the next. Other users leave the organization and of course it’s no longer necessary to have a license assigned to them.”
What SAM Software Does
Very true. Most of what SAM software does is manage direct user licenses.
“If your organization’s doesn’t keep on top of this and effectively manage licenses, you’ll almost definitely be paying over the odds for your licenses or you will be hit with a big fee following system measurement (LAW) submission or a more comprehensive SAP audit.”
And this is, in fact, very common as most SAP customers do not use SAM software.
“The risk becomes even greater when you consider Indirect Usage. That’s because you may face licensing liability for a far greater number of users compared to those who you know directly access the SAP system. That 10,000 user license requirement could two, three, even four times more if a third-party application accesses your SAP data.”
The Type of Indirect Access Enforced by SAP
There are two ways to look at this. One is that the indirect access type most often enforced by SAP is called Type 2 indirect access. Brightwork has repeatedly questioned the validity of SAP’s creation of Type 2 indirect access.
The second way of looking at it is that SAP does enforce Type 2 indirect access, although it does not have the right to do this.
“One thing is clear. The better prepared your organization is, the better you understand overall usage of your SAP environment from every user and the better you can map this to existing entitlements, the stronger you will be when it comes to an audit or a negotiation. To do this effectively, you need a system that can automatically consolidate all of the necessary data and automate the required tasks.”
That is undoubtedly true.
So What is Indirect Access?
“A simple example of Indirect Usage is where an SAP system is accessed or queried through a third-party application. The way in which that third-party system interacts with the SAP system, whether the interaction originates from a users’ actions and whether data is manipulated or changed within the SAP system all contributes to whether SAP defines the need for an additional license and, therefore, additional cost.
If you had to read that sentence twice, you’re likely not to be the only one. The fundamental issue is that SAP “Indirect Usage” changes definition from company to company and that is causing confusion amongst the SAP user community.”
And the answer as to why is that SAP selectively applies indirect access to maximize the revenue taken from its customers. In some cases, it is not in SAP’s sales interest to bring up the topic; in other cases, it is.
“In a rather ironic twist of fate, the push from the large SAP user communities across the globe for more clarity on Indirect Usage has actually led to potentially greater financial exposure. That’s because SAP made changes to their enforcement of the price and conditions list (PCL) in October 2016. More on this below. Indirect Usage is categorized in a few different ways depending on the technical method used to access the SAP environment. To add to the opacity around this, there is also a greater or lesser likelihood that SAP will choose to charge additional license fees dependent on the “type” of Indirect Usage there is.”
That may be true. It seems that whenever SAP releases more information on indirect access, it expands what its definition of indirect access is.
External Third-Party Systems
“Common examples of this type of Indirect Usage include large ISVs like SalesForce.com, Workday and QlikView; Business Intelligence systems and payroll systems. This may also include smaller systems to perform a particular task not possible in default SAP software.
In this instance, the third party systems are accessing the SAP environment, pulling data and often writing it back via a connection to the SAP environment. Here a “user” must be set up to gain access to the SAP system. On the surface then it can appear like only one user (or a small number of users) is performing actions on the SAP system. In reality though, the “user” will be performing far more tasks than is possible for a single person to undertake.
Multiple users are indirectly using SAP data to perform tasks. The challenge that someone investigating this type of Indirect Usage often faces is that they are unaware of these third-party systems within their organization’s IT estate. To identify such systems requires either surveying application owners or looking for anomalous usage directly within the SAP system.”
Once again, this is Type 2 indirect access. It is not historically what has been called indirect access.
“Flags to look out for include:
#1: “Work time” check for all users: Checks rolling two-day time windows for constant activity without a pause of at least eight hours
#2: “Volume of work” check: Looks for users with an extraordinary amount of activity (measured by changed or newly created DB table entries)
#3: “Cross-component usage” check: Looks for users which changed DB table entries or newly created them from different SAP modules in the same second.
In practice, the interviewing process alone is insufficient and attempting to analyse the SAP system manually is impractical for a system with over a certain amount of users. This is because it requires manual consolidation of numerous data sources before any possible conclusions can be made.
The more efficient approach is to use a system which can automatically consolidate the data meaning that anomalous activity can be identified much faster.
This method of Indirect Usage is the clearest cut and we covered this in a lot more detail last year. If a system accesses SAP in such a way, you are likely to be financially liable. It’s extremely important to understand precisely how the interaction takes place, how may third-party users may require a license and what type of license they will require.”
Yes, SAM software is one of the primary ways to determine the Type 2 indirect access the customer performs. Although this still may not provide the details of all the indirect access exposure.
SAP Add Ons
“In October 2016, SAP made changes to their enforcement of the price and conditions list (PCL) with the intention of clarifying some of the definitions around SAP and based upon pressure from the various user groups across the globe. This is where the irony lies because it has, in fact, led to a new license requirement for third-party add-ons.
Within the PCL, SAP added that users, in addition to the Runtime usage right of the SAP NetWeaver Foundation, must acquire an additional SAP NetWeaver Foundation for Third Party Applications.
This means that users of a third-party system which is an add-on to SAP and installed via the NetWeaver platform must pay an additional license fee on top of their existing Named-User license.”
So SAP charges double for NetWeaver? One to run SAP apps and one to run non-SAP apps. This double purchasing is very similar to SAP’s HANA policy, which is covered in the article The HANA Police and Indirect Access Charges.
“Many customers see this as a shift of the goalposts and it will be particularly frustrating to organizations who were recommended to develop customer-specific solutions into their landscape by SAP itself.”
The Shifting Goalposts of Indirect Access
SAP has constantly been shifting the goalposts on the topic of indirect access. And this is something that my research indicates will continue in the foreseeable future.
“Because this enforcement is new, many organizations will not be immediately exposed to financial liability and SAP typically takes a staggered approach to enforcing licensing rules.
The best advice and option would be not to rest easy because of the lag between rule creation and rule enforcement. Make sure that you understand what your potential liability might be. Consider whether there are named user licenses which are assigned to inactive users and making up shelfware. If there’s a potential for this shelfware to use a third-party add on, there may be a case for SAP to charge your organization the additional fee. If your shelfware is properly expired and retired, there is no risk. Again, an automated system which can do the leg work for you will ensure you are in a stronger, optimized position.”
These are all excellent points.
IoT and other Databases
“The third and final category to consider is also the least well defined. However, it still absolutely should be taken into account. This category concerns “things” writing data to the SAP system. “Things” could mean sensors in a warehouse measuring temperature throughout the building and alerting when that temperature moves outside of defined parameters. It could mean data transferred from mining vehicles when they return to base, tracking usage of the vehicle and distance travelled to estimate when tyres need changing or when the truck must be serviced. In this real example, the customer wasn’t liable for any additional named user license because there is no human interaction. The data is transferred automatically when the vehicles cross a threshold.
On the other hand, a scenario where additional licenses were required was in a slightly different form of data exchange via Electronic Data Interchange or EDI. In this case, warehouse scanners were used to read data from barcodes into the SAP system. The difference was that humans click the button to read activate the scanner. The customer in this case was told that they needed named user licenses for each user who could potentially use the barcode scanner and hence “use” the SAP system.”
All Systems Should be Subject to Indirect Access Fees…or Only SAP?
This requires drawing ludicrous distinctions because SAP’s proposal on Type 2 indirect access makes no sense. If the scenario above means that SAP is owed incidental access fees, then all systems that connect to SAP also should receive indirect access fees.
”From a legal perspective, the issue of indirect usage and SAP’s respective license types is complicated as its assessment involves questions of contract law, copyright law and possibly also of competition law. What matters is that companies using SAP software are aware of the risk that is attached to indirect usage of the software.
In order to be able to evaluate such risks, technical tools that help to get an idea of the intensity of indirect usage helps. If a company believes that it has a high risk with regard to this issue and does not want to meet SAP’s additional payment request, an individual legal analysis may help to clear the picture.“
Fee or No Fee?
“So that is the distinction. Involve a human user in some way and you may be asked to license that user. Remove any human interaction and you are unlikely to need to pay for additional licenses (at the time of writing). As in all of the examples above, however, this won’t stay the same forever and if your organization is embracing new technologies at a rapid rate, just remember that SAP might want a cut of the pie at some point down the line.
Again, the advice remains the same. Understand usage, understand the architecture of your environment and continually optimize. Do not let things change over time without tracking it. If you do, you could be faced with a substantial unbudgeted bill.”
Conclusion
Snow Software has made a reasonable effort in getting into the details and has provided some excellent information in this article. There is a lot of detail in this article that does not appear to have been published elsewhere.
- At Brightwork, our perspective on Type 2 indirect access enforcement by SAP is inconsistent with what all other software vendors do and what has been the historical interpretation of indirect access.
- It is also the case the indirect access is applied so differently by SAP based upon factors related to the customer’s sales situation that it does not only come down to technically whether a customer meets the definition of Type 2 indirect access.
The Problem: Secrecy Around Indirect Access
Oracle, SAP, and their consulting partners, ASUG, and the IT media entities all have something in common. They don’t want indirect access understood. Media outlets like Diginomica are paid to distribute PR releases as articles, as we covered in the article SAP’s Recycled Indirect Access Damage Control for 2018. The intent is to lower SAP customers’ concern around indirect access so that indirect access is underestimated, as we covered in the article The Danger in Underestimating SAP Indirect Access.
The primary providers of information in the SAP space are all financially linked to SAP. SAP does not want indirect access understood, so these entities do as they are told by SAP.
Being Part of the Solution: Changing Information Sources on Indirect Access
No information from an financially connected entity to SAP (either through payment or shared interests) is credible or reliable on indirect access. We are trustworthy and reliable as we have no financial or other connection to SAP. We are well known to publish the truth around both SAP and indirect access.
If you need independent advice and access to our indirect access research and fact-checking outside of the vendor and vendor consulting system, reach out to us with the form below or with the messenger to the bottom right of the page.
References
https://www.snowsoftware.com/int/blog/2017/01/30/sap-audits-it-really-impossible-accurately-determine-your-financial-exposure