Indirect usage in SAP: How to avoid the risks

in Advisory, 31.05.2017

The recent judgment in favor of SAP in the litigation concerning indirect usage has unsettled the global SAP community. As a result, transparency across the entire SAP infrastructure is becoming a high priority.

Unease has spread through the global SAP community since the London High Court granted SAP's request for remuneration in litigation around indirect usage. Within a few hours, the news spread around the globe and SAP customers started asking the few well-known experts for advice. What does this judgment mean for SAP customers? First, let's point out that indirect usage is not exclusively an SAP topic. Rather, a large number of software vendors demand compensation for corresponding scenarios.

Asking the critical questions to mitigate risk

The key question is how to deal with this topic and prepare accordingly to protect against indirect usage risk. Technical tools and "standard procedures" offered by various tool manufacturers need to be critically challenged. However, there are some approaches that are fundamental in every case. For example, it does not help to keep track of RFC connections and check them against the blacklists circulating among the user groups. Is it possible, according to the existing judgment, to assume that a Salesforce application always results in indirect usage of SAP? Obviously, but the real question is: is it relevant for licensing? This is a much more difficult question to answer.

Experts make things simpler for themselves than they should by looking only at the endpoints of communication. Rather, it is important to evaluate existing usage scenarios holistically:

  • Is data being exchanged in real-time (or regularly) between systems?
  • Is the exchange initiated by human interaction or by a technical user?
  • Is the communication uni- or bidirectional?
  • Are records being transferred to the database by starting a dedicated query or as a bulk transfer?
  • Or, is there even a kind of message queue as a data collector placed between the systems?

Clearly, there are many other points that need to be considered, and the usage rights in the target systems or authorizations in the Active Directory environment can play a further role.

The road to transparency

A possible approach to the existing problem could be as follows: Start by tracing RFC connections to identify potential third-party applications. It is equally important, however, to gather information about applications that communicate via, for example, IDoc interfaces, IPsec connections, HTTP, CHC, SNA, TCP/IP, OSS or other communication paths. Once the systems that are potentially affected by indirect use have been identified, they should be classified and appropriately prioritized based on the expected monetary risk.

The next step is to collect detailed information on the prioritized systems and their associated SAP users, and to outline the infrastructure diagrams that set the starting point for an accurate assessment. The use of external applications should also be identified. For this purpose, a check of usage and access authorizations outside SAP may be necessary.

Subsequently, each identified scenario is evaluated individually, including whether technical measures can minimize or even eliminate the risk.

Once you have arrived at the end and have identified the most cost-efficient licensing variant (or technical solution for risk mitigation), existing scenarios are sensibly combined into overlapping use cases in order to avoid the cost-inefficient purchase of multiple usage entitlements for a single user.

For those users who are actually affected by the necessity of acquiring new licenses, we recommend that you investigate the latest functionalities within the SAP environment that have been accessed by each relevant individual. A match against the corresponding price and conditions list (PCL) identifies the most cost-effective coverage variant(s) and leads to the long-awaited transparency and lasting risk minimization.

 

 
