The SAP® Indirect Usage Time Bomb – PT II
In my first blog of this series I explained the concept of Indirect Usage, why it is a significant financial risk to organizations and provided an overview of how to gain control of it.
Here I explore Indirect Usage in further detail and provide practical steps to ascertain a full picture ready for contract re-negotiation and license audits.
A brief history of Indirect Usage
Access to enterprise data managed by SAP generally requires a named user license. This is a unique license associated with an individual that can be used by them across any device and any location.
There are some exceptions, but the bulk of the SAP model is centered on named user licenses. If others in the value chain such as employees, contractors or business partners are accessing SAP-stored data through third-party software such as Workday or Salesforce, or through a bespoke internally developed application, organizations must ensure that all the users of those applications have an SAP named user license of the right type provisioned for them.
The challenge for many large enterprises is that they have been building out their SAP deployment over the past 15-20 years, and dozens if not hundreds of applications have been interconnected to SAP over that timeframe. Many of these enterprises were strongly encouraged by SAP themselves to use their solution as the system of record and platform for executing the operations of the company – financial accounting, manufacturing, procurement, supply chain management, channel and distribution management, human capital management and various other key processes.
While indirect usage was not historically open to scrutiny, we are seeing more focus on it from audit teams as SAP looks to monetize the value it brings to third-party applications that use data supplied from SAP systems.
This has required companies to step up their licensing requirements to remain compliant.
Examples of indirect access from third-party or bespoke applications
Indirect access is the result of third-party and bespoke applications that allow users to send, receive and change SAP data through what are often referred to as ‘access points’. This is an integration mechanism that funnels SAP activity through a single user account.
An organization may find itself in violation of their license if those accessing users are not correctly licensed. Most enterprise applications such as human resource management/ human capital management, procurement, customer relationship management, logistics and channel management all work best when they can access the centralized information in SAP about sales, customers, manufacturing and supply chain management. Web and mobile-based applications can also be problematic without the properly-licensed SAP infrastructure components.
These become increasingly difficult to track and manage in the interconnected world. For example, a company may choose to allow its channel partners to launch a web page and query the inventory of parts before ordering.
This is an indirect use of SAP, and each partner that accesses this web page to receive the content must be properly licensed by either a named license or SAP’s infrastructure software that provides web and mobile linkage.
With larger enterprises, the challenge is that these applications have been layered into the landscape over a long period of time and some, indeed many are forgotten a decade later. Advanced SAP license management and optimization tools are able to identify and highlight those that may be problematic in minutes rather than months.
How can you isolate the access points?
Many third-party and bespoke applications do not rely on the individual user logging on to their application with their SAP credentials. Most set up a single integration point from which all users connect to the SAP systems. That single integration point is often entered with one SAP user ID. When this is the case, these particular users surface as having anomalous behavior patterns that are distinctly different from a normal individual.
As discussed in my prior blog (part I) in this series, I suggested that there are three leading indicators that SAP will generally look at to determine if there should be concern about indirect access – multiple logons simultaneously from different devices/ locations, an extraordinary work level compared to the normal activity on a particular system, or excessive work time, perhaps a user remaining logged on for 10 days and constantly carrying out transactional activity.
An advanced license management and optimization tool such as Snow Optimizer for SAP® Software can automatically isolate and detect these activities and keep the SAP administrators and management appraised of these potential concerns. A dashboard will assist in identifying irregular activities that require closer scrutiny to determine whether indirect usage is occurring.
How do I determine if this is an issue to address?
Once a list of possible access points has been established then, working with SAP System Architects and SAP Basis Administrators, a screening process must occur. Many of the access points may be system-to-system integrations that only involve internal SAP applications but because these access points are automatically identified the process of elimination is far more efficient.
As the list is narrowed down, each application that is connecting through a particular suspect user ID should be mapped. Each application owner must be established and then interviewed to document what the application is and does, who the users are, if those users have an SAP license and if so, what the license type is.
Using a Software Asset Management (SAM) solution that provides metering capability, one can track all the users in an enterprise that have accessed a particular application. This automation can save hundreds of hours of time being expended by the internal IT staff. As part of the interview process with the application owner, an understanding of what the application and user are doing is important. This determines what license type is required.
Within Snow Optimizer for SAP Software, the historic behavior of the application from an SAP transactional perspective can be isolated and determined. For instance, if the application is a query and solely provides read-only access for the user, then a special license type from SAP may be the best means of achieving compliance.
How should I prepare my findings for an audit or contract renewal?
The most important preparation for an annual SAP self-audit and submission of LAW data is to be sure to have cleaned up inactive SAP users and that the best license type is assigned to each user based on the cost of the license and the individual activity.
When it comes to a contract renewal or on-site audit by SAP it’s crucial to not only prepare the requirements above, but also to fully understand potential contractual compliance issues, in particular those around indirect access and usage.
For many enterprises, preparing for an audit or contract renewal where indirect access/usage is an issue becomes a four to six -month period with a significant diversion of IT resources. Software Asset Management vendors and SAM consulting firms use highly automated and advanced tools to dramatically reduce the time and labor required to pull these requirements all together.
Snow Optimizer for SAP Software constantly monitors system measurements across the hundreds (or even thousands) of SAP systems in an enterprise, aggregates that data and highlights key compliance concerns for the SAP Administrators. Essentially, the technology becomes your own in-house SAP license optimization expert. It provides an informative dashboard with potential indirect access compliance issues and warns the SAP staff as concerns are identified. In the final part of this blog series on SAP Indirect Usage, I will focus on how to negotiate the best outcome with SAP around your indirect usage financial exposure.
For help understanding your organization’s likely exposure to unbudgeted SAP Indirect Usage costs, why not speak with a SAP licensing expert from Snow today?