Xpandion’s CEO, Moshe Panzer, a recognized professional advisor for SAP Licensing, has some excellent advice about a topic that’s been disturbing a lot of SAP customers recently – indirect access. I hope you’ll find this information beneficial for your organization.
Question: What is indirect access in terms of SAP licensing and why are we hearing so much about it recently?
Moshe: “Indirect access” is a term for SAP data use by an end user or by an application, which is not via SAPGUI. Here’s the exact definition from the SAP SYSTEM MEASUREMENT GUIDE:
13.8 Indirect Use
Named users are also upstream and intermediary technical systems that exchange information with the SAP software system, as well as the users of those systems, if the users exchange information with the SAP software in dialog or prompt mode. It makes no difference whether the software is accessed directly or indirectly.
In most cases, the technical appearance of indirect access is entry by an RFC (Remote Function Call) module. A common example would be using a handheld device in the warehouse and accessing SAP ERP to get data on materials. Another example would be using SalesForce to update customer cards (in Salesforce: Accounts) while in the card itself the annual sales data of the customer is fetched from the account in SAP ERP. These cases are examples of indirect access, in which the user is using data from SAP indirectly.
Indirect access by handheld device: Each user should have its own username to access SAP data
According to the SAP contract, users who indirectly access SAP must have an SAP user license too. Although many companies do not notice it, bringing SAP data into another application and using it by this application’s users must be considered carefully from an SAP licensing point of view. While technically a software interface can require only one user account to access SAP and fetch the data, this is not sufficient for SAP licensing. In most cases, if 3,000 employees use this data indirectly online, then an additional 3,000 SAP licenses should be in place to cover this indirect access to SAP.
And why are we hearing so much talk about this topic recently? Because even though it is covered in most SAP contracts, in 2013 SAP started paying special attention to indirect access, specifically looking for it in their annual licensing inspections.
Question: In the case of indirect access, how can one be sure that they’re not under-licensed?
Moshe: The answer is divided into two parts. The first part is to verify that the current situation is OK, and the second part is to ensure that the company remains in good compliance with its SAP licensing.
The way to do this is to carefully inspect current RFC accesses. Map each application and purpose. For each RFC access create a table:
|RFC User||Business Owner (Employee in Charge)||Purpose||Used By Application/User||Indirectly Used By #Users|
|LegacySampleUser||John Indern||Access accounts data||Financial Department||5|
How do you monitor current RFC connections? By using the data from SAP T-Code ST03N (Workload and Performance Statistics) or better yet, by using automated user behavior analysis tools like ProfileTailor LicenseAuditor.
Now, when the table is in place and you’re monitoring all current indirect access, apply an alert for when any new RFC use occurs within the organization. Each new RFC usage should then be carefully inspected and mapped or eliminated. We recommend using an automated alerting tool for new RFC access, again, offered in the ProfileTailor Dynamics suite.
A good automated alerting tool like ProfileTailor Dynamics will enable you to inspect each new RFC use as it occurs
Question: What is the future of indirect access? Do you think this will still be a hot topic 3 years from now?
Moshe: Based on our experience now, we can get a good idea about how it will be looking then. Primarily, companies will be extra aware of indirect access so the current situation will disappear and more companies will be organized around it. However, as many applications move to the cloud and require base data from the SAP system, it will be necessary to access SAP indirectly and therefore the budgets to cover this will need to be increased. Eventually, companies will discover that they are paying for the same data over and over and will re-think the whole thing.
The main point now is to get informed and be prepared for a licensing audit. Know who is currently accessing SAP indirectly, and be alerted when new indirect access begins. Once you are armed with this information, you can make smarter decisions regarding your SAP licensing.
ProfileTailor LicenseAuditor gives you full control over indirect access. This is what this means:
Prior to a Licensing Audit, ProfileTailor LicenseAuditor can find users who access SAP indirectly, and it can find users who alternate between indirect and regular access.
On on-going basis, ProfileTailor alerts about new applications that access SAP indirectly so you can know what needs immediate attention to avoid additional expenses and legal obligations.