Risk of indirect use - Better Practice
Uncertainty has gripped the global SAP community since SAP's request for compensation in the indirect use litigation was granted.
Within a few hours, the news spread around the globe, and SAP customers are increasingly seeking advice from the few known experts. What does this ruling mean for SAP customers?
First of all, I would like to point out that indirect use is not a purely SAP issue. There are many manufacturers who claim compensation for corresponding scenarios.
But how can you deal with this issue and prepare or safeguard yourself accordingly?
Technical aids and "standard procedures" offered by various tool manufacturers must be critically scrutinized. However, there are some approaches that must be fundamentally observed in any case.
For example, it does not help to track only RFC connections and check them against the blacklists in circulation.
According to the existing ruling, can one now claim across the board that a Salesforce application causes indirect use in every case? Of course, but the real question is whether this use is subject to licensing, and that is significantly more difficult to answer.
If you only look at the endpoints of communication, you are making life a bit easy for the experts. Instead, existing usage scenarios must be evaluated holistically.
- Is data exchanged between systems in real time, or periodically?
- Is the exchange triggered by human interaction or by a technical user?
- Is the communication uni- or bidirectional?
- Are records exchanged via a dedicated query to the database or in bulk?
- Or is there even some kind of message queue sitting between the systems as a collection point?
Of course, there are a number of other points that need to be taken into account, and usage rights in the target systems or permissions in the Active Directory environment can also play a role.
A possible approach to the existing problem is as follows. As a start, RFC connections can be traced to identify potential third-party applications. Equally important, however, is the collection of information on applications that communicate via, for example, IDoc interfaces, IPsec connections, HTTP, CHC, SNA, TCP/IP, OSS, or other paths.
Once you have identified the systems potentially affected by indirect use, you should classify them and prioritize them sensibly based on the level of expected monetary risk.
The next step is to gather detailed information on the prioritized systems and their associated SAP users and outline the infrastructure diagrams as a starting point for an accurate assessment.
The use of external applications should also be identified. This may require an audit of non-SAP authorization and access administration.
Subsequently, all identified scenarios are individually assessed and evaluated as to whether technical measures can minimize or even eliminate the risk.
Once the most cost-efficient licensing option (or technical solution for avoiding risk) has been identified, existing scenarios are combined into comprehensive use cases to avoid having to purchase usage rights for the same user more than once.
For those users who actually entail a corresponding license purchase, the last step should be to evaluate in detail which functionalities are used indirectly within the SAP environment.
A comparison against the corresponding price and conditions list results in the identification of the most cost-effective coverage option(s) and leads to the long-awaited transparency and sustainable risk minimization.