The global and independent platform for the SAP community.

Risk of indirect use - Better Practice

The recent ruling in favor of SAP in the legal dispute regarding indirect use has unsettled the global SAP community. This is one of the reasons why the creation of transparency with regard to the entire SAP infrastructure has become more important.
Florian Ascherl, KPMG
March 31, 2017
Licenses
avatar
This text has been automatically translated from German to English.

Uncertainty has gripped the global SAP community since SAP's request for compensation in the indirect use litigation was granted.

Within a few hours, the news spread around the globe and SAP customers are increasingly seeking advice from the few known experts. What does this ruling mean for SAP customers?

First of all, I would like to point out that indirect use is not a purely SAP issue. There are many manufacturers who claim compensation for corresponding scenarios.

But how can you deal with this issue and prepare or safeguard yourself accordingly?

Technical aids and "standard procedures" offered by various tool manufacturers must be critically scrutinized. However, there are some approaches that must be fundamentally observed in any case.

For example, it does not help to track purely RFC connections and check them against blacklists in circulation.

For example, according to the existing ruling, can one now claim across the board that a Salesforce application causes indirect use in every case? Of course, but the real question is: Is this use subject to licensing? And this is significantly more difficult to answer.

If you only look at the end points of communication, you are making life a bit easy for the experts. Instead, existing usage scenarios must be evaluated holistically.

  • Is data exchanged in real time between systems, or is it done on a frequency basis?
  • Is the exchange by human interaction or by technical user?
  • Is the communication uni- or bidirectional?
  • Are records exchanged via dedicated query to the database or in bulk?
  • Or is there even some kind of message queue hanging between the systems as a collection station?

Of course, there are a number of other notes that need to be taken into account, and usage rights in the target systems or permissions in the Active Directory environment can also play a further role.

A possible approach to the existing problem can be as follows, for example: As a start, tracing RFC connections to identify potential third-party applications can be done. Equally important, however, is the collection of information on applications that communicate via IDoc interfaces, IP sec connections, HTTP, CHC, SNA, TCP/IP, OSS, or other paths, for example.

Once you have identified the systems potentially affected by indirect use, you should classify them and prioritize them sensibly based on the level of expected monetary risk.

The next step is to gather detailed information on the prioritized systems and their associated SAP users and outline the infrastructure diagrams as a starting point for an accurate assessment.

The use of external applications should also be identified. This may require an audit of non-SAP authorization and access administrations.

Subsequently, all identified scenarios are individually assessed and evaluated as to whether technical measures can minimize or even eliminate the risk.

Once the most cost-efficient licensing option (or technical solution for avoiding risk) has been identified, existing scenarios are combined into comprehensive use cases to avoid having to purchase usage rights for the same user more than once.

For those users that actually entail a corresponding license purchase, the last step should be to evaluate in detail which functionalities are used indirectly within the SAP environment.

A comparison against the corresponding price and conditions list results in the identification of the most cost-effective coverage option(s) and leads to the long-awaited transparency and sustainable risk minimization.

avatar
Florian Ascherl, KPMG

Florian Ascherl is Senior Manager and Authorized Signatory at KPMG


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.