SAP Indirect Access Risk Mitigation – PT II
With an optimized direct license estate (as described in the first blog of this series), an organization has the firm foundation required for estimating potential Indirect Access costs and effectively minimising them. Without a true understanding of the Indirect Access to your SAP system, you could be left on the back foot if an audit were conducted – that is not a desirable position to be in with any vendor, let alone SAP.
Identifying Indirect Access and documenting it, as described below, can be performed whilst optimizing an organization’s direct user licenses. We recommend that direct licenses are optimized prior to considering your Indirect Access licensing options. There are many variants of Indirect Access, but the most common relates to Named User licensing, which I examine in this blog post.
First though, discover where your third party and bespoke systems are accessing SAP.
Identify where Indirect Access is occurring
When a bespoke or third-party system accesses SAP, a typical method to interface is through a Named User. All functions (read, write, edit etc.) route through this user. Because of this, the observed behavior is very different from that of a human user. Looking for these behaviors enables the administrator to detect such users and therefore third-party systems accessing SAP.
The anomalous behavioural patterns that typically indicate Indirect Access are very labour intensive to identify manually, especially when managing multiple SAP systems. Thankfully, while some points of review must be performed manually, a great deal can be automated.
The indicators to look out for are:
- Cross-component usage – Accessing multiple systems in a very short time is unusual behavior for a “real” user.
- Extended work time – Even the most conscientious of users will not work continuously for 24 hours without a break.
- Extraordinary volume of work – Any “Named User” whose workload (i.e. number of transactions performed or CPU usage per day) is significantly above average indicates activity from a system.
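The three indicators above can be turned into a simple screening script that runs over per-user activity records and reports which Named Users behave like a system rather than a person. The following is an added example, not code from the original post or from Snow Software; the record layout (user, system ID, hourly timestamp, transaction count), the user and system names, and the thresholds (two systems within five minutes, 20 or more active hours in a day, daily volume above five times the median) are all constructed assumptions for illustration, and a real review would derive the baseline from a much larger population and period than three users on one day.

```python
"""Screen SAP Named Users for the three Indirect Access indicators:
cross-component usage, extended work time and extraordinary volume.

Constructed example data and thresholds; not real SAP log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _ts(day_hour):
    # Parse a constructed "YYYY-MM-DD HH" label into a datetime.
    return datetime.strptime(day_hour, "%Y-%m-%d %H")


def build_sample_activity():
    """Constructed activity records: (user, system, timestamp, transactions in that hour)."""
    records = []
    # JSMITH: a human, 08:00-17:00 on a single system, ~40 transactions per hour
    for h in range(8, 17):
        records.append(("JSMITH", "ERP_PRD", _ts(f"2024-03-04 {h:02d}"), 40))
    # AKHAN: a human, 09:00-18:00 on ERP, with one BW logon at lunchtime
    for h in range(9, 18):
        records.append(("AKHAN", "ERP_PRD", _ts(f"2024-03-04 {h:02d}"), 30))
    records.append(("AKHAN", "BW_PRD", _ts("2024-03-04 13") + timedelta(minutes=30), 5))
    # IF_WEBSHOP: interface account used by a third-party web shop (assumed name):
    # active every hour of the day, touching ERP and CRM within seconds, thousands of tx/hour
    for h in range(0, 24):
        t = _ts(f"2024-03-04 {h:02d}")
        records.append(("IF_WEBSHOP", "ERP_PRD", t, 2500))
        records.append(("IF_WEBSHOP", "CRM_PRD", t + timedelta(seconds=30), 800))
    return records


def cross_component(events, window):
    """Indicator 1: two different systems used by one user inside `window`.
    `events` is a time-sorted list of (timestamp, system, tx)."""
    for i, (ts_i, sys_i, _) in enumerate(events):
        for ts_j, sys_j, _ in events[i + 1:]:
            if ts_j - ts_i > window:
                break  # events are sorted, so nothing later can be inside the window
            if sys_j != sys_i:
                return f"cross-component: {sys_i} and {sys_j} within {window}"
    return None


def extended_work_time(events, min_active_hours):
    """Indicator 2: a user active in `min_active_hours` or more distinct hours of one day."""
    hours_per_day = defaultdict(set)
    for ts, _, _ in events:
        hours_per_day[ts.date()].add(ts.hour)
    for day, hours in sorted(hours_per_day.items()):
        if len(hours) >= min_active_hours:
            return f"extended work time: active {len(hours)} hours on {day}"
    return None


def extraordinary_volume(events, baseline, factor):
    """Indicator 3: daily transaction total far above the population baseline."""
    per_day = defaultdict(int)
    for ts, _, tx in events:
        per_day[ts.date()] += tx
    for day, total in sorted(per_day.items()):
        if total > factor * baseline:
            return f"extraordinary volume: {total} tx on {day} (baseline {baseline:.0f})"
    return None


def find_indirect_access_candidates(records, window=timedelta(minutes=5),
                                    min_active_hours=20, volume_factor=5.0):
    """Return {user: [reasons]} for every user matching at least one indicator."""
    by_user = defaultdict(list)
    daily_totals = defaultdict(int)
    for user, system, ts, tx in records:
        by_user[user].append((ts, system, tx))
        daily_totals[(user, ts.date())] += tx
    # Baseline: median daily transaction total over all (user, day) pairs seen.
    baseline = median(daily_totals.values())

    findings = {}
    for user, events in by_user.items():
        events.sort()
        reasons = [r for r in (
            cross_component(events, window),
            extended_work_time(events, min_active_hours),
            extraordinary_volume(events, baseline, volume_factor),
        ) if r]
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_indirect_access_candidates(build_sample_activity()).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data only the interface account is reported, with all three reasons; AKHAN's single lunchtime logon to a second system 30 minutes after the last ERP activity stays below the cross-component window, which is the kind of human pattern the thresholds need to tolerate. The candidates this produces are the starting point for the screening and application-owner interviews described in the next section, not a conclusion on their own.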
Once a list of possible access points through the anomalous users has been established, the SAP team should undertake a screening process to identify the low- and high-risk areas of financial exposure.
Many of the access points may be system-to-system integrations that only involve internal SAP applications. These are the low-risk access points and can be discounted. As the list narrows down, each application that is connecting through a suspect user ID should be mapped.
Application owners must be established and then interviewed to document what the application is, its purpose, and who its users are.
Next, the organization should establish whether those users have an SAP license and, if so, what the license type is. It’s important to establish the users’ requirements with the application owner: for example, do they process orders through the application, are they just reading data, or are they performing tasks unrelated to SAP data?
Cleaning up
Unless otherwise stated in the contract or as part of an amendment to the organization’s agreement, any individual who accesses SAP-stored data in real time, directly or indirectly, must have an SAP Named User license of the correct type provisioned for them.
So, it follows that when a third-party system interfaces with the SAP system and all users of said third-party application can indirectly access the SAP system, they must all have a Named User license assigned to them, regardless of whether they need to access the SAP-held data or not.
However, the third-party system should be reconfigured so that access is partitioned off to only those who require it. This minimizes the number of indirect users who require a license. It also follows a “secure-by-design” principle because it prevents unauthorized access.
In addition, consider whether the data needs to be accessed in real time. If the third-party application/system does not require real-time access to data in the SAP system, it should be configured as such. This might be considered a ‘Static Read’ and may not need an SAP license. Recent experience with Snow’s customers suggests that SAP rarely accepts this scenario.
Decision time
At this point, you should have a clear view of the number of users who require a license through your third-party systems and how many can be assigned a license from the pool of licenses collected from your optimization efforts. You are now able to make a call whether to use this license model or to adopt SAP’s new licensing models, explained below.
In May 2017, SAP created new licensing models to cover scenarios where users of a third-party system process sales and/or purchase orders. SAP offers the option to use the Procure to Pay (P2P) or Order to Cash (O2C) pricing method. The definitions are covered in the SAP Indirect Pricing White Paper.
Typically, the more users that you have accessing the SAP system, the more likely it is that you will want to adopt SAP’s new licensing rules. To illustrate, consider the following examples. (This is simplified by assuming that all users should be assigned a Platform User license.)
Example 1
Company X places ~700,000 orders/year through 2,000 indirect users
- User-based scenario: 2,000 x €1,300 = €2,600,000
- Order-based scenario: 700,000 x €5.00 = €3,500,000
In this case, Company X should choose the Named User licensing model.
Example 2
Company Y takes ~1,200,000 orders/year through a web portal accessed by ~30,000 users
- User-based scenario: 30,000 x €1,300 = €39,000,000
- Order-based scenario: 1,200,000 x €3.00 = €3,600,000
In this case, Company Y should choose the order-based pricing model.
—————
By now, you should generally be engaged with an SAP licensing specialist, as the true scenario is often a lot more complicated and will be affected by negotiation with SAP. The important point is that the organization is best prepared to make informed decisions, armed with all necessary data upfront. An enviable position!
Conclusion
Organizations must have full visibility of their SAP estate and understand how all “users”, human or otherwise use SAP. They should understand their contracts, terms and conditions and tie them to their direct users to create an optimized license position. The better a direct estate is managed, the better one can understand the financial liabilities associated with Indirect Access.
As a further step, organizations should automate any license administration processes to simplify management and receive alerts on defined parameters such as reaching the licensing limit for a given Named User type. By doing this, the organization will not only be ready for an audit and be aware of costs upfront, it will most likely have discovered significant savings along the way. The time spent by the SAP Basis team on arduous licensing tasks can be dramatically reduced.
Ultimately, by following the steps above, the organization will be in a far stronger, financially predictable position.
To understand this in more detail, read Snow’s guide: FOUR STEPS TO REDUCE SAP® INDIRECT ACCESS RISK