SAP indirect access audits are among the most financially significant compliance events an enterprise can face. Six- and seven-figure settlements are common — and the complexity of SAP's licensing model means many findings are challengeable with the right expertise. This guide explains how to defend your position.
SAP indirect access (now partially addressed by the Digital Access model introduced in 2018) remains the most commercially impactful area of SAP licence compliance. The core issue: when third-party systems, custom applications, or automated processes read from or write data to SAP — without licensed SAP users interacting directly — SAP has historically claimed additional licence fees are owed.
For organisations on SAP ECC, the indirect access risk remains significant. For S/4HANA customers, the Digital Access model provides a clearer framework — but introduces its own complexities around document-based pricing. This guide covers both scenarios. For broader SAP licence context, see our SAP Licence Negotiation Guide, SAP Indirect Access Guide, and SAP Audit Defense Guide. For the best SAP audit defence firms, see Best SAP Negotiation Consulting Firms.
SAP "indirect access" refers to scenarios where SAP systems are accessed by automated processes, third-party applications, or custom interfaces — rather than directly by named users through the SAP GUI or Fiori. SAP's original licence model was built around named users interacting directly with SAP. As organisations built integrations, custom apps, IoT pipelines, and RPA processes that touched SAP data, SAP began claiming these scenarios required additional licences.
SAP's indirect access claims are calculated based on the number of documents created in SAP (post-Digital Access) or on the number of users of the third-party system that could theoretically access SAP data (pre-Digital Access). When a large ERP is integrated with a CRM used by 5,000 sales reps, SAP could claim 5,000 equivalent user licences are owed — even if those users never log into SAP directly. This is why indirect access claims regularly reach seven figures.
The landmark legal case that clarified the severity of SAP's indirect access position was SAP v Diageo (UK High Court, 2017), in which SAP was awarded £54.5 million for unlicensed indirect access through Salesforce CRM integration. This case accelerated SAP's rollout of the Digital Access model as a commercial resolution mechanism.
Introduced in 2018, SAP's Digital Access model partially replaced the prior indirect user licence model for S/4HANA. Instead of pricing indirect access based on the number of users in third-party systems, Digital Access uses a document-based pricing model:
| Document Type | Examples | Pricing Model |
|---|---|---|
| Sales Orders | SO created via Salesforce, EDI, B2B portal | Per document (tiered) |
| Purchase Orders | PO created via procurement portal, RPA | Per document (tiered) |
| Production Orders | MES-triggered production orders | Per document (tiered) |
| Service Orders | Field service apps, IoT-triggered | Per document (tiered) |
| Billing Documents | Automated invoicing, EDI billing | Per document (tiered) |
| Deliveries | WMS-triggered deliveries | Per document (tiered) |
| Material Documents | Automated goods movements | Per document (tiered) |
Digital Access pricing is volume-tiered — the per-document cost decreases significantly at higher volumes. SAP provides a "conversion offer" to move existing ECC customers to Digital Access terms, which typically involves buying Digital Access licences in exchange for relinquishing indirect user claims for legacy deployments.
The Digital Access model covers specific document types for S/4HANA customers. It does not automatically cover ECC deployments, all document types, all integration scenarios, or "read-only" data access patterns. Organisations assuming that purchasing Digital Access licences resolves all indirect access exposure are often surprised when SAP audits identify uncovered scenarios.
CRM systems integrated with SAP that create sales orders, customer records, pricing conditions, or service cases in SAP via API or middleware are among the highest-risk indirect access scenarios. Post-Digital Access, the risk is document-based for S/4HANA; for ECC, the risk remains based on the number of CRM users who could access SAP data.
Robotic Process Automation bots that interact with SAP — creating documents, extracting data, or processing transactions — are a clear-cut indirect access scenario. SAP has specifically targeted RPA deployments in recent audits. Each bot is treated as a user by SAP unless covered by specific Digital Access terms.
E-commerce platforms that create orders, update inventory, or trigger fulfilment in SAP create indirect access exposure. High-volume B2C or B2B e-commerce can generate millions of SAP documents annually — potentially creating very large Digital Access licence requirements.
Manufacturing Execution Systems and IoT platforms that write production orders, material movements, or quality notifications to SAP represent significant indirect access exposure in manufacturing environments. The document volumes in high-throughput manufacturing can make Digital Access pricing substantial.
Third-party procurement systems (Coupa, Ariba non-SAP, Jaggaer, Ivalua) that push purchase orders or invoices to SAP create indirect access exposure. Supplier portals that allow vendors to receive orders and submit invoices via SAP integration are also in scope.
Non-SAP HR systems integrated with SAP HR/Payroll that create personnel records, trigger payroll calculations, or synchronise organisation data can create indirect access claims, particularly where the integration creates or modifies SAP documents in scope under Digital Access.
SAP's Digital Access model was primarily intended to cover document-creating integrations, not read-only data extractions. However, SAP has attempted to claim indirect access fees for high-volume data extractions in some audits. The contractual basis for such claims on pure read-only access is generally weak, but the risk exists and should be documented.
SAP audits are conducted by SAP's Global License Audit & Compliance (GLAC) team. The process typically runs 6–18 months and follows a defined structure:
| Factor | SAP ECC | SAP S/4HANA |
|---|---|---|
| Indirect access model | Named User / indirect user model | Digital Access (document-based) |
| Primary audit risk | Third-party system users × licence fees | Document volume × per-doc pricing |
| Calculation method | Users of connected systems (broad) | SAP documents created indirectly |
| Predictability | Low — highly subjective | Moderate — document counts auditable |
| Typical claim size | Very large (user-based) | Variable (volume-dependent) |
| SAP conversion offer | Digital Access conversion available | Annual Digital Access licence |
| Dispute viability | High — many claims challengeable | Moderate — document counts verifiable |
For ECC customers facing indirect access claims, the dispute viability is generally higher because SAP's methodology for calculating indirect user exposure is less precise and more contestable than document-based pricing. The SAP v Diageo case outcome notwithstanding, many SAP ECC indirect access claims rest on questionable contractual interpretations that can be successfully challenged with specialist legal and licensing expertise.
SAP indirect access claims are contractual and legal in nature, not just technical. Engage legal counsel with specific SAP licensing expertise before responding to any audit notification. General IP or IT lawyers are typically insufficient — the nuances of SAP's licence terms require specialist knowledge.
For ECC customers, SAP's indirect access claims are based on contractual interpretation that is widely disputed. Many SAP ECC contracts signed before 2015 do not explicitly address indirect access scenarios in terms that support SAP's current claims. The contractual basis for each claim should be analysed by specialist counsel before any commercial engagement.
Conduct your own comprehensive mapping of all SAP integrations and interfaces before the SAP audit data collection phase. Understanding exactly what data flows in and out of SAP, which systems are involved, and what SAP documents are created enables you to assess exposure accurately and challenge SAP's assumptions.
For S/4HANA Digital Access claims, SAP's audit is document-count based. Run your own analysis of documents created by indirect access scenarios before SAP presents its findings. Independent document counts allow you to verify SAP's numbers and challenge discrepancies — SAP's document counting methodology is not always consistent or accurate.
Not all SAP document types are covered under Digital Access pricing. Some document types — particularly those created by SAP-certified integration scenarios, SAP BTP standard content, or SAP's own middleware — may be excluded from indirect access claims. Identify every document type in SAP's claim and verify whether exclusions apply.
SAP's Digital Access model and most contractual interpretations of indirect access do not cover pure read-only access to SAP data. If SAP's audit claim includes data warehouse extractions, reporting systems, or BI tools that only read from SAP without creating documents or modifying data, challenge these inclusions explicitly.
SAP's treatment of RPA bots as "users" for indirect access purposes is contested. The contractual basis varies by agreement and SAP's own policies have shifted over time. Each RPA scenario should be assessed individually — the case for treating automated processes the same as human users is not universally sound.
If you are an ECC customer facing indirect access claims, your migration timeline to S/4HANA is your strongest commercial leverage. SAP's revenue growth depends on ECC customers migrating to S/4HANA. Committing to an S/4HANA migration in exchange for favourable resolution of indirect access claims (including Digital Access conversion terms) is a consistently effective settlement strategy.
SAP's standard Digital Access conversion offer for ECC customers is negotiable. The document tier pricing, the historical back-period covered, and the terms of the conversion agreement are all open to commercial discussion. Do not accept SAP's first conversion offer — it is an opening position, not a fixed price.
SAP's commercial position is strongest when you have no credible alternative. Credible assessments of alternative ERP platforms (Oracle, Microsoft Dynamics, SAP GROW for smaller business units) or CRM replacements (Salesforce, Dynamics) weaken SAP's leverage and typically accelerate settlement on better terms.
SAP's indirect access claims often include backdated licence fees for the period during which the unlicensed indirect access has been occurring. Challenge both the start date of any back-period and the licence rates applied. Many contracts contain provisions that limit SAP's ability to claim backdated fees beyond a specific period or at full list price.
Where a genuine indirect access exposure exists, negotiate the settlement to include reductions in SAP annual maintenance (standard 22% rate) as part of the commercial resolution. Reducing ongoing maintenance costs over a 3–5 year period can significantly reduce the total cost of the settlement beyond the one-time licence purchase.
SAP indirect access settlements involve three components: the licence gap (additional licences required), the back-period (historical fees SAP claims for prior unlicensed use), and ongoing maintenance. Expert settlement negotiation focuses on challenging all three elements simultaneously:
Organisations that engage specialist SAP audit defence firms — particularly those with experience of the post-Diageo SAP indirect access landscape — consistently achieve 40–60% reductions below SAP's initial settlement demands. See Best SAP Negotiation Consulting Firms for firms with proven SAP indirect access track records. For broader SAP licence optimisation context, see the SAP Renewal Negotiation Strategies guide.