This E-3 Special is available for download at the bottom of the page and was co-authored by KPMG Partner Carsten Lang and Assistant Manager Justina Kurzawa.
The discussion concerning indirect use is neither a new nor a SAP-specific issue. It is apparent from the definition of use contained in the SAP general terms and conditions that users of third-party applications have to be licenced, and also that, where necessary, further licenses might be necessary to permit the application to commute to SAP.
Indirect use – not specific to SAP
If one were to go a step further, this definition of use can be interpreted in such a way that, essentially, no distinction is drawn between direct and indirect use. As already indicated, it is not only at SAP that the implication on indirect usage has to be considered in greater detail.
This was already an issue more than ten years ago; Microsoft, IBM, Oracle and other producers have been tracking developments for some time. Among Microsoft customers, the situation is known as multiplexing: a process in which hardware and software are used to pool connections to the software, redirect information or reduce the number of devices or users directly accessing the system.
Time and time again, questions on the issue are the subject of software audits. In order to adopt a reliable approach to the issue of SAP licensing, a distinction also has to be drawn between a simple breach of licence and an increased licensing requirement resulting from indirect use. Indications such as multiple logons by a user could possibly point to indirect use if the account of a user shows an extremely large number of parallel access operations, as it would then be possible to infer automated access.
For example, the account of a software developer acting on behalf of the company in question may be used not only for the developer, but also for all customers of the web shop that has been programmed by the developer and that accesses SAP functions. The same example could arise if there is proof of a high workload or constant use (24/7) by users, or if the measurement provides indications of corresponding cross-component use. None of this is absolutely 100 per cent conclusive but it at least provides possible signs that give rise to a more in-depth analysis of the connections and usage. Multiple logons, a high workload or longer working hours could, of course, also involve a “simple” breach of the licence, i.e. parts of the account or a technical user mistakenly classified, for example, as a dialogue user.
Indirect use can be caused as follows: for example a user (licensed or unlicensed) accesses SAP functions via a non-SAP third-party application or the information stored in the SAP environment. Indirect access to data in the SAP CRM, ERP or other components is thus gained via the upstream non-SAP system. What is important is not only the access via a non-SAP application, but also how the access was gained: do the users of the third-party application have the necessary SAP named user licences?
Depending on the licensing conditions applicable in the scenario, whether data is transferred in real time or with a time delay can also play a role, as well as other criteria, depending on whether SAP provides an appropriate solution that could replace the external functions. In which direction does the data transfer take place (unidirectional, bidirectional, inbound, outbound, etc.)? Does a mass outflow of data take place (bulk)?
An assessment has to be carried out for each indirect use scenario in the corporate landscape and seems particularly useful if room for interpretation can be identified from possible contract terms and conditions that could prevent unnecessary multiple licensing. For example, in older contractual constructs (interaction arising from the relevant contract, LPC, GTCs and SUR) there are often indications that the use of information can be covered via existing rights of use, provided that this does not take place in real time and that several other criteria are fulfilled..
Terms and conditions in old contracts could thus present options for solutions that only require the licensing of the use of third-party applications, but not the third-party application itself. However, this has to be reviewed with a critical eye in each case and requires that SAP does not provide any corresponding functionalities. The use of middleware could thus be an accurate solution; however this applies only to dedicated cases and requires that corresponding licence terms and conditions be valid. In this case, it is also essential that the contracts are analysed in order to guarantee fulfilment of the licence terms and conditions as well as the necessary compliance. At this point, it must be noted that middleware can be a technical solution in this respect as long as the functions of the upstream non-SAP software are not already offered by SAP.
For example, a time recording system developed in-house that reports data via message queuing middleware to the relevant SAP system in non-real time and by bulk outflow does not represent a suitable solution as SAP itself offers corresponding functions. However, if a very industry-specific solution is involved and not currently included in the SAP software programme, the situation could be beneficial for the licensee.
SAP included the ‘SAP NetWeaver Foundation for Third-Party Applications’ licence in the programme in 2010 for the purpose of correct licensing of third-party applications, which is necessary in the majority of cases of use. The licence has to be acquired based on Named User or Core metrics. The configuration of one of the metrics is possible on only one occasion, namely prior to the first purchase. This means it is advisable to review the rights and terms and conditions of the old contracts and to make optimal use of existing room for interpretation.
A trend towards a larger selection of licences is emerging to cater to the diverse and increasingly complex scenarios involving indirect use. The diagram illustrates some of these scenarios, including alternative licensing options that are currently being developed by SAP. As communicated in the course of this year’s Sapphire in Orlando, SAP has thus adapted to the most common scenarios (procure-to-pay, order-to-cash and static read). As shown in the example above, SAP provides customers with licence metrics with relevant rights of use to map the correct licensing in a cost-efficient way.
Provided that customers are otherwise correctly licenced, SAP also understands current requirements of customers by communicating the allowances in the course of necessary upgrades. Regardless of the manufacturer involved, it is always advisable to analyse whether indirect use scenarios exist in the company and assess these in terms of licensing regulations. It is only in this way that compliance with a licence, a task that falls within the scope of responsibility of the licensee, can be ensured.
Companion to progress
Just two decades ago, SAP systems, primarily in the form of ERP components at that time and with their all-encompassing portfolio of business options, were the ideal front end for customers that allowed them to dare to take the step into the future. Suddenly there was the possibility of designing business processes more efficiently and drastically reducing lead times. It was also already possible to map diverse workflows in partially or fully automated ways.
The introduction of ERP software was thus a prestigious and at the same time courageous step into a world of business processes and applications and was characterised by digitalisation as a means of keeping pace with the growing structures of international competition. It was a time of radical change and of seemingly unlimited technical possibilities, but not a time of anticipation or consideration of the accompanying licence and thus compliance risks.
Over time and with the development of today’s technical possibilities, such as virtualisation, cloud applications, regulatory requirements of adequate storage appliances and high-performance database solutions, the first major challenge emerged for all those involved, licensors as well as users. The licensors had to anticipate future technical possibilities when they were elaborating their licence models, while the licensees saw themselves exposed to an increasingly complex variety of licence models, metrics and licence terms.
In the case of SAP, a mature, homogeneous system landscape has developed over two to three decades and has moved away from the past importance as a general front end towards an integrated ecosystem, to which a large number of specialised on-premise and cloud applications are connected. Prominent examples are the CRM functions of Salesforce.com and Workday’s Human Capital Management.
Both generally replace or supplement SAP functions. SAP provides the appropriate technology for the technically accurate integration of these, and other, specialised applications. For instance, this was carried out in the past in the form of the Process Integration (PI) product. In addition to technical integration, the use of the underlying SAP ecosystem may also require acquisition of additional rights of use.
A well-known example is the aforementioned ‘SAP NetWeaver Foundation for Third-Party Applications’ licence. A user who accesses SAP functions purely via an external platform could be granted rights of use in conformity with the licence through a corresponding platform licence. However, this is not valid as sufficient licensing – something that is mistakenly disregarded by many clients – but may also require additional purchase of the ‘NetWeaver Foundation for Third-Party Applications’ licence if the goal of the application is based on the NetWeaver Platform. Even an interposed PI system would not change anything.
In this respect, SAP is often accused of a lack of innovation and its original front-end systems are downgraded to a back-end system for young, innovative solution providers. However, upon closer inspection, a clear picture emerges of this change, which allows it to be seen as the logical further development of the SAP system landscape. Corporate requirements have changed and flexibility has gained in importance in global IT structures.
Continue reading in Part 2 by clicking on the arrow on the right side of the screen.