Disconcertion strikes the global SAP Community, since the High Court in London has granted the request for remuneration of SAP in a litigation revolving around indirect use. Within a few hours, the news spread around the globe and SAP customers are increasingly turning to the few well-known experts for advice.
What does the ruling mean for SAP customers?
Well, first I would like to point out that indirect use is not a topic limited to SAP. There are is large number of manufacturers who demand compensation for corresponding scenarios. The key question is how to deal with this topic and prepare accordingly, respectively to protect a company from indirect use risks.
Technical tools and “standard procedures”, which are offered by various tool manufacturers, need to be critically scrutinized. However, there are some approaches that share fundamental similarities in every case.
For example, it does not help to keep track of RFC connections and to counter-check them against blacklists which are in circulation amongst the user groups. In this context, a question needs to be answered: Is it possible, according to the existing court ruling, to assume that a Salesforce application is always resulting in indirect usage of SAP?
Obviously, but the more important question is: How is the whole case even relevant in terms of licensing? This of course is much more difficult to answer. Limiting perspective on the endpoints of communication allows experts to also limit the issue’s complexity.
Additionally, it is important to evaluate existing usage scenarios holistically. Is data being exchanged in real-time between systems, or frequential? Is the exchange initiated by human interaction or by a technical user?
Is the communication one- or bidirectional?
Are records being transferred to the database by starting a dedicated query or as bulk transfer? Or is there even a kind of message queue as a data collector placed between the systems?
Obviously, there are a lot of other factors that need to be considered, and the usage rights in the target systems or authorizations in the Active Directory environment can play a further role.
An Approach to Transparency
A possible approach to the existing problem can, for example, be as follows:
As a start, tracing of RFC connections can be used to identify potential third-party applications. It is equally important, however, to gather information about applications which, for example, communicate via IDoc interfaces, IP-Sec connections, HTTP, CHC, SNA, TCP / IP, OSS or other communication paths.
If the systems, which are potentially affected by indirect use have been identified, they should be classified and appropriately prioritized based on the expected monetary risk.
The next step is collecting detailed information on these prioritized systems and their associated SAP users as well as outlining the infrastructure diagrams to determine a starting point for an accurate assessment. The use of external applications should also be identified and considered. For this purpose, a check of usage- and access-authorizations outside SAP may be necessary.
Subsequently, all identified scenarios are evaluated individually, as well as evaluated as to whether technical measures can minimize or even eliminate the corresponding risks.
Once you have arrived at the end and have identified the most cost-efficient licensing variant (or technical solutions that enable you to deal with the identified risks), existing scenarios are sensibly combined into overlapping use cases in order to avoid cost-inefficient purchase of multiple usage rights for a unique user.
For those users who are actually affected by the necessity of acquiring new licenses, it is recommended to investigate the latest functionalities within the SAP environment which have been accessed by each relevant individual.
A match against the corresponding price and conditions list (PCL) results in the identification of the most cost-effective cover variant(s) and leads to the long-awaited transparency and lasting risk minimization.