By Chris Hughes
Indirect access occurs when users access the functionality of a software system through a secondary application or third party interface. For systems where this is commonplace, such as in the case of SAP Enterprise Resource Planning (ERP) software, vendor license agreements may include clauses to ensure that functionality accessed in this way is subject to the same license requirements as functionality accessed using the primary interface of the system.
Complications arise when multiple systems are connected and information is transferred between them, with software vendors and their customers often taking conflicting views on what is a fair and reasonable interpretation of indirect access. The software vendor can use indirect access issues as the basis for a software license compliance audit or other customer engagement meant to drive additional revenue. Most recently, I came across this article, which captures the tone of the indirect access issue from the buyer’s perspective.
The disconnect between vendors and their customers is the starting point for many discussions on this topic which should lead to a strategy for how an organization can negotiate a favorable outcome, counter vendor demands or otherwise parry their advances. Each of these tactics has something in common – they are most effective when an organization has quantified its exposure and knows precisely where it stands.
Quantifying exposure to indirect access requires a number of steps:
1. Identify interfaces that are connected to the system.
ASUGNews.com recently published the results of an SAP survey conducted by UpperEdge, in which most respondents indicated they had more than 5 interfaces to non-SAP applications, and remarkably, some organizations had more than 50. Many interfaces can be discovered through technical analysis of SAP systems by inspecting RFC-based communication coming from non-SAP systems, for example. Others may require a manual effort to find inter-dependent systems.
2. Categorize the interfaces and the data flowing across them.
This includes whether the data flow is one-way or bi-directional, and whether communication occurs in batch or real-time. Vendors may also treat raw customer data differently from data produced by the system as a result of applying business logic.
3. Measure the number of users and their roles.
This is particularly important for SAP licensing where a user’s license type depends on which roles they perform. It is strongly preferred that a user’s roles be determined not by the actions they are authorized to perform but rather those they are actually performing based on real usage data, as this will result in a more optimal license position.
4. Identify overlaps between system users (with direct access) and indirect users.
It is quite possible that many indirect users also access the system directly for other purposes. When this occurs, a single license—for example, an SAP Named User License, may cover that user’s activities through all interfaces. This is a key aspect of quantifying indirect access, because the existence of secondary interfaces does not necessarily imply a significant indirect access liability.
Taking a proactive approach to understanding indirect access exposure enables organizations to engage with a vendor on their terms and optimize the outcome.
***
To learn more, please view our on-demand webinar: Lifting the Lid on SAP Licensing
FlexNet Manager for SAP Applications calculates and optimizes an SAP license position inclusive of indirect access, in a fully automated and repeatable fashion. Indirect access needn’t be a source of uncertainty for your organization.