Analysis of Snow Software on Determining SAP Indirect Access Exposure

Executive Summary

  • SAM software helps software companies manage their licenses and control predation on the part of software vendors. Indirect access, but what is really Type 2 indirect access is a type of license control that is enforced by SAP.
  • Snow Software provides this helpful article in how to deal with SAP indirect access.
  • SAP, with the help of compliant media entities, have “shifted the goalposts” a to the official definition of indirect access so they can coerce customers into not being disloyal and purchasing non-SAP applications and databases.

Introduction

In this article, we will analyze Snow Software’s article on whether it is possible to determine your internet access exposure.

Article Quotations

“SAP licensing is complicated. License entitlements can be open to interpretation and contract amendments can mean that financial liability for one customer may be very different in comparison to another, even if their usage and requirements are identical. It often depends on what deal was struck at the time of purchase.

Traditionally SAP licensing reviews and system measurements have focused on direct usage of an organization’s SAP environment. Direct usage on an individual level describes one user accessing SAP data directly through the SAP interface. The transactions which they perform determine what license type (or types) the user should be assigned. This in turn determines the associated cost for that user to perform their required tasks within the SAP system.

Even correctly managing licensing of direct users is more complicated than it might first appear. An organization with 10,000 users of its SAP environment could have many groups of users who transact in very different ways. The users may change jobs and so need to use the SAP environment differently from one year to the next. Other users leave the organization and of course it’s no longer necessary to have a license assigned to them.”

What SAM Software Does

Very true. Actually, most of what SAM software does is actually manage direct user licenses.

“If your organization’s doesn’t keep on top of this and effectively manage licenses, you’ll almost definitely be paying over the odds for your licenses or you will be hit with a big fee following system measurement (LAW) submission or a more comprehensive SAP audit.”

And this is in fact very common as most SAP customers do not use SAM software.

“The risk becomes even greater when you consider Indirect Usage. That’s because you may face licensing liability for a far greater number of users compared to those who you know directly access the SAP system. That 10,000 user license requirement could two, three, even four times more if a third-party application accesses your SAP data.”

The Type of Indirect Access Enforced by SAP

There are really two ways to look at this. One is that the type of indirect access most often enforced by SAP is called Type 2 indirect access. Brightwork has repeatedly questioned the validity of SAP’s creation of Type 2 indirect access.

The second way of looking at it is that SAP does enforce Type 2 indirect access, although it does not actually have the right to do this.

“One thing is clear. The better prepared your organization is, the better you understand overall usage of your SAP environment from every user and the better you can map this to existing entitlements, the stronger you will be when it comes to an audit or a negotiation. To do this effectively, you need a system that can automatically consolidate all of the necessary data and automate the required tasks.”

That is certainly true.

So What is Indirect Access?

“A simple example of Indirect Usage is where an SAP system is accessed or queried through a third-party application. The way in which that third-party system interacts with the SAP system, whether the interaction originates from a users’ actions and whether data is manipulated or changed within the SAP system all contributes to whether SAP defines the need for an additional license and, therefore, additional cost.

If you had to read that sentence twice, you’re likely not to be the only one. The fundamental issue is that SAP “Indirect Usage” changes definition from company to company and that is causing confusion amongst the SAP user community.”

And the answer as to why is that SAP selectively applies indirect access in order to maximize the revenue taken from its customers. In some cases, it is not in SAP’s sales interest to bring up the topic, in other cases, it is.

“In a rather ironic twist of fate, the push from the large SAP user communities across the globe for more clarity on Indirect Usage has actually led to potentially greater financial exposure. That’s because SAP made changes to their enforcement of the price and conditions list (PCL) in October 2016. More on this below. Indirect Usage is categorized in a few different ways depending on the technical method used to access the SAP environment. To add to the opacity around this, there is also a greater or lesser likelihood that SAP will choose to charge additional license fees dependent on the “type” of Indirect Usage there is.”

That may be true. It seems that whenever SAP releases more information on indirect access, it expands what its definition of indirect access is.

External Third Party Systems

“Common examples of this type of Indirect Usage include large ISVs like SalesForce.com, Workday and QlikView; Business Intelligence systems and payroll systems. This may also include smaller systems to perform a particular task not possible in default SAP software.

In this instance, the third party systems are accessing the SAP environment, pulling data and often writing it back via a connection to the SAP environment. Here a “user” must be set up to gain access to the SAP system. On the surface then it can appear like only one user (or a small number of users) is performing actions on the SAP system. In reality though, the “user” will be performing far more tasks than is possible for a single person to undertake.

Multiple users are indirectly using SAP data to perform tasks. The challenge that someone investigating this type of Indirect Usage often faces is that they are unaware of these third-party systems within their organization’s IT estate. To identify such systems requires either surveying application owners or looking for anomalous usage directly within the SAP system.”

Once again, this is Type 2 indirect access. It is not historically what has been called indirect access.

“Flags to look out for include:

#1: “Work time” check for all users: Checks rolling two-day time windows for constant activity without a pause of at least eight hours

#2: “Volume of work” check: Looks for users with an extraordinary amount of activity (measured by changed or newly created DB table entries)

#3: “Cross-component usage” check: Looks for users which changed DB table entries or newly created them from different SAP modules in the same second.

In practice, the interviewing process alone is insufficient and attempting to analyse the SAP system manually is impractical for a system with over a certain amount of users. This is because it requires manual consolidation of numerous data sources before any possible conclusions can be made.

The more efficient approach is to use a system which can automatically consolidate the data meaning that anomalous activity can be identified much faster.

This method of Indirect Usage is the clearest cut and we covered this in a lot more detail last year. If a system accesses SAP in such a way, you are likely to be financially liable. It’s extremely important to understand precisely how the interaction takes place, how may third-party users may require a license and what type of license they will require.”

Yes, SAM software is one of the primary ways to determine the Type 2 indirect access that the customer is performing. Although this still may not provide the details of all the indirect access exposure.

SAP Add Ons

“In October 2016, SAP made changes to their enforcement of the price and conditions list (PCL) with the intention of clarifying some of the definitions around SAP and based upon pressure from the various user groups across the globe. This is where the irony lies because it has, in fact, led to a new license requirement for third-party add-ons.

Within the PCL, SAP added that users, in addition to the Runtime usage right of the SAP NetWeaver Foundation, must acquire an additional SAP NetWeaver Foundation for Third Party Applications.

This means that users of a third-party system which is an add-on to SAP and installed via the NetWeaver platform must pay an additional license fee on top of their existing Named-User license.”

So SAP charges double for NetWeaver? One to run SAP apps and one to run non-SAP apps. This double purchasing is very similar to SAP’s policy on HANA, which is covered in the article The HANA Police and Indirect Access Charges.

“Many customers see this as a shift of the goalposts and it will be particularly frustrating to organizations who were recommended to develop customer-specific solutions into their landscape by SAP itself.”

The Shifting Goalposts of Indirect Access

SAP has been constantly shifting the goalposts on the topic of indirect access. And this is something that my research indicates will continue in the foreseeable future.

“Because this enforcement is new, many organizations will not be immediately exposed to financial liability and SAP typically takes a staggered approach to enforcing licensing rules.

The best advice and option would be not to rest easy because of the lag between rule creation and rule enforcement. Make sure that you understand what your potential liability might be. Consider whether there are named user licenses which are assigned to inactive users and making up shelfware. If there’s a potential for this shelfware to use a third-party add on, there may be a case for SAP to charge your organization the additional fee. If your shelfware is properly expired and retired, there is no risk. Again, an automated system which can do the leg work for you will ensure you are in a stronger, optimized position.”

These are all very good points.

IoT and other Databases

“The third and final category to consider is also the least well defined. However, it still absolutely should be taken into account. This category concerns “things” writing data to the SAP system. “Things” could mean sensors in a warehouse measuring temperature throughout the building and alerting when that temperature moves outside of defined parameters. It could mean data transferred from mining vehicles when they return to base, tracking usage of the vehicle and distance travelled to estimate when tyres need changing or when the truck must be serviced. In this real example, the customer wasn’t liable for any additional named user license because there is no human interaction. The data is transferred automatically when the vehicles cross a threshold.

On the other hand, a scenario where additional licenses were required was in a slightly different form of data exchange via Electronic Data Interchange or EDI. In this case, warehouse scanners were used to read data from barcodes into the SAP system. The difference was that humans click the button to read activate the scanner. The customer in this case was told that they needed named user licenses for each user who could potentially use the barcode scanner and hence “use” the SAP system.”

All Systems Should be Subject to Indirect Access Fees…or Only SAP?

The reason this requires drawing ludicrous distinctions is that SAP’s proposal on Type 2 indirect access makes no sense. If the scenario above means that SAP is owed indirect access fees, then all systems that connect to SAP also should receive indirect access fees as well.

”From a legal perspective, the issue of indirect usage and SAP’s respective license types is complicated as its assessment involves questions of contract law, copyright law and possibly also of competition law. What matters is that companies using SAP software are aware of the risk that is attached to indirect usage of the software.

In order to be able to evaluate such risks, technical tools that help to get an idea of the intensity of indirect usage helps. If a company believes that it has a high risk with regard to this issue and does not want to meet SAP’s additional payment request, an individual legal analysis may help to clear the picture.“

Fee or No Fee?

“So that is the distinction. Involve a human user in some way and you may be asked to license that user. Remove any human interaction and you are unlikely to need to pay for additional licenses (at the time of writing). As in all of the examples above, however, this won’t stay the same forever and if your organization is embracing new technologies at a rapid rate, just remember that SAP might want a cut of the pie at some point down the line.

Again, the advice remains the same. Understand usage, understand the architecture of your environment and continually optimize. Do not let things change over time without tracking it. If you do, you could be faced with a substantial unbudgeted bill.”

Conclusion

Snow Software has made a good effort in getting into the details and have provided some very good information in this article. There is a lot of detail in this article that does not appear to have been published elsewhere.

  • At Brightwork, our perspective on Type 2 indirect access enforcement by SAP is inconsistent with what all other software vendors do, and what has been the historical interpretation of indirect access.
  • It also is the case the indirect access is applied so differently by SAP based upon factors related to the sales situation at the customer, that it does not only come down to technically whether a customer meets the definition of Type 2 indirect access.

References

SAP Licensing Contact Form

  • Have Questions About SAP Indirect Access and Licensing?

    Our independent experts get no compensation from SAP, so we can deliver you honest answers about indirect access and licensing.

    This article is free, we do not answer questions for free. Filling out this form is for those that have a budget. If that describes you, just fill out the form below and we'll be in touch asap.

https://www.snowsoftware.com/int/blog/2017/01/30/sap-audits-it-really-impossible-accurately-determine-your-financial-exposure

How Accurate Was Snow Software on their Optimizer for SAP?

Executive Summary

  • Snow Software covers topics related to SAP indirect access and how to minimize the ongoing SAP licensing overhead. In this article, we evaluate Snow’s article for accuracy.

Introduction

In this article, we will focus on Snow Software’s media output on SAP indirect access.

SNOW OPTIMIZER FOR SAP SOFTWARE AT A GLANCE

  • “View consolidated usage data across all SAP systems
  • Automate SAP user license administration
  • Identify and trace indirect usage
  • Centrally manage contracts and addendums
  • Contain HANA license costs
  • Optimize BusinessObjects licensing
  • Install and manage within the SAP environment (SAP certified)”

This is interesting in that it shows licensing for HANA and for BusinessObjects. It is curious that it is called out separately.

INVENTORY & ANALYZE SAP USAGE TO ELIMINATE WASTED SPEND

“Snow Optimizer for SAP Software provides deep-dive analysis into transactional and individual usage data, identifying opportunities to reduce costs and liabilities by eliminating duplicate users and unused licenses.  The solution can automatically recommend ‘best-fit’ license types based on user behavior, making it easy to switch from expensive licenses to cheaper ones where appropriate.  Automatic monitoring frees up SAP administrators to focus on core duties and ensures information is always up-to-date in case of an audit or review. Contract Management and compliance reports can provide guidance and insight as well as help achieve savings through better negotiations with vendors.”

This is what SAM software for SAP provides users. SAM software should allow companies to “right size” their licenses.

INDIRECT USAGE

Through this functionality, Snow Optimizer for SAP Software provides comprehensive data about Indirect Usage which enables the organization to significantly reduce financial exposure and to highlight risk in the future.

Another critical reason for SAM software is indirect usage. Indirect usage from SAP comes quickly, which is why it is essential to have SAM software already installed.

MINIMIZE ONGOING SAP LICENSE ADMINISTRATION OVERHEADS

“Snow Optimizer for SAP Software maintains up-to-date details on all SAP license allocations, giving SAP administrators the ability to adjust license types and distribution on-the-fly. Automated rule sets quickly align individual users with the correct license in the correct system based on their activities.

Alerts can be triggered when the organization nears license limits under current contracts or specific activity restrictions.  Pre-defined rules help organizations prevent actions that would incur unexpected or unacceptable costs.”

The concept of SAM software is that it is continuously used, to provide an accurate picture of usage versus the customer’s licensing. Alerts are particularly helpful in keeping logic working in the background that can tell the customer when a change occurs.

AVOID MISTAKES WITH ‘WHAT IF’ PLANNING

“Snow Optimizer for SAP Software can be used to test a variety of “what-if” scenarios that enable the organization to model how changing the deployed license types would affect SAP licensing and support costs. Scenarios can be played out in the solution without making any changes on the live system until the organization is happy with the results, avoiding potentially costly licensing mistakes.”

What if planning has quite a lot of uses. For instance, knowing what the costs will be when making changes to the software and the usage of the software that is planned.

Financial Disclosure

Financial Bias Disclosure

This article and no other article on the Brightwork website is paid for by a software vendor, including Oracle and SAP. Brightwork does offer competitive intelligence work to vendors as part of its business, but no published research or articles are written with any financial consideration. As part of Brightwork’s commitment to publishing independent, unbiased research, the company’s business model is driven by consulting services; no paid media placements are accepted.

SAP Licensing Contact Form

  • Have Questions About SAP Indirect Access and Licensing?

    Our independent experts get no compensation from SAP, so we can deliver you honest answers about indirect access and licensing.

    This article is free, we do not answer questions for free. Filling out this form is for those that have a budget. If that describes you, just fill out the form below and we'll be in touch asap.

References

https://www.snowsoftware.com/int/products/snow-optimizer-sapr-software

Enterprise Software Risk

See our free project risk estimators that are available per application. The provide a method of risk analysis that is not available from other sources.

How Accurate is the Certero Article on Software Audits?

 What This Article Covers

  • An Analysis of Certero’s Web Article Accuracy on SAP Software Audits
  • Virtualization
  • Monitoring Usage
  • Indirect Access

Introduction

Part of what we do at Brightwork Research & Analysis is review the accuracy of media output of IT entities. In this article, we will focus on Certero’s media output. Certero is a software vendor that offers SAM software.

Virtualization

“Virtualization is a mature technology that can help you save money, time and carbon emissions. Consequently, just about every major organization has adopted it in one form or another, somewhere on their IT estate.

But, there is a major issue with virtualization that many organizations overlook – the impact it has on your software licensing. Unless you are fully aware of these implications and are able to manage your license position, you could end up paying more for additional software licenses (and fines if the shortfall is discovered during a vendor audit) than you saved through virtualizing in the first place.”

That is quite true. In fact, a major motivation for virtualization was to save money on software licenses. However, eventually the software vendors became savvy to virtualization and they changed their license terms to account for it. This greatly reduced the incentives to virtualize as the potential software cost reductions were always greater than the hardware cost reductions.

And vendors do know how to audit and determine penalties on their software when virtualized.

Monitoring Usage

“Dependent on the terms of your license grant, the need to measure the usage of your software could be important in ascertaining whether you are compliant and also what you have to pay. Certain software vendors, like SAP and Oracle, charge for software based on metrics that can be unique to your business. For example, if you are a car manufacturer, the metric could be based on the number of cars you have built.”

Yes, that is also true. And SAP and Oracle as well as other differ from each other as well.

Indirect Access

“As if the licensing agreements of the likes of Oracle, SAP and Microsoft were not complicated enough already, many user organizations fall foul of something called indirect usage and end up owing significant amounts as a result of licensing non-compliance.

Indirect usage, indirect access, or multiplexing as it is sometimes called, is where your software (be it Oracle, SAP, Microsoft etc.) is accessed indirectly by a non-named third party, which can either be a person or machine. For example, an organisation has created a system that allows all their employees to enter their expenses. That system then sends all that employee expense information to a second system using a single named user account.”

True.

“Key to getting to grips with indirect access is the ability to correctly classify users of your software as direct or indirect and so make sure they are given the correct license type. Identifying indirect access can be tricky without the help of an automated monitoring tool.”

This is another way of saying monitoring usage also, which is what SAM software does.

“However, there are tell-tale signs that make indirect access easier to spot. These include things like a user accessing a system all day long (no human user would do that) or a very large volume of work processed within a set period by one user (again, no human could conceivably process such a volume within that time).”

That makes a lot of sense.

“One way to avoid indirect access problems in the Oracle world, for example, is to license via processor, rather than Named User. Sadly, there is no such corresponding license in the SAP world, where you are limited to Named User.”

The distinction that I would want to be drawn here is that SAP enforces indirect access quite a bit differently than Oracle. SAP is the only vendor I have yet observed charge for what I have called Type 2 indirect access.

Conclusion

This article by Certero earns a Brightwork Accuracy Score of 9.5 out of 10. There is nothing inaccurate in the article, and the only area that could be adjusted is adding some specificity.

Financial Disclosure

Financial Bias Disclosure

This article and no other article on the Brightwork website is paid for by a software vendor, including Oracle and SAP. Brightwork does offer competitive intelligence work to vendors as part of its business, but no published research or articles are written with any financial consideration. As part of Brightwork’s commitment to publishing independent, unbiased research, the company’s business model is driven by consulting services; no paid media placements are accepted.

SAP Contact Form

  • Want More Infomation on SAP?

    Our unbiased experts can deliver accurate research and honest advice on SAP.

    This article is free, we do not answer questions for free. Filling out this form is for those that have a budget. If that describes you, just fill out the form below and we'll be in touch asap.

References

Virtualization & Monitoring Usage

Why SAM Software Will Never be Included with SAP

 What This Article Covers

  • The LAW Transaction
  • What Many SAP Customers Think LAW is Used For
  • What the LAW Transaction is Actually Used For
  • How the LAW Transaction Works to Provide Information to SAP

Introduction

In this article, we will review the LAW transaction, particularly the interpretation of LAW versus true SAM software.

The License Administration Workbench (LAW)

This is what SAP says about their LAW transaction:

The License Administration Workbench (LAW) supports you during the License Audit Process for complex system landscapes. You use the LAW to collect and consolidate license-relevant measurement data (users and engines) for the component systems and the central system (LAW system) in which LAW is run. This provides system administrators with a better overview, and the system measurement is simpler and also more reliable.

Before you start LAW, you should classify the users in all measurement-relevant systems in accordance with their tasks; that is, assign them to a contractual user type (in transaction USMM, SU01, or SU10). During the consolidation that then takes place in LAW, the users for a person are listed and assigned one contractual user type. The multiple assessment of a person is therefore practically eliminated ‑ the Multi-Client/Multi-System classification is superfluous.

Actually this definition of the LAW transaction. A correction of the definition of what LAW actually is, would be the following:

The License Administration Workbench (LAW) supports you (No, it supports SAP) during the License Audit Process for complex system landscapes (No,the complexity of the landscape is immaterial. LAW is a transaction used for all SAP customers). You use the LAW to collect and consolidate license-relevant measurement data (users and engines) for the component systems and the central system (LAW system) in which LAW is run (True, but the output is not very useful for the customer, nor is it designed to be). This provides system administrators with a better overview, and the system measurement is simpler and also more reliable (No, this provides SAP with the usage of the system).

As should be evident from the corrections, SAP explains LAW as if it is some type of overall administration tool, and completely underplays how much SAP relies upon it during audits. This is why it is often the case that SAP’s technical literature cannot be taken at face value. This is not a technically accurate description of the LAW transaction.

This description, along with explanations by SAP consulting and SAP account executives is likely the reason that it is often assumed by many customers that LAW is SAM or software asset management software. It isn’t. SAM software is software that allows SAP customers to audit their SAP usage. SAM software is designed to be understood by the SAP customer. The LAW transaction is something that is primarily designed to provide information to SAP in order to audit companies.

How the LAW Transaction Works to Provide Information to SAP

The LAW transaction along with the USMM transaction are typically run once per year. This is the soft audit that SAP requires of all of its customers. The information is then sent to SAP so that SAP can review and determine if the customer is under licensed. If the customer is over licensed, the customer will not be informed of this fact by SAP. Instead over licensing is left to the customer to figure out for themselves.

SAM Software

SAP will not directly bring up the topic of SAM software. They will tell the customer about the LAW and USMM transactions but prefer that their customers not look beyond these transactions. This is because a SAM application allows a customer to determine their system usage, compare it to their licenses that they have purchased and to know their licensed position and which puts them in a better position to negotiate with SAP.

Conclusion

Companies should never accept SAP’s self-serving analysis of their licensing state. The LAW and USMM transactions are for SAP. SAP states that they are for the customer but that is a smoke screen.

References

https://help.sap.com/saphelp_erp60_sp/helpdata/en/ee/ee133bfae0750ce10000000a11402f/content.htm