SAP user and indirect access reconciliation process
This article suggests a four-step process for managing SAP users and indirect access. It is a mixture of feedback from our SIG calls on SAP Indirect Access and ITAM Best Practice using the ITAM Review’s 12 Box Methodology.
The article is designed to accompany our webinar on the 27th July – Webinar: Eradicate SAP Indirect Access Anxiety: 4 Practical Steps. If you can’t attend on the 27th or are reading this after broadcast – simply register and we’ll provide you the recording when it’s available.
Thanks to ITAM Review SIG members
The process and advice below is based on three ITAM readers, end user SAP customers who wish to remain anonymous. A nice gentleman from USA, a nice lady from USA and a nice gentleman from Sweden – all sharing how they manage SAP users and indirect access. You know who you are – Thank you. Stay tuned to The ITAM Review newsletter for news of future Special Interest Groups (SIG) calls.
Notes & Disclaimers
- This article is not licensing or legal advice – This process has not been verified by SAP as a good way to manage indirect access. Hell hasn’t frozen over yet – so in the absence of clarity from SAP I’m having a stab at it with the help of ITAM Review readers who are SAP customers.
- This is a way of managing SAP users and indirect access – it’s not the only way and as the Campaign for Clear Licensing advocates – 1) Get license metrics defined in the contract and 2) If you can’t measure it don’t consume it.
- You might call this article the “cynic’s guide to SAP license management” as it assumes you can’t trust SAP. I believe SAP is being deliberately vague about licensing as they don’t want you to explore competitive solutions. See “SAP restrictive practices rile customers. CCL files complaint with Competition and Markets Authority”
- The four-step process below is based on a user centric model assuming licensing based on ‘unique’ users accessing SAP infrastructure directly or indirectly. This might not apply to some SAP customers or SAP products.
- If you think there are mistakes, improvements, or alternatives to these steps please let me know (In the comments, by email, forum)
The ITAM Review Guide to managing SAP users and Indirect Access
The process recommends four steps to managing SAP users and indirect access as follows:
- Understand consumption
- Reconcile users
- Identify and manage risk
- Optimize and Improve
Step 1 – Understand Consumption
First of all we need to understand our consumption, how many users are actively using SAP, how are they using it and what others systems are connecting to our SAP infrastructure?
- Identify active users (why pay for inactive users) and how they are using SAP (why pay for functionality you are not using)
- Identify systems that are connecting to your SAP infrastructure – Identification of SAP Indirect Access should ideally be achieved by working with system owners and your internal SAP team to understand consumption
- Indirect access identified by SAM tools or third party specialists should be a failsafe not the main process for managing indirect access (The ongoing cost and risk of indirect access should be built into architecture and strategy – not an expensive afterthought)
- Do an inventory of all interfaces to SAP and third party applications and access their risk – RFC connections but also check IDocs, HTTP, SNA, TCP / IP and all other means of communications. It is better you find them first before SAP finds them.
Step 2 – Reconcile Users
The objective of reconciling users is to:
- Identify duplicate users (Reduce users, save money)
- Identify inactive user accounts (Reduce users, save money)
- Identify user accounts accessing indirectly that are not covered by existing user types (Indirect Access Compliance Risk)
- To ensure records are accurate to support informed decision making
The reconciliation process is to ensure compliance – not to do the work itself. Provisioning of users and indirect access should be embedded within day-to-day processes; the reconciliation process is to ensure things are working properly. A quarterly check is recommended, at least initially, but as will all things ITAM it is dependent on risk, maturity and frankly how much resource you have and risk you can tolerate.
Other tips for reconciling users:
- Verify SAP user accounts against another data source such as Active Directory. Ideally have universal naming conventions for user accounts to ease the matching process (e.g. username in SAP is identical to domain username in Active Directory)
- For more info on measuring asset accuracy and comparing data sources see “Verifying Asset Accuracy” from 2014 https://marketplace.itassetmanagement.net/2014/11/24/verifying-asset-accuracy/
- We also cover inventory, user and consumption verification in the INVENTORY, DEPENDENCIES and VERIFICATION modules of the 12 Box Training course https://marketplace.itassetmanagement.net/training/
Step 3 – Identifying and Managing Risks
The Diageo vs. SAP case cited a license fine of £54million based on 5,800 users indirectly “using” SAP via Salesforce.com. So I’ll use £9K as my guide for SAP named user pricing.
Best practice suggests any risk identified should be communicated to your senior management team in purely financial terms. So if you think you might have discovered 300 users of an application interfacing with SAP, that is a license risk (until proven otherwise) of £2.7m. The 300 might not need a professional named user license, and it might not technically be indirect access at all – but until we know otherwise I would raise it as a risk of that magnitude.
Best practice for managing Indirect Access Risk:
- As above, communicate in financial terms to drive the issue home
- Work to continually educate your organization about the risks
- Create checkpoints in the build process (How will interfaces to SAP work? Is there need for new or alternative licensing? Is the proposed technical design in keeping with our approach? / SAP contract?). Checkpoints don’t need to be a hindrance – as any experienced ITAM professional will know it can really add value to work early and collaborate with development teams.
- Agile Adults – Modern ways of deployment and building IT these days do not escape SAP license fines. Yes you might be agile, you might embrace DevOps and be pumping out incremental builds every five minutes – but governance is governance, SAP multi-million fines don’t care if you are agile – everyone needs to be grown up about license risk. There is no magic solution to this – work early, collaborate when projects are in scoping phase, and educate often.
- How are users actually accessing SAP indirectly? Is it only one user? But that one user happens to be the administrator account with a SQL Server with 500 users (£4.5M Named User Risk)? Has this access by proxy been validated? Is access real time? Bi-directional? One-way, synchronous, asynchronous, batch, triggered by a user, triggered by a technical user? All of these elements have potential financial impact.
- Have a structured approach to deal with demand from the line-of-business to implementing the new solution.
- Get a view of upcoming projects in the pipeline – This might sit with Enterprise Architecture, your Project Office, wherever it is – get visibility. In practice this means listening in on calls, sitting in on meetings or getting added to distribution lists which give you visibility of what is being built in the future. When negotiating with these teams to get involved – your goal is to help them de-risk their projects and support them with commercial and financial detail.
- Create internal rules and tools for interfacing with SAP to reduce risk and re-work for new interfaces
- When buying new third party applications – demand an in-depth description of the interface to SAP before buying. Validate them against your position.
- Changing existing systems: demand an in-depth description of interfaces to SAP before starting the project. Validate them against your position.
- Finally, don’t be afraid to get help to validate your approach. A few ten’s of thousands on an experienced contractor to check your work versus the gazillions you spend with SAP. A few SAP specialists can be found here. Please add any more you might know to the forum post.
Opting Out of Indirect Access Risk
When you have the salespersons attention, leverage the sales opportunity to opt-out of indirect access risk – “If we buy this new system from you I want it in writing you won’t come after us later for indirect access” or negotiate out indirect access entirely unless it can be defined in the contract in the context of your environment and infrastructure (Not easy, but possible).
Step 4 – License Optimisation
Our main cost optimisation opportunity with a SAP user based model is removing redundancy and right sizing user accounts.
When seeking investment and resources in SAP cost optimisation our primary opportunities are 1) Saving money removing unused accounts 2) Right sizing accounts to the right type and 3) Avoiding nasty surprises and the debilitating effect of audit defence cycles and penalties.
- A related video: the rising importance of user management https://marketplace.itassetmanagement.net/2016/09/08/user-management-rising-importance/
- A similar principle for SAP as with Office365, note the user profiling and optimisation process – https://marketplace.itassetmanagement.net/2017/07/10/office-365-optimisation/
Good SAM tools with SAP License Management components should be able to mostly automate this in a “Set it and forget it” fashion. Disabling dormant accounts and automatically changing user type based on consumption.
Webinar – 27th July
The article is designed to accompany our webinar on the 27th July – Webinar: Eradicate SAP Indirect Access Anxiety: 4 Practical Steps. If you can’t attend on the 27th or are reading this after broadcast – simply register and we’ll provide you the recording when it’s available.
Webinar: Eradicate SAP Indirect Access Anxiety: 4 Practical Steps
- Limiting Financial Exposure – How to identify users, usage, shortfalls and opportunities for optimisation
- A Methodology for how to mitigate the risk of SAP Indirect Access with new projects, systems and deployments
- SAP SAPPHIRE NOW announcements, what they mean for you.
Register here: https://marketplace.itassetmanagement.net/event/webinar-eradicate-sap-indirect-access-anxiety-4-practical-steps/
Thanks again to the three ITAM Review readers who help me put this together. ~ Martin
Related articles:
- Tags: 1_SAP_MR · Best Practice · ITAM · SAP · SAP Indirect Access · SAP license management · User Management
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.