The Danger in Underestimating SAP Indirect Access
Introduction
Indirect access tends to only be known companies that have not been subject to an indirect access claim when a major indirect access (IA) public event occurs, such as a court case documents being filed. Good examples of this are Diageo and InBev. However, what is the prevalence of indirect access?
In this article, we will discuss information that has been coming in from the field. But first, we will begin with what SAP would like their customers to believe about the prevalence of indirect access.
What SAP and SAP Consulting Partners Would Like Customers to Believe
Generally, both SAP and the SAP consulting partners would prefer that their customers do not know anything about indirect access. It is amusing to see IBM, Deloitte or Accenture comment on how to manage indirect access, a consulting company that has a partner relationship with SAP may be able to run a SAM software project, but none can represent their client's interests against SAP. Consulting companies to compete to see how to ingratiate themselves to SAP, they don't dare risk offending them. As an example of a recent pursuit which the client was not told about indirect access and had to find out about it from a competing vendor. The customer asked the consulting company why they had not informed them of the indirect access liability.
How much does SAP want customers and prospects to lower their guard?
At SAPPHIRE SAP produced an announcement that was intended to assuage their customer's concerns about indirect access.
I analyzed this announcement in the article How to Best Understand SAP's Faux Policy Change on Indirect Access and concluded that it was really no change in policy aside from more specific charging of customers when SAP brings and indirect access claim. DSAG, which is the German SAP user group, and UpperEdge, were two of the only other media entities willing to call out SAP when they are wrong on indirect access, came to the same conclusion that I did on the announcement.
Since that article, I have learned that SAP will not even publish what it intends to charge per purchase order or sales order for indirect access, which was a major part of the announcement. Instead, SAP has stated that customers would be charged "on a case by case basis." Of course, they will be. This increases the secrecy of the cost of indirect access. The announcement made it seem like SAP is opening up, but then when asked questions, SAP goes back into secrecy mode.
Listening to ASUG on the Frequency of Indirect Access?
ASUG, which is supposed to be a user group, but is actually a marketing arm of SAP, has been telling members that indirect access is rare and that it is merely the high-profile cases (such as Diageo and InBev) that push it to the forefront. This is covered in more detail in the article Is ASUG Lying About the Frequency of SAP Indirect Access?
As ASUG is really just SAP in "sheep's clothing" what we can take from ASUG's stance, is that this is in fact what SAP wants customers to think about IA. I have never been in an SAP-ASUG meeting, but by the looks of it, they get together and SAP basically tells ASUG exactly what messages they want to relay, and ASUG relays those messages no questions asked.
All of this is curious, because ASUG members pay membership fees, and fly to ASUG conferences to be told information that is inaccurate, is 100% beneficial to SAP and to the customer's disadvantage and is what SAP wants them to believe. ASUG cannot both represent the interests of SAP and of their members.
- As I stated in the "Faux Policy Change Article," SAP's overall intent is to get its customers to lower their guard.
- The less that their customers are prepared, the more SAP is able to use indirect access as a hammer against them.
- Time is of the essence. SAP uses restricted timelines to get customers to acquiesce to their demands. The less preparatory work they have done before SAP drops an indirect access claim upon them, the more likely they will end up doing what SAP wants, and this is covered in the article The Time Issue Faced with Indirect Access.
The Reality of Indirect Access Frequency
SAP has been quite effective with indirect access to drive license revenues, so they don't have a very good reason to stop doing it. They are catching customers off guard and there is a very poor defense normally available to customers. And vendors that are affected by indirect access are uncoordinated. Essentially the issue is dealt with by individual account teams, that are in most cases not coordinated even within a single software vendor with respect to indirect access.
There are several other reasons for the success SAP is having against customers in indirect access.
- Source Issues and Finding Unbiased Representation: Many of the sources relied upon for information on indirect access have already aligned with or are in some way remotely controlled by SAP. This is covered in the article Taking a Multidimensional Approach to Indirect Access.
- Confusion with the Roll of Attorneys: Few attorneys know anything about indirect access. Unless the issue is going to court, and this is unlikely and unknown by anyone early in the process, unless the attorney already has a strong familiarity with indirect access, hiring an attorney is not going to help very much. There are several steps that do help. And keeping good notes is important whether an attorney is eventually contacted or whether they are not engaged. Secondly, bringing up attorneys that are unfamiliar with the topic is a lengthy process. If an indirect access claim is brought, time is of the essence in getting control over the situation.
- The Lack of SAM Software: Surprising as it may seem, most SAP customers still don't use SAM software. So when SAP drops an indirect access claim on them, they aren't even in a position to know what their overall license usage is or to know their specific indirect access exposure. SAM covers all usage measurement, indirect access being just one. Customers really don't want to not have SAM software installed and then have to deal with both going through a SAM project, negotiating with the SAM vendor, then learning how SAM software reports look, all with SAP and an indirect access claim and their short timelines for response putting extra pressure on the company. SAM software and projects are measured in the hundreds of thousands and are good for more than just indirect access. Indirect access claims are measured in the millions, and sometimes tens of millions.
Indirect Access Frequency
The information I am getting from the field is that indirect access is actually increasing.
I have been tracking indirect access for around a year and a half. This is the point when vendors first started communicating to me that SAP would bring up the topic of indirect access charges as soon as it looked like the other vendor was about to get a contract from SAP.
And what is also interesting is that the indirect access issues brought up to me have been all over the spectrum of the different software categories. Although CRM does seem to be one of SAP's favorite areas to bring indirect access claims. SAP seems to have an anger management issue when losing to Salesforce.
However, the outcome of these indirect access claims is normally the same. The customer is forced to purchase software from SAP it never wanted to purchase. When SAP reports sales to Wall Street it implies that 100% of them are voluntary. However, with SAP's use of indirect access, and increasing percentage are sales motivated by indirect access claims.
The Size of Indirect Access Claims
The size of indirect access claims is also increasing. I am now learning of tens of millions of dollars in indirect access claims. I have individual case studies, but I do not want to publish the specific multiple of tens of millions. SAP benefits if these case studies are kept as secret as possible.
The size of these claims is changing behavior and is allowing SAP to win license sales that they had lost prior to bringing the claim.
I am working on research into indirect access which I will publish, and the announcement is described in this article. Vendors and customers that are impacted by indirect access have to share their story. The more that it is kept secret, the more SAP wins. If vendors fear reprisal by SAP, that is what anonymous sourcing is all about. I have yet to expose any source that I kept anonymously.
Conclusion
SAP is ramping up, not ramping down its indirect access claims against its customers, and the claim sizes are growing. One should not be lulled into a false sense of security by Bill McDermott's happy face at SAPPHIRE on this topic. As I said previously, Bill McDermott was specifically chosen by Hasso Plattner, because he had a "happy face." But McDermott's pleasant demeanor is stark contrast to the hard edge I witness in SAP's use of indirect access for many SAP customers.
SAP customers are receiving a large amount of inaccurate information from sources ranging from ASUG to Deloitte, to Diginomica and this is because so many entities in IT are in some way dependent upon SAP for their revenues. The money is very clearly on the side of agreeing with SAP. I was told by one reader recently to switch sides and to begin writing in favor of SAP, as the pay is much better.
Companies that are dependent on SAP for their revenues cannot be expected to write objectively or to provide objective advice about SAP. Other entities like JNC Consulting do not even seem to question (in their articles) whether the Type 2 indirect access employed by SAP is actually valid or its historical context.
All of this combined with the timelines imposed by SAP on indirect access claims means that the deck is firmly stacked in their favor. And one of the ways of keeping it this way is to under-report and de-emphasize what is really a widespread usage of indirect access.
About Shaun
Shaun Snapp is the author of many books on technology and SAP. He is the Managing Editor of Brightwork Research & Analysis. Brightwork is a website focused on publishing storylines that do not have a way of getting out through the traditional mediums in enterprise software.
See Shaun's LinkedIn profile here. Think about connecting with him, as he likes to connect to his readers. His other LinkedIn articles are here. Follow him here.
FOSSH-voorvechter | Organisaties digitaal versterken | Duurzaamheidsgerichte IT-leider | Strategisch adviseur voor bedrijfstransformatie | Doelgericht leiderschap | Innovator in regeneratieve systemen
7 年Additional Advise on how to minimize SAP Indirect Access (IA) risks... With the usage of SAM Tools alone you are not able to measure all the usage of the complete SAP environment from a given organization. There are no SAM Tools with which you will be able to measure the usage of Hybris, BusinessObjects and Sybase at this moment, but we do that with our own scripts and knowledge. So, companies should search for the consultants/companies who are able to analyse, for example Sybase, Hybris and Business Objects usage. That's an important point to mention. Second one is, that IA is caused mostly by applications being used by employees from companies who are not aware of the specific clauses with regards to IA within the SAP master agreement which put their company at risk. So, one needs to understand these clauses in the MSA and activate the prevention(s) of IA and take these into the company processes and governance together with the implementation of a sound SAM program. Also the right SAP expert should analyse the applications being used and bring down the total number to a top 5 or 10, which should be considered representing the biggest IA percentage of the total risk. This being said, SAP users should consider their SAP roadmap for the coming 5-10 years seriously, including the percentage of added value what SAP products outside ERP may or may not bring for their company. My personal opinion is that SAP will probably push their clients to SAP HANA and eventually to S/4HANA which is a huge transformation (a few years work) for most of the SAP using organizations. In order to prepare oneself for a SAP IA claim which will certainly come within the coming years, companies could start to pro-actively implement a ITAM/Software Asset Management program including selecting experts to conduct a high level SAP IA assessment to start with or immediately order a High Risk SAP IA Risk Assessment from us.
Taking a break from Linkedin; but I'm an ERP observer, blogger and author. Please contact me if you think that I might have knowledge that is useful to you.
7 年I wonder when dropping data out of SAP into spreadsheets will be included in the IA definition?
Retired
7 年Really good article pulling together a lot of threads when read together with the others you have written. The thing I am stressing with our SAP customers is that they must understand exactly what their IA exposure is by reviewing all the touchpoints into/out of SAP to see if they class as indirect access; whether the users are already covered by licenses anyway; or if these can be mitigated somehow. Livingstone is totally independent from SAP (unlike other consultancies you mention) and have no relationship with them so we are always working with the customer either on a managed service basis to help them get control of their estate or tactical pieces of work such as audit defence. If I had any tips for SAP customers they would be that they should regularly review their SAP systems to ensure they are right sized for their usage and aren't over buying licenses or are under licensed (getting external help from truly independent consultancies or their SAM software partner if needed) and that they carry out a detailed review of their architecture to ensure that they know EXACTLY where indirect access may be taking place. Where IA is taking place they need to understand how many people are involved, what precisely they are doing and if there is any way to mitigate this via straightforward design changes. SAP like to drop the IA bombshell and give only a short time for the customer to pay up, but by understanding their SAP architecture the customer is ahead of the game and can immediately set about rebutting SAPs claims - or if they wish they can proactively set about considered purchases to address their position.
FOSSH-voorvechter | Organisaties digitaal versterken | Duurzaamheidsgerichte IT-leider | Strategisch adviseur voor bedrijfstransformatie | Doelgericht leiderschap | Innovator in regeneratieve systemen
7 年Great Article Shaun! Concerning your conclusion I would like to ask you what the next steps could be for organizations with a huge part of their critical systems relying on SAP? I mean what steps should they consider to avoid or at least minimize the indirect usage risks?
We help secure and manage the world's data, and help organisations unlock limitless value with data insights.
7 年Shaun, I enjoy reading these articles, it's clearly an emotional subject for a lot of companies and I think you handle what is a contentious issue delicately. In your conclusion, you get to a point where you feel you have a handle on where you feel the issues are. My question to you is what would you want SAP, their partners and even competitors like Oracle (disclaimer, I'm an employee of Oracle!) do differently? Quite often these ecosystems are very closely intertwined and that often stems from customer choice...