In this expert blog, David Morrison, SAP Consultant at Snow Software discusses the SAP license audit process.
SAP customers must submit to an annual license audit to identify usage exceeding contractual limits. System measurement is an arduous process performed by the customer pulling resources away from other value-adding work for weeks or months. This article describes that process focusing on named user licensing and offers a simpler solution.
Given the importance of performing annual license measurement it’s unfortunate that, typically, no guidance is provided during system implementations even when SAP professional services are utilized. This unplanned task is usually delegated to a security or basis administrator after the company receives their first license audit notification with a due date four weeks out. The first year’s audit response is likely a rush job reviewing the 57-page SAP Measurement Guide and trying to get something acceptable back to SAP before the deadline.
Unless the new license administrator is given time to review and install a better long-term solution whatever was put in place will most likely persist until the first in-depth audit identifies costly compliance gaps. With the first year’s license audit emergency put behind them, it’s likely the new license administrator will return to their regular job without putting measures in place to improve the audit process.
The most important steps in preparing for the annual license audit (LAW submission) are understanding which contractual user types (“license types”) are provided in the contract, restrictions on their use, and available methods for classifying user accounts with the appropriate license type. Audit findings arise when users are found to be operating SAP systems in ways that exceed their assigned license type use restrictions or when quantity limits are exceeded. SAP provides three primary methods for user license type classification which are explained in detail below: default, role inheritance, and manual.
The simplest method is accepting SAP’s default license classification of Professional. Since this is one of the most expensive operational licenses available it should only be assigned to users whose system use requires it. It is a costly method for allocating licenses to most users when lower cost license types are available.
Role inheritance can provide reasonable license allocations in smaller organizations with moderate effort, assuming good access management practices are followed. Here, license types are assigned to security roles rather than users directly. When system measurement is run, it allocates the highest cost license associated with security roles assigned to the user. The following effort is required to effectively utilize this method:
- Initial role classification – Security roles and authorizations must be evaluated relative to the available license types and use restrictions then classified accordingly. When security role authorizations span license types, the higher one should be assigned, but doing so will allocate a higher cost license than required to users accessing only the more basic functionality. If security roles are not well designed (e.g. display vs. maintain) then evaluating their authorizations to determine appropriate license classification can be very time consuming.
- Role development reviews – Security roles are routinely created and modified so processes must be followed to ensure role additions and changes are reviewed for proper license classification.
- Periodic access reviews – Periodic user access reviews must be performed to identify and revoke unused role assignments, otherwise this method will often allocate a higher cost license than required due to unused role assignments.
Manually assigning licenses to users directly based on their current system use is the most time-consuming method. However, it can result in allocating the lowest cost license appropriate for the user. Transaction usage statistics are available in CCMS or GRC, but evaluating this data efficiently is the challenge. Microsoft Access and Excel are commonly employed tools to systematically evaluate large amounts of data for making usage-based license determinations. Unless these solutions are well designed, documented, and maintained, they can create a dependency on their creator, putting organizations at risk if this critical process can only be run by one person. Despite the use of custom analysis solutions this is still a manual process requiring report generation, export, data cleansing, data load, and mass manual license assignment changes.
It’s unnecessary for a company to adopt only one of the above methods as all three can be used in combination even on the same system. Manual assignments win if used, otherwise role inheritance and lastly default if neither manual nor role inheritance methods are used for a user.
Let’s recap the classification effort and license cost result of the methods provided by SAP:
After your license administrator employs one or more of the methods above to classify users on your production ECC system the same must be done for all production and development ABAP systems (“license-relevant systems”) outlined in the Measurement Plan provided by SAP as part of the audit notification. Different methods can be used on different systems but ultimately all valid users on measured systems require a license assignment even if it’s the default Professional.
Terminated and inactive user accounts should be expired to avoid consuming licenses unnecessarily. This step can be done before allocating licenses to avoid spending time assigning licenses to user accounts that will only be expired anyway. Many companies have policies requiring the deactivation of inactive accounts but in practice few enforce it. There may be reasons for allowing inactive accounts to persist but this is often an area where substantial license reharvesting can occur. Identifying terminated users requires reconciliation of user accounts with HR records while identifying inactive accounts requires evaluation of the user last logon data. As with user license classification this step should be done for all license-relevant systems since all it takes is one account on one system to consume a license.
The steps above may seem sequential but in practice they’re often iterative where the license administrator can see additional work required after each round of cleanup. This is especially true where automation tools or process for terminated and inactive user expiry are lacking or when license evaluation is only done annually for the license audit rather than effective license position reporting throughout the year. Since the measurement process can run for several weeks or more, it’s likely that new accounts are added during that timeframe requiring a change from the default license type.
With user accounts cleaned up and properly classified it’s time to run the System Measurement program (USMM) in all license-relevant systems. This program checks engine metrics (e.g. number of active personnel records) to evaluate module license compliance (e.g. Payroll) and applies the user license type based on the methods above. Once measurement completes the results can be exported to a file for subsequent import to the License Administration Workbench (“LAW”) for consolidation or transmitted to LAW via an RFC connection.
As outlined above the effort to respond to audit requests is significant. What if there was a better way?
The automated solution
Imagine using an ABAP-based system designed specifically to automate the above. This is precisely what Snow Optimizer for SAP ® Software does. During implementation, named user contractual definitions and restrictions are evaluated and rules are custom built to evaluate user attributes, select HR data, authorizations, and usage data to recommend assigning the appropriate license or expiring terminated/ inactive users.
These rules can be scheduled to run monthly with recommendations applied automatically in all license-relevant systems. System measurement can also be scheduled to run automatically in all systems with landscape results transferred to LAW by the single push of a button.
What once took weeks of manual effort now runs on a schedule. Since licenses are allocated based on usage the optimal license will always be assigned. Instead of SAP finding deficits during an audit you can identify them proactively and negotiate more favorable purchase terms on your schedule. Rather than waiting until the audit for your effective license position it’s available monthly or notifications can be triggered when thresholds are met.
Compared to the SAP-provided methods here’s where this method fits:
Isn’t that how technology is supposed to work?
Download FOUR STEPS TO REDUCE SAP® INDIRECT ACCESS RISK, an essential guide for SAP best practice to ensure you get full visibility of your SAP estate.