A comprehensive self-assessment framework to uncover undisclosed licensing exposure across named users, indirect access, and engines. The 30-point compliance checklist identifies gaps, quantifies risk, and positions you for negotiation — not panic — when SAP audits arrive.
Most SAP licence disputes are not initiated by customers. They are initiated by SAP, through a formal audit notice. The moment you receive that notice, you have lost strategic control of the conversation. SAP has already defined the scope of the audit, identified what they plan to measure, and prepared a commercial strategy to convert findings into settlement demands. Your only options at that point are reactive: defend, remediate, or negotiate from weakness.
Self-assessment — a disciplined, comprehensive review of your own SAP usage against the licence terms you have committed to — inverts this power dynamic. By identifying exposure yourself, you control the narrative, the timing, and the remediation strategy. You can then use that intelligence in your next SAP renewal negotiation to either:
SAP's own data indicates that 60–70% of enterprise customers are under-licensed — most are unaware of it. This guide provides a structured framework to identify whether you are in that cohort, how significant the exposure is, and what to do about it.
SAP's measurement of on-premise and ABAP-based systems rests on two tools: USMM and LAW (the License Administration Workbench, reached through transaction SLAW, or SLAW2 for LAW 2.0). Understanding them is essential because SAP will ask you to run them in any audit, and you should be running them in your self-assessment.
USMM (transaction USMM, the System Measurement tool) is built into every ABAP-based SAP system, so it is available in ECC and in on-premise S/4HANA. It is not a login logger: it reads the user master records (user type, the contractual licence classification maintained on the user, validity period, last logon date) and the counters for licensed engines, and produces the measurement result that is submitted to SAP. SaaS products such as SuccessFactors have no USMM; SAP meters them on the service side. You run USMM yourself, normally at SAP's request during an audit, and its result is treated as authoritative because it is generated by the system from data that cannot easily be reinterpreted after the fact.
A USMM user list gives you, per system: every user master record, its user type (Dialog, System, Communication, Service, Reference), the licence classification assigned to it, its validity dates and its last logon date. From the last logon date you derive the activity cohorts used below. USMM does not record how often a user logged on, from where, or which modules they touched; that information has to come from other sources.
LAW (License Administration Workbench, transaction SLAW or SLAW2) is the second tool, not a commercial database. It imports the USMM results from every system in the landscape, combines user records that belong to the same person (on criteria such as identical user name or e-mail address) so that one individual is counted once across systems, and produces the consolidated measurement that is sent to SAP. Your contractual entitlements are not stored in USMM or LAW; they live in your contract and order forms, and in any audit SAP compares the consolidated measurement against those entitlements to identify gaps.
Running USMM and LAW yourself, on the same systems and with the same combination settings SAP would use, gives you parity with the audit. You see the numbers SAP will see, understand what will be measured, and can correct classification and combination errors with facts rather than assumptions before they become findings. This eliminates surprises and strengthens your negotiating position.
Named user licensing is the foundation of SAP's commercial model. A named user is an individual authorised to use the licensed software, directly or indirectly, and is licensed once regardless of how many systems they use; the licence type assigned to them depends on what they actually do in the software, not on which module they were set up in. SAP measures named users through USMM, consolidates them in LAW, and compares the result against what your contract entitles you to.
The most common source of under-licensing is undercounting active named users. Organisations often believe they have fewer active users than they actually do because they do not regularly audit user accounts, permissions, and access patterns.
Run USMM on each ABAP system and export the user list. From the last logon dates derive the following cohorts: total user master records, dialog users who logged on at least once in the past 12 months, those who logged on in the last 6 months, those who logged on in the last 3 months, and those who have never logged on. Each cohort may have different licensing implications depending on your agreement terms.
Pay particular attention to "dormant" accounts — registered accounts that have not logged in for 6–12 months. Some SAP agreements provide a grace period for dormant accounts before they must be licensed as active named users. Other agreements require all registered accounts to be licensed regardless of login activity. Your agreement language is critical here.
Duplicate user accounts, multiple user IDs for the same person, are common in landscapes with several systems (ECC, S/4HANA, plus cloud products such as SuccessFactors, Concur and Ariba that are measured separately). A named user licence covers the individual, not the account, so the problem is not that one person needs a licence per system: it is that the same person is counted several times when LAW cannot recognise the accounts as one individual, or when two IDs in the same system both carry a licence classification. Unconsolidated duplicates inflate your measured count, and a spare ID classified as a different licence type can turn a counting error into a finding.
Extract user name, full name and e-mail address from each system's USMM user list and cross-reference them to find accounts that belong to the same individual, across systems and across user name formats. Then confirm that LAW combines them, or lock and reclassify the redundant IDs.
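As an added example (not code from this article or from SAP), the following Python script derives the activity cohorts, lists dormant IDs and finds one person holding several accounts from a USMM-style user list. The rows, system names, dates and column layout are constructed for the example; a real export carries more columns, but the user type and last logon date the script relies on are standard USMM fields.

```python
"""Named-user cohorts, dormant IDs and one-person-many-accounts detection over a
constructed USMM-style user list (added example; not SAP code, not the page's)."""
from collections import defaultdict
from datetime import date

# Measurement date for the cohort windows (constructed).
AS_OF = date(2024, 6, 30)

# Constructed sample rows, one per user master record per system. Fields mimic a
# USMM user list export: system ID, user name, full name, e-mail, SU01 user type
# ("A" dialog, "B" system, "C" communication, "S" service) and last logon date.
USERS = [
    {"system": "ECC", "user": "JSMITH",   "name": "John Smith",    "email": "John.Smith@example.com",   "type": "A", "last_logon": "2024-05-20"},
    {"system": "S4H", "user": "SMITHJ",   "name": "John Smith",    "email": "john.smith@example.com",   "type": "A", "last_logon": "2024-06-01"},
    {"system": "ECC", "user": "JSMITH2",  "name": "John Smith",    "email": "john.smith@example.com",   "type": "A", "last_logon": "2023-02-10"},
    {"system": "ECC", "user": "AMUELLER", "name": "Anna Müller",   "email": "anna.mueller@example.com", "type": "A", "last_logon": "2024-01-15"},
    {"system": "S4H", "user": "RFC_CRM",  "name": "CRM interface", "email": "",                         "type": "B", "last_logon": "2024-06-02"},
    {"system": "ECC", "user": "TOLD",     "name": "Tom Old",       "email": "tom.old@example.com",      "type": "A", "last_logon": None},
]


def dialog_users(records):
    """Only dialog (type A) accounts are named user candidates in this example."""
    return [r for r in records if r["type"] == "A"]


def days_since_logon(rec, as_of):
    """Days since last logon, or None if the account has never logged on."""
    if not rec["last_logon"]:
        return None
    return (as_of - date.fromisoformat(rec["last_logon"])).days


def activity_cohorts(records, as_of, windows=(90, 180, 365)):
    """Count dialog users whose last logon lies within each window, plus never-logged-on."""
    counts = {w: 0 for w in windows}
    counts["never"] = 0
    for r in dialog_users(records):
        d = days_since_logon(r, as_of)
        if d is None:
            counts["never"] += 1
            continue
        for w in windows:
            if d <= w:
                counts[w] += 1
    return counts


def dormant_accounts(records, as_of, threshold_days=180):
    """Dialog accounts with no logon inside the threshold (or never), as SYSTEM/USER."""
    out = []
    for r in dialog_users(records):
        d = days_since_logon(r, as_of)
        if d is None or d > threshold_days:
            out.append(f'{r["system"]}/{r["user"]}')
    return sorted(out)


def identity_key(rec):
    """Normalised e-mail is the primary match key; fall back to normalised full name."""
    email = rec["email"].strip().lower()
    if email:
        return ("email", email)
    return ("name", " ".join(rec["name"].lower().split()))


def duplicate_persons(records):
    """Persons holding more than one dialog account; flags same-system duplicates."""
    by_person = defaultdict(list)
    for r in dialog_users(records):
        by_person[identity_key(r)].append(r)
    result = {}
    for (_, ident), recs in by_person.items():
        if len(recs) < 2:
            continue
        systems = [r["system"] for r in recs]
        result[ident] = {
            "accounts": sorted(f'{r["system"]}/{r["user"]}' for r in recs),
            "same_system": len(systems) != len(set(systems)),
        }
    return result


def distinct_persons(records):
    """What a correctly combined LAW measurement should count: people, not IDs."""
    return len({identity_key(r) for r in dialog_users(records)})


if __name__ == "__main__":
    print("cohorts:", activity_cohorts(USERS, AS_OF))
    print("dormant:", dormant_accounts(USERS, AS_OF))
    print("duplicates:", duplicate_persons(USERS))
    print("dialog IDs:", len(dialog_users(USERS)), "distinct persons:", distinct_persons(USERS))
```

On the sample data the landscape has five dialog IDs but three people, which is the difference between an unconsolidated count and what LAW should report once the three John Smith accounts are combined. The e-mail match is deliberately case-insensitive; in practice you will also want to handle personnel numbers or HR identifiers where the user master carries them.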
SAP distinguishes the humans who need named user licences from technical accounts (SU01 user types System, Communication and Service) used for integrations, batch processing and automation. Technical accounts are not counted as named users, but the documents they create on behalf of a non-SAP system fall under Digital Access (see the indirect access section). The classification problem runs the other way: some organisations set human-operated accounts, or shared service accounts, to a technical user type to keep them out of the named user count.
Review the purpose of every account carrying a technical user type. If people regularly log on with it, even for integration testing or configuration, it is a named user and must be classified and licensed accordingly.
Shared accounts — where multiple people log in under the same user ID — are typically not permitted under SAP licence terms, except in specific, contractually agreed scenarios (e.g., supervisor accounts in SuccessFactors). However, shared accounts are common in practice, particularly in operational roles (warehouse staff, field service, manufacturing floor).
USMM does not record where or how often a user logged on, so shared IDs have to be found elsewhere. The Security Audit Log (transaction SM20, or RSAU_READ_LOG on newer releases) records logon events with the terminal, and the workload statistics in ST03N show per-user activity volume. A single user ID with logons from many terminals in quick succession, overlapping sessions, or a transaction volume no one person could generate is a shared account. Expect an auditor to estimate the headcount behind such an ID conservatively, for example one person per distinct terminal, which can raise your measured obligation well above the number of IDs.
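As an added example (constructed data, not SAP's methodology or the article's code), this Python script applies the shared-ID heuristic to logon events of the kind the Security Audit Log records: timestamp, user ID and terminal. It flags IDs that switch between terminals faster than one person could move, and gives the one-person-per-terminal worst case an auditor might assume. The events, thresholds and field layout are assumptions for the example.

```python
"""Shared-account triage over constructed Security Audit Log style logon events
(added example; constructed data, not SAP's own logic or the page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user ID, terminal as recorded in the audit log).
# WH_SCAN01 is a warehouse ID used from three scanners within minutes; AMUELLER
# is one person on a desktop and, the next day, a laptop; RFC_CRM is technical.
EVENTS = [
    ("2024-06-03 06:02", "WH_SCAN01", "10.20.1.11"),
    ("2024-06-03 06:05", "WH_SCAN01", "10.20.1.12"),
    ("2024-06-03 06:07", "WH_SCAN01", "10.20.1.13"),
    ("2024-06-03 14:01", "WH_SCAN01", "10.20.1.11"),
    ("2024-06-03 08:30", "AMUELLER",  "10.10.5.40"),
    ("2024-06-03 13:15", "AMUELLER",  "10.10.5.40"),
    ("2024-06-04 09:00", "AMUELLER",  "10.10.7.22"),
    ("2024-06-03 09:00", "RFC_CRM",   "10.30.0.5"),
]


def parse_events(events):
    """Group logon events by user and sort each user's events by time."""
    by_user = defaultdict(list)
    for ts, user, terminal in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), terminal))
    for evs in by_user.values():
        evs.sort()
    return by_user


def shared_account_candidates(events, window_minutes=30, min_terminals=2):
    """Per user: distinct terminals, rapid terminal switches, and a triage flag.

    A rapid switch is a logon from a different terminal within window_minutes of
    the previous logon. One person rarely does that; a shared ID does it all shift.
    """
    window = timedelta(minutes=window_minutes)
    report = {}
    for user, evs in parse_events(events).items():
        terminals = {term for _, term in evs}
        switches = 0
        for (t0, term0), (t1, term1) in zip(evs, evs[1:]):
            if term0 != term1 and (t1 - t0) <= window:
                switches += 1
        report[user] = {
            "terminals": len(terminals),
            "rapid_switches": switches,
            "flag": len(terminals) >= min_terminals and switches > 0,
        }
    return report


def flagged_users(events, **kwargs):
    """User IDs the heuristic wants a human to look at, sorted for stable output."""
    report = shared_account_candidates(events, **kwargs)
    return sorted(user for user, r in report.items() if r["flag"])


def conservative_headcount(events, user):
    """Worst-case estimate an auditor might apply to a shared ID: one person per terminal."""
    return shared_account_candidates(events)[user]["terminals"]


if __name__ == "__main__":
    for user, r in shared_account_candidates(EVENTS).items():
        print(user, r)
    print("flagged:", flagged_users(EVENTS))
```

Treat the output as triage, not proof. NAT, Citrix or other terminal-server front ends collapse many people onto one recorded terminal, and VPN address pools can make one person look like several, so validate each flagged ID with its owner and the Security Audit Log detail before reclassifying or buying licences. The desktop-plus-laptop pattern for AMUELLER is left unflagged on purpose: two terminals a day apart is normal for one person.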
Indirect access is the highest-risk compliance category. It is use of SAP software through a non-SAP front end or intermediary: third-party applications, APIs, integrations, automation, and SAP functionality embedded in customer-facing or partner-facing systems. The person at the far end never logs on to SAP, but under the licence terms that use still has to be covered, either by a named user licence for the person or, under the Digital Access model, by the documents the use creates.
SAP's Digital Access model, introduced in 2018 and now the standard way SAP measures indirect access, does not count people at all: it counts the documents (sales, purchase, invoice, financial and material documents among others) that indirect access creates in the SAP system. Reading data through an integration is not charged under Digital Access. The model therefore shifts the exposure rather than simply expanding it: a portal with thousands of users who only read stock levels may carry little, while one integration that posts orders all day can create a very large document count. Whether you are measured on documents or on the older named user basis depends on your contract, so check which applies before estimating.
Identify all third-party applications and systems that connect to your SAP instance to read, create, or modify data. This includes: ERP integrations (financial consolidation, HCM extensions, procurement), business intelligence tools (Tableau, Power BI, Qlik), ecommerce platforms, customer portals, supplier portals, analytics dashboards, and automation platforms (RPA bots, low-code platforms).
For each integration, document the data direction (read-only vs read-write), frequency (continuous vs scheduled), and user footprint on the third-party side (how many end users interact with SAP data through this channel).
If you have custom APIs or microservices that expose SAP data or functions to internal or external users, that use is indirect access even though those users never log on to SAP. Depending on your contract it is covered either by named user licences for the people behind the API or by Digital Access document counts for what the API creates.
Audit all custom APIs and integrations for their user footprint and data sensitivity. An API that only reads (financial reports, inventory, master data) creates no documents and typically carries a lower licensing implication than one that posts transactions (creates purchase orders, posts journal entries, hires employees); under Digital Access it is the created documents that are counted.
Robotic process automation (RPA) bots that interact with SAP, submitting transactions, reading reports or triggering processes, create exposure in two ways. Under Digital Access, the documents a bot creates count like any other indirectly created document. Separately, SAP's position is increasingly that a bot acting for people who hold no named user licence should itself be licensed as a user; that point remains contentious and turns on your contract wording.
Document all RPA implementations that touch your SAP instance, including bot volume, transaction types, and data classifications. High-volume, high-frequency bot interactions are higher risk than low-volume, scheduled processes.
If you have embedded SAP capabilities in external-facing systems (customer self-service portals, supplier portals, partner dashboards), every external user who interacts with embedded SAP functionality may require licensing. This is a particularly high-risk compliance area because the user volume can be very large and external users are often not accounted for in traditional SAP licensing models.
Beyond named users, SAP licenses specific modules, components, and engines on a subscription or perpetual basis. Engine and package licences cover: SAP HANA (database), SAP Analytics Cloud, SAP Advanced Procurement, SAP Revenue Cloud, SAP SuccessFactors Modules (Recruiting, Performance, Development, Compensation), and numerous specialised packages.
Under-licensing in this category typically occurs when organisations deploy modules they have not contracted to purchase, or when they upgrade module editions without updating their licence subscriptions.
For each functional module in your ECC or S/4HANA instance, verify that you have a current licence for that module. Common gaps include: Analytics modules (BW, Embedded Analytics) deployed but not licensed; advanced features (Travel Management, Project Accounting, Funds Management) configured but not contracted; and SuccessFactors modules deployed without named user entitlements for each module.
If you are on RISE with SAP, your licence entitlements are bundled into the RISE subscription. The agreement still specifies exactly which modules, functionality and user counts are included, and many organisations deploy beyond that scope without realising they have incurred additional obligations.
Review your RISE agreement for module inclusions, user count limits, and any carve-outs or exclusions. Then compare that scope with what is actually deployed and measured: USMM and LAW for the ABAP systems, plus the usage reporting for any cloud services in the bundle. Named users, modules or functionality beyond the RISE scope are likely to be out of compliance and will be flagged early in any audit.
Many organisations license SAP through partners (resellers, system integrators or cloud providers) rather than directly from SAP. Licensing through a partner does not transfer the compliance obligation: it normally remains yours, even though the partner may be the one SAP approaches first. SAP increasingly audits partner accounts, and findings from those audits often cascade back to the end customer.
If you use SAP solutions through a partner or cloud provider (hosted SAP, SAP-as-a-Service), verify that your compliance obligations are correctly documented in your arrangement with that partner, and that the partner has adequate compliance mechanisms in place.
The following areas carry the highest compliance risk and are most likely to be flagged in an SAP audit:
| Risk Area | Common Issue | Risk Level |
|---|---|---|
| Indirect Access (third-party integrations) | User footprint undercounted; API access not licensed | HIGH |
| System vs Named User Classification | Human-operated or shared accounts set to a technical user type (System, Communication, Service) to keep them out of the named user count | HIGH |
| Shared Accounts | Multiple users per account; not licensed for actual headcount | HIGH |
| Duplicate User Accounts | Same person holds several IDs that LAW does not combine; measured count inflated, or a spare ID classified as a different licence type | MEDIUM |
| Module Deployments Beyond Licence Scope | Analytics, Travel, Project Accounting deployed without entitlement | MEDIUM |
| RISE Over-Provisioning | User counts, modules, or add-ons deployed beyond RISE entitlement | MEDIUM |
| Dormant Accounts Licensed | Inactive accounts still receiving licence allocations (waste rather than exposure, but compliance issue) | MEDIUM |
| RPA and Automation Bot Usage | Bots interacting with SAP not licensed as users | MEDIUM |
| Partner/Reseller Compliance | Third-party implementing SAP on your behalf; compliance gaps not caught | MEDIUM |
| Historical Under-Licensing | Compliance gap extending back multiple years; back-support assessment required | HIGH |
Once you have identified compliance gaps, you have several options for remediation, each with different commercial and operational implications.
The straightforward approach is to buy the additional licences the gap requires. This is the fastest path to compliance but also the most expensive, and a significant gap can produce a material cost increase that your business case has not accounted for. If the gap is small, it is usually the cleanest path.
If your identified gap is driven by shared accounts, RPA bots, or indirect access through third-party integrations, you may be able to remediate by changing operational practices — consolidating shared accounts, removing system users that are actually named users, or redesigning integrations to reduce the user footprint. This is slower but does not require purchasing additional licences.
The most powerful use of compliance self-assessment is in your next SAP renewal negotiation. Rather than waiting for SAP to discover your gap and use it as a negotiation hammer, proactively disclose the gap and negotiate it as part of a broader commercial reset. For example: "We have identified that our current licensing is technically non-compliant in the following areas [list]. To move to full compliance, we would need to purchase [specific items]. However, before we do that, we would like to discuss bringing these items into our renewal package at consolidated pricing rather than purchasing them at standard rates."
This approach typically results in a 15–25% discount on the remediation cost compared to purchasing outside of a renewal window. SAP prefers to resolve compliance issues through renewals rather than through audits, and is often willing to offer commercial incentives to normalise the relationship early.
If you are approaching your SAP renewal window or have received any communication about usage monitoring, SAP assessment, or audit activity, addressing compliance gaps before formal audit notification is dramatically more economical. Once an audit is under way, SAP sets the scope and the timetable, and your negotiating leverage is greatly reduced.
Use this checklist to assess your SAP licence compliance across all five phases. The third column is the typical exposure carried by an item left unanswered (Green = low, Amber = worth investigating, Red = likely material). For each item record your own finding and rate it Green (compliant), Amber (requires investigation) or Red (likely non-compliant).
| # | Check item | Typical exposure |
|---|---|---|
| Phase 1: Named Users | | |
| 1 | Have you run the USMM system measurement on every ABAP system and exported the user list with user types and last logon dates? | Green |
| 2 | Have you counted all active named users (dialog users with a logon in the past 12 months)? | Green |
| 3 | Have you consolidated the results in LAW and compared the combined named user count against your contractual entitlement? | Amber |
| 4 | Have you identified and documented all dormant accounts (no logon for 6+ months, or never)? | Amber |
| 5 | Have you checked for duplicate accounts (same person, multiple user IDs) and confirmed that LAW combines them? | Red |
| 6 | Have you classified every account as named user or technical user (System, Communication, Service) with documented justification? | Red |
| 7 | Have you identified shared accounts (multiple people per user ID)? | Red |
| 8 | Have you estimated the licensing impact of shared account consolidation? | Amber |
| 9 | Have you reviewed your licence terms for grace periods on dormant accounts? | Green |
| 10 | Have you documented what each named user actually does in the system, so the licence type assigned to them can be justified? | Amber |
| Phase 2: Indirect Access | | |
| 11 | Have you mapped all third-party applications that connect to your SAP instance? | Red |
| 12 | Have you counted the user footprint of each third-party integration? | Red |
| 13 | Have you assessed whether read-only versus transactional access changes the licensing requirement under your contract? | Amber |
| 14 | Have you identified all APIs exposing SAP data or functionality? | Red |
| 15 | Have you documented the number of external users consuming SAP data through APIs? | Red |
| 16 | Have you identified all RPA bots interacting with your SAP instance? | Amber |
| 17 | Have you estimated whether RPA bots require user licensing, and what documents they create? | Amber |
| 18 | Have you reviewed customer and partner portals that embed SAP functionality? | Red |
| 19 | Have you counted external portal users who interact with embedded SAP functionality? | Red |
| 20 | Have you assessed indirect access exposure under SAP's Digital Access model (documents created)? | Red |
| Phase 3: Engines & Packages | | |
| 21 | Have you verified that all deployed SAP modules are licensed? | Amber |
| 22 | Have you reviewed module editions (Standard versus Advanced) and confirmed the licence matches? | Amber |
| 23 | Have you verified licensing for Analytics, BW, or embedded analytics usage? | Red |
| 24 | Have you confirmed SAP HANA licensing if deployed? | Amber |
| Phase 4: RISE Compliance | | |
| 25 | Have you reviewed your RISE agreement for included modules and user count limits? | Green |
| 26 | Have you verified that deployed modules match your RISE scope? | Amber |
| 27 | Have you confirmed that the active named user count is within your RISE entitlement? | Amber |
| 28 | Have you reviewed RISE add-on licensing for services consumed beyond the base subscription? | Amber |
| Phase 5: Partner & Ecosystem | | |
| 29 | If you use an SAP partner or cloud provider, have you reviewed their compliance documentation? | Amber |
| 30 | Have you confirmed that your third-party implementation partner has not introduced compliance gaps? | Amber |
Don't wait for an audit notice to discover what SAP will measure. Run your own assessment first, identify exposure on your terms, and use that intelligence in your next negotiation. The cost of self-assessment is recovered many times over in better renewal pricing and avoided settlement costs.