SAP License Audit Tools
SAP license audits are high-stakes events that can result in significant unplanned costs if not properly managed.
SAP provides a suite of native license audit tools, including user measurement transactions and consolidation workbenches, to help enterprises track software usage and ensure it aligns with their contracts.
This article offers a practical overview of these SAP license audit tools, including guidance on how to utilize them effectively to avoid compliance pitfalls and strategies for CIOs and SAP license managers to optimize license usage and mitigate audit risks.
Understanding the SAP License Audit Challenge
SAP’s software licensing is complex and expensive, with annual compliance checks (audits) built into most contracts.
In an audit, SAP expects customers to report actual usage and will charge for any under-licensing (usage exceeding purchased licenses) at list price, often with backdated maintenance fees.
This can lead to multi-million-dollar true-up costs – for example, a well-known SAP customer faced over £50 million in fees in 2017 due to unlicensed third-party usage. Over-licensing (buying more licenses than needed) is also wasteful, as it ties up budget in unused software.
The stakes are high, so proactive compliance management is essential. Enterprises must regularly measure their SAP usage and reconcile it with entitlements to avoid surprises.
SAP provides several native license audit tools to facilitate this measurement process, allowing customers to self-audit and correct issues before the official SAP audit.
SAP’s Native License Audit Tools
SAP offers a range of built-in tools to help customers monitor and report license consumption. These SAP-provided tools cover everything from counting users in a single system to consolidating data across an entire enterprise.
Key tools include:
- USMM (User and System Measurement Management): SAP’s primary on-premise measurement tool. Run USMM in each SAP system to count named users by license type and to measure engine metrics (package/module usage like HR records, sales documents, database size, etc.). Administrators classify each user (e.g., Professional, Limited, Employee) and execute USMM to produce a detailed report of license usage for that system. This is the foundation of SAP’s audit data collection – it ensures you capture all user and product usage in a format SAP accepts.
- LAW / SLAW (License Administration Workbench): A consolidation tool for multi-system environments. LAW aggregates USMM results from multiple SAP systems into one combined report. Using transaction SLAW (for classic LAW 1.0) or SLAW2 (LAW 2.0), you import measurement files from each system. LAW deduplicates users appearing in multiple systems (so a person with accounts in three systems is counted only once enterprise-wide) and aggregates all other license metrics. LAW 2.0, the newer web-based version, enhances the interface and supports newer metrics (such as HANA database counts) for a smoother experience. In any landscape with more than one SAP system, LAW is essential to prevent double-counting and obtain a single, consolidated view of your total license consumption.
- SAP Solution Manager – License Management (LMA): For those with SAP Solution Manager, SAP has introduced a License Management Application (LMA) that can centrally coordinate license measurements. It allows you to schedule and trigger USMM runs across all connected systems from one place and collect the results automatically. This “LMA” approach (often part of Solution Manager’s tools) essentially streamlines what administrators might do manually with USMM and LAW. While not all customers use it, it’s a useful option for large enterprises to automate license data collection and analyze trends over time, rather than treating measurements as one-off tasks.
- SAP NetWeaver Administrator (NWA) License Monitoring: In SAP’s Java-based environments (and some specific components), license-relevant metrics are tracked via the NetWeaver Administrator. NWA provides insight into technical usage, such as Java session counts, J2EE engine metrics, or other non-ABAP components. It’s particularly useful for monitoring engine-based licenses (for example, database licensing based on size or transactions) in real time. Administrators can use NWA’s license monitoring sections to keep an eye on metrics that USMM might not capture (since USMM mainly covers ABAP side measurements).
- LMBI (License Management by Indicator): A specialized tool SAP provides to measure certain technical indicators that affect licensing. For instance, LMBI might be used to track database size for HANA licensing, or the number of specific records in industry solutions. It goes beyond standard user counts, focusing on metrics like GB of data, throughput, or configured objects that correspond to license entitlements. Enterprises running SAP HANA or other metric-based licenses use LMBI reports to ensure they stay within licensed parameters (e.g., checking that the HANA in-memory database size hasn’t exceeded the licensed TB capacity).
- Indirect Access Monitoring Tools: Indirect access (when third-party systems or external users interact with SAP data) is a major licensing consideration. SAP now offers a Digital Access license model, where customers license documents (such as orders and invoices) created indirectly. To support this, SAP provides tools and guides (such as the Digital Access Evaluation Service and specific SAP notes/programs) to count documents generated by non-SAP systems. These tools scan logs and document tables to quantify the number of billable document events that occur via external interfaces. In addition, customers can monitor interface user accounts and RFC connections in SAP to identify indirect usage patterns. Using these tools, you can quantify indirect use and decide whether to license it via traditional named users or the Digital Access document model.
- SAP “License Utilization Information” Dashboard (SAP for Me portal): SAP has introduced a cloud-based license dashboard for customers on the SAP for Me portal (the customer support portal). This provides a consolidated view of license consumption versus entitlements. For cloud products (like SuccessFactors, Ariba, or S/4HANA Cloud), SAP automatically tracks usage (since SAP hosts the software) and displays it here. For on-premise systems, customers can upload their USMM/LAW results to the portal to visualize on-prem usage alongside cloud subscriptions. This dashboard is a newer convenience that gives CIOs a quick snapshot of compliance: e.g. how many user licenses are utilized out of purchased quantities, and whether any license category or engine is overused. It does not replace USMM/LAW, but complements them by comparing measured usage against your contract figures in one online view.
Using SAP’s License Tools Effectively
Having the right tools is only part of the equation – using them correctly and regularly is vital. Effective license management involves integrating these SAP tools into standard IT operations, rather than merely dusting them off for the annual audit.
Key practices include:
- Regular Internal Measurements: Don’t wait for SAP’s official audit notice. Schedule internal license audits quarterly or at least semi-annually. Run USMM on all production systems to catch any growth in user counts or engine utilization early. Regular measurements enable you to identify trends (e.g., a steadily rising user count or database size) and take action before you fall out of compliance.
- Proper User Classification: Ensure that each user ID in SAP is assigned the correct license type in USMM. Misclassification is common – for example, a user with limited usage left classified as an expensive Professional user will inflate your compliance gap. Use USMM’s User Classification reports to find users without a license type or with outdated classifications. Update these before running the measurement. The tool will default unclassified users to the highest license category (to be safe), so it’s on you to classify everyone appropriately to avoid over-counting expensive licenses.
- Data Consolidation and Deduplication: When using LAW to consolidate, take care to match identical users across systems. LAW will attempt to auto-match by username or email, but you should review the suggested matches. If one person’s accounts don’t match exactly (e.g., jsmith vs. john.smith), LAW might treat them as separate users, over-counting your total. Use LAW’s manual combination feature to accurately deduplicate users. Maintain a consistent naming convention or central user repository if possible – consistency makes the LAW consolidation much more accurate.
- Iterate and Validate: Treat the license measurement process as iterative. It’s common to run USMM and LAW, review the results, then discover some anomalies – e.g. a system that has many test users counted, or a misclassified user set. You can clean up the data (delete obsolete users, adjust classifications, correct system measurement settings) and rerun the measurement to get a cleaner result. SAP’s older LAW 1.0 lets you reconsolidate within the same run after adjustments; with LAW 2.0, you’d start a new consolidation run if changes are needed. Either way, verify the final numbers make sense (e.g., compare current user counts to last year’s audit plus known growth) before submitting anything to SAP.
- Cover All Systems and Metrics: An effective compliance check means no system is left behind. Include all SAP production systems in measurements – ERP, CRM, BW, SRM, any SAP solution you have – because SAP will require a complete landscape view. Don’t forget any separate Java-stack systems (use NWA or other provided tools for those) and check if any metrics aren’t automatically captured (some package licenses might require manual counts or separate scripts). Additionally, utilize tools like LMBI if you have specialized licenses (e.g., verify HANA memory usage against your licensed amount). This thoroughness ensures you won’t be caught off guard by a metric you overlooked.
- Leverage New Dashboards: Take advantage of SAP’s newer license dashboards and analytics. For example, once you upload your LAW result to SAP’s License Utilization Information portal, review how it stacks against your contract. The portal may highlight if you’re underutilizing certain licenses (an opportunity to optimize) or overutilizing them (a potential compliance issue). These tools can act as an early warning system. Similarly, if you have cloud subscriptions, monitor their usage in the portal. However, SAP auto-monitors these; you should be aware if you’re nearing a user cap or consumption limit so that you can purchase more or redistribute usage promptly.
By routinely using SAP’s license audit tools in this proactive manner, organizations can self-correct compliance issues and negotiate license adjustments on their timeline, rather than during the pressure of an official audit.
Indirect Access and Digital Usage Considerations
One of the trickiest areas in SAP licensing is indirect access – scenarios where third-party applications or external users interact with SAP data.
Standard SAP user measurements (SAP USMM/LAW) focus on direct SAP user accounts and engine metrics; they don’t automatically detect if, for example, a customer portal or middleware is pulling data from SAP without a named user.
This is where SAP’s Digital Access model comes in. Under Digital Access, instead of requiring a named user for every external touch, SAP licenses the outcome (documents) created by indirect activity.
To manage this, SAP provides tools to measure digital documents in your system. For example, SAP note tools or the Digital Access Evaluation Service can analyze your SAP system and count documents, such as sales orders, invoices, and purchase orders, created via APIs or external inputs.
It’s crucial to run these analyses (often provided as ABAP reports or scripts from SAP) to gain a better understanding of indirect usage volumes. If the counts are high, you have a few options: purchase Digital Access document packs (e.g. 100,000 documents) or consider adjusting your architecture to minimize indirect calls.
In some cases, SAP might allow exchanging some unused user license value for a Digital Access license to cover those documents.
Additionally, monitor technical integration accounts.
Many customers set up a generic user (or technical users) for interfaces – ensure each of those is either licensed appropriately or replaced with a SAP Cloud Platform Integration approach that might be covered differently.
SAP’s auditing teams will often ask for details on interfaces and may use specialized tools or scripts to check for common patterns of indirect use (like queries from non-SAP systems).
Preparing for this means proactively using the available indirect access monitoring tools to identify where data is flowing out of SAP.
In summary, indirect access requires a combination of SAP’s provided counting tools and internal diligence. It should be a focus area in your license compliance strategy, as it has historically led to significant compliance exposures.
By quantifying and licensing indirect use properly (for instance, leveraging SAP’s **flat fee “all-you-can-eat” digital access license if it makes financial sense, or carefully limiting external calls), you can avoid the nasty surprise of an indirect access audit finding.
Always incorporate the results of digital access measurements into your overall license compliance report before submitting to SAP.
Common Pitfalls in SAP License Audits
Even with the right tools and intentions, companies often stumble on a few common issues during SAP license audits.
Being aware of these pitfalls can help you avoid them:
- Incomplete User Cleanup: A frequent mistake is failing to remove or lock inactive users before running measurements. Old accounts (for former employees or system service accounts no longer in use) might still appear in USMM results. If not cleaned up, they will count against your licenses even if nobody is using SAP. Always purge or decommission unused user IDs before measurement.
- Misclassified Users: As mentioned, misclassification can be costly. If a user with minimal usage is left as a Professional user in the system, the tools will count an expensive license against you. Conversely, a heavy user mistakenly classified as a low-level license is a compliance risk. Double-check user license assignments with business owners to ensure accuracy. Implement a governance process to regularly review role changes. If someone’s job expands to include more SAP functionality, update their license type proactively rather than discovering it during an audit.
- Inconsistent Data Across Systems: If you operate multiple SAP environments (development, test, multiple production instances), inconsistencies can lead to errors. For example, users might have different IDs or slightly different names in each system. LAW can miss duplicates, or LMBI might count an object in one system but fail to correlate it with another. Maintain a consistent enterprise identity for SAP users (through HR feed or centralized ID management) to simplify matching. Also, ensure all systems are measuring the same license metrics – sometimes a satellite system might not have the latest measurement updates, causing mismatched engine counts.
- Overlooking Engine and Package Metrics: Many focus on user counts but forget the engine license metrics. SAP sells licenses for specific functionality (engines or packages) that are measured by their usage (e.g., number of SAP Payroll employees, number of actively used SAP CRM sales contracts, database size, etc.). USMM and related tools often collect this information, but it’s up to you to interpret it. Know which engines your company is licensed for and what the metric is (it’s usually defined in the contract). Then ensure your measurement covers it. For instance, if you have a license for “SAP Payroll (5000 employees)”, check the USMM output for the “HR Personnel Records” count. If it exceeds 5000, that’s a compliance issue to resolve (either by archiving data, acquiring additional capacity, or negotiating a different metric).
- Last-Minute Scramble: Perhaps the most pervasive pitfall is treating the SAP audit as an annual fire drill instead of a continuous process. Many companies scramble when SAP’s official audit notification arrives – rushing to run measurements, classify users, and address issues within a short timeframe. This reactive approach is stressful and prone to errors. By contrast, companies that treat license compliance as a year-round discipline have far smoother audits. They use the tools regularly, keep documentation of how they categorized each user or what assumptions were made, and enter the audit with confidence in their numbers. Avoid the last-minute panic by following the ongoing practices outlined above.
Recognizing these pitfalls and using SAP’s audit tools to preempt them can dramatically reduce your audit risk. It’s much easier (and cheaper) to fix a classification or clean up users before you send data to SAP than to try negotiating down a bill after an audit finds non-compliance.
Recommendations
- Establish a License Compliance Schedule: Treat SAP license management as a routine process. Schedule internal audits (e.g., quarterly) where you run USMM in all systems and review the output. Regular checkpoints catch issues early.
- Maintain a Single Source of User Data: Coordinate with HR or IT identity management so that SAP user accounts stay in sync (one person = one SAP identity). This makes deduplication via LAW straightforward and avoids over-counting.
- Train and Empower License Administrators: Ensure your SAP Basis team or license administrators are well-trained in using USMM, LAW (and LAW 2.0), and related tools. They should know how to adjust user classifications, interpret logs, and troubleshoot measurement errors. Consider designating a license manager role who “owns” this process year-round.
- Use What-If Analysis: Before making contract decisions, use the tools to simulate changes. For instance, run a digital access estimation to see if switching to document-based licensing would be cost-effective. Or classify all users as if a new license type (like a Business Partner or a Developer license) were introduced to see how many you’d need. This data-driven approach enables more effective negotiations with SAP.
- Engage Cross-Functional Stakeholders: Involve procurement, finance, and department heads in reviewing license usage reports to ensure comprehensive insights. They can help validate if a user truly needs a high-level license or if certain unused systems could be retired. A collaborative review ensures that IT isn’t making compliance decisions in a vacuum and helps right-size license allocations.
- Negotiate Audit Clauses and Flexibility: When renewing or signing SAP contracts, negotiate favorable terms related to audits and flexibility. For example, seek the right to remedy compliance gaps within a grace period before SAP can bill for them, or negotiate predetermined discount rates for any additional licenses you might need to buy. If SAP is introducing new models (such as converting to S/4HANA or cloud), use that as leverage to include some complimentary digital access licenses or to forgive minor overages.
- Document Everything: Maintain detailed records of your internal measurements, assumptions, and all correspondence with SAP regarding licensing. If an audit’s outcome is disputed, having documentation (e.g., proof that users were classified according to agreed-upon definitions, or that certain indirect usage was communicated) can be invaluable. It also helps year-over-year continuity, since personnel may change – the next person responsible should be able to pick up a file and understand how last year’s numbers were derived.
- Stay Informed on SAP Licensing Updates: SAP occasionally introduces new tools (like improved dashboards or measurement transactions) and changes license definitions. Subscribe to SAP’s support notifications or licensing blog updates to know about these changes. For instance, if SAP releases a LAW 3.0 or a new cloud measurement service, you want to adopt it early if it improves accuracy. Similarly, keep an eye on licensing policy changes (such as updated digital access rules or new license types in S/4HANA) so you can adjust your compliance approach accordingly.
Checklist
- Inventory Your Systems: List all SAP systems (both production and non-production) that require measurement. Include ABAP and Java stacks, and note which tools (USMM, NWA, etc.) apply to each.
- Run & Review USMM in Each System: Execute the user measurement in every system. Before running, update license classifications for all users and remove any obsolete accounts. Save the measurement logs and results from each system.
- Consolidate with LAW: Import all USMM results into the License Administration Workbench (LAW/SLAW2) on your central system. Match and merge duplicate users across systems. Generate the consolidated license audit report and review the combined totals for each license type and engine metric.
- Address Exceptions: Investigate any anomalies. For example, if LAW shows more users than you expected, identify which system/user is causing it. Check engine metrics that are close to or over your entitlements. If indirect usage documents are being counted, ensure you have a plan (such as licenses or a technical solution) to cover them. Make adjustments (reclassify users, clean data, and consider additional licenses) as needed, and rerun measurements if significant changes have been made.
- Validate Against Entitlements: Compare the final measured results to what you have purchased. Use your SAP license contract or entitlements list to see if you are within limits. Document any shortfall or surplus. Take action before submission – for shortfalls, decide whether to buy additional licenses or negotiate an alternative; for surpluses, consider optimizing by retiring unused licenses or converting them (if SAP allows swaps). When everything is reconciled, prepare the data and evidence for the official audit submission or internal records.
FAQ
Q1: How often should we run SAP’s license audit tools internally?
A: It’s advisable to run the license measurement tools well before the official annual audit – ideally quarterly or at least a couple of times a year. Regular runs of USMM (and consolidation with LAW) enable you to monitor usage trends and address any issues proactively. This way, you won’t be caught off guard by a sudden spike in usage or misclassified users when the audit deadline arrives. Essentially, treat internal measurements as “health checks” for your SAP license compliance throughout the year.
Q2: What’s the difference between USMM and LAW in SAP?
A: USMM is the system-specific measurement tool – you run it in each SAP system to get that system’s user counts and usage figures. LAW (License Administration Workbench) is a consolidation tool – you use it to combine all the individual USMM results from multiple systems into a single comprehensive report. Think of USMM as measuring the pieces, and LAW as assembling the full puzzle. LAW also eliminates duplicate user counts across systems (so the same person isn’t counted twice) and provides the enterprise-wide totals that SAP ultimately cares about.
Q3: How can we effectively monitor indirect usage and “Digital Access”?
A: Indirect usage isn’t directly tallied by USMM, so you need to use SAP’s digital access measurement tools and some technical analysis. SAP offers a Digital Access Evaluation report (available through Notes or via an SAP engagement) that scans your system for documents (such as sales orders, invoices, etc.) created indirectly. Run this to get a count of documents attributable to third-party interfaces. Additionally, keep an eye on interface accounts and external integrations – for example, review logs or use SAP Solution Manager to track RFC and API calls into SAP. By combining these approaches, you can estimate your indirect usage and ensure you have the appropriate Digital Access licenses or named user licenses to cover it. It’s essential to do this before an audit, as indirect use has been a source of significant compliance penalties in the past.
Q4: Do SAP’s license tools cover cloud products and hybrid environments?
A: The traditional tools like USMM and LAW are focused on on-premise SAP systems (ECC, S/4HANA on-prem, etc.). For cloud SAP products (such as SuccessFactors, Concur, Ariba, or S/4HANA Cloud), SAP itself monitors your usage (since they run the infrastructure). That data is made available to you via the SAP Cloud License Dashboard (for example, the License Utilization section in the SAP for Me portal). In a hybrid environment, you’ll use both: run USMM/LAW for your on-prem systems, and check the SAP portal for your cloud subscription usage. Some customers also export their on-prem results into the portal to see everything in one place. The key is to manage both sides – ensure on-prem usage is within entitlements and also that you’re not exceeding (or vastly underutilizing) your cloud subscriptions.
Q5: What are common mistakes to avoid during an SAP license audit?
A: Several pitfalls often trip up companies. One is waiting until the last minute to run the measurements – this can lead to errors and no time to correct them. Another issue is not classifying users properly; any unclassified user defaults to the most expensive license type, which can skew your results. Additionally, failing to remove inactive users or eliminate duplicates can skew your counts. And importantly, many overlook indirect usage – assuming the tools capture it, when in fact it needs to be assessed separately. Avoiding these mistakes comes down to preparation: run the tools regularly, validate the data carefully, and involve the right experts (technical and licensing) to review the outcomes. It’s much easier to handle these issues proactively than under audit pressure.
Read about our SAP Audit Defense Service.