Enterprises increasingly operate hybrid SAP landscapes combining traditional on-premises SAP ERP (ECC or S/4HANA) with cloud offerings such as SuccessFactors, Ariba, Concur, SAP Analytics Cloud, and Business Technology Platform. The intersection of on-premises perpetual licences and cloud subscriptions creates unique challenges: duplicate licensing for users who span both environments, indirect access triggered by cloud-to-on-prem integrations, multiple contracts with different metrics and renewal dates, and compliance gaps during migration transitions.
| Dimension | On-Premises (ECC / S/4HANA On-Prem) | Cloud (SuccessFactors, Ariba, Concur, BTP) | Hybrid Implication |
|---|---|---|---|
| Licence model | Perpetual: one-time purchase + 22% annual maintenance | Subscription: recurring annual or multi-year fee | Two cost structures to manage simultaneously |
| Primary metric | Named users (Professional, Limited, ESS) + engine packages | Named users, employees, transactions, spend volume, or API calls (varies by product) | Different metrics for the same person in different systems |
| Compliance enforcement | Periodic audits via LAW/USMM | SAP monitors usage from their side, reviews at renewal or true-up | On-prem risk = audit surprise; cloud risk = renewal-time overage charges |
| Over-use consequence | One-time true-up purchase (often at list price) + potential back-maintenance | Ongoing higher subscription fees or contract breach | Both environments carry financial exposure |
| Under-use consequence | Shelfware: paying maintenance on unused licences | Paying subscription for unused seats (no automatic reduction) | Optimisation opportunities exist on both sides at renewal |
| Adjustment flexibility | Limited: cannot easily return perpetual licences | True-up/true-down typically possible at renewal | Cloud renewals are the primary optimisation window |
On-premises compliance issues typically result in a one-time true-up cost (often significant), whereas cloud non-compliance results in ongoing higher subscription fees or service access restrictions. Both require vigilant management, but the financial dynamics differ. On-prem creates lumpy audit exposure while cloud creates continuous cost leakage.
The same employee may use both on-premises SAP and a cloud application, and each environment requires its own licence. An HR manager who accesses both on-prem SAP HCM and cloud SuccessFactors needs a named user licence in both systems. SAP does not offer a unified licence spanning on-prem and cloud. You pay separately for each. The optimisation opportunity: identify users who have fully migrated to cloud and remove their on-prem access to free those licences.
Cloud applications frequently integrate with on-premises SAP, and this creates indirect access exposure on the on-prem side. When SAP Ariba (cloud procurement) pushes purchase orders into on-prem SAP ERP, those documents constitute indirect access into ECC or S/4HANA. The cloud subscription covers access to the cloud application, but the on-prem transaction requires separate licensing, typically via SAP Digital Access (document-based) or a specific interface user licence. Every cloud-to-on-prem integration must be analysed for its on-prem licensing impact.
Each SAP cloud service has its own contract, metrics, and renewal dates, separate from the on-premises agreement. SuccessFactors may be licensed per employee record, Ariba by supplier count or spend volume, Concur by transaction or active user, BTP by consumption credits or API calls. Without centralised oversight, organisations lose visibility. Each contract requires independent monitoring, but compliance decisions should be coordinated across the full SAP footprint.
During transitions from on-prem to cloud (ECC to S/4HANA Cloud, HCM to SuccessFactors), both old and new systems run simultaneously for testing, parallel processing, or phased go-live. Without proper licensing for the transition period, organisations face compliance gaps in both environments. SAP sometimes provides temporary licence allowances or conversion credits, but these must be explicitly negotiated and documented. Assuming migration periods are licence-free is one of the most common and expensive hybrid compliance mistakes.
Implement a centralised identity management process that spans both on-premises and cloud environments. When a new employee joins, a single workflow assigns the correct on-prem SAP licence type and cloud subscriptions based on their role. When someone leaves or changes roles, the same process promptly removes or adjusts access in all SAP systems. Link de-provisioning to the HR offboarding workflow so that separation triggers automatic account deactivation across all environments. This prevents the most common source of licence waste: departed employees with active cloud subscriptions consuming paid seats.
Design access roles that correspond directly to licensing requirements. For on-prem, continue aligning roles to the appropriate named user licence type (Professional, Limited Professional, Employee Self-Service). For cloud, align roles to subscription tiers and licence types within each product (SuccessFactors module access, Ariba buyer vs supplier roles, Concur user categories). If only 50 people need Ariba access, ensure your role framework restricts provisioning to those 50, preventing accidental assignment of hundreds of users to a service you only licensed for 50.
Conduct quarterly reconciliation comparing user lists across three sources: HR records (the authoritative employee roster), on-prem SAP user administration (transaction SU01/SUIM), and cloud admin consoles for each SAP service. Look for: active cloud accounts for terminated employees (consuming paid subscriptions), active on-prem accounts for users who have fully migrated to cloud (unnecessary licence consumption), more active accounts in a cloud service than you have contracted (immediate compliance exposure), and cloud integration accounts that have created on-prem user IDs via automated provisioning (these may need licensing). Take immediate action on any discrepancies.
For every integration between cloud and on-prem, create a licence impact document that specifies: what data flows between systems, what transactions are created on each side, how many documents or users are involved, and which licence entitlement covers each. For example: "Ariba to SAP ECC purchase order integration generates approximately 15,000 PO documents per year in ECC, covered under Digital Access licence for 20,000 documents/year." This documentation ensures every integration is licensed, provides immediate audit defence, and enables proactive monitoring of document volumes against licensed thresholds.
| SAP Cloud Product | Primary Licence Metric | Monitoring Method | Common Over-Use Trigger |
|---|---|---|---|
| SuccessFactors | Employees or named users per module | SF Admin Center active user reports | Headcount growth, M&A, module expansion |
| SAP Ariba | Spend volume, supplier count, or documents | Ariba admin procurement analytics | Supplier base growth, increased procurement volume |
| SAP Concur | Active users or expense transactions | Concur admin usage reports | Travel rebound, workforce expansion, new departments |
| SAP Analytics Cloud | Users or capacity (storage, queries) | SAC admin consumption dashboards | Broader BI adoption, increased report consumers |
| SAP BTP | Consumption credits, API calls, or service-specific | BTP Cockpit consumption monitoring | Integration expansion, new custom apps, increased API traffic |
| S/4HANA Cloud (RISE) | FUEs (Full Use Equivalents) or named users | RISE dashboard FUE consumption tracking | User base growth, new processes, broader module adoption |
Configure administrative alerts in each cloud service to trigger when usage reaches 80% of the contracted quantity. This provides time to either optimise (deactivate unused accounts) or plan procurement (request additional capacity) before hitting the limit.
Unlike on-prem, cloud agreements typically allow adjustments at renewal. If you consistently have 1,000 Concur licences but only 800 active users, you can true-down to 800 at renewal and save 20%. Conversely, if consistently over, budget for a true-up. SAP will not automatically reduce your count. Optimising at renewal is your responsibility.
A user consuming licences in SuccessFactors, Ariba, and Concur simultaneously represents three separate licence commitments. Track cross-product user overlap to understand your true per-employee SAP cloud cost and identify optimisation opportunities (e.g., users with Ariba access who never use it). Integrate cloud usage reports into your regular SAM reporting cadence: monthly for fast-moving metrics, quarterly for stable metrics.
Where feasible, negotiate to co-term your SAP cloud contracts so they renew on the same date, ideally aligned with your on-prem maintenance renewal cycle. When all subscriptions renew together, you can conduct a single annual comprehensive licence review across the entire SAP footprint. This enables holistic evaluation: identifying users who no longer need specific cloud services, right-sizing subscription quantities, and negotiating bundle discounts across multiple products. Piecemeal renewals throughout the year fragment your negotiation leverage.
Engage SAP in discussions covering your full SAP footprint, on-prem and all cloud services together. This opens opportunities: if under-utilising one product but needing more of another, SAP may allow value reallocation or cross-product discounts. Your total SAP spend across all products represents significant leverage. SAP's push toward RISE means they have incentive to make cloud transitions attractive. Use that incentive to negotiate better terms on existing products and any conversion credits for on-prem licences being replaced by cloud equivalents.
Ensure each contract clearly defines how usage is measured and what happens when exceeded. For cloud: know the overage policy (automatic billing, negotiated true-up, or hard limit?). For on-prem: confirm audit rights, measurement methods, and true-up terms. Clarify interplay provisions: if you move users to S/4HANA Cloud, can you park or terminate equivalent on-prem licences? Can on-prem licence value be credited toward cloud subscriptions? Are there migration grace periods covering parallel operation? Having these terms documented prevents compliance surprises and wasted dual-licensing spend.
During migration from on-prem to cloud, old and new systems frequently run in parallel. SAP sometimes provides temporary licence allowances (additional test licences or conversion credits), but these must be explicitly secured in writing before migration begins. If you run parallel systems without documented licence coverage, an audit could flag the entire parallel period as non-compliant. Always negotiate "bridge" licence provisions as part of your migration contract, specifying that for a defined period (typically 12 to 18 months), combined usage across old and new systems will not exceed total licensed entitlements of both.
After decommissioning an on-prem system in favour of cloud, the unused on-prem licences become shelfware, still accruing 22% annual maintenance but generating no business value. Options: negotiate conversion credits (SAP periodically offers programmes to credit on-prem licence value toward cloud subscriptions), drop maintenance on shelfware licences (you retain the licence but stop paying 22% annually), or negotiate licence retirement as part of a broader deal. Each dollar freed from shelfware maintenance is available for productive cloud investment. See S/4HANA Licensing Migration Paths.
Before migration: negotiate bridge licence provisions in writing. During migration: maintain parallel licensing coverage for both systems. After migration: immediately deactivate on-prem accounts for migrated users, negotiate conversion credits or maintenance reduction for freed licences, and update all licence impact documentation to reflect the new architecture. The migration is not complete from a licensing perspective until the old environment is fully decommissioned and its licensing costs eliminated or redirected.
Yes. SAP does not offer a unified licence spanning on-premises and cloud environments. An employee who uses both on-prem SAP ECC and cloud SuccessFactors requires a named user licence for each. You pay separately for each environment. The optimisation opportunity is identifying users who have fully migrated to cloud and removing their on-prem access to free those licences.
Yes. When a cloud application (Ariba, Sales Cloud, third-party CRM) writes data into on-prem SAP ERP, the resulting documents or transactions constitute indirect access on the on-prem side. The cloud subscription covers access to the cloud application, but the on-prem transaction requires separate licensing, typically via SAP Digital Access (document-based pricing) or specific interface user licences. Every cloud-to-on-prem integration must be analysed for its on-prem licensing impact. See SAP Indirect Access Mitigation.
Each SAP cloud service (SuccessFactors, Ariba, Concur, BTP, Analytics Cloud) has its own contract, metrics, and renewal dates. Implement three practices: set 80% threshold usage alerts in each cloud admin console, conduct quarterly cross-system reconciliation comparing user lists against HR records and contracted quantities, and wherever possible co-terminate contracts so all renewals align to a single date for holistic review and negotiation leverage.
Unused on-prem licences become shelfware, still accruing 22% annual maintenance. Options: negotiate conversion credits (SAP may credit on-prem licence value toward cloud subscriptions), drop maintenance (retain the licence but stop paying 22% annually), or negotiate licence retirement as part of a broader deal. During migration, negotiate bridge licence provisions that cover parallel operation for 12 to 18 months without compliance exposure in either environment.
Quarterly at minimum for user access reconciliation across all environments. Monthly for fast-moving cloud metrics (BTP consumption, Concur transactions). Annually for a comprehensive cross-system compliance review covering on-prem LAW measurements, all cloud usage reports, integration document volumes, and contract alignment. The annual review should be conducted 6 to 9 months before the earliest renewal date to inform negotiation strategy.
Yes. Engaging SAP in discussions covering your full SAP footprint (on-prem plus all cloud services) creates volume leverage. If under-utilising one product but needing more of another, SAP may allow value reallocation or cross-product discounts. Your total SAP spend across all products represents significant leverage. Co-terminating contracts amplifies this further by concentrating all renewal discussions into a single negotiation event.
Integration indirect access: cloud applications writing data into on-prem SAP without proper licensing coverage for the on-prem transactions. This risk is invisible in standard SAP compliance reviews because it sits at the intersection of two different licensing models. Every cloud-to-on-prem integration requires a documented licence impact assessment specifying the data flows, document volumes, and licensing entitlement that covers each.
Redress Compliance provides independent SAP advisory for hybrid environments: cross-system compliance assessments, integration licensing analysis, cloud subscription optimisation, contract alignment, migration licensing, and audit defence. We help enterprises manage compliance across on-prem and cloud SAP while identifying cost reduction opportunities. Complete vendor independence. No SAP partnerships, no resale commissions.
SAP Advisory ServicesIndependent SAP advisory helping enterprises manage compliance across hybrid on-prem and cloud environments, optimise subscription usage, and align contracts for maximum value. Fixed-fee engagement models.