Enterprises increasingly operate hybrid SAP landscapes — combining on-premise ERP with cloud offerings like SuccessFactors, Ariba, and Concur. This guide provides CIOs and IT Asset Managers with best practices to maintain licence compliance across both environments, covering how on-prem and cloud licensing differ, strategies for managing user access and entitlements, avoiding common pitfalls when integrating cloud applications with on-prem SAP, and handling compliance during transitions.
In a hybrid scenario, it's crucial to understand that on-premise SAP and cloud SAP have fundamentally different licensing models. Compliance looks different in each, and managing both simultaneously requires distinct strategies.
| Dimension | On-Premise SAP | Cloud SAP (SaaS) |
|---|---|---|
| Licence Model | Perpetual licences (Named Users + Engines) + annual support (~22%) | Subscription — recurring fee per user or usage metric |
| Compliance Mechanism | Usage vs purchased entitlements; verified via SAP audits (LAW measurement) | Usage within contracted subscription quantities; enforced through subscription model |
| How Overuse Manifests | One-time true-up cost discovered during audit or self-measurement | Ongoing higher subscription fees, overage charges, or system access limits |
| User Counting | Named User licence types (Professional, Limited Professional, etc.) | Named user subscription, employee count, spend volume, FUEs, or credits |
| Indirect / Digital Access | Major compliance risk — requires separate Digital Access licensing | Generally covered by subscription terms, but cloud-to-on-prem integration creates on-prem indirect access |
| Audit Rights | SAP can audit annually per contract terms | SAP measures usage from their side; true-up at renewal |
Running on-prem and cloud SAP together introduces unique compliance challenges that don't exist in either environment alone:
The same employee may use both on-prem SAP and a cloud application, each requiring its own licence. Companies must track such users to avoid paying for unused overlap — or missing a licence. If you moved HR to SuccessFactors but still run SAP HCM on-prem for legacy data, ensure you're not maintaining on-prem licences for users who exclusively use the cloud.
Cloud apps often integrate with on-prem SAP. For example, SAP Ariba pushing purchase orders into on-prem ERP creates an indirect access scenario. This data exchange must be licensed on the on-prem side (via Digital Access or interface user licences). Managing cross-environment interactions is critical to compliance.
Each SAP cloud service has its own contract, metrics (users, transactions, spend volume), and renewal dates — separate from on-prem agreements. Without centralised oversight, unintentional overuse goes unnoticed until a hefty bill arrives. For example, exceeding SAP Concur expense report counts if more employees travel than anticipated.
| Challenge | On-Prem Impact | Cloud Impact | Hybrid-Specific Risk |
|---|---|---|---|
| Duplicate Users | Unnecessary named user licences maintained | Subscription slots consumed for inactive users | Paying twice for users who only need one environment |
| Integration / Indirect Access | Digital Access documents needed for cloud-originated transactions | Generally covered by subscription | Cloud → on-prem data flow triggers on-prem licensing requirements |
| Contract Fragmentation | Single on-prem agreement | Multiple cloud contracts with different dates/metrics | No holistic view; overuse in one product goes undetected |
Robust user access management spanning both environments is one of the most effective compliance controls in a hybrid landscape:
Use a centralised identity management process. When employees join, a workflow assigns the correct on-prem SAP licence type and cloud subscriptions. When they leave or no longer need access, promptly remove them from both environments. This prevents licence waste from departed employees' accounts consuming paid subscriptions.
Design roles that correspond to licensing needs. If only certain roles need an Ariba account, limit assignments to those roles. Don't accidentally give hundreds of users access to a cloud service you only have 50 licences for. For on-prem, align roles to licence types; for cloud, align to subscription levels and tiers.
Regularly reconcile user lists between HR records, on-prem SAP, and cloud admin consoles. If you find more active accounts in a cloud app than you have licences for, take action immediately — deactivate unused accounts or purchase additional subscriptions. Watch for integration-created accounts (e.g., SuccessFactors provisioning that auto-creates on-prem SAP user IDs).
SAP cloud services have usage metrics beyond user count that are critical for compliance monitoring:
Some cloud products impose limits on transactions, documents, spend volumes, or storage capacity. Set up administrative alerts at 80% of licensed capacity to give time to react — optimise usage or discuss subscription increases with SAP — before hitting the limit.
Unlike on-prem, many SAP cloud agreements allow adjustments at renewal. If you have 1,000 Concur licences but only 800 active users, reduce at renewal (true-down). If consistently exceeding, budget for true-up. Cloud providers won't automatically reduce your count, so optimising is up to you.
Leverage SAP-provided usage analytics: active users, storage consumed, transactions processed, BTP credit consumption. Review monthly or quarterly as part of SAM reporting. If BTP consumption is 90% of quota, proactively purchase capacity or throttle usage. The goal: no surprises.
Negotiate to co-term SAP cloud contracts so they renew on the same date — ideally aligned with on-prem support renewal. This enables an annual comprehensive licence review and true-up/true-down exercise, evaluating your entire SAP investment holistically rather than piecemeal.
Engage SAP in discussions covering your full SAP footprint. This can open opportunities for reallocating value (under-utilising one product but needing more of another) or securing better bundle pricing. Even if you don't adopt RISE, being informed helps negotiate.
Ensure each contract clearly defines usage measurement and overage policies. For hybrid scenarios, clarify: if you move users to S/4HANA Cloud, can you park or terminate equivalent on-prem licences? Having these terms sorted prevents compliance headaches and wasted spend.
Many companies are transitioning from SAP ECC on-prem to S/4HANA Cloud or shifting modules to cloud equivalents. During these transitions, compliance requires special attention:
During migration, old and new systems run in parallel (testing, phased go-live). SAP sometimes provides temporary licence allowances or conversion credits — but you must ensure they're in place. Running parallel systems without proper licensing will be flagged in an audit. Always secure contractual "bridge" licences for migration periods.
When decommissioning on-prem in favour of cloud, decide what to do with unused on-prem licences. Options: negotiate conversion credits with SAP (RISE conversion programs), terminate maintenance on shelfware to save costs, or repurpose for other on-prem needs. Unused subscriptions on the cloud side are equally wasteful — start with what you need and scale up.
Moving unused or less-critical on-prem systems to third-party support (Rimini Street, etc.) can free you from SAP's audit exposure on those systems and reduce maintenance costs. However, you can't upgrade those systems and must isolate them from SAP-supported environments. This is a complex but viable compliance strategy for shelfware you still need to run.
Establish a central Software Asset Management function responsible for tracking both on-prem and cloud SAP usage. This team needs admin or reporting access to cloud portals and coordinates with IT on on-prem compliance.
Run a comprehensive self-audit at least annually covering user counts and usage in every SAP system — ECC, S/4, SuccessFactors, Ariba, Concur, BTP. This holistic view catches overuse early across the entire hybrid landscape.
Use identity management tools to ensure that when a user is deactivated in HR, their accounts in all SAP systems (cloud and on-prem) are promptly deactivated. This prevents licence leakage from forgotten accounts.
Set up alerts in each SAP cloud service when approaching limits (user count, transactions, storage, credits). Treat these alerts seriously — clean up or purchase more before it becomes a compliance issue.
Don't rubber-stamp renewal counts. Analyse past usage: reduce subscriptions for consistently unused licences; increase or negotiate tier discounts if you consistently exceed. Renewals are your primary optimisation opportunity.
Co-term agreements where possible. Simultaneous renewals simplify management, enable holistic reviews, and strengthen your negotiating position through larger deal discussions.
Ensure system administrators of each SAP cloud product understand the licensing model and compliance implications. Your SuccessFactors admin should know how licences are counted and be vigilant about deactivating users who don't need access.
Document how each integration between cloud and on-prem is licensed (e.g., "Ariba-to-SAP PO integration covered under Digital Access with X documents/year licensed"). This demonstrates compliance and avoids confusion during staff changes or audit inquiries.
When moving functionality to the cloud, plan the licensing transition. Leverage SAP conversion programmes where available. Schedule go-lives near renewal dates to adjust licences promptly and avoid paying double.
Maintain open dialogue about hybrid usage with your SAP account team. SAP may offer conversion programmes, promotional bundles, or optimisation advice. Proactive communication signals compliance maturity and can reduce the likelihood of aggressive audits.
Not in the traditional sense. SAP can measure cloud usage from their side, so formal audit letters aren't typical for cloud services. However, SAP reviews usage at renewal and expects you to purchase more if you've exceeded contracted amounts. It's effectively self-enforced through the subscription model — use more, pay more. Compliance is still enforced; the mechanism is different.
SAP will charge for overuse (if defined in the contract) or at the next true-up/renewal. Some services may prevent additional users beyond your limit; others operate on trust with billing at reconciliation. Exceeding contracted metrics risks breach of contract if not addressed. Read your cloud contract carefully and proactively adjust subscriptions when trending high.
Not directly on a 1:1 basis. On-prem and cloud licences are different products. However, SAP offers conversion programmes (RISE with SAP, cloud transition credits) where you can surrender on-prem licence value for cloud subscription credits. This must be negotiated with SAP. Absent such a programme, you can reduce on-prem maintenance and separately subscribe to cloud services.
It depends on the interaction. If a user only uses the cloud product and doesn't touch on-prem SAP, no on-prem licence is needed. But if the cloud product integrates with on-prem and creates transactions in the on-prem system, those transactions constitute indirect access requiring on-prem licensing (Digital Access or interface user licence). Always analyse both ends of an integration.
SAP doesn't offer a unified licence covering on-prem and cloud. You generally pay separately. But optimise by not over-provisioning: if an employee moves to SuccessFactors for HR, remove their on-prem SAP HCM user licence. When someone leaves, remove them from all systems. You can't avoid dual licences for dual systems, but you can avoid unnecessary licences on either side.
Almost all SAP cloud subscriptions are named user (individual-specific) or employee-based — not concurrent. 100 employees using a cloud service require 100 licences even if not all use it simultaneously. One licence cannot be shared by multiple individuals. Remember this when planning — it's 1:1 per product per person.
They count separately for each product. Your SuccessFactors subscription covers them for SF; your Ariba subscription covers them for Ariba. No single SAP cloud licence spans products (aside from bundled RISE offerings). Track usage per product and treat each as its own silo for counting.
Data flowing between cloud and on-prem can trigger usage in the target system requiring licensing. For example, Ariba automatically creating purchase orders in on-prem ERP requires Digital Access coverage for those PO documents. Evaluate both ends of every integration: who/what generates transactions, and are those transactions covered by a licence entitlement?
RISE converts many elements into one subscription (infrastructure + S/4HANA Cloud + BTP). It simplifies by consolidating contracts and eliminating some audit scenarios (no separate HANA DB licence audit). But you still must manage FUE counts, additional cloud service subscriptions, and indirect access from non-SAP systems. RISE changes the nature of compliance rather than eliminating it.
Share your SAP landscape details — on-prem and cloud. We'll assess your compliance position across all environments, identify risks and optimisation opportunities, and build a unified management strategy — typically within 48 hours.