SAP licence compliance relies on accurate measurement of software usage across all systems. This guide covers SAP's native compliance tools (USMM, LAW, SLAW, STAR), the Full User Equivalent (FUE) model, digital access metrics, and best practices for validating licence data before submission to SAP.
The most effective audit defence is knowing your own numbers before SAP presents theirs. Running USMM/LAW quarterly, validating data internally, and cleaning up user classifications before submission eliminates the most common audit findings. Any user not assigned a licence type will default to the highest-cost category. See also: SAP Audit Survival Guide and SAP Audit Trends 2026.
| Metric Category | What It Measures | How It Is Counted |
|---|---|---|
| Named users | Individual people authorised to use SAP. Categorised by type (Professional, Limited, Employee/ESS) and counted against entitlements. | Counted by USMM per system. Consolidated by LAW across systems. Duplicates removed through user matching. |
| Engines / packages | Software components measured by usage metrics: sales orders, CPU cores, employee records, annual revenue, database size. | Some counted automatically by USMM. Others require manual self-declaration. SAP cross-checks reported figures. |
| Digital Access (indirect use) | Nine specific document types created in SAP via non-SAP systems (e.g., orders via API, portal, RPA). SAP's digital access licence requires tracking these counts. | Digital Access Evaluation tool scans audit logs for documents created by external interfaces. See SAP Digital Access Complete Guide. |
| Full User Equivalents (FUE) | The consolidated user metric for S/4HANA subscriptions (RISE with SAP). Different roles consume fractions or multiples of an FUE. Advanced = 1.0, Core = 0.2, Self-Service = ~0.033. | STAR report maps existing roles to FUE categories. SLAW/SLAW2 consolidates multi-system data. See SAP FUE Licensing Explained. |
| Tool | Purpose | Scope | Key Considerations |
|---|---|---|---|
| USMM (User and System Measurement Management) | Runs within each SAP system to scan and gather named user licences and engine usage. Identifies all user accounts and their assigned licence types. Tallies module-specific metrics. Flags unclassified or inactive users. | Single SAP system (ECC or S/4HANA on-premise). | Any user not assigned a licence type will default to the highest-cost category. Classify every user before running USMM. Keep USMM updated via SAP Notes. |
| LAW / SLAW (Licence Administration Workbench) | Consolidates USMM results from all systems into one combined report. Deduplicates user records by matching accounts for the same person across systems. Produces the consolidated measurement that SAP receives. | Central system. Aggregates and deduplicates users across the entire landscape. | Run LAW in simulation first. Use consistent attributes (email, personnel number) to improve auto-matching. Review before submission. Once transmitted, data is effectively final. |
| SLAW2 | Updated web-based LAW interface. Guided workflow, landscape registry, HANA database support. Same consolidation function as LAW with improved usability. | Central system. Same aggregation scope as LAW. | Preferred for S/4HANA and HANA-based environments. Ensure the latest SAP Notes are applied for correct user type definitions. |
| STAR (S/4HANA Trusted Authorization Review) | Specialised analysis that reviews each user's authorisations and maps them to FUE categories. Simulates classification and calculates total FUE consumption. Essential for migration planning. | Maps ECC roles to FUE categories for S/4HANA Cloud migration. | Often delivered as an SAP Note. Use before RISE negotiation to establish your own FUE baseline. SAP will run their own analysis. Having your data gives negotiating leverage. See ECC-to-2033 Transition Option. |
| Digital Access Evaluation | ABAP report that measures indirect usage documents (Sales Orders, Invoices, POs, etc.) created via APIs, IDocs, and other external interfaces. | Scans SAP system logs for documents created by non-SAP systems. | Run regularly. Cross-check with your own integration logs. Volume data is essential for DAAP negotiations. See Digital Access Audit Defense. |
Never hit "Send to SAP" without thorough internal review. Once transmitted, data is effectively final. Clean each system's USMM input before consolidating in LAW. Classify all users, lock obsolete accounts, and run LAW in simulation to test user matching before the real submission. See SAP Compliance Best Practices.
S/4HANA introduced simplified user types aligned to the FUE model. Instead of buying specific numbers of each user type, you purchase a total FUE count and allocate users under that allowance. SLAW/SLAW2 still consolidates multi-system data; the key difference is interpreting counts as FUE totals.
| FUE Category | FUE Weight | Measurement Method |
|---|---|---|
| Self-Service / Business User | ~0.03-0.2 FUE | STAR maps roles to this category based on authorisation scope. Light transactional usage, self-service portal access. |
| Advanced User | 1.0 FUE | Full business process access. STAR identifies users with broad cross-module authorisations. |
| Developer / Admin | ~2.0 FUE | Broad system authorisations. STAR flags users with development or administration roles. |
Always run your own STAR analysis before engaging SAP for RISE contract negotiations. SAP will run their own analysis and present their FUE estimate. If you have not run your own, you have no basis to challenge their numbers. Your STAR data is your negotiating baseline. See SAP FUE Licensing Explained.
SAP now uses a self-declaration approach: customers measure their own usage and report it back annually. While it feels routine, it carries the same weight as a formal audit. For digital access, SAP's evaluation tools scan for document types created by external systems, but you should also track volumes independently through your own integration logs.
| Self-Declaration Area | What to Measure | Key Risk |
|---|---|---|
| Engine metrics | Products licensed on specific metrics (annual revenue, active employees, database records, CPU cores). SAP cannot always measure these automatically. | Under-reporting risks penalties and back-maintenance fees. Over-reporting wastes budget. Validate against business data sources. |
| Digital Access documents | Nine document types created via external systems: Sales Orders, Purchase Orders, Invoices, Goods Receipts, etc. | High-volume integrations generate millions of documents. Even with DAAP discounts, costs compound rapidly. See SAP DAAP Strategy Guide. |
| Cloud subscription metrics | SuccessFactors user counts, Ariba document volumes, Concur transaction counts. SAP can see cloud usage directly but may ask for certification. | SAP cross-checks self-declared figures against cloud platform data. Inconsistencies trigger formal audits. See SAP Audit Trends 2026. |
| Capability | What Third-Party Tools Add | Limitation |
|---|---|---|
| Automated user analysis | Smarter matching using HR data or SSO directories to identify duplicates more effectively than LAW's standard matching. | Does not replace USMM/LAW for official SAP reporting. Use as pre-submission validation. |
| Licence type optimisation | Analyses actual transaction activity and suggests the most cost-effective licence classification per user. Identifies users with expensive Professional licences who only perform Limited-level tasks. | Recommendations still require manual implementation in SAP. See Named User Optimisation Playbook. |
| Cross-validation | Independent data acts as a second opinion. Catches discrepancies, inactive accounts, and misclassifications before submission to SAP. | Third-party data cannot be submitted to SAP in place of USMM/LAW output. |
| Scenario planning | Simulate S/4HANA migration FUE needs, system consolidations, and forecast growth. Model the impact of user reclassification before committing. | Simulations are estimates. Actual FUE consumption depends on final role assignments in S/4HANA. |
| # | Step | What to Do |
|---|---|---|
| 1 | Internal audit first | Run USMM/LAW weeks before the due date. Analyse in detail. Look for anomalies that do not match business changes. Compare with previous measurement results. |
| 2 | Clean up users and roles | Remove or deactivate former employees, duplicate test IDs, and generic accounts. Involve HR and security teams. Ensure every user has a correct licence classification. |
| 3 | Reconcile with HR and IT | If USMM reports 10,000 users but you have 9,000 staff, duplicates are inflating the count. Cross-reference with HR headcount, active directory, and SSO data. |
| 4 | Re-run and verify | After cleanup, run USMM/LAW again. Compare results with the previous run to confirm fixes had the intended effect. Validate engine metrics against business data sources. |
| 5 | Keep an audit trail | Document steps: users removed or reclassified, USMM SAP Note version, assumptions for manual metrics, who approved the submission. This documentation is your defence if SAP questions the numbers later. See SAP Audit Defence Service. |
| # | Recommendation |
|---|---|
| 1 | Run tools regularly. Schedule quarterly measurements. Catch compliance issues early before they compound. |
| 2 | Assign a licence owner. Designate someone responsible who understands contract metrics, tool operation, and the business context of each measurement. |
| 3 | Keep user data clean. Implement joiner/mover/leaver processes for SAP access. Automate de-provisioning through HR integration. |
| 4 | Verify before sharing. Cross-verify USMM/LAW output with a secondary source (HR, active directory, third-party tool) before submitting to SAP. |
| 5 | Leverage third-party tools. Optimise and validate, but align with SAP's contractual rules. Third-party tools supplement, not replace, SAP's measurement. |
| 6 | Stay informed on changes. Follow SAP Notes and user group events for metric and tool updates. New SAP Notes may change how users are classified. |
| 7 | Include digital access. If you use non-SAP front-ends, assume indirect usage exists. Measure it proactively. See SAP Digital Access Advisory. |
| 8 | Negotiate with data. Exact usage figures give you leverage at renewals and true-ups. SAP respects customers who know their own numbers. |
| 9 | Practice dry-run audits. Simulate a full audit yearly. Measure, consolidate, validate, and fix gaps. See SAP Audit Survival Guide. |
| 10 | Foster compliance culture. Ensure IT, finance, and functional teams understand licence costs. A developer creating a new interface without realising it triggers indirect access licensing is a common source of audit findings. |
At minimum once a year, with quarterly mini-checks if possible. Regular measurements let you spot trends early. Align runs with fiscal year milestones or after new SAP module rollouts. The cost of running these tools is negligible compared to the cost of an adverse audit finding.
The process (USMM/LAW) is similar, but the licence model may differ. S/4HANA on-premises introduces FUE-aligned user types. In S/4HANA Cloud (RISE), focus on total FUE consumption. SAP's STAR report translates existing usage into FUEs. Digital access also becomes more prominent in S/4HANA environments. See SAP FUE Licensing Explained.
Use SAP's Digital Access Evaluation tool to count documents created indirectly. To minimise costs: count only truly indirect documents, archive unnecessary auto-generated documents, and consider SAP's DAAP programme. A fixed-fee arrangement may work for high, stable usage. See Digital Access Audit Defense.
Depends on complexity. SAP's tools give compliance numbers but will not optimise them. Third-party tools identify inefficiencies and simplify continuous monitoring. Small landscapes may manage with SAP tools alone; large enterprises often find the investment pays for itself through licence savings identified before submission.
Address it before submission. Try remediation: retire unused accounts, reallocate licences, reclassify users. If gaps remain, approach SAP proactively. Negotiating on your terms is better than waiting for SAP to find the shortfall during a formal audit. See SAP Licence Optimisation Services.
STAR (S/4HANA Trusted Authorization Review) reviews each user's authorisations and maps them to FUE categories. Run it before any RISE negotiation to establish your own FUE baseline. SAP will run their own analysis; having your data gives you leverage to challenge their numbers and negotiate more favourable FUE counts.
Whether preparing for an audit, navigating self-declaration, or planning an S/4HANA migration, Redress Compliance helps you measure, optimise, and defend your SAP licence position. Independent advisory with SAP-specific tool expertise. Fixed-fee engagements.
SAP Licence Optimisation ServicesIndependent SAP compliance tool expertise, measurement validation, FUE sizing, and audit defence. Fixed-fee engagements. No vendor conflicts.