Review SAP Users Authorizations and Prevent License Compliance Gap
The annual license audit of SAP on-premise systems, as well as an enhanced audit, might reveal that the real authorizations of SAP users are far from the user types in the contract. Such a case leads to a license compliance gap and to an SAP license invoice that promptly follows the evaluation report. Below I describe a way to track and monitor extra authorizations of users in order to prevent an SAP license compliance gap.
Subject of Analysis
The subject of analysis in our approach is only the authorizations of active users in SAP systems and in consolidations of SAP systems. The ruleset used is the same as in the SAP STAR service, and it is officially published in SAP Note 3113382.
First, we decided to focus on the analysis and mitigation activities; below we describe the data flow, the user experience and the quick start steps.
Assuming that the data from your SAP system has been transferred to the SAP Landscape Potential Use solution, you will be able to see the dataset and create different snapshots to model the data.
NB: you can also import the SAP Note 3113382 file (or an SAP STAR file) from the main screen.
Once you drill down to a system (by clicking its card), you will see its datasets and snapshots.
You can open the list of users and review their classifications, which are calculated from the users’ authorizations (that is, the users’ potential footprint in the system: what they could potentially do):
Once you click on a user master record, you can see the roles and profiles this user has in the system, and it is easy to understand why the user is classified as, for example, “HB – Professional”:
A role-based view is also available to review authorization-based classification of roles and profiles:
Alright, now let’s get back to the task. Let’s assume that we designed a role for a team as a productive role for many users; however, we now see that it is classified as “HB – Professional”, and we’d like to know the reason, so as to prevent an unintended footprint in the SAP system from the users that have that role assigned. In this case we drill down to the role:
So, we can see that the role has three authorization objects with values that are classified as professional use of the SAP system. There are several options for how we can solve it:
- It might be the case that, for example, the authorization to create objects in the SAP system (ACTVT = 01) was added by mistake, so we can simply delete it or change it to ACTVT = 03, which allows users only to display the data (read-only access)
- Or the authorization in the role that is classified as professional use is genuinely required, but not by every user that has the role in the SAP system. In this case we create a separate role with the advanced access and move the authorization object into it (or into an advanced role that already exists in SAP)
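As an added illustration of these two options (example code, not the author's or the Skybuffer tool's), the Python below classifies a constructed role export against a simplified, constructed stand-in ruleset (not the real rules of SAP Note 3113382) and models the split into a display-only base role plus an advanced role; the role names, the rules and the `_ADV` suffix are assumptions.

```python
# Added example: classify SAP roles by authorization values and model a
# least-privilege split. Ruleset and role export below are CONSTRUCTED
# samples, not the SAP Note 3113382 rules and not a real system export.
from collections import defaultdict

# Constructed rule: ACTVT 01 (create) or 02 (change) on these objects is
# treated as "HB - Professional"; ACTVT 03 (display) stays "HD - Productive".
PROFESSIONAL_RULES = {
    "F_BKPF_BUK": {"01", "02"},   # FI document authorization per company code
    "M_MATE_WRK": {"01", "02"},   # material master authorization per plant
}

# Constructed role export: (role, authorization object, field, value)
ROLE_AUTHS = [
    ("Z_TEAM_VIEW", "F_BKPF_BUK", "ACTVT", "01"),   # create: the mistake
    ("Z_TEAM_VIEW", "F_BKPF_BUK", "BUKRS", "1000"),
    ("Z_TEAM_VIEW", "M_MATE_WRK", "ACTVT", "03"),   # display only
    ("Z_TEAM_VIEW", "M_MATE_WRK", "WERKS", "1000"),
    ("Z_TEAM_VIEW", "S_TCODE", "TCD", "MM03"),
]

def classify_roles(auths, rules=PROFESSIONAL_RULES):
    """Return {role: ("HB" or "HD", [(object, offending ACTVT), ...])}."""
    actvt = defaultdict(set)
    for role, obj, field, value in auths:
        if field == "ACTVT":
            actvt[(role, obj)].add(value)
    result = {}
    for role in {a[0] for a in auths}:
        hits = [(obj, v) for (r, obj), vals in actvt.items() if r == role
                for v in sorted(vals & rules.get(obj, set()))]
        result[role] = ("HB" if hits else "HD", hits)
    return result

def split_role(auths, role, rules=PROFESSIONAL_RULES, display="03"):
    """Combine both options: the base role keeps every object but with the
    professional ACTVT values downgraded to display; the offending objects
    move, with all their fields, into a new advanced role (hypothetical
    "<role>_ADV" naming). Returns (base_auths, advanced_auths)."""
    offending = {obj for obj, _ in classify_roles(auths, rules)[role][1]}
    base, advanced = [], []
    for r, obj, field, value in auths:
        if r != role:
            continue
        if obj in offending:
            advanced.append((role + "_ADV", obj, field, value))
            if field == "ACTVT" and value in rules[obj]:
                value = display
        if (r, obj, field, value) not in base:   # 01 and 02 both become 03
            base.append((r, obj, field, value))
    return base, advanced
```

Running `classify_roles(ROLE_AUTHS)` flags the role as "HB" because of F_BKPF_BUK ACTVT 01; after `split_role` the base role classifies as "HD" and only the advanced role remains "HB".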
In our case, we change the authorization objects in the SAP Landscape Potential Use tool to model the role as “HD – Productive”:
NB: we are not making changes in the SAP backend; we only model them in the SAP LPU tool to understand and see the changes to be made in the SAP system. Those changes can be discussed with the business owners of the role and approved by them first.
We have analyzed the classification of SAP users and SAP roles to locate the potential SAP license compliance gap that unplanned authorizations of SAP users can cause. By preventing an unwanted footprint in the SAP system, we avoid an unwanted invoice that might follow an SAP evaluation report.
As mentioned above, here are some complementary sections explaining the data flow, the user experience and how you can model it for your SAP landscape.
There are two ways data can be extracted for analysis:
- File generation by the ABAP report from SAP Note 3113382 (you can read more in this blog). In this case it is also possible to mask usernames, so that no sensitive data is transferred out of the system
- Direct connection to the SAP on-premise system via the SAP Connectivity and SAP Integration Suite services from SAP BTP
Considering that each SAP client has – in theory at least – its own SAP Basis version and support package level, we developed an SAP Fiori application and hosted it in our SAP NetWeaver on HANA DB cloud, which uses SAP NetWeaver security features to separate the data of different clients.
The Skybuffer cloud demo tenant grants you access to real SAP systems where you can test various consolidations of backends on your own, see how easily the number of full use equivalents is optimized, model what-if scenarios and gain a full understanding of your SAP landscape potential. You can get a demo user and password from this web page: