The Three KPIs Every SAP Security Team Should be Tracking in the age of STAR

How to align SAP access control with financial and operational performance.

With SAP’s STAR licensing model now in full effect, the role of the SAP security team has evolved. No longer just the custodians of access governance and Segregation of Duties (SoD) compliance, today’s security teams also have a direct influence on licensing costs, especially in SAP Cloud ERP Private (formerly RISE with SAP).

In this new landscape, visibility is everything. If you can’t measure the financial and operational impact of your access control strategy, you can’t improve it. That’s why forward-thinking SAP teams are shifting from reactive controls to KPI-driven governance.

Here are the three KPIs every SAP security team should track right now.


1. Actual vs Assigned FUEs

What it is:

The difference between the number of Full Use Equivalents (FUEs) based on assigned authorisations (what users can do) and actual usage (what users actually do).

Why it matters:

SAP’s STAR model classifies users based on assigned access—not usage. This often results in over-licensing. Tracking this KPI helps quantify just how far your current SAP role design deviates from your true licensing needs.

What to aim for:

A variance of less than 20% between assigned and actual usage is generally a good benchmark, though organisations with legacy roles may see a much wider gap initially.

2. Role Clean-Up Potential

What it is:

The number (or percentage) of FUEs that could be eliminated by removing unused or unnecessary authorisations from user roles—without disrupting business operations.

Why it matters:

Most SAP environments accumulate access over time. Users are granted access “just in case” or retain permissions from previous roles. This unused access often includes high-tier authorisations that inflate licensing costs.

What to aim for:

Remediation activities, including user access review, should be performed more regularly.

3. Access Risk Tolerance

What it is:

The ratio between potential SoD conflicts (based on role design) and actual SoD violations (based on actual usage).

Why it matters:

There is a tendency to over-assign access in SAP. By defining an access risk tolerance KPI, organisations can measure the gap between potential access risks introduced by role design and the actual risks based on real user activity—enabling more informed and targeted remediation.

What to aim for:

Aim for a ratio of less than 3. In other words, your potential risk count should not be more than 3 times your actual risk count.

Whatever target your organisation sets for this KPI, the metric gives the security team a clear objective.

Putting It All Together

These three KPIs create a holistic view of your access environment:

  • Actual vs Assigned FUEs shows where you’re over-licensed
  • Role Clean-Up Potential shows where you can reduce costs
  • Access Risk Tolerance provides a measurable KPI that both the security teams and business users can work towards

Together, they give SAP security teams the metrics they need to operate with confidence—and to demonstrate value beyond audit compliance.
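The three KPIs above, computed over a constructed sample population as an added example (not Soterion's code or the article's own figures); the FUE weights per usage tier and the user records are assumptions made for the example, while the 20% variance benchmark and the ratio-below-3 target come from the article:

```python
from dataclasses import dataclass
# FUE weight per tier. ASSUMPTION: illustrative placeholders, not figures from the article or SAP.
FUE_WEIGHT = {"advanced": 1.0, "core": 0.2, "self_service": 1 / 30}

@dataclass
class UserRecord:
    user: str
    assigned_tier: str   # highest tier implied by role design (what the user can do)
    used_tier: str       # highest tier observed in usage data (what the user did)
    potential_sod: int   # SoD conflicts present in the assigned roles
    actual_sod: int      # SoD conflicts actually exercised in the review window

def total_fue(users, attr):
    return sum(FUE_WEIGHT[getattr(u, attr)] for u in users)

def assigned_vs_actual_variance(users):
    """KPI 1: percentage of assigned FUEs not backed by actual usage."""
    assigned, actual = total_fue(users, "assigned_tier"), total_fue(users, "used_tier")
    return 0.0 if assigned == 0 else 100 * (assigned - actual) / assigned

def cleanup_potential(users):
    """KPI 2: FUEs removable by trimming roles to observed usage, plus the users affected."""
    removable = total_fue(users, "assigned_tier") - total_fue(users, "used_tier")
    affected = [u.user for u in users if FUE_WEIGHT[u.used_tier] < FUE_WEIGHT[u.assigned_tier]]
    return removable, affected

def access_risk_ratio(users):
    """KPI 3: potential SoD conflicts / actual violations; None when nothing was exercised."""
    potential, actual = sum(u.potential_sod for u in users), sum(u.actual_sod for u in users)
    return None if actual == 0 else potential / actual

def kpi_report(users, variance_target=20.0, ratio_target=3.0):
    """Evaluate all three KPIs against the article's benchmarks (variance < 20%, ratio < 3)."""
    variance = assigned_vs_actual_variance(users)
    removable, affected = cleanup_potential(users)
    ratio = access_risk_ratio(users)
    return {"variance_pct": round(variance, 2), "variance_ok": variance < variance_target,
            "removable_fue": round(removable, 3), "cleanup_users": affected,
            "risk_ratio": None if ratio is None else round(ratio, 2),
            "risk_ratio_ok": ratio is not None and ratio < ratio_target}

# Constructed sample population: (user, assigned tier, used tier, potential SoD, actual SoD).
SAMPLE = [UserRecord("alice", "advanced", "advanced", 4, 2), UserRecord("bob", "advanced", "core", 3, 0),
          UserRecord("carol", "core", "self_service", 1, 0), UserRecord("dave", "advanced", "core", 5, 1),
          UserRecord("erin", "core", "core", 2, 1), UserRecord("frank", "advanced", "advanced", 6, 2)]

if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample the variance is about 40% and the risk ratio 3.5, so both KPIs miss their targets and the three users whose roles exceed their observed usage are the first clean-up candidates.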


How Soterion Helps

Soterion’s SAP License Manager and Access Risk Manager provide real-time visibility into these KPIs. Our platform analyses assigned vs actual authorisations, identifies clean-up opportunities, and helps teams focus SoD remediation where it truly matters.

This isn’t just about reporting—it’s about making better, faster, and more strategic decisions.

Conclusion: From Gatekeepers to Value Creators

In the age of STAR, SAP security teams are no longer just access gatekeepers—they’re financial enablers. By tracking the right KPIs, they can play a proactive role in controlling costs, improving governance, and unlocking business value. 

Want to know your best-case licensing scenario?

Let us show you. Get in touch with Soterion for a tailored SAP License Assessment that can help you optimise costs and discover your true licensing needs.


Meet Soterion

We’re a team of specialists in SAP security and license management, and we’re known for combining market-leading technology with deep advisory expertise. With a proven track record in delivering robust, scalable, and easy-to-administer SAP authorisation solutions, we genuinely understand the practical challenges organisations face in managing access, compliance, and governance.

At Soterion, we take immense pride in designing solutions that are not only technically sound but also intuitive and low-maintenance. This ensures that our solutions are easy for IT teams to administer and straightforward for business stakeholders to use. Ultimately, our goal is to remove complexity and empower business users to take ownership of their access risk management activities with confidence and clarity.

Our access control solutions are particularly effective during project phases, where they provide data-driven insights, simulate role designs, and validate access risks. This allows us to deliver audit-ready solutions that align with wider business objectives, including data privacy (privacy by design), license optimisation (licensing by design), and scalable governance frameworks that support organisational growth.

If you have any questions or would like to see a demo, feel free to reach out to us by emailing [email protected]