Your SAP Role Design was Never Built for RISE: the Hidden FUE Cost Most Organisations Miss 

Consider this: the SAP role designs most organisations are running today were built five, ten, or even fifteen years ago — long before SAP Cloud ERP Private (formerly RISE with SAP) existed. Those roles were designed to control access and manage audit risk. License cost was never part of the equation. Under the Full-Use Equivalent (FUE) model, that oversight now has a direct price tag. 

Many organisations moving to SAP Cloud ERP Private are subscribing to more FUEs than they actually need — not because their users require that level of access, but because their role designs were never optimised for license efficiency. The financial exposure from over-assigned access is, for many organisations, arguably greater than the fraud risk those same roles were designed to prevent. 

This article explains how legacy role design inflates FUE consumption, what organisations can do about it before and during a RISE subscription, and why right-sizing your SAP licenses is now a commercial priority, not just a compliance exercise.

Under SAP Cloud ERP Private, user licenses are measured using the STAR rule set. The STAR rule set evaluates the authorisation objects assigned to a user and classifies them into an FUE tier. The higher the tier, the greater the license cost attributed to that user. 

The critical point is this: it is the access assigned to a user — not the access they actually use — that determines their FUE classification. A user assigned a broad set of financial transactions, even if they only ever use two or three of them, may be classified at a higher FUE tier than their actual job function warrants.

Most SAP environments have accumulated role designs that over-assign access for entirely understandable reasons:

• Wider access granted during a project that was never revoked. 
• Composite roles built for convenience that bundle far more access than the typical user requires. 
• Legacy role designs inherited from SAP ECC migrations, brought across without rationalisation. 
• Business pressure to grant access quickly, with the intention of reviewing it later — a review that rarely happens. 
• SAP users moving internally, inheriting new access with the old access never being revoked. 

None of these decisions were wrong at the time. They were pragmatic responses to operational demands. But under a FUE-based model, they carry a measurable and ongoing cost. 

When an organisation signs a SAP Cloud ERP Private subscription, they commit to a specific FUE count. If actual consumption exceeds that count during the subscription term, a mid-term true-up is triggered.  

The scenario most organisations have not fully planned for is not a one-off spike in FUE consumption, but gradual FUE creep. As users are onboarded, roles are adjusted, and access requests are processed through business-as-usual provisioning, FUE consumption quietly increases. Without continuous visibility into how each access change affects FUE classification, organisations are effectively managing their subscription in the dark. 

Two moments of significant FUE exposure deserve particular attention:

Right-sizing is not a once-off project. It is an ongoing governance discipline.

The phrase ‘license by design’ is straightforward in principle: build and maintain SAP roles with FUE classification in mind, not just access control. In practice, it requires a shift in how organisations approach the entire SAP access lifecycle.

License-by-design role optimisation involves the following steps:

• Assess the current FUE baseline: understand what each user’s current role assignments would generate in FUE consumption under the STAR rule set. This gives organisations a measurable starting point. 
• Identify roles contributing disproportionate FUE uplift: not all roles carry equal license weight. Identifying the specific authorisation objects and the roles that push users into higher FUE tiers allows targeted remediation rather than a full role redesign. 
• Re-engineer composite roles: break down broad composite roles and reassign access based on what users actually need to perform their job function. Removing unused or unnecessary authorisation objects reduces FUE classification without impacting operational capability. 
• Model FUE impact before applying changes: before any role change is approved and applied, evaluate its effect on the user’s FUE classification. This is what prevents FUE creep in BAU operations. 
• Embed FUE awareness into provisioning workflows: every joiner, mover, and leaver event should trigger a FUE impact assessment as part of the standard access change process — not as a separate audit exercise. 

This is not about restricting access inappropriately. It is about ensuring that the access users hold genuinely reflects what their role requires — and that organisations are not subsidising unnecessary license costs through unconsidered role design.

One important clarification worth making: the STAR rule set, in its current version (v1.69), is actually quite lenient. SAP publishes the rule set openly, which means organisations can — for the first time — design roles with full transparency about how access assignments translate into FUE classifications. This predictability is genuinely useful: it makes license-by-design a practical, engineerable discipline rather than a guessing game. It is also a significant improvement over the license classification approaches used in SAP ECC and SAP S/4HANA On-premise environments, where classifications were loosely defined in contracts and open to interpretation. 

The problem most organisations face is not that SAP’s measurement approach is punitive — it is that their role designs were built with no reference to FUE at all. A well-designed SAP role landscape, built with the STAR rule set in mind, can often achieve the same operational coverage at a meaningfully lower FUE tier. 

Organisations that engage with the STAR rule set proactively — rather than discovering its implications at subscription renewal or true-up — are in a materially stronger commercial position.

The organisations best positioned under SAP Cloud ERP Private are not those that completed a one-off FUE assessment before go-live. They are those that have embedded FUE governance into their day-to-day SAP access management process. 

Continuous FUE governance delivers three distinct commercial benefits:

• Reduced initial subscription cost: a right-sized role design before or at go-live means the FUE commitment is based on genuine access requirements, not legacy over-provisioning. 
• Prevention of mid-term true-up exposure: every access change is evaluated for FUE impact before it is applied. FUE creep is stopped before it starts. 
• Informed decision-making at subscription renewal: organisations with continuous FUE visibility can enter renewal negotiations with accurate consumption data, rather than estimates. 

The tools to support this exist. Soterion’s SAP License Manager provides a detailed FUE assessment against the current STAR rule set, enabling organisations to understand their current FUE baseline (consumption vs actual) and model the impact of role changes. The What-If Simulator extends this capability to BAU operations — every proposed access change can be evaluated for FUE impact before it is approved, giving access approvers the information they need to make license-informed decisions. 

This is continuous governance in practice: not a compliance exercise, but a commercially motivated business process. 

---

Final Thoughts

The transition to SAP Cloud ERP Private has fundamentally changed the commercial stakes of SAP role design. Access that was previously an audit concern now carries a quantifiable license cost — and that cost compounds every time an unconsidered access change is applied. 

Organisations that approach RISE with legacy role designs and no FUE visibility are taking on financial exposure that is both preventable and measurable. Right-sizing SAP user licenses before a subscription begins, and maintaining FUE-aware governance throughout, is the practical way to protect a RISE investment and avoid the cost of mid-term true-up surprises. 

The conversation does not have to start with a full role redesign. It starts with understanding your current FUE baseline — and knowing where the commercial risk actually sits.  

Want to understand your current FUE exposure before it appears on an invoice?

Soterion’s SAP License Manager gives you a detailed FUE assessment against the STAR rule set — showing exactly which users and roles are driving your license consumption, and what a right-sized role design could look like.

Request a demo to see the FUE impact of your current role design, and what a right-sized structure could save over the life of your subscription. or email us at [email protected]