The Importance of Aligning SAP Access Governance with FUE Licensing
This article by Dudley Cartwright, the CEO of Soterion, explores how the introduction of the SAP STAR measurement framework necessitates adjustments to SAP Access Governance. These adjustments need to be made with licensing efficiency in mind to mitigate organisational financial exposure.
For many years, the primary driver for implementing SAP access control solutions has been to strengthen internal controls, specifically to prevent Segregation of Duties (SoD) violations and reduce the risk of fraud. Access risk management has rightly been seen as a cornerstone of financial governance, ensuring that no individual has excessive or conflicting access that could result in unauthorised activity or financial misstatement.
However, with the introduction of SAP’s STAR measurement framework, used for licensing in S/4HANA and SAP Cloud ERP Private (formerly RISE with SAP), the landscape has shifted. Under this new framework, SAP user license classifications are based on the authorisation objects and field values assigned to users, as defined in the STAR rule set – as opposed to broad, manually assigned user types.
This shift introduces significant financial exposure for organisations whose access requirements overstate actual license needs, sometimes substantially. This leads to an inflated Full Use Equivalent (FUE) count, which forms the basis for RISE contract pricing, potentially locking organisations into higher-than-necessary licensing costs. Most SAP role designs were never developed with licensing efficiency in mind.
Furthermore, during the subscription period, ineffective access provisioning and role management can result in ongoing FUE creep, triggering costly mid-term true-ups. While the risk of fraud remains valid, many organisations now face an even greater financial risk due to poor license management. This reality calls for a broader approach to access control, one that includes both SoD risk management and user (FUE) license management.
What Has Changed in SAP User Licensing?
The STAR measurement framework introduced by SAP for S/4HANA is positioned by SAP as a significant improvement over previous licensing models. Under ECC, license classifications were based on broad user types, which were often ambiguous, leaving room for interpretation.
By contrast, STAR assigns license categories according to a defined set of authorisation objects and field values; users whose roles include those values fall into the corresponding license tier. This shift to a more definitive approach to user licensing enables organisations to design their SAP roles with licensing in mind, eliminating guesswork and potentially reducing uncertainty around license requirements.
1. Difficulty Justifying Migration Business Cases
Most existing SAP role designs were not built with licensing considerations in mind. Therefore, when STAR measurements are applied during cloud migration planning, FUE counts are often heavily overstated. This inflates costs and undermines the business case.
2. Overpaying for FUEs
Remediation activities can be highly technical. Without a license-focused optimisation approach, organisations risk paying for significantly more FUEs than they actually need.
3. Subscription Cost Increases
Post-contract, subscription costs can escalate unexpectedly when SAP access changes inadvertently assign high-cost authorisations. This often reflects challenges in maintaining license-aware access governance, rather than a flaw in the STAR framework itself.
Whilst the STAR rules are considered structured, transparent and relatively lenient, overpayment is possible and commonly linked to role designs that don’t align access with actual business needs.
Licensing by Design
With STAR measurement now in play, organisations must shift their role design mindset. A role design optimised for SoD compliance may not be efficient for licensing. In many cases, SoD-optimised roles are too broad and inadvertently trigger higher license classifications.
Effective licensing by design means defining SAP roles that strike a balance between business functionality, compliance, and license efficiency. This involves categorising users accurately, separating high-cost functionality, and tailoring access to actual job requirements. By building roles around license tiers, organisations can significantly reduce their FUE consumption without compromising operational needs.
The Importance of Preparation Time
One of the most common mistakes organisations make is waiting too long to address licensing concerns. Whether it’s a role clean-up initiative or a full redesign, these projects require time, resources, and cross-functional alignment.
The more time an organisation has to prepare, the greater the opportunity to analyse, model, test, and optimise the design before migrating to SAP Cloud ERP Private. There is a direct and measurable correlation between preparation time and long-term license efficiency.
In contrast, starting late often results in rushed remediation, half-finished clean-up, and excessive FUE allocations that could have been avoided with better foresight.
The Role of Continuous Monitoring
Preparation is only part of the picture. Ongoing visibility into how access changes affect licensing is becoming increasingly important – particularly under the STAR framework, where small authorisation adjustments can have a measurable financial impact.
Continuous monitoring can be approached in a number of ways depending on organisational needs and complexity. This is where SAP licensing management platforms, like Soterion’s SAP License Manager, come in – to model FUE exposure, simulate the license impact of access changes, and identify optimisation opportunities in real time. For example, the insight given by Soterion’s SAP License Manager empowers organisations to plan more accurately, understand where optimisations can be made, and estimate the effort needed for remediation. Then, beyond the initial assessment, it enables ongoing management by simulating the FUE impact of every SAP access change request before it is implemented in the productive system. This functionality helps organisations manage their license position in real time, reducing the risk of mid-term surprises and unbudgeted true-up costs.
In Summary
The move to SAP’s STAR licensing model is more than just a change in how licenses are counted – it’s a shift in how access, compliance, and cost efficiency must be managed together. The organisations that respond strategically will benefit the most. Aligning SAP role design with both SoD compliance and license optimisation is no longer optional – it is essential. Those who act early, prepare thoroughly, and continuously monitor their access landscape will benefit significantly from license efficiencies, reduced risk, and long-term financial control.
“Those who act early benefit significantly from license efficiencies, reduced risk, and long-term financial control.” — Dudley Cartwright, CEO, Soterion
This article was originally written for ANZSAP Volume 3 and has been republished on our blog to share these insights more widely, extending the conversation beyond its original publication.