SAP's named user licensing model is simple in theory: every person who accesses the system needs a licence, and the type of access determines the licence category — and the price. In practice, enterprises accumulate user accounts the way they accumulate software licences: through growth, project work, acquisitions, and the organisational reluctance to delete anything that might be needed later.
The result is that at true-up time, many organisations discover they are licensing 15-30% more users than they actually need, in categories that are more expensive than the access patterns warrant. SAP's USMM (User and System Measurement) tool will find every active user. The question is whether you find and fix the issues before SAP runs its measurement — or whether you explain to your CFO why the true-up bill is twice what was budgeted.
How SAP Counts Named Users (and Why You're Probably Over-Licensed)
Overpaying for SAP? We handle SAP licensing and RISE contract negotiation on a 25% gainshare basis — you keep 75% of every dollar saved. No retainer. No risk.
Get a free SAP savings estimate →SAP uses the System Measurement tool (transaction USMM or the equivalent in S/4HANA) to classify users according to the highest-privilege role assigned to them. The key word is "assigned" — not "used." A developer who has been given Professional User access to run a one-time report retains that classification permanently, even if they never log in again.
The standard SAP licence user types, from most to least expensive, include: Professional User (full access, highest cost), Limited Professional User, Employee User (basic self-service), Developer User (developer licences, premium-priced), and Test User (restricted to non-production systems). Each carries a dramatically different annual fee, and the spread between a Professional User and an Employee User can be 10x or more in annual cost per seat.
Three structural problems drive over-licensing in almost every SAP estate:
- Role inflation over time: When users need temporary elevated access for projects or training, IT grants Professional User roles as the path of least resistance. Those roles are rarely revoked when the project ends.
- Termination lag: Leavers and contractors often retain active SAP user accounts for weeks or months after leaving the organisation, particularly if HR system integration with SAP is manual or delayed.
- Acquisition accumulation: When companies are acquired, their SAP user population is folded in with existing licences. Role cleanup in merged environments is typically deferred and then forgotten.
The Tools SAP Gives You — and How to Use Them Before SAP Does
SAP provides the USMM transaction precisely because they intend to use it. Running USMM yourself before SAP's annual measurement is your first line of defence. The transaction produces a detailed report of every user classified by licence type, giving you the raw data for an optimisation exercise.
For S/4HANA environments, the equivalent capability exists within the SAP System Landscape Optimization (SLO) toolset and within SAP's Cloud ALM for cloud deployments. The LAW (Licence Auditing Workbench) consolidates usage data across multiple SAP systems in a landscape, which is essential for enterprises running SAP ECC, S/4HANA, BW, CRM, and other components in parallel.
The critical reports to run at least 90 days before your true-up date:
- USMM User Classification Report: Full list of users by licence type. This is what SAP will measure — you need to see it first.
- Last Logon Date Analysis: Users who have not logged in within the past 90 days are candidates for account deactivation. SAP does not licence inactive users, but you need to lock or delete them before measurement day.
- Role Assignment Review: Identify users assigned to Professional User roles whose actual transaction usage is consistent with Limited Professional or Employee access. These are your right-sizing opportunities.
- Cross-System Usage Check: In multi-system landscapes, confirm that users with access to multiple SAP components are classified at the correct level for each system, not automatically elevated across the board.
Our SAP negotiation service includes a pre-true-up user access audit that typically identifies 15-30% reduction in licensable user counts. We work on a 25% gainshare basis — if we don't reduce your SAP costs, you pay nothing.
Get Your Free SAP Savings EstimateSAP Named User Categories: Where the Money Is
Understanding the cost structure of SAP's user types is essential to knowing where to focus your optimisation effort. Not all miscategorisations are equal — downgrading 50 Professional Users to Limited Professional delivers far more value than reclassifying 200 Employee Users to Test Users.
| User Type | Typical Use Case | Relative Annual Cost | Common Miscategorisation |
|---|---|---|---|
| Professional User | Finance, procurement, operations users needing full transactional access | High (1x baseline) | Assigned to IT staff, developers, occasional users |
| Limited Professional | Users with defined, limited transaction sets | Medium-High (0.4–0.6x) | Often upgraded to Professional unnecessarily |
| Employee User | Self-service HR, travel, expense, basic approvals | Low (0.1–0.15x) | Correctly classified but volume drives cost |
| Developer | ABAP developers, basis admins requiring development access | Very High (1.5–2x) | Given to IT staff who don't actually develop |
| Test User | Non-production system access only | Very Low (0.05x) | Accidentally given production access, upgrading licence |
The highest-value optimisation target is almost always the boundary between Professional User and Limited Professional User. In a typical 500-user SAP estate, 20-30% of Professional Users are in roles that could be reclassified as Limited Professional — with no operational impact. At typical SAP pricing, that reclassification across 100 users can represent $400,000–$800,000 in annual savings.
Inactive Users: The Fastest Win in SAP Licence Optimisation
Every SAP environment has a population of inactive users — accounts that exist in the system but whose owners have left the organisation, moved to roles that don't require SAP access, or simply stopped using the system. These users are fully licensable if they appear in USMM as active accounts, regardless of whether they've logged in recently.
SAP's position is that a user account that is not locked or deleted represents a potential access that must be licensed. The counter-argument — that a user who hasn't logged in for 18 months isn't really "using" the system — is not one SAP accepts in true-up discussions. The only effective approach is to actually lock or delete inactive accounts before measurement day.
A 90-day last-logon threshold is the standard starting point for identifying inactive users. In our experience working with enterprise SAP estates, this typically surfaces 10-20% of all user accounts as candidates for deactivation. The process is straightforward: export the last-logon data from SAP, cross-reference against HR active employee records, obtain line-manager confirmation for edge cases, and lock or delete accounts confirmed as no longer needed.
90-Day Pre-True-Up User Access Cleanup Checklist
- Run USMM measurement and export full user classification report
- Generate last-logon report for all users — flag anyone inactive >90 days
- Cross-reference with HR active employee list — lock all leavers immediately
- Review Professional User list for role inflation — identify downgrade candidates
- Audit Developer User assignments — remove from any non-developer IT staff
- Check for production system access assigned to Test User accounts (triggers upgrade)
- Run LAW across all SAP systems to identify cross-system over-licensing
- Implement provisioning workflow to prevent recurrence
Digital Access Licensing: The Hidden Named User Problem
Since SAP introduced Digital Access pricing in 2018, the named user question has become more complex for organisations using third-party applications that interact with SAP. Digital Access is triggered not by human users but by documents created in SAP via indirect access — purchase orders, sales orders, goods receipts, invoices — generated by non-SAP systems connecting to the SAP backend.
If your CRM system creates sales orders in SAP, those orders may require Digital Access documents. If your e-commerce platform generates SAP goods receipts, those receipts have a cost. Critically, Digital Access pricing is separate from named user pricing, and many enterprises have signed Digital Access agreements without fully understanding what their integration landscape generates.
The interaction between named user management and Digital Access is an area where forensic analysis is essential before any true-up or renewal negotiation. We have seen enterprises negotiating named user reductions while simultaneously facing uncapped Digital Access exposure they weren't aware of.
Using User Access Data as Negotiation Leverage
A thorough user access audit does more than reduce your true-up exposure — it creates negotiation leverage for your broader SAP contract negotiation. When you enter a true-up discussion with clean, independently verified user data, you can challenge SAP's measurement on factual grounds and negotiate the true-up amount rather than simply accepting SAP's figure.
More importantly, accurate user data is the foundation of right-sizing your SAP named user licence mix at renewal. Enterprises that arrive at renewal negotiations knowing their actual consumption by user type — not SAP's estimate — consistently achieve better outcomes. SAP expects buyers to be uncertain about their own data; when you're not, the negotiation dynamic shifts.
Three specific negotiation positions become available when you have clean user access data:
- Challenge the true-up baseline: If SAP's measurement differs from your own, you have documented grounds to dispute. In our experience, discrepancies of 5-15% in user counts are common, and SAP will negotiate on verified data.
- Right-size at renewal: Use the optimised user count as the basis for your renewal licence quantities — not SAP's historical invoice. Reducing your licensed user count by 20% at renewal means 20% less in annual maintenance fees going forward.
- Bundle user optimisation with other concessions: User count reductions can be traded for better pricing on S/4HANA migration, BTP credits, or extended payment terms — elements of the broader SAP RISE negotiation that add significant long-term value.
⚠ Timing Warning: SAP's standard contract language specifies that the true-up measurement date is determined by SAP, often with limited advance notice. If your contract allows SAP to measure at any time during the year, you need a continuous user access management process — not just a 90-day pre-renewal sprint. Review your contract language and negotiate a fixed measurement date in your next renewal.
Building a Sustainable SAP User Access Governance Process
A one-time cleanup before true-up is valuable but not sufficient. The structural causes of user account accumulation — role inflation, termination lag, acquisition gaps — will recreate the problem within 18-24 months if you don't address the underlying governance process.
The most effective SAP user access governance programmes include four components: automated joiner/mover/leaver integration between HR and SAP, role-based access profiles that prevent ad-hoc Professional User grants, quarterly access reviews by department heads confirming user access is still required, and a mandatory USMM run six months before any true-up or renewal date.
The HR-to-SAP integration is the single highest-impact investment. When an employee terminates and their HR record closes, their SAP account should be locked automatically within 24 hours. Manual processes operating on a weekly or monthly cycle create windows of unnecessary licence exposure. For organisations running SAP SuccessFactors, this integration is available natively — but it requires configuration and testing, and many organisations have not activated it.
From a commercial perspective, SAP user access governance should be framed to your CFO as licence cost control, not IT housekeeping. The annual saving from eliminating 200 inactive Professional Users is typically $600,000–$1.2M. That is a compelling ROI for a process investment that takes two to three months to implement properly.
SAP Audit Risk: How User Access Management Intersects with Compliance
User access issues are among the most common triggers for SAP software audit exposure. When SAP's License Audit Management (LAM) team initiates a measurement, they look specifically for users classified below their role requirements — a Professional User-level role assigned to an Employee User account being the most common finding. The remediation cost per miscategorised user can exceed $10,000 when back-licensing and penalties are applied.
The inverse problem — users classified at a higher level than their roles require — represents money you're paying unnecessarily but doesn't create audit exposure. This asymmetry means that an audit-focused user access review and a cost-optimisation user access review have different starting points, and you need both approaches before a renewal negotiation.
Our SAP negotiation specialists — former SAP account executives and licensing advisors — have resolved over $150M in SAP true-up and audit exposure. We work on a gainshare basis: 25% of the verified savings we achieve, with nothing owed if we don't deliver. The user access management analysis is part of the engagement at no additional cost.
Further Reading
class="cta-inline">Facing an SAP true-up or renewal negotiation? Our team runs the pre-measurement user access audit, identifies reduction opportunities, and negotiates directly with SAP on your behalf. You keep 75% of every dollar saved. Download our SAP RISE Evaluation Framework for more context on the full contract landscape.
Talk to an SAP Negotiation ExpertThe Bottom Line on SAP User Access Management
SAP's named user model is designed to be simple to measure but difficult to optimise without active management. The 90-day pre-true-up user access audit described in this article consistently identifies 15-30% of licensable user counts as candidates for either deactivation or reclassification. At typical SAP per-user pricing, that represents material annual savings for any organisation running more than 500 SAP users.
The three actions that deliver the highest return with the least effort: lock all inactive users (last logon >90 days), review Developer User assignments, and audit Professional User roles for downgrade to Limited Professional. These three steps alone address the vast majority of over-licensing in most SAP estates.
Beyond the immediate savings, clean user access data changes the nature of your SAP negotiation. SAP expects uncertainty from buyers. Eliminate that uncertainty and the commercial conversation shifts in your favour — not just at true-up time, but at every renewal and contract discussion going forward.