As the German magazine “Computerwoche” reported, SAP plans to enforce new license compliance guidelines, which have long been referenced in SAP’s Software Use Rights (SUR) document, but weren’t strictly enforced up to this point: user license assignment based on authorizations.
Until now, it has been common license practice to assign licenses according to actual user activity. Understandably, most companies would prefer to apply the cheapest license for users with minimal observed SAP usage. SAP now tries to prevent this purchasing strategy. The plan: In the future, license types should be based on the total sum of functionality, a user is authorized to access. The user’s roles and profiles hence shall govern, which license type applies to achieve contractual compliance.
Is this approach really new?
Actually, the model of licensing based on authorizations isn’t new at all. There are cases in which customers and SAP already agreed on using this method. However, you will require a very lean and transparent authorization concept to avoid wasting money with this variant.
License assignments based on authorizations aren’t new – what is new however, is SAPs change of course to request customers assign licenses only on the basis of authorizations. At VOQUZ, we question whether this approach will be enforceable in the field. Check your contracts to determine which entitlements govern, as you may very well have beneficial terms dating back to the early days of your SAP implementation. Make sure you hold on to these terms dearly during any SAP negotiation.
One platform to rule them all – all methodologies for license assignments that is
samQ is already armed for all kinds of licensing. Its Customizing provides a license key assignment based on authorizations. Additionally, samQ offers the possibility to identify excess access within roles – the perfect foundation for incremental role and security optimization.
To solve the problem of automatic role updates, we are working on our Role Designer solution “setQ”. Using our setQ solution you can create new, individualized roles from existing roles limited to observed usage in your user population. Moreover, you can correct and re-distribute old roles.
Within the role design a permanent adjustment of a list of critical combinations on the object level takes place. Thereby you can avoid to assign authorizations, which aren’t permitted. In the first step, the Role Designer will take a look at used and unused transactions. In the second step the optimization will also be applied on the other objects via trace reporting.
Using samQ you are equipped to meet these challenges. Be ready to zig whenever SAP zags – Indirect Access is another example of this. I’ve you’ve been following our blog, you know what we’re talking about.