A large medical technology manufacturer needed independent support to understand its SAP licensing exposure and bring order to a complex SAP ECC environment. The company operated an extensive global landscape with multiple productive systems that supported manufacturing, supply chain, sales, finance and safety workflows. Over time, the environment had accumulated thousands of roles and a wide range of user types, yet very little documentation explained how these roles connected to SAP license requirements. 

Executives were preparing for future S/4HANA migration conversations and were aware that SAP had become far more detailed in how it evaluates license usage. The company wanted a complete, factual view of its SAP license risk along with a practical plan to reduce exposure. 

A Complex SAP Landscape Exceeding Internal Control Capacity

The company had recently been subject to an enhanced SAP audit. The audit reviewed named user license assignments, business object usage and high-privilege authorizations. That combination revealed inconsistencies in how users were classified. It also highlighted widespread assignment of Professional user types that surpassed the company’s entitlements. 

Over many years, the organization had expanded its SAP footprint to include tens of thousands of users and thousands of technical roles. Composite role design simplified access for end users yet obscured license implications for auditors. Internal teams lacked source-of-truth documentation that explained how job functions, technical roles and SAP license types were intended to align. 

This created a situation where business teams could not clearly justify why some users required Professional licenses while others with similar responsibilities did not. 

Reconstructing Licensing Logic Through Technical and Functional Analysis 

The assessment was structured as a forensic review of how SAP licensing decisions were being made within the system. Technical data and business context were analyzed in parallel to rebuild the reasoning behind the organization’s license footprint. 

User behavior and job function mapping: User records were evaluated across multiple productive systems to identify functional patterns. Job titles, access groups and system assignments were mapped to determine which users could safely qualify for lower license types like Worker, Logistics or Employee without impacting operations. 

Deep analysis of technical roles and focus on S/4: Role content was analyzed through authorization objects, not only role names. Many roles that appeared identical across systems differed significantly inside. Even slight variations in authorization objects could trigger Professional classification under SAP’s modern audit methods. The review identified thousands of roles that contained Professional-level access in a way that was not visible through transaction-level review. 

Object-level and STAR-based analysis: Because SAP increasingly evaluates license requirements through the STAR dataset for S/4HANA scenarios, the team reviewed object-level access to identify Professional license triggers. STAR-based logic revealed hidden Professional authorizations inside otherwise routine roles. This insight showed that license exposure had less to do with actual user activity and more to do with how roles had evolved over time. 

Cross-system aggregation: A user’s classification depended on their highest level of access across all systems, not just one. Many users who appeared to qualify for lower license categories in one environment were elevated to Professional due to authorizations in another system. e same calibre of expertise typically engaged on larger programmes, but available instantly and proportionally to the client’s needs.

Where SAP License Exposure Emerged 

Conclusion

The exercise identified the risks and the solution; however, the work demonstrated that the environment was more complex than traditional R/3 maintenance and optimization approaches could address. As the next stage of the project, the recommended path forward was to adopt a user management service that incorporates JNC/ITAA-vetted user management software, supported by a process review and real-time user management monitoring to provide a sustainable long-term solution. 

Protecting our clients’ confidence is of the utmost importance at ITAA. While our case studies are based on true projects, we have used fictitious names and removed or changed other identifiable details.