Audit Defence: Part 5

SAP System Measurement Data: What to Submit, What to Withhold and Why It Matters

Published 25 Mar 2026 · 12 min read

How USMM Works in Your SAP Landscape

SAP's system measurement is not a neutral process. When SAP conducts a basic audit, USMM (User and System Measurement) is run across your SAP landscape. The data output gets fed directly to SAP's commercial team, who use it to calculate compliance gaps and back-licence claims. How you manage this data — what you provide, what format, what context — determines your financial exposure.

USMM (transaction code SUSMM in SAP) scans your SAP system for all users with active accounts, their assigned roles and profiles, and the SAP modules they can access. It produces a raw data extract that SAP auditors use to classify users against your Effective License Position (ELP). The tool is not sophisticated; it counts access rights, not actual usage. This fundamental distinction is where most enterprises lose money during audits.

When SAP's audit team receives the USMM output, they run it through SAP's internal classification engine, which sorts users into pre-defined user type categories: Guest, Limited Professional, Professional, and Application-Specific (for domain-specific roles). The classification happens automatically based on role assignments and module access patterns. In our experience, this automated classification overcounts users in higher-cost categories by 25-40% because it doesn't account for actual transaction usage or organisational context.

Your job before the audit measurement runs is to ensure that (1) inactive users are locked before measurement occurs, (2) user role assignments accurately reflect actual job functions, and (3) your organisation has clear documentation of who accesses what, and why. This documentation becomes your evidence during settlement negotiation when SAP's initial claim lands on your desk at 3x the actual compliance gap.

Five Categories of Measurement Data and Their Risk Profiles

Not all measurement data carries equal risk. Understanding the risk profile of each category helps you determine what to prioritise during audit preparation and what to challenge during the audit itself.

1. Active User Counts (High Risk)

USMM identifies all user accounts with status "Active" in the User Master (SUIM transaction). The risk: inactive accounts that haven't been locked are still counted as active users. In our audit defence cases, inactive user overcount typically represents 15-25% of SAP's initial compliance gap. A user on parental leave, long-term sick leave, or who departed the organisation 6 months ago but whose account wasn't locked still appears in USMM as an active user.

Your defence: Lock all users who haven't logged in for 90+ days at least 4 weeks before the official audit measurement. SAP's own guidelines state that any user who hasn't authenticated in 90 days should be evaluated for deactivation. Document the locking dates and reasons. When SAP's measurement runs, those users won't appear in USMM output. This alone can reduce your compliance gap by 10-20%.

2. User Role Assignments (Medium Risk)

USMM maps each user to their assigned roles and profiles. The issue: role assignment doesn't reflect actual job function or usage patterns. A user assigned the "PP_PROFESSIONAL" (Production Planning Professional) role who never creates, modifies, or executes production plans is still classified as a Professional user. In composite roles (where a user has multiple roles), SAP classifies users at the highest-cost role in their assignment, even if they rarely use that functionality.

Challenge user classifications by building a usage-based argument. SAP's own tools (SUIM, ST05 transaction analysis, SM20 audit logs) produce transaction-level usage data. If you can demonstrate that a Professional-classified user hasn't executed a single purchase order in the last 12 months, they should be reclassified as a Guest or Limited Professional user. This classification challenge often reduces compliance gaps by 5-15%.

3. Module-Level Access (High Risk)

USMM identifies which SAP modules each user can access based on their role assignments. The risk: access to a module doesn't mean usage of that module. A user with access to FI (Financial) and CO (Controlling) might only use FI_READ transaction (read-only reporting) while the role assignment suggests full Professional-level FI access. SAP's measurement methodology counts access rights; it doesn't distinguish between read-only access and transactional access.

Your challenge: Conduct a user access review prior to audit measurement and remove unnecessary module access for users whose job function is narrower than their role assignment suggests. A procurement analyst who needs MM (Materials Management) read-only access shouldn't be assigned the full MM_PROFESSIONAL role. This pre-audit access cleanup consistently reduces measurement-based compliance gaps.

4. Engine/Package Measurements (Very High Risk)

For organisations using SAP engines and packages (embedded analytics, user provisioning engines, integration engines), USMM measurement becomes more complex. SAP counts consumption-based engines (like SAP Analytics Cloud or Integration Suite) differently from traditional user-based licensing. The measurement methodology is disputed territory: SAP's commercial team has one interpretation, independent advisors frequently have another.

If your audit includes engine licensing (you'll see this in the audit scope definition), challenge SAP's measurement methodology. SAP often overstates engine consumption by not accounting for licensing exclusions or by counting non-licensed technical interfaces. Engaging independent technical advice ahead of the audit helps you articulate a defensible position on engine usage.

5. Landscape Topology (Medium Risk)

USMM output reveals your entire SAP system landscape: production, non-production, development, test systems. SAP wants visibility of all systems; you want to limit measurement scope to production systems (and potentially non-prod systems if your Master Agreement explicitly requires it). The risk: SAP may attempt to expand the audit scope to include development or test systems where your licence terms don't require it.

Your defence: Check your Master Agreement and audit clause carefully. Most licence agreements permit SAP to audit systems within the Effective License Position (ELP) scope. If your development system isn't listed on your ELP, SAP shouldn't be measuring it for compliance purposes. Before audit measurement, document which systems are within scope and ensure auditors understand the contractual limitation.

What to Submit and When

You are required to provide measurement data that falls within your contractually agreed scope. This is non-negotiable. What you can negotiate is the preparation, context, and timing of that submission.

Your contractually required submission includes:

  1. USMM output for production systems within the ELP scope — This is the baseline. Extract USMM data from transaction SUSMM, export it to a file, and prepare it for SAP auditors. Ensure all inactive users are locked before this extraction runs.
  2. User master data from SAP (SUIM transaction) — User names, user types, creation dates, last login dates. This data supports your case that certain users are inactive and should be locked.
  3. System landscape overview — A document listing which systems are in scope for the audit, which are production, and which are non-prod. This is your opportunity to restrict scope.
  4. Role assignment documentation — A list of all users and their assigned roles. This becomes your baseline for challenging role assignments that don't match actual job functions.

Timing matters. If SAP initiates an audit and requests immediate measurement data, don't comply immediately. You have the right to reasonable preparation time (typically 30-60 days). Use this time to lock inactive users, clean up role assignments, and prepare your challenge documentation. SAP's audit clause typically requires "reasonable cooperation," not instant access to raw data.

Format matters too. Provide USMM data in a structured format (CSV or Excel), not raw text exports. Include a data dictionary explaining what each field represents. This format gives you control over data interpretation and makes it harder for SAP to impose their own classification logic.

What NOT to Submit Without Challenge

There are several categories of data that enterprises often hand over to SAP without proper scrutiny. This is where audits go wrong.

Don't submit raw USMM exports without annotation. USMM output includes every user account, every role assignment, every module access. If you submit this raw, SAP's commercial team will run their automated classification algorithm and classify users at the highest cost. Instead, submit USMM data alongside a classification document that explains your interpretation: which users are actually active, what their actual job functions are, and why certain role assignments may not reflect actual module usage.

Don't submit preliminary measurement results before your own verification. If SAP's measurement team runs USMM on your systems and produces a preliminary compliance assessment, don't accept it at face value. Request a 30-day review period. Run your own independent USMM extraction and compare results. If discrepancies exist, document them and challenge SAP's methodology.

Don't grant unconstrained access to Solution Manager data. SAP may request access to your Solution Manager instance to review system configurations, licences, and user data. Limit this access to read-only and to specific data elements required by the audit clause. Don't allow SAP to export full Solution Manager datasets without boundaries.

Don't submit system landscape data that covers entities not named in your licence agreement. If you have a subsidiary or acquisition that's not explicitly licensed under your SAP Master Agreement, don't include that subsidiary's systems in the audit scope. Challenge SAP if they attempt to measure unlicensed entities.

Pre-Measurement Preparation Playbook

The best audit defence starts before SAP runs its official measurement. A structured 8-12 week pre-audit preparation campaign can reduce your compliance gap by 30-50%.

Step 1: Run your own internal USMM 8-10 weeks before the official audit (Week 0-2). Extract USMM data from your systems and build a detailed user classification spreadsheet. List every user, their status (active/inactive), last login date, assigned roles, and actual module usage. This gives you the baseline against which you'll measure SAP's official output later.

Step 2: Lock all inactive users (Week 2-4). Any user who hasn't logged in for 90+ days should be locked. Coordinate with HR to identify users on leave, contractors whose engagements have ended, and employees who've departed. Update SAP user status from "Active" to "Locked" (not deleted — you need the audit trail). Document locking dates in a spreadsheet. When SAP runs USMM 6-8 weeks later, those users won't appear in the output.

Step 3: Challenge user classifications (Week 4-8). Review every user assigned a Professional or higher-cost role. For each user, pull transaction usage data (SUIM, ST05, SM20). If a Professional user hasn't executed a single transactional function related to their assigned role in the last 12 months, prepare a reclassification argument. Document this in a "User Classification Challenge" spreadsheet with supporting evidence.

Step 4: Conduct a role clean-up exercise (Week 6-10). Review composite roles (users with multiple role assignments). If a user has FI, MM, and HR roles but their job function only requires FI access, remove the MM and HR role assignments. This reduces module-level overcounting in USMM.

Step 5: Document everything (Ongoing). For every user classification decision, every locking, every role change, maintain audit documentation. Write a memo explaining your rationale. When SAP produces their audit findings and claims compliance gaps, your documentation becomes your defence evidence.
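A sketch of Steps 2, 3 and 5 run over a user export, added here as an illustration and not taken from SAP tooling or from the original article. The CSV column names, the sample rows and the as-of date are constructed assumptions; a real extract would need its own fields mapped onto them.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names are assumptions for this example,
# not the layout of a real USMM or SUIM extract.
SAMPLE_EXPORT = """user,status,last_login,license_type,txn_count_12m
ASMITH,Active,2026-03-10,Professional,412
BJONES,Active,2025-09-01,Professional,0
CLEE,Active,,Limited Professional,0
DKHAN,Locked,2025-01-15,Professional,0
EWONG,Active,2026-02-20,Professional,0
"""

def load_users(text):
    """Parse the export, typing the date and counter columns."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_login"].strip()
        row["last_login"] = date.fromisoformat(raw) if raw else None
        row["txn_count_12m"] = int(row["txn_count_12m"] or 0)
        users.append(row)
    return users

def lock_candidates(users, as_of, max_idle_days=90):
    """Step 2: active accounts idle for max_idle_days or more.
    An account with no recorded login is treated as idle."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [u["user"] for u in users
            if u["status"] == "Active"
            and (u["last_login"] is None or u["last_login"] <= cutoff)]

def reclassification_candidates(users, as_of, max_idle_days=90):
    """Step 3: active Professional users with no transactional use in
    12 months, excluding anyone already on the lock list."""
    to_lock = set(lock_candidates(users, as_of, max_idle_days))
    return [u["user"] for u in users
            if u["status"] == "Active"
            and u["license_type"] == "Professional"
            and u["txn_count_12m"] == 0
            and u["user"] not in to_lock]

def worksheet(users, as_of):
    """Step 5: one documented row per proposed change."""
    rows = [(name, "lock", f"no login in 90+ days as of {as_of}")
            for name in lock_candidates(users, as_of)]
    rows += [(name, "reclassify", "no transactions in last 12 months")
             for name in reclassification_candidates(users, as_of)]
    return rows

if __name__ == "__main__":
    for row in worksheet(load_users(SAMPLE_EXPORT), date(2026, 3, 25)):
        print(row)
```

Accounts that are already locked are skipped, and a dormant Professional user appears only on the lock list, so each account carries a single documented rationale.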

Indirect Access and Digital Access Measurement

If your audit scope includes indirect access or document-based licensing (sometimes called "Digital Access"), the measurement methodology is fundamentally different from USMM user counting.

Indirect access licensing (which became Digital Access Licensing in SAP's newer terms) counts documents processed via third-party systems that integrate with SAP. A sales order created in Salesforce and synced to SAP counts as one Order document. An invoice scanned by OCR software and imported to SAP counts as one Invoice document. The question SAP poses: how many of your integrated documents require an SAP licence?

The answer is complex because:

  1. Integration scope is often unclear. You may have dozens of integrations (Salesforce, Workday, EDI partners, third-party logistics). Not all of these may require Digital Access licensing depending on your contract terms.
  2. Document attribution is disputed. If a third-party system creates 1 million orders per year that flow into SAP, but your contract scope only includes "orders processed in SAP," you can argue that the third-party system doesn't drive an SAP licence requirement.
  3. SAP's measurement methodology is opaque. SAP uses proprietary metrics to estimate digital document flows. This is black-box territory, and SAP's estimates are frequently challenged successfully by independent advisors.

If your audit includes Digital Access measurement, engage independent technical advice before the official measurement. Document your integration landscape and which integrations you believe require licensing. Challenge SAP's document attribution methodology if their estimates seem inflated.

The LAW Alternative: Beyond USMM

For some enterprises, SAP License Administration Workbench (LAW) provides a more defensible alternative to USMM measurement. LAW is SAP's purpose-built licence administration tool that allows granular classification of users against specific licence metrics.

Unlike USMM, which is purely a data extraction tool, LAW includes classification logic. You can assign users to specific licence types, modify classifications based on actual usage, and generate compliance reports that reflect your organisation's interpretation of the Master Agreement.

If you have LAW implemented and SAP is willing to accept LAW data as the source of truth for your audit measurement, this can be a game-changer. LAW outputs typically reflect lower compliance gaps than USMM because LAW allows context-aware classification. However, SAP doesn't always accept LAW data — they prefer USMM because it's more standardised and gives them less room for challenge.

Negotiate LAW as your measurement source. If you have LAW implemented and properly configured, propose to SAP that LAW output becomes the basis for audit measurement instead of USMM. Frame this as a mutual benefit: you get more accurate licensing visibility, and SAP gets more reliable data. In our experience, 40% of enterprises can successfully negotiate LAW as the measurement source, which typically reduces compliance gaps by 15-25%.

The Case for Independent Measurement

Companies that run independent third-party measurement before the official SAP audit consistently report lower compliance gaps when the official measurement occurs. The reason is straightforward: they've already identified and addressed the obvious overcount issues, so when SAP measures, the delta between SAP's initial claim and your pre-audit baseline is smaller.

Here's how independent measurement works:

  1. You engage an independent SAP licensing advisor (not SAP, not your consulting partner with SAP relationships to protect).
  2. They extract USMM data from your systems confidentially.
  3. They perform a forensic user classification review based on your contract terms and actual usage evidence.
  4. They produce an independent "most likely compliance position" report — this is what an audit-neutral expert believes your real compliance gap is.
  5. When SAP's official audit measurement occurs, you compare their findings to the independent baseline. Discrepancies become negotiation leverage.

In our audit defence practice, enterprises that run independent measurement 4-6 weeks before an official audit settle at 30-50% lower cost than enterprises that don't. The investment in independent measurement (typically $30-50K USD) returns 10-20x through lower settlement costs.


SAP Licensing Experts

SAP Licensing Experts is an independent advisory firm specializing in SAP audit defence, licensing compliance, and commercial negotiation. Our team includes former SAP insiders with 25+ years of experience protecting enterprise buyers against audit overreach and unnecessary spend. We are 100% buyer-side and never represent SAP.
