Lukardi

Webinar: Jak autoryzacje w ECC wpływają na koszty licencji w S/4 Rise with SAP  

Lower Costs in SAP: How to Remove Inactive Users - SAP License Optimization

Share

The following entry contains a synopsis of the work carried out for one of SAST's clients, the main core of which was the optimization of authorization and user access was also implemented remodeling of the authorization concept. One of the elements of the implementation was to assess the validity of whether all accesses are really needed, the project also included optimization of SAP licenses. Projects such as the authorization remodeling project and the implementation of the new concept are paying off, as they result in the classification of users and access reduction, which entails Reduce the cost of SAP licenses.

Every year SAP audits customers' systems and, based on this, often requires an additional license fee for excess users. It is known that all active SAP dialogue users are affected by the license fee. In this context, "active" means a time limit on the validity of a user account, not an administrator's lockout.

So reducing the number of active master user records has a direct and noticeable impact on cost savings. Many companies, when in doubt, decide to leave some of the active users for fear that daily operations may be disrupted. The concern is also that a particular user may still be used as a technical user to handle background jobs, for example. The obvious question then arises:

How do you gain insight into user activity in SAP systems and how can you effectively analyze different types of user access?

Is the user active? No specifics

There is an apparent tendency to leave active users for fear that their removal may have the effect of interrupting the business process. This is primarily due to a lack of specific knowledge about the use (both indirect and direct) of users' master records.

If we look at the timestamp of a user's login - it will not be precise information, taking additionally into account complex environments (multi-system), or web tools, for example. The level of complexity of such analysis increases if we consider RFC or SOAP and OData connections - here we often lack both the knowledge and solutions needed to effectively assess accesses.

Analysis - opportunities and difficulties

One of the options for analyzing the use of transactions is ST03N (STAD - business transaction analysis). This transaction allows you to analyze the use of different types of communication:

The analysis indicates which users are generating load on the system with a particular type of communication. From this data, it is obvious which users are active, but there is some restriction - the data is only for a specific day. For deeper analysis, we need more time, especially when we need to draw far-reaching conclusions. ST03N allows you to analyze transactions and program calls. With just a double-click, you can view the users who used a specific transaction or ABAP program.

Unquestionable the challenge is to combine both data sources. Without this, we will not get the full picture. Standard SAP tools will only provide us with data sources. Unfortunately, we don't have the flexibility of analysis (for example, for individual users). So manual analysis and aggregation of data is required to get the right information.

Best Pratice - transaction utilization analysis using SAST

An example from one of our clients - a mix of accesses, with no specific knowledge of how users use transactions. During the analysis, we looked at general information about accesses - this included all levels of usage (dialog, batch, RFC, http, etc...).

To optimize analysis time, we used the SAST Suite function that allows for detailed analysis of transaction usage. This analysis was carried out for all active users based on CCMS. Comprehensively, all levels of communication with the system over a longer period than one day were analyzed. We also provide access frequency information (Transaction Usage or Transaction Usage Analysis and Frequency) by this means.

25% inactive users - measurably lower costs

In this case, the analysis included such elements as:

  • Information about all users (including technical users),
  • analysis period six months.

As a result of the above, we received information about which users left no trace of activity during this period - these users therefore became candidates for removal. This is therefore a direct example of how SAP license optimization can be addressed.

Result:

  • With SAST, information about inactive users,
  • Their removal was done without side effects on business operations,
  • almost 25% users (out of a pool of 1,350) were inactive users,
  • specific unused accounts to be deleted,
  • An immediate, significant return on investment.

Optimization procedure:

Phase 1 - Preparation

- Project preparation
- SAST Installation.

Phase 2 - Analysis

- Evaluation of user master records activity
- Data connection
- Activity documentation
- Coordination with the administrator

Phase 3 - Implementation

- Inform the business (relevant departments)
- Removal of inactive UMRs

We Manage the Digital Transformation of Your Business

Do you want to secure your business from cyberattacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: - identification of authorization conflicts and authorization reorganization, - identification of SAP vulnerabilities, - integration of SIEM solutions with SAP, - optimization of SAP licenses.