Usage-based vs. Authorization-based User License Allocation
Licensing is either usage-based or authorization-based. Dr. Jana Jentzsch and Guido Schneider attempt to shed light on the background in a technical discussion and approach solutions. In the course of their S/4 license consulting work, Jana Jentzsch and Guido Schneider have noticed that more and more existing SAP customers believe that the allocation of the corresponding S/4 Hana user licenses must be based on the existing SAP authorization roles. This assumption is now also shared by SAP employees themselves and other SAP licensing experts, who have also published corresponding articles in the E3 magazine.
On the other hand, there are members of the SAP community who believe that the basis for the allocation of user licenses for SAP R/3, ERP/ECC 6.0 and S/4 Hana is the actual use, e.g. the execution of a transaction.
The financial impact can be considerable. If a person has more authorizations than they actually use, they may have to be assigned a more expensive user license type (authorization-based) than they may use (usage-based). It is therefore time to clarify whether this supposed change in the basis of licensing has actually taken place.
Guido Schneider, Software License Compliance 365 (SLC365):
To clarify this question, I took a closer look at the SAP Price and Conditions List, PKL, 2023/4, version October 2023. I left out the developer license, S/4 Hana Developer Access. The ECC Professional User
license largely corresponds to the "SAP S/4HANA Enterprise Management for Professional Use" license under S/4. Anyone who has been assigned this license type may use the S/4 system in accordance with the definition contained in the PKL and thus perform all operational, system administration and management roles in particular.
In S/4 Hana, in addition to the extensive Professional Use license, there are the following two license types: SAP S/4HANA Enterprise Management for Productivity Use - costs around a tenth of the Professional Use license; and SAP S/4HANA Enterprise Management for Functional Use - costs around a third of the Professional Use license; whereby the Productivity Use license is included in the Functional Use license.
Excerpt from the PKL dated October 2023, page 46: "2.6 S/4HANA Enterprise Management for Productivity Use: Use is permitted for individuals who are employees of the Client. They are authorized to perform the following solution functions: [followed by a listing of solution functions as well as 'Display Use Rights' and 'Approval Use Rights']."
Use refers to the assignment of the license type to an individual, not the use of the solution function. This sentence is also included in the definition of the functional use license (under b), but is extended to the employees of the business partners (under a). It is therefore clarified at this point in the PKL to which individual person this license type can generally be assigned. "You are authorized to execute the following solution functions" or in other words: The individual to whom this license type, in this case S/4HANA Enterprise Management for Productivity Use, has been assigned may execute the listed solution functions and only these.
The same applies to the definition of the functional use license. The restriction is therefore that the individual may only execute the listed solution functions. If the individual is allowed to execute other solution functions, the assignment of this license type is not permitted.
It does not say that the assigned SAP authorization roles must be adapted so that they may only contain the listed solution functions. The so-called SAP authorization concept, as we know it from SAP Basis, is not mentioned here or anywhere else in the PKL. According to SAP's PKL, the basis for assigning user licenses is clearly usage-based. How do you see this as a lawyer?
Dr. Jana Jentzsch, Jentzsch IT Rechtsanwaltsgesellschaft:
As the manufacturer, SAP is generally the owner of the copyrights to the software. On the basis of and within the scope of copyright law, SAP may in principle contractually regulate whether and to what extent the customer is granted rights of use to the software.
Specific customer rights provided for in copyright law, such as the right to use as intended in accordance with Section 69d UrhG, must be preserved. In principle, however, from a copyright perspective, there is nothing to be said against rights-based licensing and, accordingly, measurement based on the rights granted in the system. However, this must be reflected in the contractual granting of usage rights. If you look at the relevant clauses in the contracts, PKL and GTC, I have considerable doubts that an authorization-based concept has been established here in a legally secure manner. There is a lot to be said for the interpretation in favor of a usage-based concept.
Guido Schneider:
During the technical SAP system measurement, USMM, the assigned SAP authorization roles of the individual persons are not checked to see whether they correspond to the definitions of the three user license types described above. SAP customers could have the required user license calculated based on the license category, license type, assigned to each individual SAP authorization role.
To do this, the developer who builds the SAP authorization roles must manually write the corresponding license type to each SAP authorization role. The USMM uses this to build the corresponding user license for each SAP account. This method already existed in the days of R/3, ECC 6.0, and it still exists with S/4 Hana. Alternatively, the SAP user administrator can assign the required user license type directly to the respective account manually, e.g. via transaction SU01. With both methods, it is up to the SAP customer to decide how to classify either the SAP authorization roles or the individual SAP accounts.
However, the methods cannot be used simultaneously. The SAP account classification is leading, regardless of which license types may have been previously assigned to the SAP authorization roles.
I know that this is primarily a technical question, but from a legal point of view, is there any connection between SAP system measurement and the question of what basis the SAP user license assignment (classification) - usage-based or authorization-based - should be made?
Jana Jentzsch:
The SAP system measurement checks whether the customer is using the licensed SAP software in accordance with the contract or whether he is exceeding the contractually licensed scope. The provisions of the contracts and, of course, the applicable data protection law, which must not be violated by a system measurement, are decisive for this. The processing of personal data, including access to this data by SAP for the purposes of system measurement, would have to be covered by individual agreements, for example. The implementation of a usage or authorization-based user classification would only be relevant if it were contractually regulated.
If the SAP Standard Terms and Conditions contain unclear or contradictory provisions, customers may generally interpret the provisions in a way that is more favorable to them on the basis of the law on general terms and conditions.
Guido Schneider:
I also asked this question because SAP's STAR service, S/4HANA Trusted Authorization Review Service, offers a kind of assistance with SAP user license assignment. SAP has developed a tool, Object Analyzer, which compares the existing authorizations with the new S/4 types using a standard set of rules. This method can now also be carried out by existing SAP customers themselves, without having to work with SAP. The result can then be used to automatically classify the SAP authorization roles described above. The USMM then compiles the required SAP user license for each SAP account.
The application, STAR, is an aid, for example, to save developers the work of manually classifying SAP authorization roles or to estimate future S/4 user license requirements. Is there any indication anywhere in the SAP contracts, GTCs or PKL that this STAR service is mandatory? I am not aware of any.
Jana Jentzsch:
I am not aware of any such regulation in our previous consulting work. Incidentally, not only can individual errors occur in the context of such services, but the entire classification may not even be based on what has been contractually agreed. In particular, if there are many contracts from different years, the most recent PKL and metrics must not be used as the only basis for measurement; the relevant provisions in the specific contract must always be taken into account. Customers should ensure that they are not disadvantaged by blanket allocations that do not correspond to their contracts.
Guido Schneider:
With Rise with SAP S/4 Hana, S/4 in the cloud, SAP has taken a step towards user licensing. This makes license management easier. Instead of purchasing exact numbers of specific user license types, SAP customers can purchase so-called FUEs, Full Use Equivalents. Example: RISE with SAP S/4HANA Cloud, Public Edition, Premium. These FUEs can be used to cover the user license requirements, whereby a distinction must be made between the Public Edition and Public Cloud - they have different feature scope descriptions.
As before, people can (now) access certain solution functions of the Rise with S/4 Hana Cloud Service.
1 FUE = 1 SAP S/4HANA for Advanced Use (corresponds to approx. "Professional Use")
1 FUE = 5 SAP S/4HANA for Core Use (corresponds to approx. "Functional Use")
1 FUE = 30 SAP S/4HANA for Self-Service Use (corresponds to approx. "Productivity Use")
SAP customers can assign each FUE to one of the usage packages and change the assignment during the term of the contract. In the view of the legal expert, has this changed the basis for SAP user license allocation?
Jana Jentzsch:
With Rise with SAP S/4 Hana Cloud, SAP must also ask itself whether a purely authorization-based concept has been clearly implemented in the contracts. If I apply the standards of German law, in particular the law on general terms and conditions applicable in the B2B sector, I have considerable doubts here.
Conclusion
The SAP contracts, GTC and PKL do not clearly regulate the question of whether the user license allocation should be usage-based or authorization-based. There is no corresponding court ruling on this. According to current GTC law, unclear or contradictory regulations may not be interpreted to the disadvantage of customers. When migrating from ECC 6.0 to S/4 Hana, we believe that SAP customers should take the opportunity to review existing and possibly outdated authorization concepts and adapt them to the actual or future use of S/4. In this way, depending on the individual case, the risk of potentially expensive authorization-based user licensing can be significantly reduced.
Editorial note: The general writing rule of the E3 magazine is based on the guideline "We write the way we talk". Thus, for E3, the name of the SAP database is logically Hana. However, in order to ensure the greatest possible correctness with regard to license designations and types, the respective spelling from the SAP PKL, Price and Conditions List, has been adopted in this text.