SAP S/4 Security and License Optimization – How Are They Interrelated?

Hexadius SAP Security and Licensing

FUE and User Type: How are SAP Licenses Measured?

The SAP license model has evolved over time. SAP S/4 HANA (whether Public or Private edition) uses the concept of Full User Equivalent (‘FUE’). FUE is the aggregation method by which an SAP customer may allocate individuals’ access to SAP S/4 HANA in accordance with the ratios set forth in the respective agreement with SAP.

Every SAP S/4 HANA customer purchases FUEs for a specific validity period. FUE works together with the concept of User Types. The Use Type refers to the person who will be logging on to and using the SAP S/4HANA system. The Use Type is determined by the capabilities and authorizations assigned to the user. A Use Type can be one of 4 possible classifications, which are as follows:

  1. Advanced (Professional) Users: Refers to users with broad authorizations (create, change and delete) across multiple company codes.
  2. Core (Functional) Users: Refers to users with limited authorizations such as display, verify, clear, etc., within a limited scope.
  3. Self-Service (Productivity) Users: Refers to an Employee Self-Service (‘ESS’) user for HR or time entry who accesses personal HR details, with minimal input rights.
  4. Developer or Special Role Users: Refers to an ABAP Developer who accesses technical tools like SE80, SE38, or ST22.

Total FUE consumption is calculated using the weightage assigned to the various User Types as follows:

  1. Advanced Users: 1 User = 1 FUE
  2. Core Users: 5 Users = 1 FUE
  3. Self-Service Users: 30 Users = 1 FUE
  4. Developer: 0.5 Users = 1 FUE

What are the challenges with Compliant User Access?

One of the fundamental SAP security aspects is user authorization. It is important to ensure that users have need-based access, which is compliant with any Segregation of Duties (‘SoD’) policies defined by the organization.

Due to the complex authorization structure, enforcing compliant user access in SAP S/4 HANA has always been challenging. It is not uncommon for users to have redundant and conflicting access in SAP S/4 HANA. In many cases, such access is simply migrated from SAP ECC 6.0 into SAP S/4 HANA as part of the ERP transformation program, because organizations often fail to clean up the user access as part of the transformation.

While security and compliance teams keep highlighting the risks related to such unnecessary, redundant (and often conflicting) access, they do not get sufficient support due to cost and resource constraints.

How does the SAP FUE based licensing affect the Compliant User Access?

With the new FUE-based licensing in SAP S/4 HANA, however, the impact of non-compliant user access goes beyond just SAP security. If users are assigned redundant access, it also costs the organization more money in SAP licenses.

Therefore, it becomes imperative for organizations to take Compliant User Access in SAP S/4 HANA seriously. By cleaning up user access, organizations not only address security risks and ensure compliance, they also end up saving license costs.
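The link between access clean-up and FUE consumption, as an added example that is not Hexadius's or SAP's code: it applies the weights listed above to a constructed set of role assignments before and after unused roles are removed. The role names, the usage data and the rule that the most expensive tier among a user's roles sets the User Type are assumptions made for illustration.

```python
from fractions import Fraction

# Users per FUE, as given in the weighting list above.
USERS_PER_FUE = {"developer": Fraction(1, 2), "advanced": Fraction(1),
                 "core": Fraction(5), "self_service": Fraction(30)}
# Assumption: the most expensive tier among a user's roles sets the User Type.
TIER_ORDER = ["self_service", "core", "advanced", "developer"]

# Constructed role catalogue (hypothetical role names) -> tier each role grants.
ROLE_TIER = {"Z_ESS_TIMESHEET": "self_service", "Z_AP_DISPLAY": "core",
             "Z_FI_ALL_COCODES": "advanced", "Z_ABAP_DEV": "developer"}
# Constructed assignments, e.g. carried over unchanged from a migration.
ASSIGNED = {"alice": ["Z_AP_DISPLAY", "Z_FI_ALL_COCODES"],
            "bob": ["Z_ESS_TIMESHEET", "Z_ABAP_DEV"],
            "carol": ["Z_AP_DISPLAY"],
            "dave": ["Z_ESS_TIMESHEET"],
            "erin": ["Z_ESS_TIMESHEET", "Z_AP_DISPLAY"]}
# Constructed usage data: roles each user actually exercised in the review period.
USED = {"alice": {"Z_AP_DISPLAY"}, "bob": {"Z_ESS_TIMESHEET"},
        "carol": {"Z_AP_DISPLAY"}, "dave": {"Z_ESS_TIMESHEET"},
        "erin": {"Z_ESS_TIMESHEET"}}

def user_type(roles):
    """Highest tier granted by any assigned role; None if no roles remain."""
    tiers = [ROLE_TIER[r] for r in roles]
    return max(tiers, key=TIER_ORDER.index) if tiers else None

def fue_consumption(assignments):
    """Exact FUE total: each user contributes 1 / (users per FUE) for their tier."""
    total = Fraction(0)
    for roles in assignments.values():
        tier = user_type(roles)
        if tier is not None:
            total += 1 / USERS_PER_FUE[tier]
    return total

def remove_unused(assignments, used):
    """Clean-up step: keep only the roles a user actually exercised."""
    return {u: [r for r in roles if r in used.get(u, set())]
            for u, roles in assignments.items()}

def report(assignments, used):
    """Return (FUE before, FUE after, users whose User Type dropped)."""
    cleaned = remove_unused(assignments, used)
    changed = sorted(u for u in assignments
                     if user_type(assignments[u]) != user_type(cleaned[u]))
    return fue_consumption(assignments), fue_consumption(cleaned), changed

if __name__ == "__main__":
    before, after, changed = report(ASSIGNED, USED)
    print(f"FUE before: {float(before):.2f}, after: {float(after):.2f}, reclassified: {changed}")
```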

How can Hexadius Help?

Hexadius can assist you with automated analysis of your user access and identify opportunities to clean it up – both to address security and compliance requirements (such as removal of additional or conflicting access) and to save license costs. Contact us for details.
