The Truth About SAM Tools – Know This Before You Buy!
Written by James Cochlin – Principal Consultant and Consulting Director at JNC
Foreword: I work as an SAP License Management Consultant at some of the world’s largest SAP customers. The majority of those organizations are utilizing a SAM product, however in reality, some of these tools are redundant because they were poorly set-up, are lacking ownership, they are not measuring according to the customer contract, or simply put, not capable of measuring the customer’s environment.
Would I rely on a SAM Tool for SAP Licensing Compliancy?… No!
Sounds a little harsh but allow me to explain. I have and continue to work with numerous customers who have bought a SAM tool for SAP. They have set it up, and hey presto they think they are in control. Personally, I have a slightly different view based on my experiences and those of my clients. I would use a tool more as a radar, to provide license management intelligence to support decision making, however I wouldn’t completely rely on it to ensure I am compliant. There is also the ongoing maintenance of your SAM tool updating any rules configured in the tool if you’re entitlement or the SAP landscape changes. Landscape changes affect what is being measured, and entitlement configurations affect what the measured usage is being compared to. Given the complexities of SAP licensing models, metrics and landscapes this challenge should not be under estimated.
A SAM tool will not fix your problems, if you have any. It highlights them, therefore don’t under estimate any clean-up activities required once the tool is up and running. Otherwise, you’re still not compliant with your contract.
“Many SAP contracts are based on the authorization to use and most commercial SAM tools recommend license types based on actual use”
Also, beware of the authorizations vs usage licensing dimension. Many contracts are based on the authorization to use and most commercial SAM tools recommend license types based on actual use. In this instance acting on the outputs of your SAM tool measurements would create a significant non-compliancy issue, which could only be resolved by removing the authorizations to coincide with the new lower level license type assigned. Where SAP Role design is concerned this can open a significant and can of worms.
Is it possible to work without a tool? …Certainly
This depends on the entitlement help by any given customer. I have witnessed numerous contracts where the entitlement is very straight forward, to the point the customer only needs to control and monitor a limited set of attributes. In this case a tool really isn’t necessary. Some customers have purchased a SAM tool where the tool is not benefiting the customer at all, and therefor becomes redundant and unused.
The most important question to ask before asking “which tool”, is “do I need a tool”. A RFP process for a SAM tool should only be initiated on the basis of a strong and compelling business case providing the need with respect the estate and environment to be managed.
Look at The Entitlement First
Review your contracts, establish your entitlement and create you bill of material (BOM). Now you should have sufficient knowledge to determine what is required to measure your users and packages. Of course, seek advice from an SAP license management specialist to ensure you are not overlooking anything.
If you have a relatively “straight forward” entitlement for example a user heavy entitlement mix (users vs packages) made of Professional, Limited Professional and Employee Self-Service users it should be relatively straight forward. An understanding of definitions and the correct technical management processes should suffice. There are of course other considerations and complexities to factor in, which I will come to later.
Let’s Get Technical!
There is no better way of illustrating the point than a good practical example. The below table shows possible software use rights associated with, for example, and ESS License, and A Professional User License. All SAP contracts provide actual definitions for each license type more or less outlining what each license type allows a user to do in SAP.
Below is an illustration showing three SAP Users: John, Jane and Alan. I can identify that John can only use SAP for typical self-service activities therefore I only need an ESS self-service license type. Jane and Alan can do a lot more than self-service activities, so automatically I would classify them as SAP Professional Users. The question is, do I perform a periodical self-assessment without the aid of a SAM tool and perform the checks manually using Excel or utilize a custom report in ABAP or similar. In this particular scenario I would utilize manual checks or possibly create an excel macro to manage this.
Let’s Jane as an example. The tool should tell me that Ciaran needs a Professional license type however he could be optimized, he could potentially have an ESS license as the tool has leveraged statistical data from SAP and has identified that he only uses the same permissions as me John. Of course, this doesn’t mean that I can change Jane’s license type. It means I need to perform some clean-up activities against John’s privileges. Once done, I can re-assign him an ESS license type. Remember, it’s not necessary what you have done in the SAP system, it’s what you can do that really determines the license type you should have.
As is the case with SAP standard audit tools your typical SAM Tool is not capable of interrogating SAP Authorizations to the extent that is can at all times inform you of what license type each user should be assigned in addition to the license type they could be assigned. Thus, following the outputs without managing the impact of that change can result in non-compliant licensing of SAP users.
Something else to consider is licensing roles within SAP, if user privileges are the base to determining what licenses need to be assigned to end users then it makes sense to allocate a license to a role so you can track what licenses are required considering day to day user role changes in the system.
“Your typical SAM tool is not capable of interrogating SAP Authorizations to the extent that it can determine what should be assigned in addition what could be assigned”
End of Technical Overload!
“I have a large and complex landscape without transparent roles. We have an issue with maintaining consistent user Id’s?”….
The above statement is again all too common. Utilizing a SAM tool should be your GPS system to navigate through unchartered territory and help you maintain control of the as-is. Again, many of the issues raised through the above statement can be overcome utilizing SAP standard reports and components such as a GRC solution.
Let’s face it, with the exception of the entitlements, all the data needed to identify who needs what license is data held within SAP itself. A SAM tool should help you and it should guide you but you need to test the results produced by the tool to avoid the “blind leading the blind” scenario.
Don’t just fall victim to the sales hype around SAM tools for SAP. Really challenge whether or not you need one and consider what tools and management processes you can implement yourself to stay on top of SAP licensing. JNC support customers with SAM Tool selection and our consultants can help design SAP License Management Frameworks, which provide the roles and responsibilities, processes and procedures, tools and techniques required to effectively manage and stay on top of SAP Licensing.