Why named user categories matter
Every active dialog user in an SAP system is assigned a category that ties to a price band in the SAP price list. The category determines the audit cost. The named user position is the line item that drives the largest portion of the SAP renewal commercial total for most enterprises. Misclassification produces audit exposure and renewal pressure. The auditor compares the assigned category to the actual activity captured in the Security Audit Log and the workload statistic. A delta produces a finding and a back charge proposal. The defensible position is built before the audit by classifying every active user against the documented activity test and the role pattern map. Reference the license audit complete guide and the licensing models explained pillar and the user counting analysis and the user misclassification analysis and the license optimization expertise.
The seven principal categories
The Professional user category covers the broad operational user with full transaction access. The Limited Professional category covers the focused operational user with a constrained transaction set. The Employee category covers the standard worker with leave, time, and travel functions. The Employee Self Service category covers the very narrow self service worker with no operational transaction. The Developer category covers the ABAP, Fiori, and integration developer. The Project category covers the implementation or rollout user during a defined window. The Platform user category covers the technical integration account and the batch user. Each category has a list price and a usage envelope documented in the SAP price list and the use rights notice. Reference the licensing models explained pillar and the Professional versus Limited analysis and the Employee Self Service analysis and the Developer license analysis and the license reclassification analysis.
The activity test
The activity test maps the captured transaction list to the category envelope. The data source is the Security Audit Log, the workload statistic in ST03, and the table TUSR with last login. The test runs in three steps. The collection step pulls the transaction list per user for the rolling twelve month window. The classification step matches each transaction to the category envelope using the SAP transaction class table. The assignment step posts the recommended category per user with the supporting evidence. The customer position retains the evidence pack. The auditor cannot challenge the assigned category when the customer holds the evidence pack with the transaction list, the role assignment, and the dated activity statistic. Reference the user counting analysis and the annual measurement analysis and the LAW tool guide and the license reclassification analysis and the user misclassification analysis.
Customer programs that retain the evidence pack with the transaction list, the role assignment, and the dated workload statistic close the auditor reclassification proposal in the data room without contract escalation.
The role pattern map
The role pattern map is the second pillar of the defensible position. The map ties each composite role to the category envelope it implies. A composite role that contains the SAP_ALL profile or the broad operational transaction set ties to Professional. A composite role with the time and travel set only ties to Employee. A composite role with the leave application only ties to Employee Self Service. The map is built once and refreshed twice a year. The map produces the role to category recommendation that the user administrator applies at creation time. The role pattern reduces the manual classification burden and prevents the off cycle drift that drives misclassification. Reference the role design analysis and the authorization concepts analysis and the user access review analysis and the license governance analysis and the license optimization expertise.
The defensible named user position
The defensible named user position has five components. The seven category definition library aligned to the contract use rights notice. The activity test that runs on the rolling twelve month window. The role pattern map that ties composite roles to category envelopes. The reclassification cycle that promotes or demotes users twice a year based on activity. The evidence pack that retains the transaction list, the role assignment, and the dated workload statistic. The five components produce the named user position that withstands the SAP audit and informs the renewal commercial position. Reference the security audit pillar for the cross cluster control surface and the compliance framework pillar for the regulatory map. Reference the security audit pillar (cross cluster reference) and the compliance framework pillar and the license audit complete guide and the audit defense expertise and the license optimization expertise.
Practical posture for sap named user license types
- Every active dialog user is assigned a category that drives the largest renewal commercial line
- Seven principal categories cover Professional, Limited Professional, Employee, Employee Self Service, Developer, Project, and Platform
- The activity test maps captured transactions to the category envelope across a twelve month window
- The role pattern map ties composite roles to category envelopes for creation time classification
- The reclassification cycle promotes or demotes users twice a year based on captured activity
- The evidence pack retains transaction list, role assignment, and workload statistic for audit defense
For the broader context, our license audit complete guide (cross cluster reference) and compliance framework pillar document the response posture and the regulatory map that govern SAP risk. The GRC and security expertise page documents the senior advisor methodology, and the audit defense expertise page documents the senior advisor playbook. Confidential consultation is available through the contact form.