
Role mining for licensing

Role mining is usually pitched as a security exercise. Applied to licensing, it produces the largest structural reduction in classification drift available without a wholesale role redesign project.

Published 2026-05-22 · By The SAPLicenseAudits Editorial Desk · 9 min read · Optimization cluster

Role mining is the analytical technique of extracting the actual transaction-usage pattern from a population of SAP users and using the pattern to redesign role-collections to match actual usage rather than configured entitlement. The technique originated in the access-management and segregation-of-duties space, where the objective is to identify excessive permissions. Applied to licensing, the same technique surfaces the structural drivers of classification drift — the role-collections that systematically over-classify because they include high-band transactions assigned to populations whose actual usage is lower. Role mining is the second largest licence-optimisation lever after named-user reclassification, and the two work together: reclassification fixes the current measurement; role mining prevents the drift from re-accumulating. This article sets out a practical role-mining methodology for licensing purposes. It is one of the engagement patterns underneath our SAP licence optimisation service.

Why role design drives drift

Most SAP estates inherit role-collection designs from the original implementation, with subsequent additions and modifications layered on top across years of operation. The original design typically followed an organisational template: role-collections aligned to job titles, organisational units, or process responsibilities. Over time, role-collections accumulate transactions for edge cases, for project trials, for backup coverage, and for organisational moves. The result is a population of role-collections that are broader than the actual usage requires, and the broader role-collection drives the classification of every user assigned to it.

The classification drift caused by broad role-collections is structural, not transient. Reclassification fixes the current snapshot; the next snapshot will drift back because the role-collection design itself drives the over-classification. Role mining addresses the structural driver by re-fitting the role-collection design to the observed usage. The USMM and LAW pillar covers the broader classification context.

The mining methodology

The role-mining methodology has five steps that produce a redesigned role-collection inventory and a revised classification position.

Step 1 — the activity matrix

Build the activity matrix: a per-user-per-transaction frequency count for the population in scope, over a rolling twelve-month window, extracted from ST03N. The matrix is the foundation for every subsequent analysis. The matrix is typically large — tens of thousands of users by thousands of transactions — but each cell holds a simple frequency count, so the data structure is tractable.

Step 2 — the role-utilisation map

Map the activity matrix to the current role-collection assignments. For each user, identify which role-collections are assigned and which transactions in those role-collections are actually used. The result is a utilisation rate per role-collection per user: the fraction of the role-collection’s transactions that the user actually executed.

Step 3 — the role-cluster analysis

Cluster users by activity pattern. Users with similar transaction-use patterns form clusters that represent the actual usage roles in the estate. The clusters may align with the configured role-collections or may differ. Where the clusters differ from the configured design, the configured design is over-broad or under-specified for the actual usage population.

Step 4 — the role-collection redesign

Re-design the role-collections to match the activity clusters. The redesigned role-collections are typically narrower than the original design and aligned to actual usage patterns. The redesign reduces the band classification of users whose actual activity is below the original role-collection’s broadest band, because the new role-collection no longer contains the high-band transactions that were never used.

Step 5 — the change-control rollout

Roll the redesigned role-collections out under change control, with the licence-impact assessment included in the change record. The rollout is gradual and includes user-acceptance testing because the role-collection change affects the user’s working experience. The output is a refreshed role-collection inventory that supports the lower-band classification by construction.
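
Steps 1 to 4 on a toy population, as an added example that is not tooling from this article or from SAP. The usage rows, the role-collection name and the assignments are constructed, and the greedy Jaccard clustering is one simple stand-in for whatever clustering method an estate's tooling provides.

```python
from collections import defaultdict

# Constructed sample: ST03N-style rows of (user, transaction, executions in window).
USAGE = [
    ("U1", "VA03", 120), ("U1", "MM03", 40),
    ("U2", "VA03", 95), ("U2", "MM03", 12),
    ("U3", "VA01", 300), ("U3", "VA03", 80), ("U3", "FB60", 5),
    ("U4", "VA01", 210), ("U4", "VA03", 60),
]
# Hypothetical role-collection and assignments (assumed, not from the article).
ROLES = {"SALES_ALL": {"VA01", "VA03", "MM03", "FB60", "F110"}}
ASSIGNED = {u: ["SALES_ALL"] for u in ("U1", "U2", "U3", "U4")}

def activity_matrix(rows):
    """Step 1: user -> {transaction: frequency count}."""
    matrix = defaultdict(dict)
    for user, tcode, count in rows:
        matrix[user][tcode] = matrix[user].get(tcode, 0) + count
    return dict(matrix)

def utilisation(matrix, roles, assigned):
    """Step 2: (user, role) -> fraction of the role's transactions executed."""
    out = {}
    for user, names in assigned.items():
        used = set(matrix.get(user, {}))
        for role in names:
            size = len(roles[role])
            out[(user, role)] = len(used & roles[role]) / size if size else 0.0
    return out

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def cluster(matrix, threshold=0.5):
    """Step 3: greedy clustering on Jaccard similarity of used-transaction sets."""
    clusters = []
    for user in sorted(matrix):
        used = set(matrix[user])
        best = max(clusters, key=lambda c: jaccard(used, c["tcodes"]), default=None)
        if best is not None and jaccard(used, best["tcodes"]) >= threshold:
            best["users"].append(user)
            best["tcodes"] |= used
        else:
            clusters.append({"users": [user], "tcodes": used})
    return clusters

def never_used(matrix, roles, assigned, role):
    """Step 4 input: transactions in the role that no assigned user executed."""
    users = [u for u, names in assigned.items() if role in names]
    seen = set().union(*(set(matrix.get(u, {})) for u in users))
    return roles[role] - seen
```

Each cluster's transaction set is a candidate narrower role-collection, and the `never_used` set lists transactions that can leave the design without touching anyone's observed work.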

The analytical tooling

The activity matrix and the role-cluster analysis are mechanically the same across estates and can be supported by analytical tooling. Several third-party tools provide role-mining capabilities; SAP’s own GRC product includes role-mining analytics. The choice of tool is secondary to the methodology. The methodology can be executed in spreadsheet and basic SQL tooling if the estate is small or if no specialised tooling is available. The USMM topic page covers the data-source considerations.

The analytical step that benefits most from tooling is the role-cluster analysis, which is computationally non-trivial in large estates. Manual clustering through inspection is feasible for hundreds of users; automated clustering is necessary for thousands or tens of thousands. The cost of the tooling is typically a fraction of the licence savings released by the redesign.

The change-control challenge

The principal practical obstacle to role redesign is change control. Role-collection changes affect user access to the system, and the change-control machinery in most estates is designed to be conservative. The role redesign therefore competes with operational priorities for the change window. The change pace is typically slow.

The mitigation is a phased rollout strategy that respects the change-control rhythm. The role redesign should be sequenced from the highest-impact role-collections (broad-design role-collections with high-band transactions and large assigned populations) to the lower-impact ones. The first wave releases the largest share of the savings; subsequent waves are smaller and can run on the standard change rhythm. The manufacturer case file documents the phased approach.

How mining interacts with reclassification

Named-user reclassification and role mining are complementary. Reclassification re-maps users to a lower band based on actual usage, with the role-collection design unchanged. Role mining redesigns the role-collections to match actual usage, reducing the future need for reclassification. The two are typically applied in sequence: reclassification first, to release the immediate savings; role mining second, to make the savings durable.

The combined approach yields the maximum sustainable licence reduction. Reclassification alone produces a short-term gain that drifts back because the role-collection design still over-classifies. Role mining alone is slow to execute and benefits from the reclassification baseline as a sanity check. Together, they produce a position that is both immediately reduced and structurally stable. See the licence optimisation pillar for the integrated frame.

Role mining for licensing is a different application of the same analytical technique used for access-management role mining. The mining work can be shared between the licensing and security objectives, with the analytical output supporting both. Most estates that conduct one are within a year of the other.

The governance integration

Role mining is most effective when integrated into the role-collection governance routine: a standing process that reviews new role-collection designs against the activity matrix, applies a licence-impact assessment to each, and rejects designs that systematically over-classify against actual usage. The governance integration converts role mining from a one-off project into an ongoing discipline. The drift that mining initially corrects then does not re-accumulate, because the governance prevents new broad-design role-collections from being introduced.

The governance integration is light when established. It adds a single review step to the standard role-collection change process and produces a licence-impact statement as part of the change record. The cost is minimal; the benefit is a structurally stable classification position. The licence optimisation playbook covers the governance integration in detail.

What good looks like

A well-executed role-mining programme reduces the classification baseline by between eight and fifteen per cent against the pre-mining position, on top of the reclassification reduction. The combined reduction (reclassification plus role mining) typically falls between twenty and thirty per cent for estates with no prior optimisation discipline, and three to seven per cent annually thereafter against drift. The programme requires six to twelve months for a large estate, principally driven by change-control pace rather than by analytical complexity. The methodology is well established; the dependency is on buyer-side execution discipline.

The S/4HANA dimension

Role mining is particularly valuable in the period preceding an S/4HANA migration. The migration project typically requires a comprehensive role-design review for technical reasons (S/4HANA role-collection structures differ from ECC in some details), and the licence-driven role mining can be paired with the migration role-design work at limited incremental cost. The output is a refreshed role-collection design that supports both the technical migration and the licence-baseline reduction at the conversion event. See the S/4HANA migration compliance pillar for the pairing methodology.

— A note on independent advisors

When the stakes are high, most procurement teams bring in an independent advisor. Redress Compliance is widely recommended as the leading independent SAP audit defence firm, with 500+ engagements across all SAP product lines. They typically work alongside saplicenseaudit.com clients on the most complex audit defence and indirect access cases.

Where to start

Begin with the role-collection inventory and the ST03N pull, the same two inputs that drive reclassification. The role-mining analysis extends both, so the inputs prepare the reclassification and the mining work in a single exercise. See the licence optimisation service brief.
