USMM is a measurement, not an assessment. It counts what is in the user table, in the categories that are recorded, with the licence types assigned. If the employee category field is wrong, the licence position is wrong. If the leaver records are still flagged active, the licence position is wrong. USMM does not check the data; it counts it. The work that meaningfully changes the audit outcome is the work done in the ninety days before USMM runs, not the negotiation that follows the result.
This article sets out the four-stage employee category cleanup routine our practice runs with clients ahead of each measurement window. The routine is operationally bounded, finishes inside a quarter on most estates, and typically removes between $1.4M and $4.8M of exposure from the eventual USMM submission.
Why employee category drives the licence outcome
The SU01 employee category field (USREFUS-USERTYP and its master-data equivalents) is one of the inputs USMM uses to determine whether a user is a Professional, Functional, Limited Professional, Developer, Employee Self-Service, or technical user. The field is also one of the most poorly maintained fields in the SAP user master across enterprise estates. In a typical estate of 15,000 users, between 18 and 28 per cent of records have a category that is inconsistent with the user's actual role content, and roughly 6 to 11 per cent are flat-out wrong.
The inconsistency arises from several historical practices: bulk user creation from HR feeds without category mapping, role-based reclassification that updated authorisations but not the category field, contractor accounts created without a defined category policy, and dormant accounts retained from acquisitions and integrations. None of these is a deliberate compliance failure; all of them feed into the USMM count and become an audit finding.
Stage 1: dormant-record purge
The first stage is the most operationally trivial and the highest immediate value. Extract from SU01 every user record with a last-logon date older than 180 days. Sort the list by licence category and by department. Cross-reference against the active HR roster.
The output is usually a population of between 4 and 11 per cent of the total user count. On a 15,000-user estate, that is 600 to 1,650 dormant records, of which the majority carry Professional or Functional category assignments. Each dormant Professional user that survives into USMM is roughly $3,200 to $4,600 of inflated exposure depending on the price-list version.
The remediation is straightforward: lock the account, flag for review, and either delete or reclassify within thirty days. The work fits inside a single sprint with no business disruption. For deeper context, the named user audit risk areas article ranks dormancy as the second most common finding across all engagements.
Stage 2: leaver reconciliation against HR
The second stage extends the dormant-record purge with a hard reconciliation against the active HR roster. The dormant-purge stage catches accounts with no recent logon. The leaver reconciliation catches accounts where the human has left the organisation but the account is still being used by a successor or by a service routine.
Run the user-ID list from SU01 through the HR active-roster export. Every user where the SAP account exists but the HR record is in "leaver" status is a reconciliation case. There are three permissible outcomes: delete the account, transfer it to a successor under a documented change record, or convert it to a technical service account with a written classification rationale.
What is not permissible is leaving the leaver account active under the original employee's name. This is both a licence exposure and a security finding, and it appears in roughly 8 per cent of named-user audits as a separate finding from the dormant population.
Stage 3: contractor classification policy
The third stage is contractors. Most enterprise SAP estates have between 8 and 22 per cent of their active user count made up of contractor accounts, and the classification of these accounts is the most frequently disputed category in named-user audits. The policy questions are unambiguous when written down and ambiguous when not:
- Are contractors counted as named users at all? Some older contracts treat contractors as part of the licensed estate; some treat them as part of the customer's licensed perimeter only when accessing customer-specific data. Read the contract.
- Which category applies to a contractor? The default is to apply the same category as a permanent employee performing the same role. The default is rarely written down in practice.
- What happens when a contractor finishes the engagement? The account should be locked within five business days and deleted or archived within thirty. In most estates, this discipline is not enforced.
The remediation is to write the classification policy down, apply it to the current contractor population, and add a control to the contractor onboarding and offboarding workflow that enforces it. For real examples of the policy applied at scale, see the global retailer reclassification case file and the named-user topic page.
Stage 4: role-content alignment with category
The fourth stage is the work that distinguishes a clean USMM from an audited USMM. Every active user record should have a category that is consistent with the user's role content. The check is mechanical: extract the authorisation profile, compare against the contract's category definitions, and reclassify where the two disagree.
The reclassification work breaks into three sub-categories:
Upgrades (rare, write down anyway)
Users whose role content has expanded beyond their assigned category. A user classified as Limited Professional who has been granted operational transaction authorisations should be reclassified up to Functional or Professional. These cases exist but are uncommon. Document them and update the category before USMM runs to demonstrate good faith.
Downgrades (the majority of the value)
Users whose role content has narrowed since their category was assigned, or who were never correctly classified to begin with. A user with employee-self-service-only authorisations carrying a Functional category is a downgrade candidate. The reclassification typically saves between $1,200 and $3,400 per user per year at list. On an estate with 1,200 downgrade candidates, the saving is material.
Splits (the operational work)
Users with two distinct role personas — for example, an HR business partner who also has financial release authority — require either a split into two accounts with two categories, or a documented justification for the higher category. Splits are operationally heavy and should be sequenced last in the quarterly cadence.
The pre-USMM independent measurement
The fifth check is not a remediation stage but a validation. Before the official USMM is run, run an independent measurement using either an SAP-licensed tool or a manual extract that approximates USMM's logic. The independent run reveals what USMM is about to submit and gives the team a final correction window of 14 to 30 days before SAP's measurement deadline.
The independent measurement also produces the variance baseline that becomes the negotiation evidence if the audit produces a finding that disagrees with the customer's view. Without an independent measurement, the customer has no evidentiary baseline to negotiate against. For the full programme treatment, see our SAP license optimization service and the USMM and LAW Survival Guide.
What this looks like as a quarterly cadence
The four-stage cleanup, run as a recurring quarterly cadence, settles into a predictable operational rhythm:
Month 1: dormant purge and leaver reconciliation. Operationally light, evidentiary heavy. The output is a documented baseline of category-cleaned accounts.
Month 2: contractor population review and policy enforcement. Coordinated with HR and procurement. The output is an updated contractor master with category alignment.
Month 3: role-content alignment work. The downgrades, the upgrades, the splits. This is where the bulk of the exposure reduction lives, and where most teams under-invest. The output is a category-aligned user master ready for the next USMM run.
Customers who run this cadence for two consecutive years typically reduce their named-user audit exposure by 60 to 70 per cent against the pre-cadence baseline, and the reduction holds across measurement cycles rather than reverting between them. The cadence is the discipline; the discipline is the outcome.