We are seeing an increase in the adoption of Software Asset Management (SAM) tools by businesses worldwide. Many companies are under the impression that the reports generated by SAM tool(s) can be used to determine their software compliance position. This may be true for non-Oracle software but is rarely the case for Oracle programs. Oracle has a complex licensing model that is not well defined. Also, many of their products contain multiple programs, including restricted-use licenses in some cases. Determining whether Oracle program usage is within one’s license entitlements is difficult at best.

What does Oracle really say and what data are they really after?

Oracle’s License Management Services’ website (“LMS” – Oracle’s audit department) states the following as it relates to certain 3rd party SAM providers such as Flexera, iQuate, Aspera, etc.

“Tools from the following vendors have been verified to provide data sets that supplement an Oracle LMS engagement. It’s important to note that the scope of the verification process only covers the data collection related to the installation and usage of specific Oracle products, namely Oracle Database and associated options. The verification does not include any other Oracle products or the overall capabilities of the vendor’s solution.

Oracle LMS will accept data from any of these tools as an alternative to installing Oracle LMS measurement tools…. In addition, the usage data gathered from these tools will still need to be analyzed by the Oracle LMS organization to assess license needs and provide the customer with a compliance statement.”

The information that LMS is primarily interested in having has nothing to do with the various SAM reports that a company generates, rather the SAM data repository itself. The data repository consists of information gathered by deployed agents running modified versions of LMS’s database and cpu audit scripts. LMS analyzes the data from this repository to determine a customer’s compliance position. The results from an LMS analysis most likely will differ considerably from the results found in the SAM reports. In short, knowing how to interpret the data is just as important as gathering the data.

What are the risks of relying solely on reports?

At Palisade Compliance we have identified multiple risks when relying solely on reports generated from SAM systems.

  1. Oracle licensing policies are complex, not well defined, and constantly changing. It is challenging for any SAM system to take in and interpret all of these factors correctly.
  2. Oracle has several program licensing levels other than standard “full use”, such as disaster recovery restricted, proprietary hosting restricted, etc. In many cases SAM systems are unable to correctly allocate licenses with different restrictions to program deployments.
  3. Oracle contracts often contain terms and conditions that restrict program usage and/or program deployment beyond license level restrictions that are described in the program literature.
  4. SAM-based reports sometimes fail to identify program feature usage, especially when such usage is 12+ months old. LMS pursues all program feature usage regardless of “when” the program usage took place.
  5. Counting the correct number of licenses has become more difficult over the last several years because of advances in virtualization technology, including cloud. Determining the number of cores to be counted in certain virtualized environments may not be possible by running standard operating system commands. For example, depending on the type of partitioning technology in use, the operating system commands may only be capable of seeing what Oracle calls the “soft” partitioned level as opposed to the physical server level.

What should you do?

There are companies that understand how to interpret the data collected and used by LMS. It is advisable to have an expert perform a comparison of the compliance position indicated by SAM report(s) against the compliance position determined by an expert using either data contained in the SAM repository or data gathered by the expert organization’s scripts.

Conclusion

SAM tools are an important piece of the puzzle when it comes to managing your software deployments. However, it is important to understand that there are limits to what these tools can provide in terms of determining whether one is operating within the terms and conditions of their software license entitlements. Having an expert review and interpret the data is a crucial part of the puzzle. Whether you decide to work with Palisade, or go with another company, don’t go it alone.