Over the last few years, Oracle has been successful in moving its own on-premise Oracle ERP customers to its Oracle Fusion Cloud Service. On its journey to bring end-users to the cloud, Oracle is also competing heavily (and rather successfully) to win over SAP ERP customers to Oracle Fusion Cloud, and has been named a Leader by Gartner.
However, early adopters of Oracle’s Fusion Cloud Services have already been confronted with the first “compliance claims” for unlicensed use of Oracle Fusion Cloud Services. Many end-users thought “with the cloud, there are no compliance issues anymore”, but the reality is different.
In this article we focus on how the actual license metrics of Oracle’s Fusion Cloud Services dictate the importance of setting up and monitoring your users in a complete and accurate manner. In the following articles we will focus on the most common compliance issues seen at Oracle Fusion Cloud customers and on the non-standard terms you can negotiate with Oracle during your next negotiations.
Oracle Fusion Cloud Services – Different Metrics
Oracle is famous for its wide variety of license metric definitions, and this is no different for Oracle’s Fusion Cloud Services. The latest price list published by Oracle already includes 36 distinct metrics and associated metric definitions under which Oracle sells its Fusion Cloud Services.
The most commonly used metrics are:
Hosted Named User: is defined as an individual authorized by You to access the hosted service, regardless of whether the individual is actively accessing the hosted service at any given time.
Hosted Employee: is defined as (i) all of your full-time, part-time, temporary employees, and (ii) all of your agents, contractors and consultants who have access to, use, or are tracked by the programs. The quantity of the licenses required is determined by the number of Employees and not the actual number of users. In addition, if you elect to outsource any business function(s) to another company, the following must be counted for purposes of determining the number of Employees: all of the company’s full-time employees, part-time employees, temporary employees, agents, contractors and consultants that (i) are providing the outsourcing services and (ii) have access to, use, or are tracked by the programs.
Based on these license metric definitions, how individual users receive “access” to the different roles, privileges and associated cloud services within an Oracle Cloud Subscription is key to staying compliant and controlling your costs. So let’s take a closer look at how “access” provisioning actually works.
Role Based Access Control:
The moment you receive your Oracle Cloud application, access to the different functionalities and data is controlled using the industry-standard authorisation framework: Role-Based Access Control (RBAC). As an end-user, you implement the role-based access control provided by Oracle so that individual users have appropriate access to data and functions. This sounds rather simple, doesn’t it?
But if you look a bit deeper, this role-based access control model introduces several complexities you should be aware of. This is because:
- An individual USER is assigned one or multiple ROLES
- A single ROLE is assigned one or more ACCESS PRIVILEGES (a role can be either a standard (“seeded”) or a “custom” role)
- A PRIVILEGE belongs to one or more CLOUD SERVICES
- A CLOUD SERVICE belongs to one or more CLOUD SUBSCRIPTIONS
Individual users gain access to application data and functions (and thereby to a specific cloud service) through the roles you assign them. These roles can be divided into four categories:
- Abstract Roles: This role defines the user’s functions in the organization, independent of the actual job the individual has. It inherits duty roles but does not contain security policies (e.g. Employee).
- Job Roles: This role defines a specific job an employee is responsible for. An employee may have many job roles. It may require a data role to control the actions on the respective objects (e.g. Accounts Receivable Specialist).
- Data Roles: This role defines access to the data within a specific duty: who can do what on which set of data? The possible actions are “read”, “update”, “delete” and “manage”. Only duty roles hold explicit entitlements to access the data. These entitlements control privileges such as which screens, buttons, data columns, etc. a user can see in the user interface.
- Duty Roles: This role defines a set of tasks. It is the most granular form of a role. Job and abstract roles inherit duty roles. Data security policies are specified on duty roles to control actions on all respective objects.
The below diagram provides an overview of the relationship between the different roles:
Understanding this concept makes you realise that one individual user can have any number of different roles at the same time. The combination of roles determines the user’s level of access to a specific cloud service.
For example, an individual user might be assigned the roles:
- Sales Manager role,
- Sales Analyst role,
- Employee role
In this example, the individual user gets access:
- As an employee, so the user can access employee functions and data.
- As a sales manager, so the user can access sales manager functions and data.
- As a sales analyst, so the user can access sales analysis functions and data.
When the user signs in to the application (and is successfully authenticated), a user session is established and all roles assigned to that user are loaded into the session repository. The Fusion Cloud application determines the set of privileges to application resources that are provided by the roles, and then grants the user the most permissive level of access.
To understand how an individual user and their associated roles and privileges result in license requirements for the different cloud services and their associated cloud subscriptions, the real-life example below has been created.
User and its Roles
User “John Doe” has the roles “Manager” and “Employee”.
Roles and its Privileges
An individual user can have one or multiple roles.
The role “Employee” includes (among others) the privileges:
- Access Time Work Area
- Create Performance Document by Worker
- Manage Expense Report
The role “Line Manager” includes (among others) the privileges:
- Create Performance Document by Manager
- Manage Team Reputation Tasks
- Access Learning Common Components
Privileges and their Cloud Services
A privilege can belong to one or multiple cloud services. If you start “mapping” the different privileges to cloud services, the following conclusions can be drawn:
The privilege “Access Time Work Area” relates to
- Time and Labor Cloud Service AND
- Enterprise Resource Planning for Self Service Cloud Service
The privilege “Create Performance Document by Worker” relates to
- Performance Management Cloud Service
The privilege “Manage Expense Report” relates to
- Enterprise Resource Planning for Self Service Cloud Service
The privilege “Create Performance Document by Manager” relates to
- Performance Management Cloud Service
The privilege “Manage Team Reputation Tasks” relates to
- Workforce Reputation Management Cloud Service
The privilege “Access Learning Common Components” relates to
- Oracle Learning Cloud Service
Cloud Services vs Cloud Subscriptions
A functional cloud service can belong to one or multiple “Cloud Subscriptions” that can be purchased from Oracle. If you start “mapping” the different cloud services to cloud subscriptions, the following conclusions can be drawn:
- The cloud service “Time and Labor Cloud Service” relates to the cloud subscription “Oracle Fusion Time and Labor Cloud Service”
- The cloud service “Enterprise Resource Planning for Self Service Cloud Service” relates to the cloud subscription “Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service”
- The cloud service “Performance Management Cloud Service” relates to the cloud subscription “Oracle Fusion Talent Management and Workforce Compensation Cloud Service”, or “Oracle Fusion Talent Management for Coexistence Cloud Service”
- The cloud service “Workforce Reputation Management Cloud Service” relates to the cloud subscription “Oracle Human Capital Management Base Cloud Service”
- The cloud service “Oracle Learning Cloud Service” relates to the cloud subscription “Oracle Fusion Learning Cloud Service”
After doing all these “mappings”, the individual user “John Doe” requires (among others) a Hosted Named User subscription for:
- Oracle Fusion Time and Labor Cloud Service
- Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service
- Oracle Fusion Talent Management and Workforce Compensation Cloud Service, or Oracle Fusion Talent Management for Coexistence Cloud Service
- Oracle Human Capital Management Base Cloud Service
- Oracle Fusion Learning Cloud Service
Standard (Seeded) Roles
In the standard “out of the box” provisioned Oracle Fusion Cloud Service, several standard job roles – so-called Seeded Roles – are provided. These standard roles can be used instantly and enable you as an end-user to:
- use the pre-defined roles immediately (faster “time to value”)
- reduce the operational security management costs (using standardised roles)
- scale-up quickly (since these roles exist in all Oracle Fusion solutions, the adoption of a new module is in theory simple)
However, there are several disadvantages as well. Apart from the fact that many end-users have no visibility into how their usage of the Fusion Cloud Service complies with their security requirements (since it is based on Oracle’s Cloud SoD Policies, which are not publicly available), each quarter a new update of the Oracle Fusion Cloud software is made available.
These updates can introduce new functionality and access into the pre-configured “seeded roles”. In other words, individuals using “seeded roles” can, without any notification, be granted access to functionality or cloud services that you as an end-user organisation do not hold an Oracle Cloud Subscription for, creating a compliance issue. This is because each individual who is “authorised” to use a cloud service, regardless of whether the individual is actively using it, is required to have a subscription!
Although standard seeded roles are positioned as “the way to go” (and although Oracle Support representatives sometimes state that you will not receive support if you use custom roles), it is recommended at all times – both from a security and from a license compliance and cost control perspective – to use custom job roles. Custom roles are not affected by newer versions of the cloud service.
Although many end-users thought that with the “cloud” all compliance issues were gone, the reality is completely different. Having a clear, accurate and up-to-date understanding of the rights obtained from your cloud subscriptions, and reconciling these with your actual consumption of the different cloud subscriptions on a regular basis, continues to be required to avoid compliance claims and unnecessary costs.
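The user → role → privilege → cloud service → subscription chain from the John Doe walkthrough above, together with the seeded-role drift problem just described, as an added example (not code from the article or from Oracle). The mapping tables are constructed from the article’s example with shortened service keys; the privilege, service and subscription marked HYPOTHETICAL are placeholders that stand in for whatever a quarterly update might add to a seeded role.

```python
"""Resolve roles -> privileges -> cloud services -> subscriptions for a user and
flag services the user is authorised for without an owned subscription.
Constructed from the article's John Doe example; HYPOTHETICAL names are placeholders."""

ROLE_PRIVILEGES = {
    "Employee": {"Access Time Work Area", "Create Performance Document by Worker",
                 "Manage Expense Report"},
    "Line Manager": {"Create Performance Document by Manager",
                     "Manage Team Reputation Tasks", "Access Learning Common Components"},
}
PRIVILEGE_SERVICES = {  # one privilege may belong to several cloud services
    "Access Time Work Area": {"Time and Labor", "ERP for Self Service"},
    "Create Performance Document by Worker": {"Performance Management"},
    "Manage Expense Report": {"ERP for Self Service"},
    "Create Performance Document by Manager": {"Performance Management"},
    "Manage Team Reputation Tasks": {"Workforce Reputation Management"},
    "Access Learning Common Components": {"Oracle Learning"},
    "HYPOTHETICAL New Privilege": {"HYPOTHETICAL Service"},  # placeholder added by an update
}
SERVICE_SUBSCRIPTIONS = {  # tuple of alternatives: holding any one of them suffices
    "Time and Labor": ("Oracle Fusion Time and Labor Cloud Service",),
    "ERP for Self Service": ("Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service",),
    "Performance Management": ("Oracle Fusion Talent Management and Workforce Compensation Cloud Service",
                               "Oracle Fusion Talent Management for Coexistence Cloud Service"),
    "Workforce Reputation Management": ("Oracle Human Capital Management Base Cloud Service",),
    "Oracle Learning": ("Oracle Fusion Learning Cloud Service",),
    "HYPOTHETICAL Service": ("HYPOTHETICAL Subscription",),  # placeholder
}
OWNED_SUBSCRIPTIONS = {  # constructed: what this organisation has bought from Oracle
    "Oracle Fusion Time and Labor Cloud Service",
    "Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service",
    "Oracle Fusion Talent Management for Coexistence Cloud Service",
    "Oracle Human Capital Management Base Cloud Service", "Oracle Fusion Learning Cloud Service",
}

def required_subscriptions(roles, role_privileges=ROLE_PRIVILEGES):
    """Map a user's roles to {cloud service: subscription alternatives}."""
    privileges = set().union(*(role_privileges.get(r, set()) for r in roles))
    services = set().union(*(PRIVILEGE_SERVICES.get(p, set()) for p in privileges))
    return {s: SERVICE_SUBSCRIPTIONS[s] for s in sorted(services)}

def compliance_gaps(roles, owned, role_privileges=ROLE_PRIVILEGES):
    """Services the user is authorised for (licensable!) that no owned subscription covers."""
    return sorted(s for s, alts in required_subscriptions(roles, role_privileges).items()
                  if not any(a in owned for a in alts))

def update_drift(roles, owned, before, after):
    """New gaps caused by a seeded role gaining privileges between two role snapshots."""
    return sorted(set(compliance_gaps(roles, owned, after)) - set(compliance_gaps(roles, owned, before)))
```

Run `compliance_gaps(["Employee", "Line Manager"], OWNED_SUBSCRIPTIONS)` after every quarterly update, and `update_drift` against the previous quarter's role snapshot, to catch the silent seeded-role changes before Oracle's compliance team does.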