Oracle Fusion Cloud: Part 2 – Most Common Compliance Issues

Over the last few years, Oracle has been successful in transforming its own Oracle ERP on premise customers to its Oracle Fusion Cloud Service. In its journey to transform end-users to the cloud, Oracle is heavily competing (and rather successfully so) in winning over SAP ERP customers to switch over to Oracle Fusion Cloud and has been named by Gartner as a Leader.

Early adopters from Oracle’s Fusion Cloud Services have however as well already been confronted with the first “compliance claims” associated to unlicensed use of Oracle Fusion Cloud Services. Many end-users thought “with the cloud, there are no compliance issues anymore”; but…. the reality is however different.

In our previous article we focused on how the actual license metrics of Oracle’s Fusion Cloud Services dictates the importance of setting up and monitoring your users in a complete and accurate manner. In this article we will focus on the most common compliance issues faced by Oracle Fusion Cloud customers. Our next article will focus on the different non-standard terms you can negotiate with Oracle during your next Oracle Fusion negotiations.

Most Common Compliance Issues Seen

The below provides an overview of the most common compliance issues we have seen end-users being confronted with during an audit or commercial negotiation with Oracle.

Authorized Users vs Active Users

Similar as for Oracle application environments deployed on premise, the management of users within the Oracle Fusion Cloud Service is an attention point for many end-user organizations. Many end-user organizations do not have the proper controls in place to:

• disable an individual user account from an employee that left the organization or
• adjust the privileges or roles from an individual user account (when the individual is changing roles within the organization)

or

• obtain additional user subscriptions for additional users authorized to make use of the cloud services.

End-user organizations often underestimate the fact that if an individual remains AUTHORISED to make use of the Fusion Cloud Service, a subscription is required for such individual, regardless of whether the individual is actively using the Fusion Cloud Service or not.

Mapping of Users vs Privileges vs Cloud Service vs Cloud Subscriptions

The actual mapping of individual user accounts to the different roles (abstract roles, job roles, data roles, duty roles) either being standard out of the box “seeded roles” or “custom roles” with its individual privileges that belong to one or multiple cloud services and that on its turn belong to one or multiple cloud subscriptions, often results in in-complete and in-accurate understandings of the actual consumption of the different subscriptions. Although Fusion Cloud is a SaaS solution from Oracle, as an end-user you have the responsibility to make sure that the individual users are only getting access to the different privileges belonging to the different cloud services, as part of the different cloud subscriptions you purchased entitlements for. This compliance responsibility always remains at yourself as an end-user and does not lay at Oracle.

Bundling Changes – Keeping track is key!

Oracle continuously develops new features and functionalities of its Fusion Cloud applications. A great benefit to continuously stay “up to date” with the latest and greatest developments. But the rapid developments within the application, also means that you continuously need to stay up to date with the bundling changes that Oracle puts through on a quarterly basis.

For example, you may have bought Oracle cloud subscriptions for “Oracle Fusion Project Contract Billing Cloud Service” in 2018, including the right to make use of the cloud services:

• Oracle Fusion Project Billing
• Oracle Fusion Project Contracts
• Oracle Fusion Enterprise Contracts Management
• Oracle Fusion Transactional Business Intelligence for Projects

But Oracle decided in June 2019 to no longer sell this Cloud Subscription and instead bundled the functionalities into “Oracle Fusion Enterprise Resource Planning Cloud Service” subscription

This Oracle Fusion Enterprise Resource Planning Cloud Service includes several individual cloud services including:

• Financials Cloud Service,
• Fusion Financial Reports Center Cloud Service,
• Advanced Collections Cloud Service,
• Revenue Management Cloud Service,
• Grants Management Cloud Service,
• Project Contract Billing Cloud Service,
• Project Financials Cloud Service,
• Project Management Cloud Service,
• Automated Invoice Processing
• Fusion Transactional Business Intelligence Cloud Service

So, if you want to renew your initial functional requirements, you will need to renew a different cloud subscription. This cloud subscription may however come with a higher price per Hosted Named User, especially if you did not negotiate a price hold in your Fusion Cloud contract!

Unlicensed Cloud Subscriptions through Seeded Users

Many end-user organisations started to make use of standard job roles (seeded roles) at the start of their Fusion Cloud implementation. End-user organisations however often don’t realise themselves that through these seeded roles, additional privileges providing access to unlicensed cloud subscriptions are granted to the users as setup with the cloud environment. End-users that have licensed its cloud services on a “Hosted Employee” metric are as such through this mechanism often confronted with a claim from Oracle that additional subscriptions for the unlicensed cloud subscription ABC are required to be obtained for the complete Employee population.

Generic Users or Multiplexing Users

As end-users created “generic” or “multiplexing” users within their on-premises applications, the similar concept is seen within the Oracle Fusion Cloud environment. It is not uncommon that end-users either setup a “IT Service Desk user” or “Finance Department User” within the cloud service, providing multiple individuals that are working at the IT Service Desk or Finance Department access through one generic user to multiple different Fusion Cloud Services. As the licensing terms specify that everyone that is authorised to make use of the cloud service is required to have a subscription, setting up one generic user for an IT Service Desk department with 22 distinct employees, still require you to have a subscription for all 22 distinct individuals “authorised” to use the different cloud services through the generic user account.

Application Implementation Consultant

The moment that you start implementing and configuring your Fusion Cloud environment, administrators typically start to make use of the powerful standard role called “Application Implementation Consultant”. This role enables administrators to configure anything within the Fusion Cloud Service. Once you finalise the configuration of the Fusion Cloud, Oracle’s program documentation specifies in detail that you should remove this role and replace it with other roles which are  less powerful. In practice this is however often forgotten, resulting in the fact that the implementation consultants remain to have access to all the different Fusion Cloud Services available. This results in a subscription requirement for the implementation consultants, even if you have already completed your configuration years ago!

Double Counting:

A specific privilege may be part of multiple cloud services. As one example only, the previously mentioned privilege “Access Time Work Area” is a privilege that belongs to both the cloud subscription “Time and Labor Cloud Service” and the cloud subscription “Enterprise Resource Planning for Self Service Cloud Service”. This is just one of many examples that we see in our day-to-day practice. Many end-users do struggle with mapping the right privilege to the right cloud subscription, often resulting in “double counting” of the required number of cloud subscriptions for your consumption reporting as preparation for your Fusion Cloud renewal.

In addition, an individual user (e.g. John Doe) may have multiple user accounts as setup within your Cloud environment. Think for example as your cloud administrator that is having access to all the different cloud services to configure the different uses (through a user ID called “SYSADMIN”) that is also having access to the different cloud services through its own personal user account: JOHNDOE. As per the licensing terms, the total amount of distinct individuals (and not usernames) is required to be counted to determine the number of subscriptions required. If John Doe is having access to the cloud service through two user accounts, he still remains to be one individual that should be counted only once, but he is required to be counted for each individual cloud service he has access to (as assigned to through one of the two accounts).

Robots or Non-Human Users

More and more end-user organisations start to make use of RPA tools and “robots” to take care of repetitive tasks. These robots may require (direct or indirect) access to the cloud service but are not individuals (human beings) as defined under Oracle’s standard terms and conditions. Although Oracle is not explicit in its licensing terms (and we recommend you obtain clear language for this in your agreements) Oracle does consider such “robot” user as an individual user that is required to have its own subscription. Or, depending on how access is regulated, each individual being able to execute the “bot” are required to be counted for an individual subscription.

Conclusion

Although many end-users thought that with the “cloud” all the compliance issues are gone, the reality is completely different. Having a clear and accurate up to date understanding of the obtained rights from your cloud subscriptions and reconciling these with your actual consumption of the different cloud subscriptions on a regular basis, continuous to be required to avoid and save costs. SoftwareONE’s Oracle Advisory Services are specifically designed to help you as an end-user to achieve these goals. Reach out to your SoftwareONE representative to schedule a call with one or our solution specialists to find out more!

About the author – Richard Spithoven:

Richard is the Global Lead for Oracle License and Commercial Advisory Services at SoftwareONE. Before his current role, he was one of the managing partners at B-lay. Richard brings more than twenty years of relevant license management experience to his role, having previously served as Regional Director of License Compliance at Oracle Corporation. Richard uses his knowledge of enterprise software vendors to educate, equip and enable software end users in their challenges regarding proper software license management. Richard holds a master’s degree in IT, from the University of Amsterdam in the Netherlands.

Richard is the LISA Course Leader for the Oracle Licensing Training Course