Beware of the Oracle Audit!

FNorelli

About a year ago I left JDE/PSFT/ORCL after 16 years of dedicated consulting service, and have been at a local customer site since. About two months ago I was contacted by someone at Oracle demanding that they perform an audit on my system. After cornering us with contract papers, we had to let them audit our system. They were looking to see if we were in violation of our licensing agreement by counting the number of concurrent users. 16 years on the service provider side and not once have I ever heard of such an audit. Apparently, this is common practice for ORCL.

After 3 weeks of continuous data gathering and auditing, they found us to be in violation of our CONCURRENT user count by 2 licenses for 30 minutes on two different days. So we asked to buy two more concurrent licenses to be in compliance. Here's the kicker. They no longer sell concurrent user licensing, but rather force you to change your contract from concurrent to per user, based on each ID set up in the F0092. Yup, even the test and student ones. Their calculated conversion increased our contract fee by $500,000 for us to use the software, as is.

There was a mass push on my end to slash F0092 IDs. I cleaned up about 40%, and we offered a number of different solutions to be compliant with the current contract. ORCL said our attempts were great for the future, but since they found us in violation, we have to pay lots of money. After some back and forth, they lowered their fee to $386,000. Keep in mind, there is NO mechanism in the software to monitor your concurrent user count. Hence, we are letting them take it to legal measures.

After some digging, I heard through the grapevine that ORCL closes their fiscal year around now, and this is a sales attempt to generate more revenue for closing. Don't know if this is true or not, but if it is, then the audit is a crummy way of bleeding your customers, if you ask me.

So be forewarned. To avoid this atrocity, you may want to implement mechanisms to monitor the number of concurrent users accessing the system so that the number doesn't exceed your license agreement. For example, you could use Citrix, capping the number of users that can access the published application, and terminating idle connections after a period of time. The web server has the same mechanisms.

I hope this information helps prevent you all from being devoured by the hungry Oracle giant.
 
Well, since the system doesn't have a mechanism to count concurrent users as you pointed out, how did Oracle determine that you were out of compliance by two licenses for 30 minutes on two different days?
 
JDE, and subsequently PSFT, and thusly now Oracle have always had tools that could be used for auditing. Remember, just because they don't SELL the tool to customers, doesn't mean they've not developed one for internal use!
 
Oracle will install a set of tools on your servers that monitors the security kernel every 10 minutes, for about 3 continuous weeks. They will ask you to send them the results and some key files, one of which is the F0092. So CNC guys, start looking at your F0092 and getting rid of IDs that no longer matter.
 
My customer was audited for about the same amount of non-compliance a couple of years ago - exactly the same scenario. We were able to negotiate for a much-reduced 50 user license even though we were only out by a couple of licenses - and after much deliberation, we sat there and ensured that all of our compliance would be handled by Citrix.

What was interesting is we found huge issues in the auditing process - initially they stated we were around 20 to 30 out - but looking at the tools it was easy to see that they were also counting JDENet kernels as users, and that if a user had become disconnected and immediately logged back on, that would create double connections. Be careful, make sure you have someone carefully go through ORCL's data - after all, you do not want to have to pay for the additional licenses with your back against the wall.

Oh, and, as an ex-JDE employee, I think the auditing is a very good idea. Had JDE ever put something like that into effect, imagine how much profit they would have been able to amass. JDE was horribly mismanaged, and couldn't show a penny of profit. PSFT and ORCL know how to squeeze the existing customers out of their dough - just like SAP does. I'm certain that this auditing procedure has ensured a LOT of profit.

However, to be absolutely assured you are compliant - make sure that your client-server is counting the concurrent connections - that evidence is far better than what JDE put up.

As for cleaning out the F0092 - look at your existing contract before you go crazy - if you have concurrent licenses, you don't need to cut this down. I can't believe they don't have new concurrent licensing any more - Named users is ridiculous - especially since they count the 10-15 "default" user IDs. Check your contract - ensure that your company negotiated for additional concurrent licenses in the future as part of the language of the contract.
 