JD Edwards - License Compliance Risks Authors: Andrei Agavriloaiei and Gabriel Dragoi In this whitepaper we will address the most common license compliance issues organizations encounter with the Oracle JD Edwards (JDE) software. This overview is based upon 15 years of experience, in which we have worked with organizations that use JD Edwards programs and went through an Oracle License Review or License Audit.

2

JD EDWARDS – LICENSE COMPLIANCE RISKS

Contents Introduction .................................................................................................................................... 3 Licensing and Pricing – Historical Overview .................................................................................. 4 The 10 Most Common Compliance Issues .................................................................................... 7

3

JD EDWARDS – LICENSE COMPLIANCE RISKS

Introduction Many organizations use enterprise software, but the attention required to properly manage the licenses and deployment of these programs, due to it’s complexity, is often underestimated. The management of Oracle’s JD Edwards software programs is no different. JD Edwards was an independent Enterprise Resource Planning (ERP) software company, mainly known for its "World" products for IBM AS/400 minicomputers, "OneWorld" products for client-server fat client, and "EnterpriseOne" products, a web-based thin client. In 2003, JD Edwards was acquired by PeopleSoft Inc., which in turn, was acquired by Oracle Corporation in 2005. In this whitepaper we will address the most common license compliance issues organizations encounter with the Oracle JD Edwards (JDE) software. This overview is based upon 15 years of experience, in which we’ve worked with organizations that use JD Edwards programs and went through an Oracle License Review or License Audit.

4

JD EDWARDS – LICENSE COMPLIANCE RISKS

Licensing and Pricing – Historical Overview Over time, technological developments led to changes in licensing and pricing of JD Edwards applications. Therefore, to understand the root cause of most JDE licensing issues, we need to start with an overview of the historical and current licensing and pricing models. JD Edwards was an independent Enterprise Resource Planning (ERP) software company, mainly known for its "World" products for IBM AS/400 minicomputers, "OneWorld" products for client-server fat client, and "EnterpriseOne" products, a web-based thin client. In 2003, JD Edwards was acquired by PeopleSoft Inc., which in turn, was acquired by Oracle Corporation in 2005. JD Edwards deployed five pricing models over its 26-year history Server Model-based – used prior to October 1993. The license fees were based on the model of an organization’s IBM AS/400 server. This pricing model made no reference to users. In other words, the end-user would license the capacity of the server and they could have as many users as the server could host. Concurrent User-based – used between November 1993 and November 1996. The model included a list of products for a specified number of users and these users were considered concurrent. Both World and OneWorld products were listed in software license agreements. Suite-based – used between November 1993 and February 2002. Organizations with existing contracts using suite-based pricing were able to purchase licenses for additional products and users using this same model until February 2004. The software license fees were based on two components: 1. A group of products (the “suite”) 2. User fees – software license agreements contain several different user types, which will be explained

below. Solution-based – originally launched in February 2002, solution pricing was the last pricing model used by JD Edwards. This model was enhanced in 2004 and formed the basis for PeopleSoft’s solution pricing model. Solution software licenses are similar to Suite-based licenses, but products are defined on a more granular level. For example, if the Financial Suite was made up of Accounts Payables, Accounts Receivables, General Ledger etc. end-users could buy only some of these components separately under the solution based model.

5

JD EDWARDS – LICENSE COMPLIANCE RISKS

Enterprise Licensing – allows for an unlimited number of users. Individual products are purchased as required by the end-user. The following types of user licenses (metrics) were used for World and EnterpriseOne in conjunction with Suite and Solution based pricing: Concurrent User – Concurrent users are “Full Use” users. Full Use meaning that a user is allowed to access and use all products, modules and features and the number of concurrent user licenses required is determined by the maximum amount of users that at a certain moment in time, at the same time, access the JDE software. Named User – Named users are “Full Use” users. A Named user license belongs to a specific individual. One license equals one user. Moderate User – Moderate User licenses allow usage of limited functionality only. A Moderate User license belongs to a specific individual. One license equals one user. Inquiry or Casual User – Inquiry users by definition aren’t allowed to perform transactions. An Inquiry User license belongs to a specific individual. One license equals one user. PeopleSoft provided both enterprise and solution licensing options Enterprise Pricing – allowed to license the desired software applications for an entire organization without having to keep track of specific user licenses, servers or deployment locations. The license fees were based on company size metrics. Additional license fees (“expansion fees”) were charged in case of growth of the organization. For example, the end-user would initially license 1000 enterprise employees. Once the quantity was exceeded, the end-user needed to purchase as many increments (predefined quantities of licenses) as are necessary to cover the new employee count. The expansion fee is the total value of the increments. Solution Pricing – allowed to license software applications for a specific number of users. This originally was a JD Edwards licensing model that was continued by PeopleSoft after the acquisition. The following license types were associated with Solution Pricing: 1. Named User – full-use user that has access to all licensed software. 2. Self-Service User – limited to a specific application such as Employee Self-Service or Customer Self-

Service. A self-service user is similar to a named user when licensing for internal self-service applications (Employee Self-Service, Manager Self-Service or Expense Management). A self-service user is similar to a concurrent user when licensing for external self-service applications (Customer Self-Service, Supplier Self-Service or Partner Relationship Management). All self-service users are restricted to the use of the application they are assigned to.

6

JD EDWARDS – LICENSE COMPLIANCE RISKS

Oracle has 3 pricing models for JD Edwards applications Component Pricing – is Oracle’s “a la carte” pricing model. Most products are priced by Application Users, but some use a different metric. HR/Payroll products are priced by Employee Count; Supply Chain products are priced by $M Cost of Goods Sold; Expense Management is licensed by number of expense reports processed annually. Custom Application Suite (CAS) Pricing – for this model, products are sold in a tailor made “suite” or bundle of products (the so called Custom Suite) for a number of users (the so called Custom Suite Users). Not all the products can be bought on CAS pricing model, but can be mixed with component based licenses Enterprise Pricing – products are licensed for the entire organization. The license metrics associated with this model are $M Revenue, $M Cost of Goods Sold or Employee Count. All these models started being applied by Oracle in 2006 after the acquisition of PeopleSoft and they are still in use today.

7

JD EDWARDS – LICENSE COMPLIANCE RISKS

The 10 Most Common Compliance Issues Authorized vs. Active Users Many organizations have on-boarding procedures during which new employees receive software user accounts regardless of their business role or needs. In addition to that, organizations may lack off-boarding procedures to disable or remove the accounts of people who leave the company. This type of practices form the root cause of one of the most commonly seen licensing issues for JD Edwards. Typically, end-users expect they only need to license users who are actively using the system. In reality most user based metric definitions say that licenses need to be counted for all users who are AUTHORISED to access the ERP system. In the event of an audit, Oracle will check the EnterpriseOne or World user ID lists to determine how many authorized users there are. This check consists of verifying whether the user account has an active status within the system and at least one active role assigned to it. This typically results in an inflated number of required licenses, simply because it cannot be technically determined who is still in the company and who isn’t. There are multiple reasons for the mismatch between the reality of an audit and an end-user’s expectations. One of them is the change in pricing models and user metrics. As an example, Concurrent Users were only counted for a license while they were actively using the system, whereas this doesn’t apply for other user metrics. Another reason is in the fact that both World and EnterpriseOne used to have Software Protection Codes (SPC). These acted as physical limitations that eliminated the license consumption worry. With the move from client-server to 3-tier architecture it became impossible to keep on using the SPC mechanism. The following measures can be taken to prevent these issues from occurring: make it a priority to perform regular checks and clean-ups of the user ID list, define policies to maintain this list up-to-date and include the deactivation of JD Edwards user accounts in the off-boarding procedures.

8

JD EDWARDS – LICENSE COMPLIANCE RISKS

Prerequisite Products Many of the JD Edwards products sold by Oracle have other products as “pre-requisites”. This means that in case you want to make use of a certain piece of software, you are required to license another piece of software as well. Examples include: - System Foundation is a prerequisite for all JD Edwards modules - Core Tools and Infrastructure is a prerequisite for all JD Edwards modules. - Service Management Foundation is a prerequisite for Service Management - Service Management Foundation is a prerequisite for Capital Asset Management - CRM Foundation is a prerequisite for Case Management - etc. An issue we often encounter is that many organizations own licenses for certain modules but not for the prerequisites, or they own a lower number of licenses for the prerequisite than for the “main” module. This may be caused by an incorrect license migration when moving from one pricing model to another. Nonetheless, remediation for this issue is simple. First, always understand the dependencies between JD Edwards modules. Secondly, make sure the number of licenses you own for System Foundation and Core Tools and Infrastructure matches the total number of authorized users. Finally, ensure that the number of licenses for prerequisite products matches the number for the “main” module. Provider for Core Tools & Infrastructure Blue Stack or Red Stack for Core Tools and Infrastructure Both World and EnterpriseOne software programs rely on a set of components, which act as the underlying platform for the business logic. For EnterpriseOne, some of these are made by JD Edwards while other components such as database and application servers need to be provided by a 3rd party. To license the JD Edwards components, end-users need to purchase a product called EnterpriseOne Core Tools and Infrastructure. To license 3rd party components, end-users can purchase licenses directly from the 3rd party vendor or use the option of purchasing the same licenses from Oracle who acts as a reseller As a result, the following alternatives can be identified: - Core Tools and Infrastructure licensed separately - Technology Foundation - includes Core Tools and Infrastructure as well as licenses for IBM

components (WebSphere Application Server, DB2 and Collaborative Portal) also known as the Blue Stack

- Oracle Technology Foundation - includes Core Tools and Infrastructure and licenses for Oracle Components (Oracle Database Standard Edition; Oracle Internet Application Server Standard Edition; Oracle WebLogic Server Standard Edition etc.) also known as the Red Stack

9

JD EDWARDS – LICENSE COMPLIANCE RISKS

In the past EnterpriseOne licenses usually included the second alternative (Technology Foundation) since JD Edwards products were initially designed and developed for IBM infrastructure. However, since Oracle’s acquisition, focus was gradually shifted to Oracle Technology Foundation. New Technology Foundation licenses were still being sold to existing end-users for a while. But today, Oracle exclusively sells Core Tools and Infrastructure or Oracle Technology Foundation. The Technology Foundation programs cannot be bought anymore. For the end-users that did buy Technology Foundation licenses, Oracle says “Existing end-users licensed for this product needing additional licenses can license Core Tools & Infrastructure from Oracle and then go to IBM directly for additional licenses for the IBM Technology components”. The issue we see in this area is that organizations don’t know the distinction between these products. Because of that they end up owning incorrect combinations of Red Stack and Blue Stack licenses. Often these licenses don’t match the technology that’s underlying their EnterpriseOne installation. There are a number of reasons why organizations end up in this situation: - An organization installs EnterpriseOne with IBM infrastructure and purchases EnterpriseOne licenses

with Technology Foundation. They then upgrade their installation to a newer version of EnterpriseOne and they change to Oracle Technology in the process. However, they continue to use the old Technology Foundation licenses.

- An organization purchases Technology Foundation. They then expand their user base and require additional licenses. They now get Oracle Technology Foundation licenses because Oracle no longer sells the original product.

- An organization purchases Technology Foundation licenses which are incorrectly migrated to Oracle Technology after a new purchase. The company still uses IBM technology for EnterpriseOne.

Other examples can be found, but the thing to remember is that it can be very costly to not make this distinction correctly. Any mismatches between the owned licenses and underlying technology should be remediated quickly. Licensing Analysis for Concurrent Users Although this is only one of the many metrics for JD Edwards users, it is worth focusing on Concurrent User licenses when looking at the most commonly seen compliance issues. A Concurrent User "is a Full Use User that, at any one time, executes an application contained in a Licensed Product or accesses JD Edwards business or data objects associated with a specific Licensed Product. A User executing any Licensed Product by using one user profile from one device is one Concurrent User. However, sessions initiated by one user profile on more than one device, or by more than one user profile on the same device, shall be counted as multiple Concurrent Users. A User will be counted as a Concurrent User until the User exits or closes all business or data objects associated with the specific Licensed Products".

10

JD EDWARDS – LICENSE COMPLIANCE RISKS

If used correctly, this metric can be advantageous for end-users because they only pay for active usage as opposed to possible (authorized) usage. However, Concurrent User licenses are no longer sold by Oracle. Organizations who are still on this historical metric would need to migrate to one of the new metrics in case they exceed their entitlements. As a result, they would need to watch out for a few caveats in order to administer Concurrent User licenses properly. Historically, both JD Edwards World and EnterpriseOne used to have built-in mechanisms to limit the number of Concurrent Users. Technical developments like the introduction of three- tier architectures made it impractical to keep such mechanisms in place and today the JD Edwards applications do not have any technical restrictions in place to limit the amount of users or to limit the use to the licensed functionalities only. Administrators who are familiar with older versions of the applications might expect that this limitation is still there. The mismatch between this expectation and today’s reality generates a licensing risk. Another risk at a more technical level are the so-called “hanging sessions” that reside on a server when users exit the application incorrectly. In the event of an audit, Oracle will look at server sessions to determine concurrency. There is no way to technically determine if there is an actual person behind a session which results in hanging sessions being counted as a concurrent users that need to be licensed. Determining what the truth is in an environment with many hanging session can be very challenging and can lead to costly surprises. There are end-users who own a mix of Concurrent and other user based licensing metrics such as Named, Moderate or Inquiry Users. Whenever this is the case, it is important to understand that concurrency is analyzed only for individual users explicitly marked as Concurrent. In other words: user accounts tagged as Named, Moderate and/or Inquiry are excluded when looking at user session variation. Therefore, it is most efficient to allocate Named, Moderate or Inquiry licenses to the most active users, leaving the Concurrent User licenses for users who log in less often. The key takeaways are: World and EnterpriseOne no longer automatically limit the number of concurrent users; all users should log out of the application properly to prevent hanging session; and license types need to be allocated wisely and in the most cost effective way in case you own a mix of user metrics. New vs. Legacy Pricing Models There’s a subtle difference between legacy pricing models for JD Edwards and the models used by Oracle today. This difference often accounts for licensing issues with a big impact. The legacy Suite or Solution based pricing models involve a group of application modules/systems bundled into a suite or solution (as the pricing model name suggests). In addition to this, there is a number of Named, Moderate, Inquiry and/or Concurrent user licenses which can be used for the users authorized to access all modules irrespective of the actual modules/systems they need.

11

JD EDWARDS – LICENSE COMPLIANCE RISKS

To stay in compliance with your licenses in such a scenario, organizations have to: - Only deploy the modules included in the suite or solution they purchased; - Ensure authorized users don’t exceed the number of owned licenses; - Add security restrictions on the actions (add or change) performed by Moderate and Inquiry users. The current pricing models used by Oracle offer more flexibility. Application User licenses are authorized for a specific module while Custom Suite Users are authorized for multiple modules within a suite. Because of this, it is important to keep a tight control over who has access to what. In technical terms this translates into adding security restrictions on entire applications (run). End-users often think that the current Custom Application Suite model works in the same way as legacy models. In reality this is not the case and you need to take specific actions to adjust your EnterpriseOne or World installation to the correct model. Make sure that only the owned modules are deployed, create the correct number of user accounts, filter the menu in order to grant access to relevant components only and add application security restrictions for current pricing models and action security restrictions for legacy models. Program to Price List Module Mapping As described in the “JD Edwards EnterpriseOne Tools Foundation Guide“ “JD Edwards EnterpriseOne software combines enterprise applications with an integrated toolset to tailor those applications to the needs of your business. […] Example: Each application suite is made up of systems. For example, the Financial Suite contains systems such as Enhanced Accounts Receivable (system 03B), Accounts Payable (system 04), General Accounting (system 09), Fixed Assets (system 12), and others. Each system consists of applications, forms, reports, and database tables that are designed to handle specific business needs. Because the functions and features of all the systems are similar and integrated, you are not necessarily aware of moving from one system to another when working with various applications.” This can result in a compliance risk under Oracle’s current pricing models. For example, to accomplish his/her job function, a user may use an application/report etc. from a different module/system than the one designed specifically for his or her role. This will trigger the need for an additional license; a license for the additional module to which the user got authorized. To prevent this issue, organizations need to understand which programs and reports are being used in their business processes. The best approach is to make an inventory of all the names corresponding to these objects. Once this inventory is available, an end-user should understand to which systems these objects belong. This can be done either by understanding JD Edwards Naming Conventions or by extracting the system code for each object from the application’s Object Librarian table.

12

JD EDWARDS – LICENSE COMPLIANCE RISKS

Finally, organizations need to make sure they license all the modules and systems resulting from this process. Custom Programs and Reports The success of JD Edwards applications is largely based on the fact that they are so flexible and versatile. These qualities are ensured by the fact that users can customize components of the applications to suit their needs. This results in custom programs and reports both in World and EnterpriseOne. However, this comes with a licensing cost. End-users typically think they don’t need to license the usage of these custom objects as they consider them their own intellectual property. In reality, Oracle will however map customized objects to modules from its price list, based on the tables they interact with or the business functions they rely on. As such we recommend end-users to align their expectations with the reality explained above and to evaluate their licensing needs from this perspective. Indirect Usage For JD Edwards applications indirect usage can occur when a web site/shop/application is connected directly to the underlying database, or when applications and 3rd party systems are specifically designed to interact with JDE at application level. A common example of such a system is dcLink. The issues we see in this area are caused either by end-users being unaware of the fact that all the individuals should be counted at the front end of the 3rd party systems and that this number determines the required number of licenses or end-users believe there are exceptions for certain infrastructure configurations. The data transfer between a 3rd party system and JDE can be done in multiple ways. It can happen in real-time when the front end user of a 3rd party system performs an action in that system and his/her action automatically triggers an update or read action in JDE. It can also happen in batches when data is collected in a buffer queue or flat file and then that buffer is emptied in the target system at a predefined moment. In the world of licensing there is some wording around not licensing front end users in the second scenario. However, this type of wording is not applicable to JD Edwards applications sold under Oracle contracts and it is also not applicable to Oracle Applications in general.

13

JD EDWARDS – LICENSE COMPLIANCE RISKS

Another source of confusion is the wording from certain legacy metrics. For example, the definition for the legacy Named User metric starts with “Is a User with an assigned ‘user id’ on the Customer System(s)...”. This wording is weaker when it comes to enforcing the multiplexing policy because front end users don’t have user ids in the JD Edwards system. As a result, Oracle usually will not pursue an indirect usage claim for a legacy contract and will try to respect the commitment made between the end-user and PeopleSoft or JD Edwards. However, if the end-user does not respect that commitment by exceeding the license grant, they will have to migrate to an Oracle metric. To conclude: make sure to license all front end users of connected systems. If an end-user wants to migrate from a legacy contract, there is the option to negotiate a custom definition for Application Users or Custom Suite Users in order to cover specific IT architecture configurations. Implementation Partners Many JD Edwards end-users turn to 3rd party companies for implementing their JD application. Implementation partners are typically hired to implement the system and not to manage the licenses. Although these companies generally create reliable and well documented systems, this creates a risk both in terms of licensing needs and the ability to properly maintain the JDE installation. The Oracle License Review or License Audit process can become quite costly for organizations who have to turn to the implementation partner in order to fulfill the audit requests. Especially because Oracle’s standard audit clause states that you will pay all your own costs related to the execution of an audit. Because of this the end-users should ensure that the implementation partner documents the complete implementation of the software, including what modifications have been made and why they have been made. This will help the end-user to assess the licensing implications. After all, ultimately, the license compliance position is the end-user’s responsibility. 3rd Party Security Tools The security mechanism both for World and EnterpriseOne is very complex. End-users need to create security restrictions in the applications to authorize the right users for the right content, to ensure data protection policies are enforced etc. These requirements generate a need for making security easier to apply and administer. There are 3rd party tools available that address this need.

14

JD EDWARDS – LICENSE COMPLIANCE RISKS

We see that more and more JD Edwards end-users use such tools. The issue with this is that licensing is not among the purposes for which these tools are built. In fact, the security restrictions they add are often insufficient to ensure consumption of the right amount of licenses., JD Edwards administrators would therefore need to add additional security rules directly into EnterpriseOne or World just for licensing purposes. This raises two questions: 1. Do administrators know how to do that if they have only been trained to add security using the 3rd

party tools? 2. Can the security restrictions they add directly conflict with those added from the 3rd party security

tool? Since the setup of both the security tools and World or EnterpriseOne is quite complex we see many implications on licensing. Whilst it is impossible to give a one-size-fits-all advice in this matter, the message is that these situations need to be handled carefully and organizations should not forget about licensing when they configure their security rules.

©2017 B-lay BV. All rights reserved.

JD EDWARDS – LICENSE COMPLIANCE RISKS

About the author – Andrei Agavriloaiei “Everything not saved will be lost” – Nintendo Quit Screen message Andrei has been working in the Software Licensing industry for over 5 years, part of that being in Oracle’s License Management Services (LMS) team and conducting license compliance reviews and anlyses of JD Edwards software. Andrei believes clear understanding of licensing rules is a benefit both for software vendors and end users and that the gap between these parties can be closed. Contact Andrei: andrei.agavriloaiei@b-lay.com About the author – Gabriel Dragoi “Any sufficiently advanced technology is indistinguishable from magic” – Arthur C Clarke Gabriel has been working in the Software Licensing industry for over 2 years, conducting license compliance reviews and analyses of JD Edwards software. Gabriel leverages his experiences of working within Oracle’s License Management Services (LMS) team to educate, equip, and enable end users to understand JD Edwards Entitlements and Software Deployment. Contact Gabriel: gabriel.dragoi@b-lay.com We share our knowledge, so you can focus on the facts! Do you want to know more about different related license management topics, we have a selection of white papers available through www.b-lay.com. If you are in need of extra expertise and a structured approach, feel free to contact B-lay. We will help you make software compliance an exciting opportunity to improve your business! About B-lay B-lay is a specialist in software license management and provides services around software compliance, software audits, software asset management tools and insight in software spend. Our services offer organizations worldwide insight into the risks associated with software licenses, help prevent license compliance issues and help create considerable cost savings by optimizing their licensing position. B-lay was founded in 2008 and has offices in the Netherlands, Romania and the US. B-lay BV | Maliebaan 79 | 3581 CG Utrecht | The Netherlands | info@b-lay.com | www.b-lay.com | +31 88 0233 700