Challenges and risks related to the management of licensed software based on users

Article

Challenges and risks related to the management of licensed software based on users

Part two - Software Asset Management

June 2019

The first part of the article discussed license metrics classified based on the manner of calculating users (named users and concurrent users). In this part we would like to take a look at how to measure licenses in accordance with imposed restrictions or their purpose. The suggested classification is our proprietary methodology developed for the purpose of this publication.

General overview of classification based on imposed limitations or license purpose:

a) license metrics limited geographically,

b) license metrics limiting the program functionality,

c) license metrics taking into account relations between the user and the company,

d) license metrics taking into account the frequency of program use.

License metrics limited geographically

The first type of licenses classified based on imposed limitations includes license metrics restricted to location from which the program is being used. Here, among the most popular license metrics (e.g. Micro Focus, OpenText) are:

a) Global User,

b) Area User,

c) Site User.

In the case of a Global User a licence holder has access to software from any place in the world. 

While with an Area User (user from a specified location/local user) access to software is restricted to a concrete area defined by the software producer; this might be a geographical region such as EMEA, i.e. Europe, Middle East and Africa, JAPAC (Japan, Asia-Pacific and Australia) or even a city where a server with software is located (e.g. OpenText).

The last license metrics, a Site User, enables software use in a specified place (site) only, e.g. in a particular room in a building, at a physical address (pre-defined street name and house number) or within a specified group of addresses etc.

Apart from Area and Site User licenses there are also Area and Site licences without a user specified. In the first case, the Area License can, for instance, enable software installation on any number of computers (and thus, its use by any number of users) but within restricted area (e.g. Radiation Software - 40 kilometres from the area of the first installation or Bitvise - 75 kilometers). The second one, Site, enables the use of software by an unlimited number of users but within a specified building or a group of adjacent buildings.

License challenges and risks:

  • License utilization monitoring This process rarely is supported by control mechanisms incorporated into the program (this is the case of Micro Focus/HPE products). If a licensee does not implement a propriety control system to monitor license utilization, this may result in license risk for licenses restricted by area (e.g. Site User/Area User). For instance: some employees frequently travel on business or use a given software while working from home, and once they leave the permitted zone (e.g. site or area) they may need to get a different type of a license to be able to access the program.
  • Determining the area where license can be used. Here we may expect restrictions on distance (possible installations within a 40-kilometre radius) but we suggest that detailed license provisions of individual producers be taken into account. For HPE/Micro Focus such area has to be defined in an additional document at the time of purchase otherwise the area where the original order was placed is deemed the right area for using Area User licenses. Whereas for the Site User license, this will be the place to which the product has been sent as specified in the invoice (therefore it is unacceptable to provide multiple addresses or addresses in different countries for licensing purposes).
  • Additional licensing costs. If a company changes its registered office (and relocates its employees) and the change entails moving to a different area (Area Userlicense) or using the program from a different location (Site User license), it is important to remember about an additional fee for license relocation. Otherwise such a situation may exert a considerable impact on a company’s long-term growth strategy and the nature of its business operations.

License metrics limiting program’s functionality

In this case we may expect the following license metrics (e.g. Microsoft, SalesForce):

a) Full User,

b) Limited User,

c) Guest User.

The first one, i.e. the Full User, provides the end user with access to all software functions while the Limited User ensures access to specific elements of the program described by the producer or the user can perform just strictly defined activities (e.g. user has only access to data but is not allowed to add or modify them).  As per the Guest User license metrics, some of the software providers (e.g. Micro Focus/HPE) use it as the equivalent of Limited User (used by Microsoft). SalesForce has adopted a completely different approach to naming; here the name of the user type specifies which program elements the user is entitled to use (e.g. Salesforce Platform User, Force.com – One App User, Chatter Free User, Chatter External User).

License challenges and risks:

  • Determining the need for individual licenses. Irregularities in this area may lead to vesting unnecessary entitlements in user, which consequently may result in decreased IT security of the company, higher unjustified costs as well as unused licenses (which may also generate license support and maintenance costs). Through adequately determined demand for individual types of users the company can make considerable savings on licence purchase (for Microsoft products the difference between a Limited and Full User license for certain programs may reach up to 80%).
  • Change of the license type. With some producers (e.g. Microsoft Dynamics Nav) moving from a limited to an extended license version may entail bearing the full cost of an extended license together with support and maintenance costs for both licenses.

License metrics that take into account user’s relations with the company

Here we can distinguish between two types of license metrics (e.g. Micro Focus, IBM):

a) Internal User,

b) External User.

External User is a user from outside the company provided with access to software in order to perform an assigned task, extract information etc., while Internal User is a user who is an employee of the organization that owns a given software.

License challenges and risks:

  • Additional user defining requirements. Despite the fact that usually the division into internal and external users allows for costs optimization and a better matching of the licenses held to the current company needs (e.g. in the case of Micro Focus Vibe External User licenses do not entail any additional licensing costs), detailed licensing terms and conditions for external users may include additional requirements (e.g. Novell Vibe version 3.4 includes the following conditions: e-mail as the account name, lack of synchronization with catalogue services, lack of abridged logging to the system). Failure to satisfy any of these conditions may result in the necessity to provide all external users with basic licenses.
  • Various definitions of users. In IBM Content Foundation (version 5.5.2), internal users (defined as Employee User/user who is an employee) who require licenses based on UVU (User Value Unit) encompass not only all employees hired in a company (regardless of whether or not they have access to the program) but also all users acting on behalf of the company or under a personal service contract with access to the program. Whereas external users (Eligible Participants) are not company employees but are program users who take part in any program which involves rendering managed services or services tracked by the program, and need licences based on RVU (Resource Value Unit).
  • Restrictions concerning provision of services. Providing external users with access requires particular caution as license provisions often include restrictions on rendering services with the use of licensed software for the licensee company only and not for the benefit of external entities. Thus, services rendered to other entities by an external user with the use of a given software may lead to licensing inconsistency. Such a provision is included in Micro Focus Vibe (4.0.2) license.

License metrics that take into account the frequency of use of the program

Here we have singled out one user type -Infrequent User. IBM software licensing rules define it as an authorized user who obtains access to the program no more than one hundred twenty times within the next twelve months. In this way single access is defined as one or multiple interactions with the program within fifteen minutes. So, in the event when a given user fails to adhere to specified terms and conditions, a full license needs to be purchased. In terms of other software providers (e.g. Qlik), an infrequent user is defined as Login Access Pass. In this very case the allowed access is 60 minutes within the next 28 days, with a renewable license assigned at logging-in. Should the said terms not be satisfied, another license is used until the pool gets depleted. Used licensed can be reused after the lapse of 28 days.

License challenges and risks:

  • Usage monitoring. Using infrequent user licenses can bring considerable savings for a company due to lower license costs. In the case of IBM ten infrequent users correspond to one authorized user. However, software producers usually do not offer integrated mechanisms to monitor the use of such licenses and developing such a proprietary solution that would monitor their use level is the task of the licensee. Lack of such a solution, its malfunctioning or else lack of the possibility of demonstrating the use level pose a risk that licensing requirements would be calculated same as for a normal user.

License requirements discussed both above and in the first part of the article do not exhaust the notion of risk and challenges related to the management of licensed software based on users. Nevertheless, please remember that while considering the purchase of one product from one producer you may have to deal with various license metrics depending on the program version (e.g. ArcSight - licensing based on the number of processor cores, next on the number of GB processed in a time unit and later on the average number of events in a time unit). This involves the necessity of ongoing monitoring of such changes which constitutes another challenge and poses additional license risk. Apart from license types presented in this article there are also other kinds of license metrics based on users, e.g. virtual users who are mostly used for the purpose of software testing. What is more, the discussed license types can also be combined and give rise to a Site Concurrent User for instance. In this case license requirements can reflect any combination of requirements for individual license types.

In majority of systems software identifies users via a user account secured with a password, devise key, biometric data. Accounts can be created for the needs of a specified program but synchronization with catalogue services (Active Directory [Microsoft], eDirectory [Micro Focus] or IBM Security Directory Server [IBM]) is much more convenient. Nevertheless it entails other license threats that result from invalid users still remaining in the system, the issue with synchronizing individual instances in dispersed environments, changes in the user name methodology applied in the company (and the existence of duplicated user accounts) or failure to perform synchronization (at certain stage of work) between production, development and test environments. Each of the above may lead to a license abuse as well as infringe the company’s cybersecurity (which may result in theft or data disclosure).

A multitude of user-related license metrics, their frequent updates and modifications made by software producers as well as lack of uniform terminology to define users and their entitlements, get in the way of the license management process and consequently expose end users to the risk of license inconsistencies. Additionally, software producers not always support end users with monitoring the licensed software utilization level. That is why it is worth knowing that the market offers solutions that address presented challenges such as specialist software to monitor the level of license usage which when supported by experts in Software Asset Management can completely eliminate the risk of license incompliance. 

Software Asset Management

Software Asset Management is an essential element of the IT area in every company, not only from the perspective of cost optimization but also with a view to improvement of systems and applications security. SAM combines technology, competencies, processes and reliable data.

Did you find this useful?