Why Tool Selection Defines Assessment Outcomes

Most Oracle licensing exposures are not discovered by Oracle first. They are discovered by the organisation's own team — or, more often, not discovered at all until Oracle's License Management Services arrives with a formal review request. The difference between these two outcomes is almost always the quality and independence of the assessment toolkit in place.

Oracle provides its own collection tools freely — and with good reason. The LMS collection scripts are designed to surface every possible exposure across Database, Middleware, Java, and Applications. Accepting Oracle's offer to run its own tools in your environment is the equivalent of handing Oracle a complete evidence package before any discussion about its interpretation.

An independent assessment toolkit — combining Oracle-verified third-party SAM data, expert-led policy interpretation, and a controlled evidence environment — gives the enterprise the same visibility as an Oracle audit, with the ability to evaluate, remediate, and negotiate before that visibility is shared with Oracle.

Each of the 20 checkpoints below addresses a specific dimension of Oracle assessment tooling. The risk rating reflects the frequency with which gaps in this area lead to material licensing exposure across Redress Compliance engagements. The expert note provides practical guidance on how to apply or avoid each tool or approach.

Section 1 — Oracle Native Tools: Capabilities and Cautions
01 Have you reviewed what Oracle's LMS Collection Scripts collect before agreeing to run them in your environment during a formal audit? High Risk
Expert Note Oracle's LMS Collection Scripts are a series of SQL queries and operating system commands that extract deployment data across Oracle Database, Options and Packs, Middleware, and Java. When run, they produce output files that Oracle uses to construct its entitlement demand. The scripts collect far more than licence data — they capture configuration settings, AWR and ASH history, DBA_FEATURE_USAGE_STATISTICS entries, and server topology information. Organisations that run LMS scripts during an audit without first running equivalent independent scans have no basis to challenge Oracle's interpretation of the data. Always run an independent scan first and compare outputs before agreeing to share any LMS script results.
02 Is the Global Deployment Matrix (GDM) used as an internal inventory tool or only completed in response to Oracle requests? Medium Risk
Expert Note Oracle's Global Deployment Matrix is an Excel-based form used to document Oracle product deployments by server and location. Oracle provides the GDM both as an internal inventory aid and as the standard format for licence position reporting during audits and ULA certifications. Organisations that complete the GDM only in response to Oracle requests are working reactively — any omissions or inaccuracies become permanent audit record. Using the GDM proactively as a quarterly internal inventory document, reconciled against actual deployment data, ensures the organisation always has a validated position ready to present.
03 Has your team reviewed Oracle's DBA_FEATURE_USAGE_STATISTICS view on all production Oracle Database instances to understand what usage evidence Oracle will see during a review? High Risk
Expert Note DBA_FEATURE_USAGE_STATISTICS is Oracle's built-in usage tracking mechanism. It records every invocation of Oracle Database features and options — including Diagnostics Pack, Tuning Pack, Partitioning, Advanced Compression, and over 180 other features — with timestamps and invocation counts. Oracle LMS uses this view as its primary evidence source for Options and Packs licensing claims. The view cannot be purged or modified by the customer. The correct action is to query this view proactively on every instance, identify any features accessed without licence entitlement, and either cease access (which stops future accumulation) or budget for the exposure before Oracle's review finds it.
04 Is Oracle's Java Usage Tracker deployed and monitored, and has the output been reviewed against the current Oracle Java SE subscription scope? High Risk
Expert Note Oracle provides a Java Usage Tracker — a JVM agent that logs Java SE usage events including the JDK version invoked, the application accessing Java, the user, and the system hostname. Oracle can request Java Usage Tracker data during a Java audit. Organisations that have not deployed the Java Usage Tracker typically underestimate their Java deployment scope by 30 to 50 percent, as embedded and automated Java invocations are invisible without it. Deploying the Java Usage Tracker as an internal tool — rather than waiting for Oracle to request it — provides the enterprise with advance visibility of every Java deployment that Oracle will find.

Want an independent Oracle assessment before any LMS contact?

Redress Compliance uses its own independent toolkit — not Oracle's scripts — to give you a protected assessment.
Download Assessment Guide →
Section 2 — Third-Party SAM Platforms
05 Is the SAM platform in use Oracle-verified for the specific Oracle product categories present in your environment — Database, Options, Middleware, Java, and EBS? High Risk
Expert Note Oracle maintains a list of verified SAM tools whose data collection methodology and output Oracle accepts during formal audits. Verification is product-category-specific: a tool may be verified for Oracle Database but not for Oracle Java or Middleware. Flexera One and Snow Software are the most broadly verified platforms, covering Oracle Database, Database Options, Middleware, Java SE, and E-Business Suite. ServiceNow SAM Pro and Certero for Oracle carry verification for Database and some Middleware categories. Using a non-verified or partially-verified SAM tool does not protect the organisation from an Oracle audit finding — Oracle will fall back to its own LMS scripts if it does not accept the SAM data presented.
06 Has the SAM platform's Oracle Database agent been validated to correctly apply the Processor Core Factor Table for all CPU architectures in the environment? High Risk
Expert Note Oracle's Processor Core Factor Table assigns different factors to different CPU architectures — 0.5 for Intel and AMD multi-core processors, 0.75 for SPARC T4-series, 1.0 for older single-core Intel and AMD. SAM platforms must apply these factors correctly to calculate licence requirements. Redress has identified SAM platforms applying incorrect factors to AMD EPYC and ARM-based processors introduced after the SAM platform's last Oracle policy update. Validating the Core Factor Table logic in your SAM platform against Oracle's current published table — available on Oracle's website — is an essential annual check.
07 Does the SAM platform correctly identify Oracle Database deployments in VMware environments and apply Oracle's soft partitioning policy to calculate the full cluster processor liability? High Risk
Expert Note Oracle's VMware soft partitioning rule — requiring all physical processors in any VMware cluster where an Oracle VM can run to be licensed — is the single largest source of Oracle licensing exposure across enterprise environments. SAM platforms vary significantly in how they handle this calculation. Some platforms calculate licence requirement based only on the processors allocated to Oracle VMs; others correctly identify the full cluster processor count. Validate your SAM platform's VMware Oracle licensing calculation by running a manual cluster boundary check on at least two representative VMware environments and comparing against the SAM platform's output.
08 Is the SAM platform configured to detect Oracle Java SE deployments across all endpoints — including servers, workstations, developer machines, and build pipeline agents? Medium Risk
Expert Note Oracle Java SE deployments are frequently undercounted in SAM platforms because the default agent configuration scans only managed servers — omitting developer workstations, CI/CD pipeline agents, Docker containers, and endpoints managed through MDM rather than the SAM agent. A comprehensive Java SE scan must include endpoint discovery across all device management platforms, container image scanning for embedded Java, and build pipeline inspection for Java dependencies. Organisations that rely solely on SAM server discovery for Java typically undercount their Java population by 35 to 60 percent.
Section 3 — Independent Assessment Methodology
09 Is your Oracle licensing assessment conducted under legal privilege — either through external counsel or with a structured privilege framework — to protect findings from Oracle disclosure requests? High Risk
Expert Note Assessment findings prepared in anticipation of litigation or formal Oracle review can attract legal privilege protection in many jurisdictions, meaning Oracle cannot compel their disclosure. This protection requires the assessment to be commissioned through, or in coordination with, external legal counsel. Organisations that conduct Oracle self-assessments without a privilege framework risk Oracle issuing discovery requests for internal compliance reports, gap analyses, and remediation plans during a formal audit process. Establishing a privilege framework before beginning any material Oracle assessment is a standard risk management step that Redress recommends to all enterprise clients facing potential Oracle review.
10 Does the assessment methodology include a policy-layer review — comparing Oracle's current published licensing policies against the SAM platform's rule set — to identify policy interpretation gaps? Medium Risk
Expert Note SAM platforms are updated periodically but not continuously. Oracle publishes policy updates, new product definitions, and changes to licensing metrics — including the Java SE subscriber definition, the VMware cluster boundary interpretation, and Database Options classification changes — outside of SAM platform update cycles. An independent Oracle policy-layer review, conducted quarterly by an Oracle licensing specialist, bridges the gap between SAM platform rule sets and Oracle's current enforcement position. In 2024, Oracle's updated interpretation of VMware vSphere 8 cluster boundaries created an exposure that most SAM platforms did not reflect for three to six months after Oracle's position became enforceable.
11 Are assessment scans scheduled and run on a cadence that reflects Oracle risk events — infrastructure changes, M&A activity, and support renewal timelines — rather than on a fixed calendar? Medium Risk
Expert Note Annual or quarterly SAM scans miss the majority of Oracle licensing exposures because most exposures are created by discrete events: a server refresh that changes Core Factor applicability, a VM migration that expands a VMware cluster boundary, a new application deployment that introduces unlicensed Oracle Options, or an acquisition that adds unlicensed entities. Configuring SAM agents to generate Oracle-specific alerts on infrastructure change events — new server onboarding, VM movement across cluster boundaries, Oracle product installation — enables real-time exposure detection rather than periodic retrospective discovery.
12 Is there a formal evidence management process for storing Oracle assessment findings, entitlement documentation, and remediation records in a format that can be presented to Oracle during a formal review? Medium Risk
Expert Note Oracle audits require the enterprise to demonstrate entitlement — not merely assert it. Entitlement documentation includes signed Oracle agreements, licence certificates, order confirmations, and amendment letters for every product and metric in scope. Organisations that cannot locate original licence certificates for products acquired through resellers, acquired entities, or historic transactions are in a significantly weaker negotiating position during an Oracle review. A centralised Oracle entitlement repository — maintained alongside the SAM platform and updated with every Oracle transaction — is the foundation of a defensible audit position.
Section 4 — Virtualisation and Cloud Assessment Tools
13 Is vCenter or equivalent hypervisor management data feeding into the Oracle licensing assessment to provide accurate cluster topology and VM migration capability maps? High Risk
Expert Note Accurate Oracle licensing calculations in VMware environments require current vCenter topology data — including cluster membership, vMotion configuration, resource pool boundaries, and DRS automation settings. SAM platforms that pull Oracle deployment data from database agent scans without correlating against vCenter topology will undercount the Oracle processor exposure in soft-partitioned environments. Integrating vCenter API data into the Oracle licensing assessment — either through the SAM platform or through a dedicated virtualisation mapping tool — is a non-negotiable step for any enterprise running Oracle on VMware.
14 For Oracle workloads in public cloud — OCI, AWS, Azure, or GCP — is the BYOL entitlement calculation validated against Oracle's current cloud-specific licensing rules, including OCPU and vCPU mapping? High Risk
Expert Note Oracle's BYOL rules differ by cloud platform. On OCI, one Oracle Database processor licence covers two OCPUs — a more favourable ratio than on AWS or Azure, where two vCPUs equal one Oracle processor licence. SAM platforms with outdated cloud licensing rule sets may calculate OCI BYOL requirements incorrectly, either overstating licence need (leading to unnecessary purchases) or understating it (creating audit exposure). Validating cloud BYOL calculations against Oracle's current published cloud licensing policies — which Oracle updates independently of SAM platform release cycles — should be part of every quarterly licence position review for cloud-deployed Oracle workloads.
15 Are container and Kubernetes environments scanned for Oracle Database or Oracle Middleware deployments, given that container-based Oracle deployments carry the same licence obligations as bare-metal deployments? Medium Risk
Expert Note Oracle's licensing policies apply to containerised deployments of Oracle software. An Oracle Database instance running in a Kubernetes pod requires the same processor licence entitlement as the same instance running on a physical server — calculated against the physical processors of the underlying host nodes on which the pods can be scheduled. Container deployments are one of the most commonly missed Oracle licensing areas in SAM assessments because traditional agent-based SAM tools do not scan container images or Kubernetes cluster configurations. An Oracle assessment for any environment using Kubernetes or Docker must include container image scanning as an explicit step.
Section 5 — Assessment Governance and Continuous Monitoring
16 Is there a designated Oracle SAM owner with authority to approve new Oracle product deployments, activate Oracle features, and sign off on SAM platform configuration changes? Medium Risk
Expert Note Oracle licensing exposures accumulate most rapidly when there is no single owner responsible for the licence position. Without a designated Oracle SAM owner, DBA teams activate Database Options for performance troubleshooting, application teams install Oracle Java SE as a build dependency, and infrastructure teams migrate Oracle VMs across cluster boundaries — each action creating licensing exposure that no one is tracking. A designated Oracle SAM owner, with authority to enforce a pre-deployment checklist and a quarterly sign-off on the SAM-reported licence position, is the governance control that prevents progressive exposure accumulation.
17 Does the SAM platform generate Oracle-specific compliance alerts — for cluster boundary breaches, new Options activations, and Java version changes — in real time rather than through scheduled report runs? Medium Risk
Expert Note Real-time Oracle compliance alerting requires SAM agent data to be processed against Oracle policy rules continuously rather than in batch. The majority of SAM platforms process Oracle compliance calculations in nightly or weekly batch jobs — meaning a DBA who activates Diagnostics Pack at 9am on a Tuesday may not appear in the compliance report until the following week. Real-time alerting — available in Flexera One and Certero for Oracle — enables the SAM owner to investigate and remediate an exposure before DBA_FEATURE_USAGE_STATISTICS accumulates material evidence of unlicensed access.
18 Is the Oracle entitlement position reconciled against the SAM deployment position at least quarterly, with a formal sign-off confirming the licence surplus or deficit in each product area? Low Risk
Expert Note A quarterly entitlement-versus-deployment reconciliation — comparing Oracle licence entitlement (from the entitlement repository) against Oracle deployment data (from the SAM platform) — produces a licence position statement that the Oracle SAM owner signs off. This document serves three purposes: it ensures the organisation always knows its current compliance position; it provides a ready-made response to Oracle's first audit information request; and it creates a documented history of the licence position that demonstrates good-faith compliance management. Organisations with a documented quarterly reconciliation history consistently achieve better audit outcomes than those presenting a licence position for the first time in response to an Oracle request.
19 Has the assessment toolkit been tested against a known Oracle licensing scenario — such as a simulated VMware cluster expansion — to validate that the tools correctly identify the new exposure before Oracle does? Low Risk
Expert Note Testing the Oracle assessment toolkit against a known scenario is the most reliable way to validate its accuracy. Construct a test scenario — for example, add a new host to an existing VMware cluster where Oracle VMs are running — and verify that the SAM platform identifies the expanded processor exposure within the expected detection window. If the SAM platform does not detect the scenario correctly, the gap identifies either a configuration issue in the SAM agent, a rule-set gap in the Oracle policy engine, or a vCenter topology integration failure. Correcting these gaps in a test environment is significantly preferable to discovering them during an Oracle audit.
20 Is an independent Oracle licensing expert engaged to review the SAM platform configuration, entitlement repository, and assessment methodology at least annually to identify gaps Oracle's audit team would exploit? Low Risk
Expert Note SAM platform vendors are not Oracle licensing experts — they are software developers building tools to a published Oracle specification that lags Oracle's enforcement position. An independent Oracle licensing adviser reviews the assessment toolkit from Oracle's audit perspective: what would Oracle's LMS team find that the SAM platform does not currently report? This annual independent review typically identifies two to four categories of exposure that the SAM platform is missing — often relating to recent Oracle policy changes, new product definitions, or cloud licensing updates. The cost of the annual review is a fraction of the commercial exposure it identifies.
"We thought our SAM platform had Oracle covered. The independent review found three categories of exposure the platform wasn't detecting — VMware cluster boundaries on vSphere 8, embedded Java in our CI/CD pipeline, and Database Options activated in test environments. All three were on Oracle's known audit target list."
— Global Software Asset Manager, European Financial Services Group

Building Your Independent Oracle Assessment Toolkit

An effective Oracle assessment toolkit combines an Oracle-verified SAM platform, vCenter topology integration, a structured entitlement repository, a policy-layer review process, and independent expert oversight. No single tool provides complete Oracle licensing visibility — the toolkit is the combination of all five elements operating with clear governance.

Redress Compliance provides independent Oracle assessment services that complement existing SAM investments — reviewing what your current tools are and are not detecting, validating policy interpretation, and providing a defensible licence position before Oracle engages.

Download the Oracle Assessment Guide →