SaaS roles & privileges: getting on top of ‘unexpected usage’

In the January blog I talked about right-sizing your current estate and why it’s important before any move to cloud. But monitoring your Oracle assets doesn’t stop there. Cloud environments—particularly Software as a Service (SaaS) ones—bring their own challenges.

It is important to understand your Software as a Service (SaaS) deployments to avoid ‘unexpected usage’

When an organization first implements SaaS, some seeded privileges and roles can be created automatically. For example, the Implementation Consultant role, which manages enterprise-wide applications, may appear by default.

It is the customer’s responsibility to avoid using these if they aren’t needed. If they aren’t managed, it makes the SaaS environment vulnerable to ‘unexpected usage,’ which is the term given to usage that isn’t accompanied by a subscription.

Of course, there are other ways unexpected usage can occur, such as creating custom roles, or where privileges are common to many services. This could result in true-ups that require additional spend or complex conversations  to explain usage without a subscription.

What is a privilege?

Privileges are what give you access to the functionality needed to do your day-to-day job. And, importantly for this blog, they’re the way Oracle counts a user in a service part number (SKU).

What is a role?

Roles are assigned to users, and each role has several privileges. Customers often bulk assign users to a role. Roles can be customized for specific business needs, often using an out-of-the-box seeded role as the starting point. 

Seems simple enough?

Now imagine multiple service SKUs with multiple available privileges for each, shared among hundreds of roles. Add an environment tailored to the business with lots of custom roles. And suddenly it’s easy to over-consume or allocate incorrect privileges, which results in consuming a service that you haven’t purchased or don’t have enough of and may need to purchase additional subscriptions for.

Now you can see why it’s so important to stay on top of your usage.

How can you check usage?

Checking your deployments against your subscriptions involves a few things.

The technical things

• Check each role, privilege and SKU against known subscriptions. Identify any without an associated subscription.
• Know what you’ve subscribed to. Gather a list of your cloud subscriptions to compare against usage.
• Run reports from the SaaS console to see what you’re consuming, including custom roles.
• Know your seeded items to help establish any unexpected usage.
• Check for over-subscribed SKUs and pinpoint the roles/privileges that contribute to excess.
• Look for multiple roles with the same privilege in one SKU. Duplications like this make it difficult to know which roles to assign to new users.
• Verify that all users have the correct privilege/role allocation by comparing the permissions a role allows to the user’s daily tasks.

The operational things

• Discuss the process for custom role creation with your teams, including who agrees, provisions and monitors them.
• Set up external alerts and corresponding processes covering areas like:
  • Thresholds. For example, you’ve licensed 20 users and are consuming 18. The alert flags the approaching limit.
  • Under-utilization. For example, you’re licensed for 20 users and only five are active. This is an optimization opportunity.
• Establish a strategic plan. Is it expansion and ever-increasing usage, or retraction with managed efficiency?
• Do you have users who provide backup for each other outside of their main job? How do you provision this in the SaaS environment? Do they both need the same sets of roles/privileges, or can roles and privileges be reduced to only those necessary for coverage?
• Who provisions new SaaS environments and what’s the process around this? Who checks the accuracy of the request, the number of users, and if the product is fit for purpose?

The financial things

• Where can you manage costs by reviewing roles, or using other products you subscribe to with similar functionality?
• Do you have multiple SaaS environments from acquisitions? How does that impact overall spend?
• How do you provision budget for new or additional SaaS usage?

If you aren’t already carefully managing your SaaS environment, I hope this helps you take your first steps. SaaS is often considered as easy to manage, but if you aren’t monitoring your deployment—whether on-premises or cloud—and don’t have good processes in place, there’s a real risk  unexpected usage can occur.

We’re here to help

Our team of Oracle SaaS licensing experts are here to help you get to the bottom of your roles, privileges and SKUs so that you can have confidence around subscription consumption and are  getting all you can from your Oracle investment. Visit our Oracle Licensing & Subscription Services page to find out about our services.

In our next blog, I talk about the five key areas you need to consider as part of a Software Asset Management program.